Is my IVF data private?

Yes. TrackMyIVF uses a "Local-First" architecture. Your data is stored on your device, not in the cloud. We cannot see, sell, or leak your data.

Does it track medications?

Yes. The app includes a comprehensive medication tracker with reminders and injection site rotation logging.

Can my partner see my progress?

Partner Sync is coming soon. This feature will allow you to share your timeline and updates with your partner automatically.

What is the Two Week Wait (TWW)?

The Two Week Wait is the period between embryo transfer and the pregnancy test. TrackMyIVF provides specific emotional support and symptom tracking during this high-anxiety phase.

Security at TrackMyIVF

Local-first storage. Defense in Depth. Data Minimization.

1. Our Security Philosophy

We treat your data with the care medical records deserve. Our security model is based on Defense in Depth and Data Minimization. Specific framework certifications (HIPAA, SOC 2, ISO 27001) are not currently in place; this page describes only the practices we presently implement and can verify.

2. Storage and Transport

Local-first: Your fertility data is stored on your device by default in a local database (WatermelonDB). It does not leave your device unless you opt in to a sync or backup feature.
In Transit: When you do enable sync or sign in, data moves over TLS (Transport Layer Security) — the same standard used by online banking. We use strict HSTS to prevent protocol downgrade.
Key Management: Where the platform supports it, secrets are stored in the device hardware enclave (iOS Keychain / Android Keystore). We do not have access to your device-side keys.
At-rest encryption: Specific algorithm claims about server-side at-rest encryption are intentionally omitted until independent verification is in place. See our privacy page for what we currently store and why.

3. Infrastructure Posture

Our cloud infrastructure is hosted on Vercel and Supabase. We rely on each provider's documented security posture and follow their recommended hardening defaults. We do not currently make independent SOC 2, ISO 27001, or HIPAA claims of our own.

Access Control: Strict Principle of Least Privilege (PoLP) for engineering staff.
Rate limiting: Public APIs are rate limited to deter abuse.

4. Incident Response

In the event of a data breach, we are committed to transparency. We will notify affected users without undue delay, consistent with GDPR and applicable US breach notification laws.

5. Vulnerability Disclosure (Bug Bounty)

If you believe you have found a security vulnerability in TrackMyIVF, please report it to security@trackmyivf.com. We operate a "Safe Harbor" policy: we will not pursue legal action against researchers who report vulnerabilities in good faith and do not exploit user data.