ENdi Privacy Policy
Last updated: 3 June 2026
ENDI LTD (“ENdi”, “we”, “us”) provides the ENdi app for tracking and understanding endometriosis and related conditions. This policy explains what we collect, how we use and protect it, and the choices you have. We’ve written it to match exactly how the app works.
Our core privacy principle: we designed ENdi so that we cannot link your health data to your identity. Even with full access to our servers, it is technically infeasible for us — or anyone else — to determine which health data belongs to which person. The sections below explain how.
1. Who we are
Data controller: ENDI LTD, The Catalyst, Baird Lane, York, England, YO10 5GA, United Kingdom. Contact: info@endiapp.com · https://www.endiapp.com/contact
2. What we collect
Account data (to give you an account): your email address and a securely hashed password. We identify your account by a one-way hash of your email.
Health & wellbeing data you log (symptoms, pain, mood, periods and cycle, sleep, food, medications, supplements, notes, body-map pain entries, health-profile answers). This is “special category data” under the UK GDPR. It lives on your device. It is only copied off your device if you turn on cloud backup (Section 5) or sign up for pattern detection (Section 6).
Wearable & health-platform data (optional, opt-in): if you connect a source, we read metrics such as heart-rate variability, resting heart rate, sleep, temperature, steps and stress. Supported sources: Apple Health (HealthKit) on iOS, Google Health Connect on Android, and Oura, Garmin, WHOOP, and Fitbit. This data is used on your device to enrich your patterns.
Usage & diagnostic data: anonymous app-usage events and crash reports, tied only to a random identifier (Section 7).
Permissions you may grant: camera/photo library (to attach images), and contacts (to add care-team members) — only used for those features, only with your permission.
3. How your health data is structured (zero-knowledge design)
ENdi keeps three independent systems with no link between them:
- Account system — your email (as a hash), password hash, auth tokens, subscription status, and an encrypted key blob we cannot decrypt. No health data.
- Health-features system — the computed, numeric signals used for on-device pattern detection (e.g. “pain level = 6”, “had cramps = yes”), never raw notes or free text. Tagged only with a random identifier generated on your device, which we never hold in readable form.
- Analytics system — anonymous usage and crash data under a separate random identifier.
When you create an account, your device generates a random ML identifier and a recovery key, and encrypts the identifier with a key derived from your recovery key (AES-256-GCM; PBKDF2, 600,000 iterations). We store only the encrypted blob. The result: your email sits in one place and your anonymous health features in another, with no way for us to connect them. If you lose your device and recovery key, your uploaded health data is permanently unrecoverable — that trade-off is what makes the guarantee real.
4. How we use your data
- To provide the app and your account.
- To generate observational pattern insights on your device (Section 6).
- To process subscriptions, send essential service emails, and (if you opt in) marketing email.
- To keep the app secure, fix crashes, and improve features.
We do not sell or rent your personal data, and we do not use your health data for advertising. We never use information from Apple Health (HealthKit) or Google Health Connect for advertising, and we never sell or share it with advertising platforms, data brokers, or resellers. ENdi contains no third-party advertising trackers.
We do not use your data to train any external large language model, and we don’t share your health data with third-party services beyond the narrow, non-identifying descriptor described in 6.3.
5. Cloud backup (opt-in, default off)
If you turn on cloud backup, your full journal data is backed up to your own iCloud account (iOS) or Google Drive (Android). That copy is governed by Apple’s or Google’s privacy terms and tied to your Apple/Google account. Turning it off deletes the existing backup and stops future syncing.
6. Pattern detection
6.1 On-device pattern detection. ENdi’s insights come from pattern detection (machine learning) that runs on your device. It is pattern math — not a chatbot — that looks at your own data and surfaces regularities: dashboard insights, “unusual-day” notices, your daily pain outlook, and “similar days in the past” notes. These are observational, not medical predictions or diagnoses.
6.2 Two models, both run on your device: a general model that ships with the app (trained on anonymised, aggregated data from users who signed up to help), and a personal model trained on your own computed features. Pattern detection is optional and off until you sign up for it. When you sign up, an anonymised summary of your computed features (never raw entries, never personally identifying information) is uploaded under your random identifier so your personal model can be trained and the general model can keep improving; the trained model is downloaded back to your device.
Lawful basis & explicit consent. Because these computed features are derived from your health data (special category data), we upload and process them only on the basis of your explicit consent, which you give when you create your pattern-detection account during sign-up. You can withdraw consent at any time by disconnecting in Settings, which stops further uploads and deletes the data you have uploaded from our servers. Withdrawing does not affect the lawfulness of processing before withdrawal.
6.3 Insight wording (OpenAI). To phrase an insight as a readable sentence in your language, we send a small, non-identifying descriptor to OpenAI’s API: which pattern was found, how strong it is, and your cycle phase. We do not send your name, email, account, or anything you typed. Per OpenAI’s API terms, they do not train their models on this content.
6.4 What activates personalization. Personalization is opt-in. Insights need enough of your own data to be meaningful — for example, cycle estimates appear once you’ve logged at least three cycles, and “What Helps Me” verdicts need roughly two weeks of entries with several instances of an activity. Effectiveness verdicts that contribute to anonymous, aggregated comparisons are hashed before leaving your device.
7. Service providers
We share limited data with processors under data-processing agreements:
| Provider | Purpose | What it receives | Identifier |
|---|---|---|---|
| Mixpanel | Product analytics | Anonymous usage events | Random identifier |
| Sentry | Crash reporting | Error traces, device info | Random identifier |
| RevenueCat | Subscription management | Purchase receipts, subscription status | Random identifier |
| GrowthBook | Feature configuration | App config flags (no health data) | — |
| Mailjet | Transactional/marketing email | Email address | Email address |
| OpenAI | Insight wording (6.3) | Non-identifying pattern descriptor | None |
| Microsoft Azure | Backend hosting | Account data + anonymous health features | See §3 |
| Apple / Google | Optional cloud backup (§5) | Full journal data (your account) | Apple/Google ID |
8. Storage, transfers & security
Data may be processed on servers outside your country; we rely on appropriate safeguards for international transfers. We protect data with HTTPS/TLS in transit; AES-256-GCM for ML-key encryption and Azure encryption at rest; bcrypt password hashing; short-lived access tokens stored in the iOS Keychain / Android EncryptedSharedPreferences. We do not log request bodies or full identifiers, and we never log emails alongside health data. We don’t store your payment-card details — payments are handled by Apple, Google, and RevenueCat under PCI-DSS.
9. Retention
- ML features / feedback / models: auto-deleted after 24 months of inactivity.
- Account data: kept until you delete your account.
- Analytics & crash data: anonymous, per Mixpanel’s and Sentry’s retention policies.
10. Categories of personal information (California)
For California residents, the following table lists the categories of personal information (as defined by the CCPA/CPRA) we have collected in the last 12 months, the purpose, and the categories of third parties to whom we disclose them for a business purpose. We have not sold personal information and have not shared it for cross-context behavioural advertising.
| CCPA category | Examples in ENdi | Collected? | Disclosed to (business purpose) |
|---|---|---|---|
| Identifiers | Email address; hashed account ID; random app/ML identifiers | Yes | Azure (hosting), Mailjet (email), Mixpanel/Sentry/RevenueCat (random ID only) |
| Account / commercial information | Subscription status, purchase receipts | Yes | RevenueCat, Apple/Google |
| Health & medical information | Symptoms, pain, mood, cycle, medications, computed health features | Yes (on device; only anonymous features leave the device if you opt in) | Azure (anonymous features); Apple/Google (only if cloud backup on) |
| Internet / device & usage activity | App-usage events, crash diagnostics, device type | Yes | Mixpanel, Sentry (random ID only) |
| Sensory / visual information | Photos you choose to attach | Only if you grant permission | Not disclosed (stored with your data) |
| Contacts | Care-team contacts you add | Only if you grant permission | Not disclosed (stored with your data) |
| Geolocation | — | No (precise location not collected) | — |
California residents may exercise the rights described below, including the right to know, delete, correct, and limit use of sensitive personal information, and the right not to be discriminated against for exercising them. Submit requests to info@endiapp.com.
11. Your choices and rights
In Settings you can: toggle Cloud Backup, Analytics, and Pattern detection (all default off); export all your data (machine-readable JSON); and delete your account, which removes your account record, all uploaded ML data, and all local data.
We aim to respond to requests within one month. Complete deletion from our backup systems may take up to 90 days. Subject to your jurisdiction (UK/EU GDPR, California CCPA/CPRA, and others) you may have rights to access, correct, delete, port, restrict, or object to processing of your data, to withdraw consent, and to lodge a complaint with a supervisory authority. We will not discriminate against you for exercising these rights. Contact info@endiapp.com.
12. Eligibility
ENdi is intended for users who are 18 years of age or older. The app is not directed to anyone under 18, and we do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a person under 18, we will delete it. If you believe someone under 18 has provided us data, contact info@endiapp.com.
13. Changes
We may update this policy and will post the new “Last updated” date here, notifying you of material changes. Questions: info@endiapp.com.