Privacy Policy
Last Updated: February 12, 2026
Effective Date: February 12, 2026
Table of Contents
- Introduction
- Data Controller Information
- Information We Collect
- Legal Basis for Processing
- How We Use Your Information
- Data Sharing and Disclosure
- Third-Party Services
- Data Security
- Data Retention
- International Data Transfers
- Your Privacy Rights
- California Privacy Rights (CCPA)
- European Union Rights (GDPR)
- Children's Privacy
- Automated Decision-Making
- Exclusions and Unsolicited Information
- Medical Disclaimer
- Changes to This Policy
- Contact Us
1. Introduction
Welcome to Migraine Trail ("we," "our," "us," or the "Company"). We are committed to protecting your privacy and ensuring the security of your personal information, particularly the sensitive health data you entrust to us.
This Privacy Policy explains how Migraine Trail collects, uses, discloses, stores, and protects your information when you use our mobile application (the "App"), website (migrainetrail.com), and related services (collectively, the "Services"). This policy applies to all users of our Services, regardless of location.
By using our Services, you consent to the practices described in this Privacy Policy. If you do not agree with this policy, please do not use our Services.
Important Notice for EU and California Residents: This Privacy Policy complies with the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Please see sections 12 and 13 for specific information about your rights.
2. Data Controller Information
Migraine Trail is the data controller responsible for your personal information. You can contact us at:
Migraine Trail
Email: hello@migrainetrail.com
Data Protection Officer: privacy@migrainetrail.com
Website: https://migrainetrail.com
For EU residents, our representative in the European Union can be contacted at the email addresses above.
3. Information We Collect
We collect different types of information depending on how you use our Services. This includes information you provide directly, information collected automatically, and information from third-party sources.
3.1 Account and Profile Information
When you create an account, we collect:
- Authentication Data: Email address, authentication tokens from Apple or Google if you use social sign-in
- Profile Information: Display name, country, biological sex (optional), age range (optional), migraine frequency (optional)
- Preferences: Period tracking enablement, theme selection, language preferences, notification settings
- Account Identifiers: Unique user ID, account creation date, last login timestamp
3.2 Health Data (Special Category Data)
This is the most sensitive category of data we collect. Under GDPR, health data is considered "special category" personal data requiring enhanced protection. We collect and process the following health information:
- Migraine Attack Records:
  - Start and end times, duration
  - Pain intensity level (1-10 scale)
  - Attack type (migraine, tension, cluster, aura-only, other)
  - Pain location (left/right front, back, whole head, neck)
  - Whether attack occurred during sleep
- Symptoms: Nausea, photophobia (light sensitivity), phonophobia (sound sensitivity), aura, visual disturbances, neck pain, dizziness, and other reported symptoms
- Triggers: Potential migraine triggers including food/drink, environmental factors, stress, sleep changes, hormonal factors, weather sensitivity
- Premonitory Symptoms: Warning signs before attacks (prodrome symptoms)
- Medications and Treatments:
  - Acute medications taken during attacks (name, dosage, timing, unit)
  - Preventative treatments (name, dosage, start/end dates, category)
  - Effectiveness ratings for medications
  - Relief methods tried (sleep, cold compress, dark room, etc.)
- Menstrual Cycle Data: Period start/end dates, flow intensity, cycle-related symptoms (if period tracking is enabled)
- Health Conditions: Comorbidities and other health conditions you choose to track (neurological, cardiovascular, hormonal, mental health, etc.) with severity levels
- Activity Impact: How attacks affected your daily activities (work, social, sleep, concentration)
- Notes: Free-form text notes you add to entries, which may contain additional health information
3.3 Voice Recordings
When you use the voice logging feature:
- Audio Recordings: Temporary voice recordings of your migraine descriptions
- Transcriptions: Text extracted from your voice recordings
- Processing: Voice data is processed in real-time by Google's Gemini API to extract structured health information (symptoms, triggers, medications, intensity)
- Storage: Audio recordings are immediately deleted after processing and are never permanently stored. Only the extracted text and structured data are saved to your journal
- Usage Limits: We track the number of voice entries you've used per billing period for free tier limits
3.4 Location Data
If you grant location permission:
- Approximate Location: ZIP code or city-level location (not precise GPS coordinates) for weather-based risk forecasting
- Location Permission Status: Whether you've granted precise or approximate location access
- Purpose: Used exclusively to provide local weather-based migraine risk forecasts
- Sharing: Location data is shared with our weather data provider to fetch forecasts but is not stored permanently or used for any other purpose
3.5 Device and Technical Information
When you use our App, we automatically collect:
- Device Information: Device model, manufacturer, operating system and version, unique device identifiers, enabled device accessibility features (e.g., text size, hearing features)
- App Information: App version, build number, installation date, last update date
- Usage Data: Features used, screens viewed, session duration, crash logs, error reports
- Network Information: IP address (anonymized), connection type (WiFi/cellular), general geographic region (country/region)
- Performance Data: App performance metrics, load times, API response times
3.6 Subscription and Payment Information
We do not directly collect or store payment information. All payments are processed through Apple App Store or Google Play Store. We receive from these platforms:
- Subscription status (free, premium monthly, premium annual, lifetime)
- Purchase receipts and transaction IDs (for verification)
- Subscription start and renewal dates
- Purchase country/region
Your payment card details are handled exclusively by Apple or Google and are not accessible to us.
3.7 Communications
If you contact us:
- Email correspondence and support tickets
- Feedback, feature requests, and bug reports submitted through the App
- Survey responses (when voluntary surveys are conducted)
3.8 Analytics and Cookies
On our website and through the App, we collect:
- Website Analytics: Page views, referral sources, time on site, user flows (via PostHog)
- Product Analytics: Feature usage, user journeys, conversion funnels, retention metrics
- Cookies: Session cookies, authentication tokens, preference cookies. See our Cookie Policy for details
3.9 HealthKit and Google Health Connect
With your explicit permission, we may connect to third-party services like Apple HealthKit and Google Health Connect to automatically import health and activity data into the app.
- Data Imported: We only read data you explicitly authorize, such as sleep patterns.
- Strict Limitations: HealthKit data will never be used for marketing, advertising, or use-based data mining, including by third parties. We do not sell HealthKit or Google Health Connect data to advertising platforms, data brokers, or information resellers.
- Revoking Access: You can revoke access at any time in your device's Health app settings.
3.10 Information We Do NOT Collect
For transparency, we explicitly do not collect:
- Precise GPS location (only approximate city/ZIP code level)
- Voice recording files (deleted immediately after processing)
- Contact lists or phone numbers
- Photos or camera access (except if you explicitly share screenshots for support)
- Microphone access outside of voice logging feature
- Social media profile data beyond basic authentication info
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on the following legal grounds:
4.1 Consent (Article 6(1)(a) and Article 9(2)(a) GDPR)
We process special category health data based on your explicit consent. When you create an account and begin logging health information, you provide explicit, informed consent for us to process your health data for the purposes described in this policy.
You may withdraw your consent at any time by deleting your account, which will permanently delete all associated data.
4.2 Contractual Necessity (Article 6(1)(b) GDPR)
Processing is necessary to provide the Services you've requested, including:
- Creating and managing your account
- Syncing data across your devices
- Processing subscriptions and access control
- Providing customer support
4.3 Legitimate Interests (Article 6(1)(f) GDPR)
We process certain data based on our legitimate interests, which include:
- Improving and optimizing our Services
- Ensuring security and preventing fraud
- Analyzing usage patterns to develop new features
- Marketing our Services (with opt-out options)
We have carefully balanced these interests against your privacy rights and only process data where we believe our legitimate interest is not overridden by your rights.
4.4 Legal Obligations (Article 6(1)(c) GDPR)
We may process data to comply with legal obligations, such as:
- Responding to lawful requests from authorities
- Complying with tax and accounting requirements
- Maintaining records as required by law
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Core Service Provision
- Store and organize your migraine attack records in a secure database
- Sync your data across multiple devices when signed in
- Process voice recordings to extract attack details using AI
- Generate weather-based migraine risk forecasts for your location
- Calculate statistics, patterns, and insights from your health data
- Create visualizations and reports of your migraine patterns
- Send notifications for active attack check-ins (if enabled)
- Send weather risk alerts for high-risk conditions (Premium feature, if enabled)
5.2 Analytics and Improvement
- Analyze aggregated, de-identified usage patterns to improve the App
- Identify and fix bugs, crashes, and technical issues
- Measure feature adoption and user engagement
- Conduct A/B testing for new features (using de-identified cohorts)
- Optimize app performance and user experience
- Develop new features based on usage patterns
5.3 Communications
- Respond to your support inquiries and feedback
- Send important service announcements and updates
- Notify you of policy changes or new features
- Send promotional emails about our Services (with opt-out)
5.4 Security and Fraud Prevention
- Verify your identity and prevent unauthorized access
- Detect and prevent fraudulent subscriptions or abuse
- Monitor for security threats and vulnerabilities
- Enforce our Terms of Service
5.5 Legal and Compliance
- Comply with legal obligations and regulatory requirements
- Respond to lawful requests from authorities
- Protect our legal rights and interests
- Resolve disputes
5.6 Research and Aggregated Insights
We may use aggregated and de-identified health data to:
- Conduct research on migraine patterns and triggers at population level
- Generate anonymized statistics about migraine prevalence
- Improve our weather risk forecasting algorithms
- Publish anonymized insights about migraine trends
Important: Aggregated research data is fully anonymized and cannot be traced back to individual users. We never sell or share individual health records.
5.7 Apple AppTrackingTransparency (ATT)
For iOS devices, we may use Apple's AppTrackingTransparency (ATT) framework to help us improve our advertising and user acquisition. If you see the "Ask App Not to Track" prompt and allow tracking, Apple shares your device's advertising ID (IDFA) and non-health metadata (like subscription status) with our mobile attribution partners. We absolutely never share your health data, migraine records, or symptom logs with advertising partners, regardless of your ATT choice. You can change your consent at any time in your iOS device Settings.
6. Data Sharing and Disclosure
We do not sell your personal information to third parties. We only share your data in the limited circumstances described below.
6.1 Service Providers and Processors
We share data with trusted third-party service providers who assist in operating our Services. These providers act as "data processors" under GDPR and are contractually obligated to:
- Process data only for specified purposes
- Maintain appropriate security measures
- Not use data for their own purposes
- Delete or return data upon termination
Our service providers include:
- Cloud Infrastructure: Cloudflare (data hosting, CDN, security)
- Database: Cloudflare D1 (SQLite-based database storage)
- Authentication: Apple Sign-In, Google Sign-In (identity verification)
- Voice Processing: Google Gemini API (AI-powered voice transcription and extraction)
- Weather Data: Weather API providers (for risk forecasting based on your location)
- Subscription Management: RevenueCat (subscription status and receipt validation)
- Analytics: PostHog (product analytics and usage insights)
- Email: Email service providers for transactional and support communications
6.2 Business Transfers
If Migraine Trail is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice in the App before your data is transferred and becomes subject to a different privacy policy.
6.3 Legal Requirements and Protection
We may disclose your information if required to do so by law or in response to:
- Valid legal requests (subpoenas, court orders, warrants)
- Requests from law enforcement or government agencies
- Protection of our rights, property, or safety
- Protection of users' safety or public safety
- Prevention of fraud or illegal activity
We will carefully review any such requests and will only disclose the minimum information necessary. Where legally permitted, we will notify you of such requests.
6.4 With Your Consent and Partner Sharing
We may share your information with third parties when you explicitly authorize us to do so, such as:
- When you export a PDF report to share with your healthcare provider
- When you explicitly request data to be shared for a specific purpose
- Partner Sharing: If we offer features allowing you to share your status with a caregiver, partner, or family member, they will have read-only access strictly limited to the information you choose to share. We collect only the name and email of the partner to set up their view-only access, and no health data is collected from the partner themselves.
6.5 Aggregated and De-identified Data
We may share aggregated, de-identified, or anonymized data that cannot be used to identify you, including:
- Statistical insights about migraine patterns
- Anonymized research data
- Usage statistics and trends
This data is not considered personal information under privacy laws.
7. Third-Party Services
Our Services integrate with the following third-party services. Each has its own privacy policy governing how they handle your data:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Cloudflare | Hosting, CDN, security | All app data, IP addresses | View |
| Apple Sign-In | Authentication | Apple ID token, email (optional) | View |
| Google Sign-In | Authentication | Google account token, email | View |
| Google Gemini API | Voice processing AI | Voice recordings (temporary), transcriptions | View |
| RevenueCat | Subscription management | User ID, subscription status, receipts | View |
| PostHog | Product analytics | Usage events, device info, anonymized user ID | View |
| Weather API | Weather forecasting | Approximate location (ZIP code) | Varies by provider |
We carefully select service providers that maintain strong security and privacy practices. However, we cannot control these third parties' privacy practices. We encourage you to review their privacy policies.
8. Data Security
We implement comprehensive security measures to protect your personal information, particularly your sensitive health data.
8.1 Technical Safeguards
- Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption (HTTPS)
- Encryption at Rest: Health data stored in our database is encrypted using AES-256 encryption
- Secure Authentication: Passwords are hashed using industry-standard algorithms; we support passwordless authentication and two-factor authentication via Apple/Google
- API Security: All API endpoints require authentication tokens; rate limiting prevents abuse
- Voice Data: Audio recordings are encrypted during transmission and immediately deleted after processing
8.2 Organizational Safeguards
- Access Controls: Strict role-based access; only authorized personnel can access user data
- Confidentiality Agreements: All team members and contractors sign confidentiality agreements
- Security Training: Regular privacy and security training for staff
- Incident Response: Documented procedures for detecting and responding to security breaches
- Regular Audits: Periodic security audits and penetration testing
8.3 Infrastructure Security
- Hosted on Cloudflare's secure, SOC 2 Type II certified infrastructure
- DDoS protection and web application firewall (WAF)
- Automated backups with encryption
- Monitoring and logging of suspicious activity
8.4 Data Breach Notification
In the unlikely event of a data breach involving your personal information, we will:
- Notify affected users within 72 hours of discovering the breach (as required by GDPR)
- Report the breach to relevant supervisory authorities if required
- Provide details about what data was affected and steps we're taking
- Offer guidance on how to protect yourself
Important: While we implement industry-leading security measures, no system is 100% secure. You play a role in security by keeping your device secure, using strong authentication, and not sharing your account credentials.
9. Data Retention
We retain your personal information only as long as necessary for the purposes outlined in this policy, or as required by law.
9.1 Active Accounts
While your account is active, we retain:
- Health Data: Indefinitely, as this is the core value of the Service (you can delete entries individually or delete your entire account)
- Account Information: As long as your account exists
- Usage Data: Up to 2 years for analytics and improvement purposes
9.2 Deleted Accounts
When you delete your account:
- Immediate Deletion: All health data, entries, and personal information are immediately flagged for deletion
- Complete Deletion: Data is permanently deleted from production databases within 30 days
- Backup Deletion: Data is purged from backup systems within 90 days
- Analytics: Anonymized analytics data may be retained indefinitely as it cannot identify you
9.3 Inactive Accounts
If your account has been inactive (no sign-ins) for more than 3 years, we may:
- Send email notifications warning of potential account deletion
- Delete the account if you do not respond within 60 days
- This helps us minimize data retention and reduce security risks
9.4 Legal Retention Requirements
We may retain certain data longer if required by law, such as:
- Financial records and transaction data (up to 7 years for tax purposes)
- Data relevant to legal disputes or investigations
- Communications related to regulatory compliance
10. International Data Transfers
Migraine Trail operates globally, and your data may be transferred to and processed in countries other than your country of residence.
10.1 Data Hosting Locations
Your data is primarily hosted on Cloudflare's global network, which may store data in data centers located in:
- United States
- European Union
- United Kingdom
- Other Cloudflare data center locations worldwide
10.2 Adequacy and Safeguards
For EU/EEA users, we ensure appropriate safeguards for international transfers:
- Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with our data processors
- Adequacy Decisions: We transfer data to countries that the EU Commission has determined provide adequate protection
- Additional Safeguards: Technical measures like encryption, access controls, and security assessments
10.3 Your Consent to Transfers
By using our Services, you consent to the transfer of your information to countries outside your jurisdiction, which may have different data protection laws. However, we ensure that appropriate safeguards are in place regardless of where your data is processed.
11. Your Privacy Rights
You have important rights regarding your personal information. These rights may vary depending on your location, but generally include:
11.1 Right to Access
You can request a copy of all personal information we hold about you. To exercise this right:
- Email us at privacy@migrainetrail.com
- We will provide your data in a structured, commonly used format (JSON or CSV)
- Response time: within 30 days (may be extended by 30 days for complex requests)
11.2 Right to Rectification
You can update or correct your personal information:
- Update profile information directly in the App (Settings → Profile)
- Edit health entries at any time through the Journal
- Contact us to correct data you cannot edit yourself
11.3 Anonymous Mode / Guest Browsing
We are exploring methods to allow you to log data locally on your device without linking an email or authentication token. Currently, an account is required to sync data across devices. If you wish to use the app anonymously without cloud backups, please log out (note that deleting the app will permanently delete local data if not synced).
11.4 Right to Deletion ("Right to be Forgotten")
You can request deletion of your personal information:
- Delete your account in the App (Settings → Manage Account → Delete Account)
- Email us at privacy@migrainetrail.com to request deletion
- We will delete your data as described in section 9.2
- Note: We may retain certain data if required by law or for legitimate business purposes (e.g., fraud prevention)
11.5 Right to Data Portability
You can export your data:
- Premium users can export PDF reports directly from the App
- Request a full data export (CSV/JSON) by emailing privacy@migrainetrail.com
- We will provide your data in a machine-readable format within 48 hours
11.6 Right to Object
You can object to certain processing of your data:
- Opt out of marketing emails by clicking "unsubscribe" in any promotional email
- Disable analytics by contacting us
- Object to processing based on legitimate interests by emailing us
11.7 Right to Restrict Processing
You can request that we limit how we use your data:
- While we verify the accuracy of contested data
- As an alternative to deletion when data is needed for legal claims
- While we assess your objection to processing
11.8 Right to Withdraw Consent
Where processing is based on consent, you can withdraw consent at any time:
- Revoke location permission in your device settings
- Revoke microphone permission in your device settings
- Disable notifications in the App settings
- Delete your account to withdraw consent for health data processing
Note: Withdrawing consent does not affect the lawfulness of processing before withdrawal.
11.9 Right to Lodge a Complaint
If you believe we have violated your privacy rights, you can:
- Contact us first at privacy@migrainetrail.com - we will work to resolve your concern
- Lodge a complaint with your local data protection authority (for EU residents)
- File a complaint with the relevant regulatory body in your jurisdiction
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights.
12.1 Categories of Personal Information We Collect
In the past 12 months, we have collected the following categories of personal information (as defined by CCPA):
- Identifiers: Email address, user ID, device ID
- Protected Classification Characteristics: Biological sex, age range (optional)
- Commercial Information: Subscription status, purchase history
- Internet Activity: Usage data, app interactions, device information
- Geolocation Data: Approximate location (ZIP code level)
- Audio/Visual Data: Voice recordings (temporary, immediately deleted)
- Health Information: Migraine attack records, symptoms, medications, triggers (see section 3.2)
- Inferences: Migraine patterns, trigger correlations, medication effectiveness
12.2 Sources of Personal Information
We collect personal information from:
- Directly from you (account creation, health entries, voice logging)
- Automatically from your device (usage data, device information)
- Third-party authentication providers (Apple, Google)
- Third-party subscription platforms (Apple App Store, Google Play Store)
12.3 Business Purposes for Collection
We use personal information for the business purposes described in section 5.
12.4 Sale and Sharing of Personal Information
We do NOT sell your personal information. In the past 12 months, we have not sold any personal information of California residents.
We do not "share" personal information for cross-context behavioral advertising as defined by CPRA.
12.5 Sensitive Personal Information
Under CPRA, "sensitive personal information" includes health data. We collect and use sensitive personal information (your health data) only for purposes that are necessary to provide our Services and as disclosed in this Privacy Policy.
You have the right to limit the use of your sensitive personal information. To exercise this right, contact us at privacy@migrainetrail.com.
12.6 Your California Rights
California residents have the following rights:
Right to Know
You can request disclosure of:
- Categories of personal information collected
- Categories of sources
- Business purposes for collection
- Categories of third parties we share with
- Specific pieces of personal information we've collected about you
Right to Delete
You can request deletion of your personal information, subject to certain exceptions.
Right to Correct
You can request correction of inaccurate personal information.
Right to Opt-Out
While we do not sell personal information, you can opt out of any potential future sales by contacting us.
Right to Limit Use of Sensitive Personal Information
You can limit our use and disclosure of sensitive personal information (health data) to what is necessary to provide our Services.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not:
- Deny you goods or services
- Charge different prices or rates
- Provide a different level or quality of services
- Suggest that you will receive different pricing or services
12.7 Exercising Your California Rights
To exercise your rights:
- Email: privacy@migrainetrail.com
- Subject Line: "California Privacy Rights Request"
- Include: Your name, email address, and specific right you're exercising
We will verify your identity before processing your request. You may designate an authorized agent to make requests on your behalf by providing written authorization.
Response time: Within 45 days (may be extended by 45 days for complex requests with notice).
12.8 "Shine the Light" Law
California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.
13. European Union Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).
13.1 Legal Basis for Processing
See section 4 for detailed information about the legal basis for each type of processing.
13.2 Special Category Data (Health Data)
Your health information constitutes "special category data" under Article 9 of the GDPR, which requires explicit consent and enhanced protections. We process this data based on your explicit consent (Article 9(2)(a)) and only for the purposes you've authorized.
13.3 Your GDPR Rights
In addition to the rights outlined in section 11, EU residents have:
- Right to Erasure: Request deletion of your personal data (see section 11.4, Right to Deletion)
- Right to Restriction of Processing: Request that we limit our use of your data in certain circumstances
- Right to Object: Object to processing based on legitimate interests or for direct marketing
- Right Not to be Subject to Automated Decision-Making: See section 15
- Right to Lodge a Complaint: File a complaint with your local supervisory authority
13.4 Data Protection Officer
You can contact our Data Protection Officer at:
Data Protection Officer
Email: privacy@migrainetrail.com
13.5 EU Representative
For EU-specific inquiries, our EU representative can be contacted at the same email address above.
13.6 Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority. You can find your local authority at: https://edpb.europa.eu/about-edpb/board/members_en
13.7 Data Transfers Outside the EU
See section 10 for information about international data transfers and the safeguards we implement.
14. Children's Privacy (COPPA)
Our Services are not intended for children under the age of 13 (or 16 in the European Economic Area, United Kingdom, Canada, and India).
We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at privacy@migrainetrail.com.
If we become aware that we have collected personal information from a child under 13 without parental consent, we will take immediate steps to delete that information from our servers.
14.1 Age Verification
While we do not actively verify the age of users, we ask users to confirm they are at least 13 years old (or 16 in the EEA) during account creation. Our Terms of Service require users under 18 to have parental or guardian supervision.
14.2 For Parents and Guardians
If your child is between 13 and 17 years old and wishes to use our Services:
- We recommend reviewing this Privacy Policy and our Terms of Service with them
- Discuss the sensitivity of health information and online privacy
- Monitor their use of the App
- You may exercise rights on their behalf by contacting us
15. Automated Decision-Making
We use limited automated processing to provide our Services:
15.1 Weather Risk Forecasting
Our weather-based migraine risk score is calculated automatically using an algorithm that analyzes barometric pressure, humidity, temperature, and wind patterns. This is not a medical diagnosis and is provided for informational purposes only.
15.2 Voice Processing
Voice recordings are processed by Google's Gemini AI to automatically extract attack details (symptoms, intensity, medications). You can review and edit all extracted information before saving.
15.3 Pattern Recognition
We automatically generate insights from your data (e.g., "Most attacks occur on Monday"). These are informational and do not make automated decisions that have legal or similarly significant effects on you.
15.4 Your Rights
Under GDPR, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our automated processing does not fall into this category, as it is:
- Informational only (not legally binding)
- Subject to human review (you can edit all data)
- Used to enhance your experience, not make decisions about you
If you have concerns about automated processing, contact us at privacy@migrainetrail.com.
16. Exclusions and Unsolicited Information
This Privacy Policy does not apply to any unsolicited information you provide to us through public channels, such as social media pages, forums, or directly via email or support tickets regarding new product ideas, feature requests, or business proposals (collectively, "Unsolicited Information").
All such Unsolicited Information shall be deemed to be non-confidential, and we shall be free to reproduce, use, disclose, and distribute such Unsolicited Information to others without limitation or attribution. Please do not share any sensitive personal or health information in public forums or social media comments.
17. Medical Disclaimer
Not Medical Advice: Migraine Trail is designed to help you track, analyze, and communicate your health data. However, under no circumstances is our App meant to make a medical diagnosis, provide treatment recommendations, or replace professional medical advice. For a proper diagnosis of your medical condition or treatment plan, we strongly advise you to consult a licensed physician or relevant healthcare professional.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in our data practices
- New features or services
- Legal, regulatory, or operational requirements
- Improvements to our privacy practices
18.1 Notification of Changes
When we make material changes to this policy, we will:
- Update the "Last Updated" date at the top of this page
- Notify you via email if you have an account
- Display a prominent notice in the App
- For significant changes, request your renewed consent where required by law
18.2 Your Continued Use
Your continued use of our Services after the effective date of changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of our Services and may delete your account.
18.3 Previous Versions
You can request previous versions of this Privacy Policy by contacting us at privacy@migrainetrail.com.
19. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
General Inquiries
Email: hello@migrainetrail.com
Privacy and Data Protection
Email: privacy@migrainetrail.com
Data Protection Officer: privacy@migrainetrail.com
California Privacy Rights
Subject Line: "California Privacy Rights Request"
Email: privacy@migrainetrail.com
EU/GDPR Inquiries
Email: privacy@migrainetrail.com
Response Time
We aim to respond to all inquiries within 5 business days. For formal data subject requests under GDPR or CCPA, we will respond within the legally required timeframes (typically 30-45 days).