Privacy Policy – OcuHub

Effective date: 2 Feb 2026

Who we are

OcuHub is a clinical productivity app for eye-care professionals. It provides medical reference tools, calculators, and optional electronic medical record (EMR) features for documenting patient encounters. OcuHub does not diagnose, treat, or predict medical conditions.

Data we collect

We collect the following categories of data:

  • Account identifiers: name, email address, and (optional) medical specialty.
  • Usage & diagnostics: app usage metrics, session information, and crash/error logs.
  • Device information: device model, operating system, and app version for multi-device sync.
  • User-generated clinical data (EMR feature): If you use the EMR features, you may enter patient information including patient identifiers, clinical notes, encounter records, and attachments. This data is created and controlled by you as the healthcare provider.

How we use data

We use your data to: provide and improve app features, synchronize your settings and clinical records across your devices, respond to support requests, maintain security, and send essential service notices.

Where data is stored

Your data is stored in the following locations:

  • On your device: Clinical records and app settings are stored locally in a SQLite database on your device. Local storage relies on your device's built-in encryption (iOS Data Protection, Android file-based encryption).
  • In the cloud: If you enable sync, your data is stored in our cloud database hosted on Supabase (PostgreSQL) with servers in the EU region. Supabase provides encryption at rest for all stored data.

Security measures

We implement the following security measures:

  • Encryption in transit: All network communications use HTTPS/TLS encryption. Our API endpoints and cloud database connections are exclusively over HTTPS.
  • Encryption at rest (cloud): Data stored in our Supabase/PostgreSQL database is encrypted at rest using AES-256 encryption.
  • Local device storage: Local data relies on your device's operating system encryption. We recommend enabling device passcode/biometric protection.
  • Authentication: User authentication is handled via Firebase Authentication with support for email/password and Google Sign-In. API requests are authenticated using Firebase ID tokens.
  • Data isolation: Row-Level Security (RLS) policies ensure that each user can only access their own data. Clinical records are isolated by authenticated user ID at the database level.
  • Audit trail: EMR data changes are tracked with timestamps, user IDs, and device IDs for accountability.

Data sharing

We do not sell your personal data. We use the following service providers to operate OcuHub:

  • Google Firebase: Authentication and analytics.
  • Supabase: Cloud database and file storage.
  • Vercel: Web hosting and API infrastructure.

These providers process data under their respective privacy policies and data processing agreements.

Data retention & deletion

We retain your data until you request deletion or as required for legitimate business purposes.

To request deletion: Email admin@ocuhub.com with the subject "OcuHub Data Deletion Request". Include your account email and specify what data you want deleted.

What gets deleted: Upon verified request, we will delete your account profile, synced settings, clinical records (EMR data), and associated cloud storage files. We will confirm completion within 30 days.

Local data: Data stored locally on your device can be removed by uninstalling the app or clearing app data in your device settings.

Healthcare provider responsibility

If you use OcuHub's EMR features to document patient encounters, you are the data controller for that patient information. You are responsible for:

  • Obtaining appropriate patient consent where required by your jurisdiction.
  • Complying with applicable healthcare privacy laws (e.g., HIPAA, GDPR, local regulations).
  • Ensuring the accuracy and appropriate use of clinical documentation.
  • Maintaining device security (passcode, biometrics, physical security).

OcuHub provides the technical infrastructure; compliance with healthcare regulations is your responsibility as the healthcare provider.

International transfers

Data may be processed on servers outside your country. Our primary database is hosted in the EU region. We apply appropriate safeguards for international data transfers.

Permissions

The app requests only permissions necessary for its features. Camera access is requested only if you choose to attach photos to clinical records. All permission requests are disclosed in-app before use.

Audience

OcuHub is designed for adult healthcare professionals (ophthalmologists, optometrists, nurses, orthoptists). It is not directed to children or general consumers.

Your rights

Where applicable (e.g., GDPR, CCPA), you may request access to, correction of, or deletion of your personal data, or object to certain processing. Contact admin@ocuhub.com to exercise these rights.

Changes

We may update this policy. The latest version and effective date will always be posted at https://ocuhub.com/privacy-policy.

Contact

For privacy inquiries: admin@ocuhub.com