Privacy Policy

Effective date: 23 May 2026 · Last updated: 23 May 2026

This policy applies globally. Region-specific rights and notices for Australia, the EEA/UK and the United States appear in §10. Washington State residents should also read our Consumer Health Data Privacy Policy.

1. Who We Are

Remira is operated by Remira Care Pty Ltd ("we", "us", "our"), an Australian company headquartered in Sydney, New South Wales.

For all privacy matters: privacy@remiracare.com.

For the purposes of the EU and UK General Data Protection Regulation (collectively, the "GDPR"), we act as the data controller of personal information collected through Remira.

2. Information We Collect

Information you provide directly

  • Account information: email address, display name, password (we store only a bcrypt hash of it, never the plaintext).
  • Profile information: date of birth, gender, RA type, diagnosis date.
  • Wellness data: daily pain levels, joint pain locations and severity, morning stiffness duration, fatigue severity, sleep quality and duration, mood and anxiety levels, body map selections.
  • Medication data: medication names, dosages, frequency, schedule, adherence logs.
  • Food and lifestyle data: food entries, meal types, dietary tags.
  • Lab results: marker values you choose to enter (CRP, ESR, etc.) that you have been given by your treating clinician.
  • Flare events: dates, severity, trigger notes, optional photos and voice notes.
  • Location: city and coordinates, only if you choose to set them for weather tracking.
  • Free-text notes: any notes you add to daily check-ins or flare logs.

Information collected automatically

  • Device information: device type, operating system, browser type.
  • Usage data: pages visited, features used, timestamps. Aggregated and pseudonymous; collected via our self-hosted Umami analytics (no cookies, no cross-site tracking).
  • IP address: recorded transiently for security purposes (login, share-link access logging, rate limiting). Not used for advertising.
  • Weather data: if you set a location, your saved coordinates are sent to Open-Meteo to fetch weather conditions when you submit a daily check-in. Your identity is not transmitted.

3. Health Data — Special Provisions

Your health data deserves extra protection.

Remira collects sensitive health-related information including symptom severity, joint involvement, medication details and mood data. Under the EU/UK GDPR this is "special category" personal data (Art. 9). Under the Australian Privacy Act 1988 it is "sensitive information". US state laws (notably the Washington My Health My Data Act) treat it as "consumer health data".

  • We collect this data only with your explicit, opt-in consent, obtained separately from our Terms of Service.
  • Your health data is encrypted in transit (TLS 1.3) and at rest on our infrastructure.
  • We never sell your personal health data.
  • We never share your identifiable health data with advertisers, data brokers or pharmaceutical companies.
  • We use your health data only to provide you with personal wellness tracking, the features you request, and (for paying tiers) trend analysis and shareable reports.
  • You can export or permanently delete all your health data at any time from Settings.
  • You may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

4. How We Use Your Information

Purpose                                                             | Legal basis (GDPR)
--------------------------------------------------------------------|-----------------------------------
Providing the wellness tracking service                             | Contract (Art. 6(1)(b))
Processing your health/wellness data                                | Explicit consent (Art. 9(2)(a))
Generating wellness scores and observations                         | Explicit consent
Auto-capturing weather for correlation                              | Explicit consent
Creating shareable wellness reports                                 | Explicit consent (user-initiated)
Account security (login, lockout, sessions)                         | Legitimate interest (Art. 6(1)(f))
Sending transactional email (verification, password reset, billing) | Contract
Processing subscription payments                                    | Contract
Aggregated, anonymised product analytics                            | Legitimate interest
Complying with legal obligations                                    | Legal obligation (Art. 6(1)(c))

5. How We Share Your Information

We share your personal information only in these limited circumstances:

  • With your healthcare team: only when you explicitly create a share link, invite a connected clinician, or generate a clinician PDF. Shared data is view-only, scoped, time-limited and revocable by you.
  • With caregivers you invite: only data you choose, only after the caregiver accepts your invitation, revocable any time.
  • With our subprocessors: listed in §6 below, under contractual data-protection obligations.
  • For legal compliance: only when required by valid legal process (subpoena, court order, regulatory request).
  • For business transfer: in the event of a merger, acquisition or asset sale, your data may be transferred to the successor entity. We will notify you in advance and your rights under this policy will be honoured by any successor.

We do not and will never sell or rent your personal information, and we do not engage in cross-context behavioural advertising. We do not share your data with pharmaceutical companies, data brokers or advertisers.

6. Subprocessors

Provider                      | Purpose                                                                   | Location
------------------------------|---------------------------------------------------------------------------|------------------------------------------
Oracle Cloud Infrastructure   | Application hosting + database                                            | Sydney, Australia
Oracle Cloud Email Delivery   | Transactional email (verification, password reset, billing notifications) | Sydney, Australia
Stripe Payments               | Subscription billing                                                      | US, EU, AU (region of card)
Umami Analytics (self-hosted) | Aggregated, cookieless product analytics                                  | Sydney, Australia (on our infrastructure)
Open-Meteo                    | Weather data lookup (coordinates only, no identity)                       | EU

We do not use Google Analytics, Facebook Pixel, advertising SDKs, or any third-party tracker. We will update this list before adding any new subprocessor that handles personal data.

7. Data Retention

  • Active account: data is retained as long as your account is active.
  • Account deletion: 30-day grace period (cancellable by you), then permanent deletion from the primary database. Requesting deletion cancels any active paid subscription immediately, so you are not billed during the grace period.
  • Backups: rolling backups are purged within 90 days of account deletion.
  • Payment records: billing, invoice and payment records are held by our payment processor (Stripe), not in Remira's primary database, and are retained by them for the period required by Australian tax law and equivalent US/EU obligations. Deleting your Remira account removes your local account data and requests deletion of your Stripe customer record; it does not erase the transaction records Stripe is legally required to keep.
  • Audit logs: retained in pseudonymised form for security and incident-response purposes for up to 12 months.
  • Shared-report access logs: retained for security auditing; deleted with the underlying account.

8. Data Security

  • All data encrypted in transit (TLS 1.3) and at rest.
  • Passwords hashed with bcrypt (work factor 12).
  • JWT authentication with RS256 asymmetric signing; short-lived access tokens; refresh tokens with single-use rotation.
  • Account lockout after 5 failed login attempts (15-minute cooldown).
  • Rate limiting on all API endpoints.
  • Security headers (CSP, HSTS, X-Frame-Options, Referrer-Policy).
  • Comprehensive audit logging of sensitive operations.
  • Documented data-breach response plan with role-aware notification workflow.

No system is 100% secure. We take reasonable, industry-standard measures to protect your data but cannot guarantee absolute security.
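As an added illustration of two of the controls listed above (account lockout after 5 failed attempts with a 15-minute cooldown, and single-use refresh-token rotation), the following Python model is not Remira's code and is not derived from it; it assumes an in-memory store, an injectable clock, and a reuse-detection rule (replaying a consumed refresh token revokes the whole token family) that the policy itself does not describe.

```python
# Illustrative model of two account-security controls: lockout after 5 failed
# logins with a 15-minute cooldown, and single-use refresh-token rotation with
# replay detection. Added example, not Remira's code; storage, account names
# and the family-revocation rule are assumptions.
import hashlib
import secrets
import time

LOCKOUT_THRESHOLD = 5        # failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60    # cooldown after lockout


class LoginGuard:
    """Per-account failed-attempt counter with a time-based lockout.

    Callers should check is_locked() and reject the attempt before verifying
    the password. The clock is injectable so behaviour can be tested
    without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._state = {}  # account -> {"failures": int, "locked_until": float}

    def is_locked(self, account):
        st = self._state.get(account)
        return bool(st) and self._clock() < st["locked_until"]

    def record_failure(self, account):
        """Count a failed login; returns True once the account is locked."""
        now = self._clock()
        st = self._state.setdefault(account, {"failures": 0, "locked_until": 0.0})
        if st["locked_until"] and now >= st["locked_until"]:
            st["failures"] = 0          # previous lockout expired: start over
            st["locked_until"] = 0.0
        st["failures"] += 1
        if st["failures"] >= LOCKOUT_THRESHOLD:
            st["locked_until"] = now + LOCKOUT_SECONDS
        return self.is_locked(account)

    def record_success(self, account):
        """A verified login clears the counter."""
        self._state.pop(account, None)


class RefreshTokenStore:
    """Single-use refresh tokens grouped into families.

    Only a SHA-256 digest of each token is kept, so a leaked store does not
    yield usable tokens. rotate() consumes the presented token and issues a
    replacement in the same family. Presenting a token that was already
    consumed is treated as replay (the token was probably stolen), and the
    whole family is revoked, ending both the legitimate and the stolen session.
    """

    def __init__(self):
        self._tokens = {}            # digest -> {"user", "family", "active"}
        self._revoked_families = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, family=None):
        """Mint a fresh token; a new family is started when none is given."""
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {"user": user, "family": family, "active": True}
        return token

    def rotate(self, token):
        """Exchange a refresh token for a new one; None if it is not accepted."""
        rec = self._tokens.get(self._digest(token))
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if not rec["active"]:
            self._revoke_family(rec["family"])   # replay of a consumed token
            return None
        rec["active"] = False                    # single use
        return self.issue(rec["user"], rec["family"])

    def family_of(self, token):
        rec = self._tokens.get(self._digest(token))
        return rec["family"] if rec else None

    def _revoke_family(self, family):
        self._revoked_families.add(family)
        for rec in self._tokens.values():
            if rec["family"] == family:
                rec["active"] = False


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.issue("user@example.com")      # constructed sample account
    second = store.rotate(first)
    print("rotated:", second is not None)
    print("replay of old token accepted:", store.rotate(first) is not None)
    print("family still usable:", store.rotate(second) is not None)
```

The lockout counter lives per account rather than per IP so that an attacker rotating source addresses still trips it, while the rate limiting named above covers the per-IP case; the token store keeps only digests for the same reason password storage keeps only bcrypt hashes.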

9. Breach Notification

If we suffer a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify you and the relevant authorities in accordance with applicable law. Specifically:

  • Australia (NDB scheme): we will notify affected individuals and the OAIC as soon as practicable after assessing an eligible data breach, and in any event within 30 days of becoming aware of it.
  • EU/UK (GDPR): we will notify the lead supervisory authority within 72 hours of becoming aware of a breach where required, and affected individuals without undue delay where the breach is likely to result in high risk.
  • United States (FTC Health Breach Notification Rule): for US users, where the Rule applies, we will notify affected individuals, the FTC and, where applicable, the media, within 60 days of discovery.

10. Region-Specific Rights

10.1 Everyone

Regardless of where you live, you can do the following directly in the App:

  • Access / export all your data (Settings → Export Report, or "Download all my data (JSON)").
  • Correct data by editing it in the App.
  • Delete your account and all data (Settings → Delete Account; 30-day grace period).
  • Withdraw consent to health-data processing (Settings → Consents).
  • Change subscription or cancel any time.

For requests we cannot handle in-App, email privacy@remiracare.com. We will respond within 30 days (often sooner).

10.2 Australia

The Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) apply. You may lodge a privacy complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au or by phoning 1300 363 992.

10.3 European Economic Area and United Kingdom

If you are in the EEA or UK, you have the following rights under the GDPR / UK GDPR:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure / "right to be forgotten" (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right not to be subject to solely automated decision-making, including profiling (Art. 22). We do not make any decision about you by purely automated means with legal or similarly significant effect.
  • Right to withdraw consent (Art. 7(3))
  • Right to lodge a complaint with your local supervisory authority. UK residents: the Information Commissioner's Office (ICO) at ico.org.uk.

EU representative: where required by GDPR Art. 27, we will designate an EU representative and publish their contact details here.

10.4 United States — California (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know what personal information we collect, use, disclose and (if applicable) sell or share.
  • Right to delete personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of "sale" or "sharing" of personal information for cross-context behavioural advertising. We do not sell or share personal information in this sense.
  • Right to limit the use and disclosure of sensitive personal information. To exercise this right, email privacy@remiracare.com.
  • Right to non-discrimination for exercising these rights.

We do not knowingly collect or sell the personal information of California residents under 16.

10.5 United States — Washington State

If you are a Washington State resident, the Washington My Health My Data Act applies to "consumer health data" we collect about you. Your rights, the categories of data, sources, purposes, recipients and how to exercise your rights are set out in our separate Consumer Health Data Privacy Policy.

10.6 Other US states

Residents of states with comprehensive consumer privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Nevada, Oregon, Texas and Montana) may have similar rights to access, correct, delete and opt out of certain processing. To exercise any such right, email privacy@remiracare.com.

11. International Data Transfers

Remira's primary servers are hosted on Oracle Cloud Infrastructure in Sydney, Australia. If you access the App from outside Australia, your personal information is transferred to and processed in Australia. Australia is not currently the subject of an EU adequacy decision; for transfers of EEA/UK personal data we rely on the Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) together with supplementary measures (encryption in transit and at rest, access controls, audit logging). A copy of the relevant SCCs is available on request from privacy@remiracare.com.

12. Children's Privacy

Remira is not intended for children under 16, and our service is not directed to children under 13 in the United States. We do not knowingly collect personal information from children under these ages. If we learn that we have collected such information, we will delete it promptly. If you believe we have done so, please contact privacy@remiracare.com.

13. Cookies and Similar Technologies

Remira uses only essential cookies and storage required for authentication and session management. We do not use advertising cookies, third-party tracking pixels, social-media trackers, fingerprinting, or session replay. Our self-hosted analytics (Umami) operates without cookies and does not perform cross-site tracking.

Because we use only strictly necessary cookies, we do not display a tracking-cookie consent banner.

14. Automated Decision-Making and AI Features

We do not make any decision concerning you by purely automated means that produces legal or similarly significant effects on you. Where the App displays AI-generated wellness narratives or pattern observations (planned features), these are informational only, framed with explicit non-medical disclaimers, and are not used to make decisions about your access to services, employment, credit or healthcare.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide reasonable advance notice by email and/or in-App message before the changes take effect. The "Last updated" date at the top reflects the most recent revision.

16. Contact Us

For privacy enquiries, data access requests, complaints or to exercise any right described above:

Remira Care Pty Ltd
Privacy enquiries: privacy@remiracare.com
Security reports: security@remiracare.com
Postal address: available on request
Website: remiracare.com