Privacy Policy — myCrescent

Last updated: 30 April 2026 · Version 2.2

myCrescent is built for people living with sickle cell disease. Because we process health information — one of the most sensitive categories of personal data under UK law — we want to be completely transparent about what we collect, why, where it goes, and your rights over it.

    The short version: Your health data is stored on your device and securely synced to your account in the cloud. It is encrypted in transit and at rest, protected by your authentication credentials, and is not accessible to anyone outside the service providers listed in this policy, who process it only to deliver the service. We never share, sell, or use your health data for advertising. You can export or delete everything at any time.
  

1. Who we are (data controller)

The data controller responsible for your personal data is:

Rayscent Ltd (trading as "myCrescent")

Company number: 17120455

Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

ICO registration: ZC117860

Contact: privacy@mycrescent.app

Rayscent Ltd is registered with the UK Information Commissioner's Office (ICO) and pays the statutory data protection fee as required by the Data Protection (Charges and Information) Regulations 2018.

2. What data we collect

2.1 Account data

Email address (required to create and recover your account)
Authentication credentials (password hash, or OAuth token from Google / Apple)
Premium subscription status and activation code
Date of account creation and last sign-in timestamps

2.2 Health data ("special category data" under UK GDPR Article 9)

The following fields are treated as special category data and are subject to stricter legal protection:

Blood test results: Hb, HbS%, HbF%, HbA%, ferritin, WBC, platelets, reticulocytes and related markers
Daily symptom check-ins (pain, fatigue, breathlessness, other wellbeing scores)
Crisis and hospitalisation episodes (severity, triggers, duration, notes)
Medication records, doses, and hydroxyurea adherence logs
Hydration and vaccination logs
Appointment history and reminders
Medical profile: sickle cell genotype, baseline Hb, weight, hospital, haematologist, analgesia protocol
Messages you send to the SicklySense AI assistant (see section 5)

2.3 Technical data

Limited redacted product analytics events, such as app opens, page visits, view changes, feature-use counts, and premium conversion events, without message contents or health form values
Limited redacted crash diagnostics needed to investigate frontend errors, such as page path, app version, error type, and redacted stack context
Crash and error reports with redacted diagnostics for frontend monitoring

2.4 What we do not collect

NHS number, National Insurance number, or any national ID
Precise location / GPS data
Contacts, photos, microphone, or camera access
Advertising identifiers
Card or bank details (handled by Stripe, not us)

3. Why we process your data (lawful basis)

Under UK GDPR we must identify a lawful basis for every category of processing. Because health data is special category data, we need a basis under both Article 6 and Article 9:

Purpose	Art. 6 basis	Art. 9 basis (health data)
Creating and operating your account	6(1)(b) — contract	n/a
Storing and syncing your health tracker data	6(1)(a) — consent	9(2)(a) — explicit consent
Running the SicklySense AI assistant	6(1)(a) — consent	9(2)(a) — explicit consent
Processing premium payments	6(1)(b) — contract	n/a
Sending service emails (magic links, receipts)	6(1)(b) — contract	n/a
Security, fraud prevention, rate limiting	6(1)(f) — legitimate interests	n/a
Product analytics and frontend crash/error monitoring	6(1)(a) — consent	9(2)(a) — explicit consent

Your explicit consent for health data processing is obtained through the in-app consent flow before synced health-data processing continues. Some accounts may still see the current Settings-based consent controls while the dedicated first-open consent screen rollout is completed. You can withdraw consent at any time from Settings → Privacy → Consent, which stops new cloud sync of health data and disables in-app analytics plus crash monitoring for your signed-in session. If you also want your account and stored data erased, you can separately choose deletion from the account controls.

4. Who we share data with (processors)

We use the following carefully selected third-party processors. Each one has a data processing agreement with Rayscent Ltd and processes data only on our documented instructions.

Processor	Purpose	Data shared	Location	Transfer mechanism
Supabase	Cloud database and authentication	Account + health data	EU (Frankfurt)	Within UK/EEA — no transfer
Vercel	App hosting, serverless functions, KV store	Email, session tokens, push subscriptions, encrypted medication names	EU edge + US	UK IDTA / EU SCCs
PostHog	Product analytics and frontend crash/error monitoring	Redacted usage events, crash diagnostics, and standard request metadata	EU cloud	UK IDTA / EU SCCs
Anthropic	SicklySense AI assistant	Your chat messages only (no name, email, or profile attached)	US	UK IDTA / EU SCCs
Stripe	Payment processing	Email, plan, payment amount (no card data seen by us)	EU + US	UK IDTA / EU SCCs
Resend	Transactional email (magic links, receipts)	Email address + message content	US	UK IDTA / EU SCCs
Google / Apple / Mozilla	Push notification delivery	Anonymous push endpoint + encrypted notification payload	US	UK IDTA / EU SCCs
Google / Apple (OAuth only)	Optional sign-in	Email + name from your Google/Apple account	US	UK IDTA / EU SCCs

We do not share your data with advertisers, data brokers, or marketing networks under any circumstances.

5. SicklySense AI assistant

The SicklySense AI assistant is powered by Anthropic's Claude model. When you use it:

Your messages are forwarded via our secure proxy to Anthropic's API
We do not attach your name, email, account ID, or profile to the request
Anthropic does not train on your data (per their API terms)
Messages are not permanently stored on our servers — only on your device
Do not include NHS numbers, date of birth, or other government identifiers in AI messages

The AI assistant is opt-in: a separate consent checkbox is shown before you can use it for the first time. You can disable it at any time from Settings → Privacy.

6. International transfers

Some of our processors (Anthropic, Stripe, Resend, Vercel US edge, push providers) are based in the United States. When personal data leaves the UK, we rely on one of the following legal safeguards:

The UK's adequacy regulations where they apply (e.g. the UK–US Data Bridge for certified US companies)
The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, signed with each processor

You can request a copy of the safeguards in place for any specific transfer by emailing privacy@mycrescent.app.

7. How long we keep your data (retention)

Data type	Retention period
Account data (email, auth)	For as long as your account is active, then 30 days after deletion request
Health data (cloud copy)	Deleted within 30 days of account deletion request
Health data (on your device)	Until you uninstall the app or clear storage
Magic link tokens	15 minutes
Session tokens	30 days (renewed on use)
Premium activation codes	Until redeemed, then 12 months for support
Payment records (Stripe metadata)	7 years (UK tax / accounting law requirement)
Redacted analytics and crash logs	Up to 24 months

8. Your rights under UK GDPR

You have the following rights over your personal data. We will respond to requests within one calendar month.

Right to be informed — this policy
Right of access (Art. 15) — request a copy of the data we hold about you, in a readable format
Right to rectification (Art. 16) — correct inaccurate data; most data is editable directly in the app
Right to erasure (Art. 17) — delete your account and all associated data via Settings → Account → Delete account, or by emailing us
Right to restrict processing (Art. 18) — ask us to pause processing while a dispute is resolved
Right to data portability (Art. 20) — export your data in CSV / JSON format via Settings → Data → Export
Right to object (Art. 21) — object to processing based on legitimate interests (e.g. security or fraud prevention)
Right to withdraw consent — withdraw your consent for health data processing at any time via Settings → Privacy → Consent
Rights relating to automated decision-making — we do not make automated decisions that produce legal or similarly significant effects about you

To exercise any of these rights, email privacy@mycrescent.app. We will verify your identity before releasing any data. Requests are free unless clearly unfounded or excessive.

9. How to complain

If you are unhappy with how we handle your data, please contact us first at privacy@mycrescent.app — we will always try to resolve concerns directly.

You also have the right to complain to the UK Information Commissioner's Office:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk/make-a-complaint

10. Data security

We take the security of your health data seriously. Our technical and organisational measures include:

Encryption in transit — TLS 1.2+ for all network traffic
Encryption at rest — AES-256 on Supabase (managed) and Vercel KV (via our own AES-256-GCM wrapper for sensitive fields)
Optional on-device encryption — set a passphrase in Settings to encrypt local data with AES-256-GCM (PBKDF2, 600,000 iterations)
PIN lock — optional 4-digit PIN that re-locks the app after 2 minutes in the background
Row-level security — Supabase RLS policies ensure only you can read your own data
Authentication — Supabase Auth with magic links, email verification, and OAuth (Google/Apple)
Rate limiting and abuse protection — on all public API endpoints
Regular security review — dependency updates, code review, vulnerability scanning
SOC 2 Type II processors — both Supabase and Vercel maintain SOC 2 compliance

11. Breach notification

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the risk is high, we will also notify you directly by email without undue delay.

12. Children and young people

Sickle cell disease often begins in childhood, so we recognise that children and their carers may want to use myCrescent.

Children aged 13 or over may create their own account and consent to health data processing (the digital age of consent in the UK under Art. 8 UK GDPR).
Children under 13 may not create an account. A parent or legal guardian may instead create a "carer profile" on their own account to track the child's data. In that case, the carer is responsible for the data and for obtaining any necessary consent from the child as they grow.
We ask for date of birth at signup to enforce this. If we become aware that a child under 13 has created an account directly, we will delete it.

13. Cookies

myCrescent does not use tracking cookies, advertising cookies, or cross-site fingerprinting. The app uses browser localStorage and IndexedDB only to hold your data locally. PostHog analytics and monitoring are configured with in-memory identity only rather than persistent cookies.

14. Changes to this policy

We will update this policy when our processing changes or when the law requires it. The "last updated" date at the top will change and, for significant changes (new processors, new purposes, changes to retention), we will notify you in the app and by email before the change takes effect.

15. Contact us

For any privacy question or to exercise your rights:

Privacy enquiries: privacy@mycrescent.app
General support: support@mycrescent.app
Postal: Rayscent Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

Rayscent Ltd is a company registered in England and Wales under company number 17120455. ICO registration ZC117860.