Privacy Policy
Last updated:
The short version
- My GLP Shot is a local-first app. Your data lives in your browser, on your device.
- If you turn on Cloud Sync, your data is end-to-end encrypted in your browser before it leaves your device. The server stores opaque ciphertext only.
- We have no way to decrypt your data. Not through admin tools, not under subpoena, not ever. Lose your passphrase and the cloud copy is unrecoverable.
- No accounts, no email collection, no analytics, no third-party trackers, no advertising, no data sales.
What stays on your device only
By default, all of this lives in your browser's IndexedDB on your device and never reaches our servers:
- Shot logs (medication, dose, date/time, injection site, notes)
- Weight entries
- Settings (cadence, reminders, theme)
What we store if you enable Cloud Sync
Cloud Sync is opt-in. When enabled, an encrypted blob of your data is uploaded so you can restore it on another device. The server stores:
- An opaque lookup_id derived from your username + passphrase via PBKDF2 (a one-way derivation: we cannot reverse it to find your username or passphrase)
- A ciphertext blob (AES-256-GCM, encrypted in your browser before upload)
- An IV (random 96-bit nonce per encryption)
- A last-updated timestamp
We do not store: your username, your passphrase, your encryption key, your medications, your dosages, your weight, or anything else readable. The server cannot determine who you are or what is in your data.
How the encryption works
- Key derivation: PBKDF2-SHA-256, 600,000 iterations, salted with a hash of your username
- Encryption: AES-256-GCM with a fresh random 96-bit IV per upload
- Lookup ID: derived from the same PBKDF2 run as the encryption key but from material distinct from the key itself, then hashed with SHA-256 and hex-encoded, so the server never holds the key or anything it could be recovered from
- All cryptography runs in your browser via the Web Crypto API. The plaintext, the passphrase, and the encryption key never leave your device.
Plain-English glossary
If any of the terms above are unfamiliar, here's what they actually mean.
- Local-first
- The app runs on your device and saves your data on your device. Nothing leaves the phone or computer unless you explicitly turn on Cloud Sync.
- IndexedDB
- A built-in storage area inside your web browser where the app keeps your shots, weight, and settings. It stays on your device — like the notes app on your phone.
- End-to-end encrypted (E2EE)
- Your data is scrambled on your device before it's sent to our server, and only your device has the key to unscramble it. We can't read it. Same approach used by Signal and Bitwarden.
- Ciphertext
- Scrambled data. Without the key, it's a jumble of random-looking bytes — useless to anyone who steals it, including us.
- Encryption key
- The secret that turns ciphertext back into your readable data. We never see it. It's derived from your passphrase on your device and never leaves.
- PBKDF2
- The way we turn your passphrase into an encryption key. We run the passphrase through 600,000 rounds of a math function so it's slow to guess, even with a powerful computer.
- AES-256-GCM
- The actual scrambling method. AES-256 is the gold-standard encryption used by banks and governments. GCM is the mode that also detects if anyone tried to tamper with the ciphertext.
- IV (initialization vector) / nonce
- A random number we mix in each time we encrypt, so the same data encrypted twice produces different ciphertext. Stops attackers from spotting patterns.
- Lookup ID
- An anonymous ID we use to find your encrypted blob without knowing who you are. We can't reverse it back into your username or passphrase.
- Web Crypto API
- The cryptography toolkit built into every modern browser. It's what does the encrypting on your device. Standard, audited, and runs locally.
- PWA (Progressive Web App)
- A website you can install to your phone or computer like an app. Works offline, sends notifications, no app-store middleman.
- HIPAA, GDPR, CCPA
- Health and privacy laws — U.S. health (HIPAA), European general privacy (GDPR), and California consumer privacy (CCPA/CPRA). They give you rights like exporting your data and deleting it. The export/delete buttons in the app cover those rights.
Server logs
Our reverse proxy logs basic request metadata (IP address, user agent, timestamp, request size, response status) for security and rate-limiting purposes. These logs are rotated and retained for no longer than 14 days. They are not joined to user data.
Cookies, analytics, third parties
None. My GLP Shot does not set tracking cookies, does not run analytics, does not include third-party scripts, and does not embed advertising or social-media trackers.
Your rights
- Export your data anytime as JSON from Settings → Backup.
- Delete all local data at any time via Settings → Erase all data on this device.
- Delete the cloud copy at any time via Settings → Cloud Sync → Delete cloud data. This permanently removes the encrypted blob from our server.
- If you are in the EU/UK, California, or another jurisdiction with privacy rights (GDPR, CCPA/CPRA, etc.), the above export and deletion controls satisfy your access and erasure rights. Because we cannot read your data, we have nothing else to disclose about you specifically.
HIPAA
My GLP Shot is a personal tracking tool used directly by individuals. It is not a Covered Entity under HIPAA, is not integrated with healthcare providers or insurers, and does not handle Protected Health Information on behalf of any covered entity. Nothing in this app constitutes medical advice. Talk to your doctor about your medication.
Breaches
If our server is ever compromised, an attacker would obtain encrypted ciphertext only — not your data in any readable form. The one thing such an attacker could try is guessing passphrases offline against the stolen blobs; the slow key derivation described above makes each guess expensive, but a long, unique passphrase is what makes that attack impractical. We will still notify users if any breach occurs that we believe could affect them, in accordance with applicable law including the FTC Health Breach Notification Rule.
Children
My GLP Shot is not directed to children under 13. We do not knowingly collect data from children.
Changes to this policy
If this policy changes materially, we will update the "Last updated" date and post a notice in the app.
Contact
Questions or concerns: [email protected]