This page is maintained by Hoitaja (Sakdakorn Suksanwiman), operator of hoitaja.app, to answer common security and privacy questions about the app. It is app-owned editable content, not an independent audit or certification.

Shared responsibility

hoitaja.app is built on the Lovable platform, which provides hosting, managed database, authentication, edge runtime and storage. We configure those building blocks and are responsible for how the app uses them. You are responsible for using your account safely, keeping your credentials private, and not entering real patient identifiers or other third-party personal data without a lawful basis.

Accounts and authentication

Email and password accounts, with optional Google sign-in.
Passwords are hashed by the managed auth service; we never see them in plain text.
Password reset is email-based; the reset link expires after a short window.
You can sign out at any time from the in-app profile screen.

What data we collect

Account data: email, hashed password, display name, language preference.
App content: your shifts, notes, scanned care summaries, favourites, feedback and other content you create.
AI input/output: text you submit to translation, writing-assistant or summary features, and the AI's response.
Device & log data: IP address, browser/device type, timestamps and error logs.

Full details are in the Privacy Notice.

How your data is protected

Traffic between your device and hoitaja.app is encrypted in transit (HTTPS/TLS).
Database access is gated by row-level security policies so each signed-in user can read and write only their own rows.
Privileged backend operations run server-side using short-lived service credentials; they are never exposed to the browser.
Webhooks and scheduled jobs require a shared secret in the request header before any admin action runs.

Subprocessors and integrations

Lovable Cloud — hosting, database, authentication, storage and edge functions.
ElevenLabs — text-to-speech for the in-app listen feature.
Lovable AI Gateway — routes prompts to the language model that powers translation and writing assistance.

Cookies and analytics

hoitaja.app uses functional storage (such as the session cookie and local preferences) needed to keep you signed in and remember your language. We do not run third-party advertising trackers.

Retention and deletion

Account and app content are retained while your account is active.
Community posts are automatically deleted after a short visibility window (about three days).
You can delete your account and associated content from the in-app profile screen, or by emailing us through the in-app feedback form.

Privacy requests

To access, correct or delete your personal data, or to ask any other privacy question, contact us through the in-app feedback form or the email shown in the app. We aim to respond within 30 days.

Security contact and vulnerability reporting

If you believe you have found a security issue, please report it responsibly through the in-app feedback form. Please do not exploit the issue, access other users' data, or run automated scans against the production service. We will acknowledge legitimate reports and work in good faith to fix confirmed issues.

Compliance

hoitaja.app is not independently audited or certified against standards such as SOC 2, ISO 27001 or HIPAA. We follow the security and privacy practices described on this page and in the Privacy Notice. If you need a formal assurance document for procurement, please contact us.

Updates to this page

We may update this page as the app evolves. Material changes will be reflected by the "Last updated" date at the top.

Trust, security & privacy