Privacy Policy
Last updated: 16 November 2025
1. Who we are
This Privacy Policy explains how Morning Meds (“we”, “us”, “our”) collects, uses and protects your personal data when you use our website and app.
Morning Meds is currently operated by an individual based in Portugal. If you have any questions, you can contact us at: support@morningmeds.co.
For the purposes of the EU General Data Protection Regulation (“GDPR”), we act as the data controller for the processing of your personal data described in this Policy.
2. What Morning Meds does
Morning Meds provides a personalized feed of medical research article summaries, primarily for medical residents, doctors and students. The service is for educational and informational purposes only and does not provide individual medical advice or patient care.
3. Personal data we collect
We collect and process the following categories of personal data.
3.1. Account and identity data
From Supabase Auth (default auth.users table):
- Email address
- Account creation date
- Last sign-in date and related auth metadata (e.g. provider)
From our own users table:
- Email address (copied from your auth profile)
- Password hash (for non-Supabase/local auth, if used)
- is_active, is_admin flags
- supabase_uid (link between Supabase Auth and our internal user record)
- Optional profile data you provide:
  - display_name, avatar_url
- Plan and billing identifiers:
  - plan ("free" or "premium")
  - stripe_customer_id, stripe_subscription_id
  - premium_valid_until (currently not actively used)
- Technical personalization fields:
  - Embedding model name (model)
  - Embedding dimension (dim)
  - user_vector (a 1536-dimensional numerical vector representing your preferences, not raw text)
- Timestamps:
  - created_at, updated_at for your user record
3.2. Usage and preference data
To personalize your feed and track what you have seen, we store:
Feedback (feedback table):
- user_id, article_id
- Whether you liked or disliked an article (liked boolean)
- source of the feedback (e.g. "app", "email")
- created_at timestamp
Saved articles (saved_articles table):
- user_id, article_id
- created_at timestamp
Feed delivery logs (feed_delivery_audit table):
- user_id, article_id
- delivered_at timestamp (when an article was included in your feed)
These data points are used to build and update your user_vector and to avoid sending you the same content repeatedly.
3.3. Emails and communication
We send:
- Transactional and product emails, such as:
  - Onboarding / welcome emails
  - Daily summary emails with your article summaries
  - Important service notifications (e.g. plan changes)
To send these, we process:
- Your email address
- The articles included in a given email
- Email metadata (subject, send date, provider message ID)
We also log some email events in an email_jobs / email_events setup, e.g.:
- Email queued, sent, open and click events
- Metadata about the event, such as:
  - job_id, user_id
  - The article linked to a click
  - A timestamp
For feedback buttons in emails (👍/👎):
- We include signed tokens so that clicks on those links can be safely associated with:
  - Your user_id
  - The article_id
  - Whether you liked or disliked the article
This feedback is written into the feedback table and can update your user_vector.
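The email feedback links above depend on a signed token. As an added example, not Morning Meds' own code (the page does not describe the service's token format, secret handling or expiry), the following Python shows how such a token can be built and checked with an HMAC so that a click can only record the vote it was issued for: a link whose user_id, article_id or vote has been altered fails verification, an expired link is rejected, and the token carries ids and a vote only, never the email address or any free text. The secret, the one-week lifetime and the field names are assumptions for the example.

```python
# Added example (not Morning Meds' code): an HMAC-signed feedback token so that a
# 👍/👎 link in an email can only register the vote that was issued to one user for
# one article. Secret, TTL and field names below are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumption: a link stops working after a week


def _b64u_encode(raw: bytes) -> str:
    """URL-safe base64 without padding, so the token survives inside a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_feedback_token(secret: bytes, user_id: str, article_id: str, liked: bool,
                        now: Optional[int] = None) -> str:
    """Build '<payload>.<sig>' where sig = HMAC-SHA256(secret, payload).

    The payload is base64-encoded, not encrypted: anyone holding the link can read
    the ids inside it, but cannot change them without the server-side secret.
    """
    issued = int(time.time()) if now is None else now
    payload = {"u": user_id, "a": article_id, "v": 1 if liked else -1,
               "exp": issued + TOKEN_TTL_SECONDS}
    body = _b64u_encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64u_encode(sig)}"


def verify_feedback_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return {'user_id', 'article_id', 'value'} for a valid token, else None.

    The signature is checked first, in constant time, and only then is the payload
    parsed, so unauthenticated input never reaches json.loads.
    """
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, given_sig = parts
    try:
        given = _b64u_decode(given_sig)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    except ValueError:  # non-ASCII or malformed base64 in the token
        return None
    if not hmac.compare_digest(expected, given):
        return None
    try:
        payload = json.loads(_b64u_decode(body))
    except ValueError:
        return None
    current = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or payload.get("exp", 0) < current:
        return None
    if payload.get("v") not in (1, -1):
        return None
    return {"user_id": payload.get("u"), "article_id": payload.get("a"), "value": payload["v"]}


def forge_flipped_vote(token: str) -> str:
    """What someone who can read the link might try: flip the vote, keep the old signature."""
    body, sig = token.split(".")
    payload = json.loads(_b64u_decode(body))
    payload["v"] = -payload["v"]
    new_body = _b64u_encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed for the example; load from config in practice
    tok = make_feedback_token(secret, "user-123", "article-456", liked=True)
    print("valid  :", verify_feedback_token(secret, tok))
    print("flipped:", verify_feedback_token(secret, forge_flipped_vote(tok)))  # None
```

Because the vote is inside the signed payload, a single link can only ever record one fixed outcome; re-clicking it is idempotent rather than a way to toggle or forge feedback for someone else's account.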
3.4. Billing and payments (Stripe)
When you upgrade to a Premium plan, we create or reuse a Stripe customer for you.
We send to Stripe:
- Your email address
Your Stripe customer ID and subscription ID are stored in our users table to track your plan state.
We never see or store your full payment card details. These are handled directly by Stripe, which acts as an independent data controller / processor for payment data under its own privacy policy.
3.5. Analytics and product usage (PostHog)
We use PostHog to understand how users interact with Morning Meds so we can improve the product.
From the frontend:
- We initialize PostHog with:
  - capture_pageview and autocapture enabled (page views, clicks, some form interactions)
  - Persistence using localStorage and cookies
We may send:
- A unique user identifier (your internal user.id as a string)
- Your email address as a person property when you are logged in
- Event properties related to how you use the app (e.g. onboarding completed, feedback events, navigation)
From the backend (via _ph_async_capture), we may send analytics events such as:
- "feedback_given" (including user_id, article_id, value +1/-1, source "email")
- "email_opened" and "email_clicked" (including job_id, user_id, article_id where applicable)
PostHog may also collect technical device information such as:
- IP address (used for approximate location and security)
- Browser, OS, and device type
- Referrer URL and pages visited
4. How we use your data
We use your personal data for the following purposes:
- To provide and operate the service
  - Creating and managing your account
  - Authenticating you and keeping your session secure
  - Personalizing your article feed using feedback, saved items and your user_vector
  - Sending your daily summary emails
- To process payments and manage subscriptions
  - Creating Stripe checkout and billing portal sessions
  - Tracking whether your subscription is active, trialing or cancelled
  - Updating your plan (free/premium) based on Stripe webhooks
- To communicate with you
  - Onboarding and welcome emails
  - Daily summary emails
  - Service-related notifications (e.g. billing or important changes)
- To improve the product
  - Understanding which features are used and how often (via PostHog)
  - Measuring engagement with emails (opens, clicks, feedback)
  - Debugging issues and improving performance
- To ensure security and prevent abuse
  - Monitoring for suspicious login or usage patterns
  - Enforcing our Terms of Use and protecting the service from misuse
We do not use Morning Meds to store or process patient-level medical records about identifiable patients. The service is oriented towards healthcare professionals and students and focuses on your own educational preferences, not patient data.
5. Legal bases for processing (GDPR)
We rely on the following legal bases under GDPR:
- Performance of a contract (Art. 6(1)(b)): To create and manage your account, deliver your personalized feed and emails, and process your subscription.
- Legitimate interests (Art. 6(1)(f)): To run analytics (PostHog), monitor usage, protect against abuse, and improve the service, as long as these interests are not overridden by your rights and interests.
- Compliance with legal obligations (Art. 6(1)(c)): For accounting, tax and other regulatory obligations, especially related to billing.
If we ever rely on consent for a specific type of processing (e.g. separate marketing emails, if introduced in the future), you will be clearly asked for it and can withdraw consent at any time.
6. How we share your data and with whom
We do not sell your personal data.
We share data with a limited number of trusted service providers (“processors”) who help us run Morning Meds, including:
- Supabase – authentication, database and storage provider.
- Railway or similar hosting provider – to run our backend and worker services.
- Stripe – payment processing and subscription billing.
- PostHog – product analytics and event tracking.
- Resend (or another email provider, depending on configuration) – sending emails on our behalf.
We may also share data when necessary:
- To comply with applicable laws or legal requests
- To enforce our legal rights (e.g. in case of abuse)
- In connection with a business transaction (e.g. merger, acquisition), where data may be transferred as part of that transaction, subject to appropriate protections.
7. International data transfers
Some of our service providers (such as Stripe and PostHog) may process data outside the European Economic Area (EEA), including in the United States.
Where such transfers occur, we take steps to ensure an adequate level of protection, for example by relying on:
- Adequacy decisions of the European Commission, where applicable; and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission, combined with additional safeguards where required.
8. Data retention
We retain personal data only for as long as necessary for the purposes described above, including:
- Account data: kept while your account is active. If you request deletion, we will delete or anonymize your account data within a reasonable time, subject to any legal retention requirements.
- Feedback, saved items, feed delivery: kept while needed to personalize your feed. If you delete your account, associated records are typically removed via cascades.
- Billing data: kept as required by tax and accounting laws (often 6–10 years, depending on jurisdiction).
- Email events and analytics events: kept for a period that allows us to analyze product usage and improve the service. Data may be aggregated or anonymized for longer-term analytics.
We may retain some information in backup copies for a limited period, even after active records are deleted, but we will not use such backups for any other purpose.
9. Security
We take technical and organizational measures to protect your data, including:
- Using reputable infrastructure providers with strong security practices
- Restricting access to production databases to authorized personnel and services
- Applying authentication and authorization controls
- Using encryption in transit (HTTPS) for communication between you and our services
No online service can be 100% secure, but we work to protect your information continuously.
10. Your rights (EEA/UK users)
If you are in the European Economic Area or the UK, you have the following rights regarding your personal data:
- Right of access – to obtain a copy of the personal data we hold about you.
- Right to rectification – to have inaccurate or incomplete data corrected.
- Right to erasure (“right to be forgotten”) – to request deletion of your personal data in certain circumstances.
- Right to restriction of processing – to request that we temporarily stop processing your data in certain cases.
- Right to data portability – to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller, where technically feasible.
- Right to object – to object to processing based on our legitimate interests, including analytics, in certain circumstances.
- Right to withdraw consent – where processing is based on consent, you may withdraw it at any time (this will not affect processing that has already occurred).
You can exercise these rights by contacting us at support@morningmeds.co. We may need to verify your identity before responding to your request.
You also have the right to lodge a complaint with your local data protection authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).
11. Cookies and similar technologies
We use cookies and similar technologies primarily via PostHog and our auth/session system to:
- Keep you logged in and secure the session
- Measure usage and improve the product
- Capture analytics events and page views
You can control cookies through your browser settings (e.g. blocking third-party cookies or all cookies for the site). Please note that blocking certain cookies may impact the functionality of Morning Meds.
12. Children’s privacy
Morning Meds is not intended for children under 16 years old and is primarily aimed at medical residents, healthcare professionals and students. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal information, please contact us at support@morningmeds.co so we can delete it.
13. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. If changes are material, we may notify you via email or in-app notice.
We encourage you to review this Policy periodically to stay informed about how we protect your data.