1. Introduction
This Privacy Policy describes how OpenSafety (“OpenSafety”, “we”, “us”, or “our”) collects, uses, discloses, stores, and protects information when you use the OpenSafety mobile application for Android and iOS (the “App”), marketed as OpenSafety - Healthcare Network, and related websites or services we operate (together, the “Services”).
OpenSafety is designed for authorised healthcare professionals to:
- Report adverse drug reactions (ADRs) and product quality concerns (PQC) for pharmacovigilance; and
- Participate in a professional social network for healthcare practitioners (posts, comments, messaging, groups, and related features).
By creating an account, signing in, or using the App, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, do not use the App.
For questions about how we handle your data, contact us at ceo@opensafety.io.
2. Scope and important notices
2.1 Who this policy applies to
This policy applies to registered users of the App. Some information you submit in safety reports may relate to patients or other individuals. You must only include patient or third-party information that you are legally permitted to share, and you should minimise identifiable data (for example, use patient initials rather than full names where possible).
2.2 Not medical advice
The App facilitates reporting and professional communication. It does not provide medical advice, diagnosis, or treatment. Report content is processed for safety reporting and pharmacovigilance, not for clinical care through the App.
2.3 Regulatory reporting
ADR and PQC reports may be transmitted to marketing authorisation holders (pharmaceutical companies), regulatory authorities, and other parties as required by pharmacovigilance and product-quality laws. Once submitted, a report may need to be retained even if you later delete your account, as described in Section 9.
2.4 Eligibility and children
The App is intended for users who are at least 18 years old and who are healthcare professionals or otherwise authorised to submit safety reports in their jurisdiction. We do not knowingly collect personal data from children under 13 (or the minimum age in your country). The App is not directed at children.
2.5 Device permissions (Android & iOS)
The App does not require access to your device location, camera, or microphone for core features. You may grant access indirectly when you select photos, videos, or files from your device to attach to reports, posts, or messages (via the system file or media picker). Push notifications are optional and use a device token only if you enable notifications.
3. Information we collect
We collect information in the ways below. Some fields are required to create an account or submit a report; others are optional.
3.1 Account and profile information
| Data | Examples | Purpose |
|---|---|---|
| Identity & contact | Full name, email, phone, country | Account, authentication, support |
| Professional details | Qualification, workplace, headline, about | Profile and professional context |
| Profile media | Profile photo (if uploaded) | Personalise profile |
| Career information | Work experience, education (if added) | Professional profile |
| Credentials | Password (hashed by auth provider) | Sign-in security |
| Account identifiers | Internal user ID, member ID | Operate the App |
We may send a confirmation email when you sign up. You must accept our Terms and Conditions and this Privacy Policy to register.
3.2 ADR (adverse drug reaction) report data
When you create or submit an ADR report, we may collect:
- Reporter: linked to your account
- Patient information (if provided): initials, age, age group, gender, date of birth, weight, height, pregnancy status, concomitant medicines, medical history, condition at administration
- Suspected product(s): drug name, company, dose, route, frequency, indication, dates, batch number, dechallenge/rechallenge
- Reaction / event: terms, onset dates, seriousness criteria, outcomes, lab values, treatment
- Follow-ups and attachments: notes, documents, images, metadata
- Report metadata: draft/submitted status, case number, timestamps
Patient-related fields may constitute health-related personal data or special category data under laws such as the GDPR. Enter only what is necessary for pharmacovigilance.
3.3 PQC (product quality concern) report data
- Product details (drug name, company, batch, dates)
- Description of the quality issue and actions taken
- Attachments you upload from your device
3.4 Drafts stored on your device
Incomplete ADR and PQC reports may be saved as drafts using encrypted secure storage on your device until you submit, delete the draft, or delete your account.
3.5 Professional social and messaging
- Posts (text, images, videos, polls, attachments)
- Comments, reactions, poll votes, update views
- Follow, block, and mute relationships
- Direct messages and group chats (content, timestamps, read status, attachments)
- In-app and push notification state
- Moderation reports you file
Other users may see your name, profile photo, workplace, headline, and similar profile fields according to App settings.
3.6 Jobs, updates, and other in-app content
We may collect information about job listings you browse, safety updates you view, and diagnostics related to social modules where applicable.
3.7 Device, technical, and usage data
- Device type, OS, App version, language/locale, theme preference (local)
- IP address, request timestamps, error logs (hosting providers)
- Push token: Firebase Cloud Messaging (FCM) token when notifications are enabled
- Analytics (if Firebase is configured): usage events, app instance ID; may be linked to your user ID when signed in. If Firebase is not configured, analytics are not collected.
3.8 Information from third parties
We do not buy personal data from data brokers. We may receive authentication confirmations from our auth provider and content you attach from your device.
4. How we use your information
We use personal data to:
- Provide the Services — accounts, authentication, profiles, reporting, social features
- Process safety reports — drafts, submission, case numbers, follow-ups
- Discharge pharmacovigilance obligations — share reports with MAHs and regulators as required
- Operate the professional network — feeds, messaging, notifications, moderation
- Send communications — account email, password reset, optional push notifications
- Improve security and quality — abuse detection, debugging, analytics, performance
- Comply with law — lawful requests, Terms enforcement, regulatory retention
- Exercise or defend legal claims where permitted
We do not sell your personal data.
5. Legal bases for processing (EEA, UK, and similar)
| Processing | Typical legal basis |
|---|---|
| Account and App operation | Contract and legitimate interests |
| ADR/PQC reporting and sharing | Legal obligation, public interest, and/or legitimate interests |
| Social features | Contract and legitimate interests |
| Push notifications | Consent (device settings) |
| Analytics | Legitimate interests or consent where required |
| Retention of submitted reports | Legal obligation and legitimate interests |
You may have the right to object to certain processing based on legitimate interests (see Section 10).
7. International data transfers
Service providers may process data in countries other than your own (for example, where Supabase or Google operate data centres). Where required, we use safeguards such as Standard Contractual Clauses or equivalent. Contact us for details relevant to your region.
8. Data security
We implement measures including:
- HTTPS/TLS for data in transit
- Encrypted secure storage for report drafts on your device
- Encryption at rest for direct message content in our database
- Access controls and authentication for backend systems
- Restricted production data access for authorised personnel
No method is completely secure. Keep your password confidential and use a secure device.
9. Data retention
| Data type | Retention |
|---|---|
| Account and profile | Until account deletion, plus short backup/log periods |
| Draft reports | Until you submit the report, delete the draft, or delete your account |
| Submitted ADR/PQC reports | Often years per pharmacovigilance law, even after account deletion where permitted |
| Social content | Until you delete it or your account is deleted |
| Push tokens | Until you sign out, disable notifications, or delete your account |
| Analytics | Per Firebase/Google settings if enabled |
| Logs | Limited retention for security and operations |
Account deletion via the in-app process removes your account, profile, and associated user-generated data from our systems, except where retention is required for legal, regulatory, or safety reasons (including submitted safety reports).
10. Your choices and rights
Depending on your country, you may have rights to:
- Access your personal data
- Correct inaccurate data
- Delete your account and associated data
- Restrict or object to certain processing
- Request data portability where applicable
- Withdraw consent (e.g. push via device settings)
- Lodge a complaint with your data protection authority
10.1 Delete your account in the App
- Open Settings in the App
- Tap Delete account
- Confirm deletion
This permanently deletes your account, profile, drafts, and associated user data, subject to regulatory retention of submitted safety reports. This cannot be undone. If deletion fails, contact ceo@opensafety.io.
10.2 Push notifications
You can disable push notifications in your device settings or in the App's notification preferences.
10.3 Advertising
We do not use your data for third-party advertising. Service messages may still be sent for account and safety purposes.
11. Region-specific information
11.1 India (Digital Personal Data Protection Act)
If you are in India, you may have rights of access, correction, erasure, and grievance redressal. Contact us at ceo@opensafety.io.
11.2 California (CCPA/CPRA)
California residents may have rights to know, delete, and correct personal information, and to opt out of “sale” or “sharing” for cross-context behavioural advertising. We do not sell or share personal information for cross-context behavioural advertising.
11.3 Other regions
Users in other jurisdictions may have similar rights. Contact us to exercise them.
12. Third-party links
The App may open external websites. We are not responsible for third-party privacy practices. Review their policies before providing personal data.
13. Changes to this policy
We may update this policy with a new “Last updated” date and, where required, notify you through the App or email. Continued use after changes take effect constitutes acceptance, unless otherwise required by law.
14. Contact us
For privacy questions, support, rights requests, or complaints, email ceo@opensafety.io.
We aim to respond within 30 days (or as required by local law).