Home · RecallMD

Privacy Policy

Last updated: May 6, 2026

Türkçe →

This Privacy Policy describes how RecallMD handles information when you use our mobile application. We have designed RecallMD to be privacy-first: most of your data stays on your device, and we collect the absolute minimum needed to make the App work.

RecallMD ("we", "us", or "our") is operated by Ahmet Burak Yılmaz, an independent developer based in Türkiye.

1. What We Collect and Why

1.1 Data You Create (stored locally and on your iCloud)

• Pearls, flashcards, decks, and clinical cases you create
• Images and audio you attach to cards
• Review history (when you reviewed each card, your responses)
• App settings (default specialty, notification time, etc.)

This data is stored on your iPhone and synchronized to your personal iCloud account using Apple's CloudKit. It never reaches our servers. We cannot access it.

1.2 Data Sent to Our Backend (only when using AI features)

When you tap "Generate" to create a flashcard or case, the following is sent to our backend (Cloudflare Workers):

• The text of your pearl or case (chief complaint, history, exam findings, etc.)
• Your selected response language
• A signed App Store subscription receipt (to verify you have an active Pro subscription)

We do not send:

• Your name, email, Apple ID, or any other identifier
• Images or audio attached to your cards
• Your review history
• Your other pearls or decks

1.3 Subscription Information (handled by Apple)

If you purchase a Pro subscription, the transaction is handled entirely by Apple through the App Store. We receive a signed receipt to verify your subscription is active, but we do not see your credit card details, billing address, or Apple ID.

1.4 Usage Quotas (anonymous)

To prevent abuse and manage costs, our backend tracks how many AI generations you have made this week using a hash of your subscription's transaction ID. This is anonymous — we cannot identify you from this data. The counter resets every Monday.

1.5 Information We Do NOT Collect

• Your name or email
• Your location
• Your contacts or photos library
• Analytics or usage tracking
• Advertising identifiers
• Crash reports (other than what Apple provides through standard iOS tools)
• Any data that identifies you personally

2. How We Use the Information

We use the data we receive (pearl/case text, subscription receipt) only to:

1. Verify your subscription is active
2. Send your text to the AI provider (Anthropic Claude) to generate flashcards
3. Return the generated flashcards to your app
4. Track anonymous weekly usage to enforce fair-use limits

We do not use your data for advertising, profiling, training AI models, or any purpose other than providing the AI generation service you requested.

3. Third-Party Services

To provide the App, we use the following third-party services. Their privacy policies apply to data they receive:

3.1 Apple Inc.

• Purpose: App Store distribution, in-app purchases, iCloud sync, push notifications
• Data shared: Subscription information, iCloud content (encrypted, only you can read)
• Privacy Policy: apple.com/legal/privacy

3.2 Anthropic, PBC

• Purpose: AI flashcard generation (Claude language model)
• Data shared: Your pearl/case text and language preference
• Note: Anthropic does not use API inputs to train its models per its enterprise terms.
• Privacy Policy: anthropic.com/legal/privacy

3.3 Cloudflare, Inc.

• Purpose: Backend hosting (Cloudflare Workers) and request routing
• Data shared: API requests are routed through Cloudflare's network
• Privacy Policy: cloudflare.com/privacypolicy

We do not share your data with anyone else, including advertisers, data brokers, or analytics providers.

4. Where Your Data is Processed

• On-device data stays on your iPhone
• iCloud data is processed by Apple in regions Apple operates in
• AI requests are processed by Cloudflare's edge network globally and Anthropic's servers (primarily in the United States)
• Subscription is handled by Apple

By using the App, you consent to your data being processed in these locations, including outside your country of residence.

5. Data Retention

• Pearl/case text sent to backend: Discarded immediately after the AI generates a response. We do not log or store the content of your pearls.
• Subscription receipts: Verified in real-time and not stored.
• Quota counters: Anonymous, reset weekly.
• Logs: Operational logs (timestamp, response status) are kept for up to 7 days for debugging purposes and contain no pearl content.

6. Your Rights

Depending on where you live, you may have the following rights:

Under GDPR (European Economic Area)

• Right to access your personal data
• Right to rectification (correct inaccurate data)
• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to object to processing
• Right to lodge a complaint with a supervisory authority

Under KVKK (Türkiye)

• Right to learn whether your personal data is processed
• Right to request information regarding processing
• Right to learn the purpose of processing and whether it is used in accordance with that purpose
• Right to know the third parties to whom your personal data is transferred
• Right to request correction of incomplete or inaccurate data
• Right to request deletion of personal data within the framework of conditions stipulated by law
• Right to object to results that arise against you due to analyses processed exclusively through automated systems
• Right to claim damages in case of harm due to unlawful processing of personal data

Under CCPA (California)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt out of sale (we do not sell data)
• Right to non-discrimination

To exercise any of these rights, contact us at the email below. Note: because we do not store identifiable information, in practice the only data we may have for you is anonymous quota counters which automatically expire weekly.

7. Children's Privacy

RecallMD is intended for medical professionals and students aged 18 and over. We do not knowingly collect data from children under 13 (or under 16 in the EEA). If you believe a child has provided us with personal information, contact us and we will delete it.

8. Security

We protect your data with:

• Encryption in transit: All connections to our backend use HTTPS/TLS
• Subscription verification: We use Apple's signed JWS tokens (ECDSA-SHA256)
• Minimal collection: We collect only what is strictly necessary
• No long-term storage: Pearl/case text is not retained after processing

No security measure is perfect. If you discover a vulnerability, please report it to us responsibly using the contact below.

9. Patient Privacy (Important for Healthcare Users)

Do not enter personally identifiable patient information into RecallMD. This includes names, ID numbers, dates of birth, addresses, photographs of patients, or any data that could identify a real patient. You are responsible for ensuring your use of RecallMD complies with applicable patient-confidentiality laws (HIPAA in the US, GDPR in the EU, KVKK in Türkiye, etc.).

The App is designed for anonymized clinical learning content only.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

• Update the "Last updated" date at the top
• For material changes, post a notice in the App

Continued use of the App after changes constitutes acceptance.

11. Contact Us

If you have questions, concerns, or want to exercise your privacy rights:

Ahmet Burak Yılmaz
Email: abyilmaz05@gmail.com
Website: ahmetburakyilmaz.com

For data protection authority complaints in Türkiye: Kişisel Verileri Koruma Kurumu (KVKK)