MigraineBot Privacy Policy v.1.1
Introduction
Thank you for using MigraineBot (the “Service”). MigraineBot is a headache tracking application available as a Telegram mini app (Telegram bot @MigraineAppBot) and via our web interface (e.g. at pain-tracker.app). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use MigraineBot. We are committed to protecting your privacy and handling your data in a transparent and secure manner. Please note that MigraineBot is a personal diary and reminder tool for tracking pain and symptoms – it does not provide medical advice or treatment recommendations.
Data Controller and Contact
The Service is operated by Vitalii Rizo, a private individual. For the purposes of data protection laws (such as the EU GDPR), Vitalii Rizo is the “Data Controller” of your personal data processed through MigraineBot. You can contact the Data Controller at:
- Name: Vitalii Rizo
- Address: Adlergestell 371, 12527 Berlin, Germany
- Email: vitalii.rizo@gmail.com
If you have any questions or requests regarding your personal data, please feel free to contact us using the details above.
What Data We Collect
We only collect data that is necessary to provide and improve the MigraineBot service. This includes:
- Account Information: When you use MigraineBot via Telegram, we receive your basic Telegram profile information such as your user ID and username (and any content you send to the bot). If you use our web version, we collect information you provide during registration (such as your email address) and any login credentials (stored securely, e.g. hashed passwords).
- Diary Entries (User-Provided Data): The core of MigraineBot is your migraine diary. We collect the data you input about your headaches and related details (for example, pain intensity, symptoms, triggers, dates/times, notes, etc.). Warning: Some of this information may be about your health (e.g. pain levels, medications taken, symptoms), which is considered sensitive personal data. You choose what to log, and by entering this data you consent to our processing it for the purposes of the Service.
- Usage and Technical Data: When you access the web interface, our servers and security services (see Cloudflare below) may automatically collect basic technical information such as your IP address, device type, browser type, and usage timestamps. We use this data to ensure the Service functions properly, to secure the Service (e.g. prevent DDoS attacks), and for debugging performance issues. This data is generally collected through server logs and cookies or similar technologies for session management. (MigraineBot does not use any advertising or analytics trackers.)
- Communication Data: If you contact us via email or other means for support, we may keep a record of that correspondence and any contact information you provide (such as your email address) in order to respond to you.
MigraineBot does not collect any unnecessary personal information. For example, we do not ask for your real name, address (except as required for contact if you provide it), or payment information (the app is free to use). We also do not intentionally collect any data from your device beyond what is listed above.
How We Use Your Data
We process your personal data only for the purposes of providing and improving the Service, and not for any unrelated purposes. Specifically, we use the collected data to:
- Provide the Migraine Tracking Service: We use your diary entries and account info to enable you to log and review your migraine history. This includes storing your entries, displaying them back to you in the app, and maintaining your account (login, Telegram chat context, etc.).
- Generate Reports and Insights: The Service automatically processes your logged data to create weekly and monthly summary reports (for example, counting how many migraines occurred in a month, or highlighting patterns). These reports are shown to you within the app to help you identify trends. This automated processing is solely for your benefit and does not involve any automated decision-making that affects you legally or significantly – it’s just summarizing the data you provided.
- Send Reminders: MigraineBot can send you reminder notifications to fill in your diary (for instance, a daily or weekly reminder if you opt-in to such notifications). We use your contact data (Telegram ID or email, as applicable) and usage history to determine when to send reminders. You can manage or disable reminders at any time through the app settings.
- Ensure Security and Prevent Abuse: We use technical data (like IP addresses and usage logs) to protect the Service and its users against unauthorized access, spam, or attacks. For example, we rely on Cloudflare’s security services to mitigate DDoS attacks and malicious traffic. This may involve processing of IP addresses and device information to filter out harmful requests and keep the Service stable and secure.
- Communicate with You: If you reach out with questions, support requests, or bug reports, we will use your contact information to communicate with you and resolve issues. We may also send important service or policy updates to your registered email if necessary (but we do not send marketing emails, and we have no newsletter).
- Comply with Legal Obligations: If we are required by law to process or disclose your data (for example, responding to a lawful court order or regulatory inquiry), we will only do so in accordance with applicable data protection laws.
We will not use your personal data for any form of advertising or share it with third parties for marketing. We do not sell your data. All processing is tightly related to providing you with the headache tracking service you signed up for.
Legal Bases for Processing (GDPR)
Under the EU General Data Protection Regulation (GDPR), we must have a valid legal basis to process your personal data. We rely on the following legal grounds:
- Performance of a Contract: When you sign up and use MigraineBot, you are effectively entering into a service agreement (even if the service is free). Most of our data processing is to fulfill our obligations to you under that agreement – for example, processing your diary inputs and account data is necessary for providing the service you requested. Without this data, we cannot deliver the core functionality (tracking your migraines and generating reports).
- User Consent (for Sensitive Data): Because some information you enter may relate to your health (which is a special category of personal data under GDPR), we rely on your explicit consent to process that data. By using MigraineBot and inputting your migraine-related information, you consent to our handling of this health-related data solely for the purposes of providing the diary and reports to you. You have the right to withdraw your consent at any time (see “Your Rights” below), but note that if you do so, we may not be able to continue providing the Service since it relies on processing the diary entries you provide.
- Legitimate Interests: In certain cases, we process some personal data to pursue our legitimate interests, for example: maintaining the security of our platform, preventing fraud/abuse, and improving the usability of the Service. When we rely on legitimate interests, we ensure that our interests are not overridden by your data-protection rights. For instance, using Cloudflare to protect our service against attacks is in our legitimate interest (keeping the service available and secure) and does not unduly infringe on users’ privacy, since such processing is limited and for security purposes only.
- Legal Obligation: If we ever have to process or disclose data to comply with a legal obligation (such as tax law record-keeping or responding to government requests), that would be under the legal obligation basis. We will inform you where required if such a situation occurs.
Data Sharing and Third-Party Processors
MigraineBot is a private service, and we treat your data with care. We do not share your personal data with third-party companies for their own uses. However, we do use a few trusted service providers (processors) to help us run MigraineBot, and your data may be processed through or stored on their systems as follows:
- Hosting Provider (FastVPS): MigraineBot’s databases and servers are hosted on FastVPS data centers located in the European Union (currently in Germany and Finland). FastVPS acts as our infrastructure provider, which means that the data you enter into MigraineBot is stored on their servers. We have ensured that FastVPS maintains appropriate security measures and complies with applicable data protection requirements. All data remains physically within the EU.
- Cloudflare (DDoS Protection and DNS): We utilize Cloudflare’s services to protect MigraineBot from distributed denial-of-service attacks and to ensure reliable, fast delivery of our website content. This means that when you interact with MigraineBot (especially via the web interface), your requests pass through Cloudflare’s global content delivery network. What Cloudflare sees: Cloudflare will process certain technical data such as your IP address, device and browser information, and URLs requested, in order to filter malicious traffic and cache content. Cloudflare operates as a Data Processor on our behalf for these purposes. We have a standard Data Processing Addendum (DPA) in place with Cloudflare to safeguard your data. Cloudflare is a U.S.-based company, but it is committed to GDPR compliance and provides appropriate safeguards (including Standard Contractual Clauses) for any data transfers outside the EU.
- PostHog: We use PostHog EU Cloud to understand basic usage patterns (for example: how often the “Add Entry” button is clicked). The cluster is hosted on AWS in Germany; we have a Data Processing Agreement with PostHog (signed 23 June 2025) that includes Standard Contractual Clauses. No raw diary text is sent to PostHog. All analytics events are processed exclusively in the EU (PostHog EU Cloud, Frankfurt). Therefore no additional transfer mechanism is required for this sub-processor.
- Telegram Platform: If you use the Telegram bot interface for MigraineBot, your interactions with the bot are transmitted via Telegram’s servers (which are operated by Telegram Messenger Inc.). Telegram will have access to the messages you send to the bot (as with any Telegram chat). However, Telegram generally only relays this content to our Service and stores messages per their own privacy policy. Once received through Telegram, your diary data is stored in our database (hosted on FastVPS as above). We recommend you also review Telegram’s own privacy policy if you have concerns, as Telegram is an independent data controller for data processed on their platform.
Aside from the above services, we do not use any other third-party analytics, advertising, or marketing services that would involve sharing your personal data. We do not disclose your data to any third parties unless one of the following applies: (1) With your explicit consent: if you instruct us to share data with someone (for example, if in the future you choose to integrate MigraineBot with another app, which is not currently applicable); or (2) For legal reasons: if we are compelled by a valid legal process (such as a court order or government regulation) to disclose certain data. In any case, we will only share the minimum required information and will inform you whenever possible.
Data Storage and Security
We understand that your migraine diary entries are personal and sensitive. We take appropriate security measures to protect your data against unauthorized access or disclosure. These measures include:
- Encrypted Transmission: The communication between your device and our servers is secured using HTTPS/TLS encryption. Whether you are using the web app or the Telegram bot, your data in transit is encrypted. (Telegram chats are also encrypted between your app and Telegram’s servers, and our server’s connection to Telegram is via a secure API.)
- Secure Storage: We store your data on servers located in secure facilities (FastVPS data centers in the EU). We use access controls to ensure that only authorized personnel (in this case, the developer/administrator) can access the server and database. Passwords (if you use email registration) are stored in hashed form, and we do not store plaintext passwords.
- Cloudflare Security: By leveraging Cloudflare, we add an extra layer of protection against common web threats (malicious bots, DDoS attacks, etc.). Cloudflare’s firewall and filtering help block suspicious or malicious traffic before it reaches our servers.
- No Unnecessary Data: We minimize the personal data we store. For example, we do not collect extraneous identifiers. By limiting data collection to only what is needed for the service, we reduce the risk exposure.
- Monitoring and Updates: We monitor the Service for any security issues and keep our software and libraries up-to-date with security patches. In the event of any data breach or security incident affecting your personal data, we will notify affected users and the relevant authorities as required by law.
Please note that while we strive to protect your data, no method of transmission or storage is 100% secure. However, we continuously work to maintain a high level of security. You also play a role in keeping your data safe: for example, if you use the web version, choose a strong password and keep it confidential. If you suspect any unauthorized access to your account or data, please contact us immediately.
Data Retention
How long do we keep your data? MigraineBot is designed to help you track long-term patterns in your migraine history, so by nature we aim to keep your diary records for as long as you continue to use the Service. Our data retention policy is as follows:
- We will retain your personal data (account information and diary entries) indefinitely as long as your account remains active, because ongoing retention is necessary to provide you with historical tracking and reports over time (which is the main goal of the app). We consider an account active as long as you sign in or log some data at least once within any 6-month period. Regular usage ensures your data stays available to you and continues to accumulate for long-term statistics.
- If you become inactive for an extended period (for example, you do not use the app at all for over 6 months), we reserve the right to delete or anonymize your data. This is to protect your privacy (we won’t keep personal data indefinitely if it’s no longer being used) and to manage storage resources. However, we do not currently enforce automatic deletion at the 6-month mark. In practice, this means if you return after a long break, your past data may still be available. We will update this policy or inform you if we introduce routine deletion of long-inactive accounts in the future.
- Regardless of the above, you always have the option to request deletion of your data at any time (see “Your Rights” below). If you request account deletion, we will erase your personal data from our systems (except any data we are required to keep by law).
- Some minimal data may be kept in backups or logs for a short duration even after deletion, but such data will be securely destroyed on the next backup rotation and is not accessible in the live system. Also, if we are required by law to retain certain information (for example, transaction records or communications in case of legal disputes), we will retain that specific information only for as long as legally mandated.
In summary, we aim to store your data for as long as it is useful and needed for you to use MigraineBot, and no longer. We cannot practically offer very short automatic retention periods (like deleting data after a few weeks or months of inactivity) because that would undermine the purpose of tracking long-term migraine patterns. But we balance this by giving you control over your data and the ability to purge it if you wish.
Your Rights
As a user of MigraineBot and as a data subject under applicable data protection laws (like GDPR, if you are in the EU), you have several important rights regarding your personal data. We are committed to upholding these rights. Below is an overview of your rights and how you can exercise them:
1. Right to Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it. In the MigraineBot app, you can directly access most of your data (your diary entries, account info, etc.). Additionally, we provide a "Report" or export feature within the interface that allows you to download your entire log/history in a user-friendly format. If you need a more comprehensive report or have trouble using the export feature, you can contact us and we will provide you with your data.
2. Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. You can edit or delete entries in your migraine diary through the app interface. If there is account information (like your email) that needs updating, you can also update it in the app or by contacting us for assistance. We encourage you to keep your information up to date so we can serve you best.
3. Right to Erasure: Commonly known as the “right to be forgotten,” you can request that we delete your personal data. You can achieve this either by using any account deletion function provided (if available) or by contacting us directly to request deletion. Upon such a request, we will erase your data from our active databases, unless we have a lawful basis to keep certain data (for example, if required for legal obligations). Once deleted, your diary entries and account info will be permanently removed or anonymized so they can no longer be linked to you. (Do note that deletion of your data means we can no longer provide the Service to you.)
4. Right to Restrict Processing: You have the right to ask us to restrict or pause the processing of your data in certain circumstances. For instance, if you contest the accuracy of your data or have objected to processing (see below), you can request a restriction until the issue is resolved. While restricted, we will store your data but not actively use it (aside from storing it securely) until the restriction is lifted.
5. Right to Object: You have the right to object to certain types of processing of your data. For example, if we were to process your data for direct marketing (which we do not do), you could object and opt out. You can also object if you feel our legitimate interest processing (see the Legal Bases section) impacts your rights – in such cases, we will review your objection and stop or adjust processing unless we have compelling legitimate grounds to continue.
6. Right to Data Portability: You have the right to obtain your personal data in a structured, commonly used, machine-readable format, and to have that data transmitted to another service (if technically feasible), under the conditions of GDPR. The MigraineBot "report export" feature is designed to give you a portable record of your data (for example, a CSV or PDF report of your migraine logs), which you could potentially import into another application or simply keep for your own records. If you need assistance with data portability, let us know.
7. Right to Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time. In MigraineBot, the primary use of consent is for processing your health-related diary data. You can withdraw consent by discontinuing use of the diary and requesting deletion of your data. Withdrawing consent will not affect the lawfulness of any processing we already performed while we had your consent. However, note that if you withdraw consent for processing your migraine diary data, we will likely be unable to continue providing the core service to you (since that data is necessary for the app to function).
8. Right to Lodge a Complaint: If you believe that we have violated your privacy rights or applicable data protection laws, you have the right to file a complaint with a supervisory data protection authority. You may do this in the EU member state where you live, work, or where the alleged infringement occurred. For example, in Germany you could contact the Berlin Commissioner for Data Protection. We would, however, appreciate the chance to address your concerns directly before you approach a regulator – so please feel free to contact us about any issues and we will do our best to resolve them promptly.
Exercising Your Rights: You can exercise most of the rights above by contacting us at vitalii.rizo@gmail.com. Please describe your request clearly and with enough detail (for example, what data you want to access or delete). We may need to verify your identity before fulfilling certain requests (to ensure we don’t give your data to the wrong person or delete the wrong account). We will respond to your request as soon as possible, and at most within the timeframe required by law (generally within 30 days for GDPR-related requests). There is no fee for making a request, though manifestly unfounded or excessive requests may be refused or may incur a reasonable fee as permitted by law.
Children’s Privacy
MigraineBot is not intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16 years old. If you are under 16, you must have permission from a parent or legal guardian to use this Service, and they should review and consent to this Privacy Policy on your behalf. If we become aware that we have inadvertently collected personal information from a child under 16 without appropriate consent, we will take steps to delete such information as soon as possible. If you are a parent or guardian and discover that your child under 16 has been using MigraineBot without your consent, please contact us and we will remove the data. (The age limit may be lower in certain jurisdictions if allowed by local law – for example, 13 in some countries – but since our service is primarily offered from the EU and we choose to be cautious, we use 16 as the default minimum age for consent to data processing.)
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on our website (and via the Telegram bot interface where applicable) and update the “last modified” date. If the changes are significant, we may also notify you through additional means, such as sending an email to the address on file or providing a notice in the app. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of MigraineBot after any changes to this Policy will signify your acceptance of the updated terms.
Contact Us
If you have any questions or concerns about this Privacy Policy or about how MigraineBot handles your data, please do not hesitate to reach out: vitalii.rizo@gmail.com. We value your privacy and will gladly address any issues or clarifications you need.
Thank you for trusting MigraineBot with your headache tracking. We are dedicated to keeping your data safe and your privacy respected while you use the Service. Enjoy using MigraineBot to gain insights into your migraine patterns, and rest assured that your personal information is handled responsibly.
Change log
- 23 Jun 2025 (v1.1): Added details of PostHog EU Cloud analytics cluster and signed DPA.
- 16 Jun 2025 (v1.0): Initial version of the Privacy Policy.