Pain Tracker App Privacy Policy v.1.4
Introduction
Thank you for using Pain Tracker App (the "Service"). Pain Tracker App is a headache tracking application available as a Telegram mini app (Telegram bot @MigraineAppBot) and via our web interface (e.g. at pain-tracker.app and web.pain-tracker.app). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Pain Tracker App. We are committed to protecting your privacy and handling your data in a transparent and secure manner. Please note that Pain Tracker App is a personal diary and reminder tool for tracking pain and symptoms – it does not provide medical advice or treatment recommendations.
Data Controller and Contact
The Service is operated by Vitalii Rizo, a private individual. For the purposes of data protection laws (such as the EU GDPR), Vitalii Rizo is the "Data Controller" of your personal data processed through Pain Tracker App. You can contact the Data Controller at:
- Name: Vitalii Rizo
- Address: Adlergestell 371, 12527 Berlin, Germany
- Email: vitalii.rizo@gmail.com
If you have any questions or requests regarding your personal data, please feel free to contact us using the details above.
What Data We Collect
We only collect data that is necessary to provide and improve the Pain Tracker App service. This includes:
- Account Information: When you use Pain Tracker App via Telegram, we receive your basic Telegram profile information such as your user ID and username (and any content you send to the bot). If you use our web version, we collect information you provide during registration (such as your email address) and any login credentials (stored securely, e.g. hashed passwords).
- Diary Entries (User-Provided Data): The core of Pain Tracker App is your migraine diary. We collect the data you input about your headaches and related details (for example, pain intensity, symptoms, triggers, dates/times, notes, medications, etc.). Warning: Some of this information may be about your health (e.g. pain levels, medications taken, symptoms), which is considered sensitive personal data under applicable law. You choose what to log, and by entering this data you consent to our processing it for the purposes of the Service.
- Usage and Technical Data: When you access the web interface, our servers and security services (see Cloudflare below) may automatically collect basic technical information such as your IP address, device type, browser type, and usage timestamps. We use this data to ensure the Service functions properly, to secure the Service (e.g. prevent DDoS attacks), and for debugging performance issues. This data is generally collected through server logs and cookies or similar technologies for session management. On the web version, we use a cookie banner; analytics are only enabled if you choose "Accept all" (see Cookies and Similar Technologies below).
- Communication Data: If you contact us via email or other means for support or privacy requests, we may keep a record of that correspondence and any contact information you provide (such as your email address) in order to respond to you.
- Notification and Preference Data: Reminder settings, Telegram link status, push subscription data when enabled, and consent or preference records (e.g. analytics consent, notification preferences) are stored as necessary to provide the features you have chosen.
Pain Tracker App does not collect any unnecessary personal information. For example, we do not ask for your real name or postal address, and we do not collect payment information (the app is free to use); contact details you volunteer when you write to us are kept only to handle that correspondence. We also do not intentionally collect any data from your device beyond what is listed above.
How We Use Your Data
We process your personal data only for the purposes of providing and improving the Service, and not for any unrelated purposes. Specifically, we use the collected data to:
- Provide the Migraine Tracking Service: We use your diary entries and account info to enable you to log and review your migraine history. This includes storing your entries, displaying them back to you in the app, and maintaining your account (login, Telegram chat context, etc.).
- Generate Reports and Insights: The Service automatically processes your logged data to create summary reports (for example, counting how many migraines occurred in a period, or highlighting patterns). These reports are shown to you within the app to help you identify trends. This automated processing is solely for your benefit and does not involve any automated decision-making that affects you legally or similarly significantly – it is just summarizing the data *you* provided.
- Send Reminders: Pain Tracker App can send you reminder notifications to fill in your diary (for instance, via Telegram, email, or push when you opt in). We use your contact data (Telegram ID or email, as applicable) and reminder settings to send these. You can manage or disable reminders at any time through the app settings.
- Ensure Security and Prevent Abuse: We use technical data (like IP addresses and usage logs) to protect the Service and its users against unauthorized access, spam, or attacks. For example, we rely on Cloudflare's security services to mitigate DDoS attacks and malicious traffic. This may involve processing of IP addresses and device information to filter out harmful requests and keep the Service stable and secure.
- Communicate with You: If you reach out with questions, support requests, or bug reports, we will use your contact information to communicate with you and resolve issues. We may also send important service or policy updates to your registered email if necessary. Optional product-update or marketing emails (if enabled by you) are opt-in, controllable in settings, and include unsubscribe functionality.
- Comply with Legal Obligations: If we are required by law to process or disclose your data (for example, responding to a lawful court order or regulatory inquiry), we will only do so in accordance with applicable data protection laws.
We will not use your personal data for any form of advertising or share it with third parties for marketing. We do not sell your data. All processing is tightly related to providing you with the headache tracking service you signed up for.
Legal Bases for Processing (GDPR)
Under the EU General Data Protection Regulation (GDPR), we must have a valid legal basis to process your personal data. We rely on the following legal grounds:
- Performance of a Contract (Article 6(1)(b) GDPR): When you sign up and use Pain Tracker App, you are effectively entering into a service agreement (even if the service is free). Most of our data processing is to fulfill our obligations to you under that agreement – for example, processing your diary inputs and account data is necessary for providing the service you requested. Without this data, we cannot deliver the core functionality (tracking your migraines and generating reports).
- User Consent (Article 6(1)(a) and, where applicable, Article 9(2)(a) GDPR): Because some information you enter may relate to your health (which is a special category of personal data under GDPR), we rely on your explicit consent to process that data. By using Pain Tracker App and inputting your migraine-related information, you consent to our handling of this health-related data solely for the purposes of providing the diary and reports to you. You have the right to withdraw your consent at any time (see "Your Rights" below), but note that if you do so, we may not be able to continue providing the Service since it relies on processing the diary entries you provide.
- Legitimate Interests (Article 6(1)(f) GDPR): In certain cases, we process some personal data to pursue our legitimate interests, for example: maintaining the security of our platform, preventing fraud/abuse, and improving the usability and reliability of the Service. When we rely on legitimate interests, we ensure that our interests are not overridden by your data-protection rights. For instance, using Cloudflare to protect our service against attacks is in our legitimate interest (keeping the service available and secure) and does not unduly infringe on users' privacy, since such processing is limited and for security purposes only.
- Legal Obligation (Article 6(1)(c) GDPR): If we are required to process or disclose data to comply with a legal obligation (such as tax law record-keeping or responding to government requests), we do so under this basis. We will inform you where required by law if such a situation occurs.
Data Sharing and Third-Party Processors
Pain Tracker App is a private service, and we treat your data with care. We do not share your personal data with third-party companies for their own uses. However, we do use a few trusted service providers (processors) to help us run Pain Tracker App, and your data may be processed through or stored on their systems as follows:
- Hosting Provider (FastVPS): Pain Tracker App's databases and servers are hosted on FastVPS infrastructure (FASTVPS Eesti OÜ). Infrastructure is based on Hetzner facilities in Germany (European Union). FastVPS acts as our infrastructure provider; the data you enter into Pain Tracker App is stored on their servers. We have ensured that FastVPS maintains appropriate security measures and complies with applicable data protection requirements. All data remains physically within the EU.
- Cloudflare (Cloudflare, Inc.): We utilize Cloudflare's services to protect Pain Tracker App from distributed denial-of-service attacks and to ensure reliable, fast delivery of our website content (including CDN and static content delivery). When you interact with Pain Tracker App via the web interface, your requests may pass through Cloudflare's network. What Cloudflare sees: Cloudflare will process certain technical data such as your IP address, device and browser information, and URLs requested, in order to filter malicious traffic and deliver content. Cloudflare operates as a Data Processor on our behalf for these purposes. We have a standard Data Processing Addendum (DPA) in place with Cloudflare to safeguard your data. Cloudflare, Inc. is a U.S.-based company, but it is committed to GDPR compliance and provides appropriate safeguards (including Standard Contractual Clauses) for any data transfers outside the EEA.
- Cloudflare Workers AI: When you use the free-form journal entry feature (sending a text message to the bot describing your headache), we use Cloudflare Workers AI to extract structured diary data (e.g. pain intensity, triggers, medications) from your message. Your message text is sent to Cloudflare Workers AI solely for this extraction; the extracted data is stored in our database. Cloudflare Workers AI processes data on Cloudflare's infrastructure and is covered by the same Cloudflare DPA and safeguards as above.
- PostHog EU Cloud (PostHog, Inc.): We use PostHog EU Cloud for product analytics and operational usage/error events (EU region configuration) in both the web and Telegram mini app versions. The cluster is hosted in the EU; we have a signed Data Processing Agreement with PostHog, Inc. that includes Standard Contractual Clauses where applicable. No raw diary text is sent to PostHog. All analytics events are processed exclusively in the EU. On the web version, analytics (including session recordings) are only activated if you give consent via the cookie banner ("Accept all"). In the Telegram mini app, we use the same analytics to improve the service; we do not show a cookie banner there, and disclosure and consent for this processing are provided when you accept this Privacy Policy at the start of the bot.
- Brevo (Sendinblue): We use Brevo (operated by Sendinblue, France) for transactional email delivery (for example signup, login, password reset, verification, and reminder emails). Brevo processes only the data necessary to deliver these emails on our behalf and acts as a Data Processor. We maintain processor terms (including a DPA where required) as part of our compliance records.
- Telegram Platform (Telegram Messenger Inc.): If you use the Telegram bot or mini app for Pain Tracker App, your interactions are transmitted via Telegram's servers (operated by Telegram Messenger Inc.). Telegram will have access to the messages you send to the bot (as with any Telegram chat). Telegram acts under its own terms and privacy policy as an independent data controller for data processed on their platform. Once received through Telegram, your diary data is stored in our database (hosted on FastVPS as above). We recommend you review Telegram's privacy policy if you have concerns.
We do not share personal data with third parties for their own advertising purposes. Aside from the above services, we do not use any other third-party analytics, advertising, or marketing services that would involve sharing your personal data. We do not disclose your data to any third parties unless: (1) With your explicit consent, or (2) For legal reasons – if we are compelled by a valid legal process (such as a court order or government regulation) to disclose certain data. In any case, we will only share the minimum required information and will inform you whenever possible.
International Data Transfers
Our primary application and database hosting is in the EU (Germany-based infrastructure). Where a provider may process or access data outside the European Economic Area (e.g. global security/CDN operations or vendor support), we apply appropriate safeguards required by applicable law, such as Standard Contractual Clauses and equivalent transfer mechanisms where applicable.
Cookies and Similar Technologies
Web version
The web version uses cookies and browser storage for: essential functionality (session/authentication and security); technical storage (e.g. language/UI state and Telegram context handoff); and analytics storage where you have granted analytics consent. The web version shows a simple cookie banner with two choices: Essential only or Accept all. If you choose "Essential only", analytics is not activated. If you choose "Accept all", analytics-related processing is enabled for web usage.
Landing pages (public website)
Our landing pages currently use only essential technologies needed to deliver content and keep the site secure and functional (for example, security and anti-abuse processing via Cloudflare, and technical language handling). We currently do not activate analytics or marketing cookies on landing pages. Because only essential technologies are used there at this time, a consent banner is not shown on landing pages.
Cloudflare may set strictly necessary security cookies when needed for bot management, abuse prevention, or challenge flows. These are used for security and service integrity, not for advertising.
Telegram mini app version
In Telegram, authentication and context are primarily provided through Telegram WebApp mechanisms rather than regular website cookie flows. We use the same product analytics (PostHog) in the Telegram mini app as on the web (e.g. usage events and session recordings to improve the service). We do not show a cookie banner in the Telegram mini app: users accept this Privacy Policy when they start the bot for the first time (as part of Telegram's start flow), and that acceptance, together with the disclosure in this policy, covers analytics and other processing in the Telegram context. Technical processing for Telegram context is described in this policy and in the Data Sharing section above.
Data Storage and Security
We understand that your migraine diary entries are personal and sensitive. We take appropriate security measures to protect your data against unauthorized access or disclosure. These measures include:
- Encrypted Transmission: The communication between your device and our servers is secured using HTTPS/TLS encryption. Whether you are using the web app or the Telegram bot, your data in transit is encrypted. (Telegram bot chats are encrypted in transit between your app and Telegram's servers, but they are not end-to-end encrypted, so Telegram itself can read them, as noted in the Data Sharing section; our server communicates with Telegram's Bot API over HTTPS.)
- Secure Storage: We store your data on servers located in secure facilities (FastVPS/Hetzner in Germany, EU). We use access controls so that only authorized personnel can access the server and database. Passwords (if you use email registration) are stored in hashed form; we do not store plaintext passwords. Session tokens are stored hashed on backend systems.
- Cloudflare Security: By leveraging Cloudflare, we add an extra layer of protection against common web threats (malicious bots, DDoS attacks, etc.). Cloudflare's firewall and filtering help block suspicious or malicious traffic before it reaches our servers.
- No Unnecessary Data: We minimize the personal data we store and limit collection to what is needed for the service to reduce risk exposure.
- Monitoring and Updates: We monitor the Service for security issues and keep our software and libraries up-to-date with security patches. In the event of a personal data breach, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it as required by GDPR Article 33 (unless the breach is unlikely to result in a risk to you), and we will inform affected users directly where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34).
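As an added illustration of the two storage practices named above (hashed passwords, and session tokens that are stored only as hashes), the following Python snippet is example code written for this page, not Pain Tracker App's own implementation. The dictionary standing in for the database, the scrypt work factors, and the `scrypt$<salt>$<hash>` record layout are assumptions for the example; the point it demonstrates is that a copy of the stored records yields neither a usable password nor a replayable session cookie.

```python
# Example code (not Pain Tracker App's implementation). Shows how password
# hashing and hashed session-token storage keep a leaked database from being
# directly usable. The dict used as a "database" is an assumption for the demo.
import hashlib
import hmac
import os
import secrets

# scrypt work factors: assumption for the example, tune to the server's hardware.
# Memory use is 128 * r * N bytes (16 MiB here), within hashlib's default maxmem.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a record 'scrypt$<salt-hex>$<hash-hex>' with a fresh random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute scrypt with the stored salt; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, expected)


def _token_key(token: str) -> str:
    # Session tokens are random and high-entropy, so a fast unsalted hash is
    # sufficient; the server never stores the token the client actually holds.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(user_id: int, sessions: dict) -> str:
    """Create a session: the client gets the raw token, the DB keeps its SHA-256."""
    token = secrets.token_urlsafe(32)
    sessions[_token_key(token)] = user_id
    return token


def resolve_session(token: str, sessions: dict):
    """Look up the user for a presented token; None if unknown (or from a DB dump)."""
    return sessions.get(_token_key(token))


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(verify_password("correct horse battery staple", users["alice"]))  # True
    sessions = {}
    cookie = issue_session(42, sessions)
    print(resolve_session(cookie, sessions))  # 42
    # A leaked DB holds only the digest, which does not resolve as a token:
    print(resolve_session(next(iter(sessions)), sessions))  # None
```

Because the stored session value is a one-way hash of the cookie, an attacker who reads the sessions table cannot present it to the server; logging a user out is simply deleting the row. The password side uses a memory-hard KDF with a per-user salt so that a dumped table cannot be attacked with precomputed tables, and comparison goes through `hmac.compare_digest` to avoid a timing side channel.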
Please note that no method of transmission or storage is completely secure. We continuously work to reduce risk and improve controls. You also play a role in keeping your data safe: for example, if you use the web version, choose a strong password and keep it confidential. If you suspect any unauthorized access to your account or data, please contact us immediately.
Data Retention
How long do we keep your data? Pain Tracker App is designed to help you track long-term patterns in your migraine history, so we aim to keep your diary records for as long as you continue to use the Service. Our data retention policy is as follows:
- We retain your personal data (account information and diary entries) for as long as your account is active and required to provide the Service, because ongoing retention is necessary to provide you with historical tracking and reports over time. We consider an account active as long as you sign in or log data periodically. We do not currently enforce automatic account deletion solely due to inactivity; if we introduce routine deletion of long-inactive accounts in the future, we will update this policy or inform you.
- Free-form journal entry context: When you use the free-form text feature (e.g. sending "7, stress, ibuprofen" to the bot), we temporarily store a small context record (including your last message and state) to support multi-turn flows (e.g. overwrite confirmation, consent). This context is retained for up to 7 days and is then automatically cleaned up. It is not used for analytics or any purpose other than completing the journal entry flow.
- You always have the option to request deletion of your data at any time (see "Your Rights" below). If you request account deletion (via the in-app function or by contacting us), we will erase your personal data from our active systems, except any data we are required to keep by law. Deletion is carried out as described under "Your Rights"; full data export is currently handled manually on request by email (we do not yet offer an automatic complete export workflow; you may contact us to obtain your data).
- Security, legal, and operational records: Minimal data may be retained as required for legal compliance, fraud/security investigation, dispute handling, audit, and backup lifecycle management. Some minimal data may be kept in backups or logs for a short duration even after deletion, but such data will be securely destroyed on the next backup rotation and is not accessible in the live system.
In summary, we aim to store your data for as long as it is useful and needed for you to use Pain Tracker App, and no longer. We balance this by giving you control over your data and the ability to purge it if you wish.
Your Rights
As a user of Pain Tracker App and as a data subject under applicable data protection laws (like GDPR, if you are in the EU), you have several important rights regarding your personal data. We are committed to upholding these rights. Below is an overview of your rights and how you can exercise them:
1. Right to Access: You have the right to request a copy of the personal data we hold about you, and to obtain information about how we process it. In the Pain Tracker App app, you can directly access most of your data (your diary entries, account info, etc.). We also provide report/export features within the interface. For a comprehensive copy of all your data, you may contact us – full data export is currently provided manually on request by email.
2. Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected. You can edit or delete entries in your migraine diary through the app interface. If there is account information (like your email) that needs updating, you can update it in the app or by contacting us for assistance.
3. Right to Erasure: Commonly known as the "right to be forgotten," you can request that we delete your personal data. You can do this by using the account deletion function (if available) or by contacting us directly. Upon such a request, we will erase your data from our active databases, unless we have a lawful basis to keep certain data (for example, if required for legal obligations). Once deleted, your diary entries and account info will be permanently removed or anonymized so they can no longer be linked to you. *(Note that deletion of your data means we can no longer provide the Service to you.)*
4. Right to Restrict Processing: You have the right to ask us to restrict or pause the processing of your data in certain circumstances. For instance, if you contest the accuracy of your data or have objected to processing (see below), you can request a restriction until the issue is resolved. While restricted, we will store your data but not actively use it (aside from storing it securely) until the restriction is lifted.
5. Right to Object: You have the right to object to certain types of processing of your data. For example, if we were to process your data for direct marketing (which we do not do), you could object and opt out. You can also object if you feel our legitimate interest processing (see the Legal Bases section) impacts your rights – in such cases, we will review your objection and stop or adjust processing unless we have compelling legitimate grounds to continue.
6. Right to Data Portability: You have the right to obtain your personal data in a structured, commonly used, machine-readable format, and to have that data transmitted to another service (if technically feasible), under the conditions of GDPR. Our report/export features are designed to give you a portable record of your data. For full data portability, contact us; we provide data manually on request as described above.
7. Right to Withdraw Consent: If we are processing any personal data based on your consent, you have the right to withdraw that consent at any time. In Pain Tracker App, the primary use of consent is for processing your health-related diary data. You can withdraw consent by discontinuing use of the diary and requesting deletion of your data. Withdrawing consent will not affect the lawfulness of any processing we already performed while we had your consent. However, if you withdraw consent for processing your migraine diary data, we will likely be unable to continue providing the core service to you (since that data is necessary for the app to function).
8. Right to Lodge a Complaint: If you believe that we have violated your privacy rights or applicable data protection laws, you have the right to file a complaint with a supervisory data protection authority. You may do this in the EU member state where you live, work, or where the alleged infringement occurred. For example, in Germany you could contact the Berlin Commissioner for Data Protection.
We would, however, appreciate the chance to address your concerns directly before you approach a regulator – so please feel free to contact us about any issues and we will do our best to resolve them promptly.
Exercising Your Rights: You can exercise the rights above by contacting us at vitalii.rizo@gmail.com. Please describe your request clearly and with enough detail (for example, what data you want to access or delete). We may need to verify your identity before fulfilling certain requests (to ensure we do not give your data to the wrong person or delete the wrong account). We aim to respond within one month of receiving a verified request, which is the deadline set by GDPR Article 12(3); that period may be extended by up to two further months for complex or numerous requests, in which case we will tell you why within the first month. There is no fee for making a request, though manifestly unfounded or excessive requests may be refused or may incur a reasonable fee as permitted by law.
Automated Decision-Making
Pain Tracker App does not use automated decision-making that produces legal effects or similarly significant effects on users. The reports and statistics we generate are based solely on the data you provide and are for your informational use only.
Children's Privacy
Pain Tracker App is not intended for use by children under the age of 16. We do not knowingly collect personal data from anyone under 16 years old. If you are under 16, you must have permission from a parent or legal guardian to use this Service, and they should review and consent to this Privacy Policy on your behalf. If we become aware that we have inadvertently collected personal information from a child under 16 without appropriate consent, we will take steps to delete such information as soon as possible. If you are a parent or guardian and discover that your child under 16 has been using Pain Tracker App without your consent, please contact us and we will remove the data. (The age limit may be lower in certain jurisdictions if allowed by local law – for example, 13 in some countries – but since our service is primarily offered from the EU and we choose to be cautious, we use 16 as the default minimum age for consent to data processing.)
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make changes, we will post the updated policy on our website (and via the Telegram bot interface where applicable) and update the "last modified" date. If the changes are significant, we may also notify you through additional means, such as sending an email to the address on file or providing a notice in the app. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data. Your continued use of Pain Tracker App after any changes to this Policy will signify your acceptance of the updated terms.
Contact Us
If you have any questions or concerns about this Privacy Policy or about how Pain Tracker App handles your data, please do not hesitate to reach out: vitalii.rizo@gmail.com. We value your privacy and will gladly address any issues or clarifications you need.
Thank you for trusting Pain Tracker App with your headache tracking. We are dedicated to keeping your data safe and your privacy respected while you use the Service.
Third-Party Assets and Licenses
The web app includes UI icons based on Heroicons (MIT License). Heroicons is © Tailwind Labs, Inc. and contributors.
Change log
- 07 Feb 2026 (v1.3): Updated policy for current product behavior (Cloudflare, FastVPS-Hetzner Germany, Telegram, Brevo, PostHog EU), clarified cookies for web vs Telegram, clarified manual data export and data retention, product updates and International Data Transfers; added processor legal entity names.
- 29 Jan 2026 (v1.2): Added icon licensing attribution.
- 23 Jun 2025 (v1.1): Added details of PostHog EU Cloud analytics cluster and signed DPA.
- 16 Jun 2025 (v1.0): Initial version of the Privacy Policy.