Privacy Policy — myCrescent

Last updated: 29 March 2026

myCrescent is built for people living with sickle cell disease. We take your health data seriously. This policy explains exactly what we collect, where it lives, and who can see it.

    The short version: Your health data is stored on your device and securely synced to the cloud via your account. Only you can access it. We never share, sell, or use your health data for advertising.
  

1. Data we store

When you create an account, the following data is stored locally on your device and securely synced to the cloud (hosted by Supabase) so you never lose it:

Blood test results (Hb, HbS%, HbF%, HbA%, ferritin, WBC, platelets, reticulocytes, etc.)
Daily symptom check-ins (pain, fatigue, breathlessness scores)
Crisis and hospitalisation episodes
Medication records and hydroxyurea adherence logs
Hydration tracking
Appointment reminders
Medical profile (name, age, weight, SCA type, hospital, haematologist)
Emergency card details (baseline Hb, analgesia protocol)
Carer profiles
App preferences and settings

Cloud data is associated with your account and protected by your authentication credentials. You can export all your data at any time using the in-app data export feature.

2. Account and authentication

An account is required to use myCrescent. You can sign in with Google, Apple, or email and password. We store:

Your email address — to identify your account and enable cloud sync
Your health data — securely synced to our cloud database (Supabase) so it's available across devices
Your premium subscription status — to manage your plan

Your email is never shared, sold, or used for marketing without your consent.

3. AI assistant (SicklySense)

When you use the SicklySense AI assistant, your messages are sent to Anthropic (the AI provider) via our secure server proxy. The following applies:

Messages are processed in real time and are not permanently stored on our servers
We do not attach your name, email, or profile data to AI requests
Anthropic processes messages in accordance with their own privacy policy
Do not include sensitive identifiers (NHS number, date of birth) in AI messages

4. Payments

Premium subscriptions are processed by Stripe. We do not see or store your card details. When a payment completes:

Stripe sends us your email address and the plan purchased
We generate a one-time activation code and email it to you via Resend
The code and your email are stored in our secure database (Vercel KV) to enable account recovery

Stripe's privacy policy: stripe.com/privacy

5. Analytics and tracking

We use Vercel Analytics to collect anonymous, aggregate usage data. This helps us understand how the app is used so we can improve it. Vercel Analytics:

Does not use cookies or fingerprinting
Does not track individual users across sessions
Collects page views, device type, browser, and approximate country/region only
Is fully GDPR-compliant by design

We do not use advertising networks, remarketing pixels, or any other third-party tracking. Vercel's privacy policy: vercel.com/legal/privacy-policy

6. Cookies

myCrescent does not use cookies for tracking. The app uses browser localStorage to persist your data between sessions on the same device.

7. Children's privacy

myCrescent is not directed at children under 13. Carers using the app to track data for a child are responsible for that data. The child's health data is stored locally on the carer's device only.

8. Your rights (UK GDPR)

Because your health data is stored only on your device, you have complete control over it at all times. For data we do hold (your email address for premium accounts):

Right of access: Contact us to request a copy of any data we hold about you
Right to erasure: Request deletion of your account and associated data
Right to portability: Use the in-app backup feature to export all your health data at any time

To exercise these rights, email: support@mycrescent.app

9. Data security

Your health data is synced to our cloud database hosted by Supabase, which maintains SOC 2 Type II compliance. All communication is encrypted in transit using HTTPS/TLS. Data at rest is encrypted on Supabase's servers. Authentication is handled via Supabase Auth with support for OAuth (Google, Apple) and email/password with email verification. Our server infrastructure runs on Vercel, which also maintains SOC 2 compliance.

10. Changes to this policy

If we make significant changes to this privacy policy, we will update the date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.

11. Contact

Questions about this policy or your data:

Email: support@mycrescent.app
Support: support@mycrescent.app