Back to PD·HD

Privacy Policy

PD·HD · iOS App

Last updated: 11 April 2026 — Compliant with GDPR (EU) 2016/679, Apple App Store Review Guidelines 5.1.1–5.1.3

In plain language

This privacy policy applies exclusively to the iOS, iPadOS, watchOS and macOS app PD·HD. For the chapter.networks website, see the separate website privacy policy.

PD·HD is built with privacy as a structural requirement. In short:

  • You don't create an account. PD·HD never asks for your name, email, phone number, or any identifier.
  • All dialysis sessions, lab results, supply deliveries, and care-team contacts you enter are stored on your own device, protected by Apple's complete file protection (FileProtectionType.complete).
  • If you are signed in to iCloud, this data can additionally sync to your own private iCloud database so PD·HD shows the same data on your iPhone, iPad, Apple Watch, and Mac. Chapter Networks has no access to that database. Without iCloud, PD·HD runs entirely locally and makes zero network requests.
  • PD·HD integrates with Apple Health (HealthKit) strictly for four measurement types: body weight, blood glucose, and blood pressure (systolic and diastolic). Permissions are granted by you and can be revoked at any time in iOS Settings.
  • HealthKit data is never synced via iCloud and never leaves Apple's HealthKit store on your device. PD·HD does not keep a permanent copy of it either.
  • There are no analytics, no crash reporting, no advertising, and no third-party SDKs of any kind. The app makes no direct network requests to Chapter Networks or to any server controlled by us.
  • Face ID protects the app on launch, with a 5-minute inactivity timeout and brute-force lockout.

The sections below describe each of these points in detail, including the applicable legal bases.

§ 1 Scope and controller

This privacy policy applies to the PD·HD application ("the App") for iPhone, iPad, Apple Watch, and Mac, developed and published by Chapter Networks. The data controller under Article 4(7) of the General Data Protection Regulation (GDPR) is:

Chapter Networks
[Address]
E-Mail: hello@chapter.networks

This policy does not apply to the chapter.networks website (governed by its own privacy policy), to Apple's iCloud and HealthKit services (governed by Apple's privacy policy at apple.com/legal/privacy), or to any service you separately choose to share your exported data with.

§ 2 Data protection officer

A data protection officer has not been appointed, as Chapter Networks does not currently meet the thresholds established by Article 37 GDPR. For any data-protection queries, contact the controller directly at hello@chapter.networks.

§ 3 Scope and definitions

This privacy policy covers PD·HD — a personal health diary for patients undergoing peritoneal dialysis (PD) or haemodialysis (HD). PD·HD is available as a native app on iPhone, iPad, Apple Watch, and Mac; all variants are governed by this policy.

"Personal data" under Article 4(1) GDPR means any information relating to an identified or identifiable natural person. "Special categories of personal data" under Article 9(1) GDPR explicitly include health data. The dialysis session logs, lab results, vital signs, and HealthKit readings processed by PD·HD fall squarely within this definition and accordingly receive the highest level of protection under the GDPR.

§ 4 What PD·HD does not collect

PD·HD does not collect, process, or transmit any of the following:

  • Your name, email address, phone number, postal address, or any account credential — PD·HD does not know who you are as far as Chapter Networks is concerned.
  • Device identifiers (identifierForVendor, advertising ID / IDFA, device fingerprints, or similar).
  • Location data, contacts, photos, microphone, or camera input.
  • Analytics, telemetry, usage statistics, performance metrics, or A/B testing data.
  • Crash reports or diagnostic logs transmitted to Chapter Networks or any third party.
  • Any information shared with advertising networks, data brokers, or social platforms.

Chapter Networks operates no servers that receive personal data from the App. We could not access your App data even if we wanted to. This is not a promise we maintain in prose — it is a structural property of the App's design.

§ 5 Data stored on your device

The App stores only data you enter or import from Apple Health. Storage uses Apple's SwiftData with the highest protection level, FileProtectionType.complete — the underlying database file is encrypted by iOS and can only be decrypted while the device is unlocked after its first authentication since boot. The following categories are stored on-device:

  • Peritoneal dialysis session logs — session date, start and end times, dialysate type, bag volume, fill and drain volumes, pre- and post-session weight, systolic and diastolic blood pressure, ultrafiltration, and free-form notes.
  • Dialysate supply and delivery records — order dates, expected and actual delivery dates, supplier, delivery status, line items, and notes.
  • Laboratory values — manually entered readings for creatinine, potassium, phosphate, calcium, urea, and haemoglobin, each with a date.
  • Care-team contacts — name, phone number, email, and postal address for contacts such as your nephrologist, dialysate supplier, or clinic. These are supplied exclusively by you and are only created when you voluntarily enter them.
  • Clinical target values — your personalised thresholds for weight, blood glucose, blood pressure, ultrafiltration, glucose concentration, electrolytes, urea, and lab results. These are stored in iOS's UserDefaults for the App on your device.

Legal basis. For non-health fields (e.g. delivery dates, contact details): Article 6(1)(b) GDPR — performance of the contract between you and Chapter Networks: you installed PD·HD to track this data, and local storage is the core function you requested. For health-related fields (vital signs in dialysis sessions, all lab results): additionally Article 9(2)(a) GDPR — your explicit consent to the processing of special categories of personal data. You provide this consent by deliberately entering the data into the App; you may revoke it at any time by deleting the record or uninstalling the App.

§ 6 Apple HealthKit

PD·HD integrates with Apple HealthKit so that your weight, blood sugar, and blood pressure readings can appear in the App's charts and, optionally, be written back to Apple Health. The first time you use a HealthKit-backed feature, iOS presents its standard permission dialog. The permission strings the App supplies to iOS are reproduced verbatim here:

  • Read permission (NSHealthShareUsageDescription): "This app reads your weight, blood sugar, and blood pressure data to display in interactive charts."
  • Write permission (NSHealthUpdateUsageDescription): "This app allows you to add weight, blood sugar, and blood pressure data to Apple Health."

PD·HD requests read and write access for exactly the following four HealthKit quantity types and no others:

  • Body Mass (HKQuantityTypeIdentifier.bodyMass) — read & write
  • Blood Glucose (HKQuantityTypeIdentifier.bloodGlucose) — read & write
  • Blood Pressure Systolic (HKQuantityTypeIdentifier.bloodPressureSystolic) — read & write
  • Blood Pressure Diastolic (HKQuantityTypeIdentifier.bloodPressureDiastolic) — read & write

PD·HD does not request access to any other HealthKit category — no clinical records, workouts, sleep, mindfulness, medications, menstrual or reproductive data, heart-rate or ECG data, mobility or fall data. PD·HD does not use HealthKit background delivery (enableBackgroundDelivery) and does not keep a permanent copy of HealthKit samples in its own storage. Samples are queried from Apple's HealthKit store on demand and discarded when no longer needed on screen.

HealthKit data never enters PD·HD's own SwiftData store and is never synced via iCloud (see also § 7).

Legal basis. Article 9(2)(a) GDPR — your explicit consent to the processing of special categories of personal data. Granting HealthKit permissions in the iOS system dialog constitutes this explicit consent. You may revoke it at any time and in full via iOS Settings → Privacy & Security → Health → Data Access & Devices → PD·HD. Revocation takes effect immediately.

§ 7 Optional iCloud sync (Apple CloudKit)

This section is particularly important. Please read it carefully.

If you are signed in to iCloud on your device and have iCloud Drive enabled, PD·HD can store the App data listed in § 5 — dialysis session logs, lab results, delivery records, and contacts — in your own private iCloud database. The technical implementation uses Apple's CloudKit framework (NSPersistentCloudKitContainer), with the iCloud container identifier iCloud.de.chapter.pdhd. This allows the same data to appear on all your Apple devices where PD·HD is installed — iPhone, iPad, Apple Watch, and Mac — without any server operated by Chapter Networks.

The following points are key:

  • The database is a private CloudKit database: its contents are scoped to your personal iCloud account and are not visible to other users, to Chapter Networks, or to Apple employees. Chapter Networks has no technical ability to read, export, or delete the contents of your iCloud database.
  • If you are not signed in to iCloud, or if iCloud is disabled for PD·HD, the App automatically falls back to a local-only store on your device. In that mode PD·HD performs no network activity at all — not a single connection.
  • HealthKit data is never synced via CloudKit. HealthKit data remains solely within Apple's HealthKit store on your device; its own iCloud sync (if any) is controlled by you in iOS Settings → Health, not by PD·HD. PD·HD reads HealthKit samples in operation, displays them, and discards them; they are never copied into the SwiftData database, and the SwiftData database is the only data source that syncs via CloudKit.
  • Clinical target values stored in UserDefaults (see § 5) are likewise not synced by PD·HD and remain local to each device.

Relationship to Apple Guideline 5.1.3. Apple's App Store Review Guideline 5.1.3 states that apps "may not store personal health information in iCloud." This rule is intended to prevent apps that read HealthKit from exporting that data into third-party cloud storage. PD·HD complies strictly: HealthKit data is processed exclusively on-device and never written to CloudKit. What syncs via CloudKit are the contents you enter into PD·HD's diary function (dialysis sessions, lab values, etc.) — and they sync only into your personal, private iCloud database that only you can access. This use of Apple's standard NSPersistentCloudKitContainer mechanism for user-entered health diary content follows established practice for Apple's own and third-party health apps.

Legal basis. Where data is transmitted to Apple by your active choice: Article 6(1)(a) GDPR — your consent, provided by enabling iCloud for PD·HD in iOS Settings. For health-related fields within this channel (vital signs in sessions, lab results): additionally Article 9(2)(a) GDPR.

Data processing by Apple. When iCloud sync is enabled, Apple Inc. acts as a data processor under Article 28 GDPR. Apple's contractual obligations are governed by the Apple Developer Program License Agreement and its associated Data Processing Addendum; see § 12 on international transfers.

Revocation and deletion. You can stop iCloud sync at any time: iOS Settings → [Your Name] → iCloud → Apps Using iCloud → PD·HD → disable. Additionally, PD·HD's app settings offer a Bulk Delete function that removes all App data at once. After disabling or performing Bulk Delete, iCloud copies are removed from your iCloud account according to Apple's iCloud deletion policies.

§ 8 Widgets and Apple Watch (App Group)

PD·HD includes Home Screen and Lock Screen widgets and a companion Apple Watch app. To make recent dialysis and delivery data available to these extensions without re-querying iCloud, PD·HD writes compact summary snapshots to a shared App Group on your device (identifier group.de.chapter.pdhd). Data in the App Group never leaves your device; it is used solely to render the widgets and the Watch UI.

The Apple Watch app exchanges session and delivery updates with the iPhone via Apple's WatchConnectivity framework — a direct, device-level encrypted channel between iPhone and Watch. No data from Watch ↔ iPhone sync reaches Chapter Networks or any third-party server.

Legal basis. Article 6(1)(b) GDPR (performance of contract — the widget and Watch display is core functionality of the App you installed), plus for health-related fields additionally Article 9(2)(a) GDPR.

§ 9 On-device security

PD·HD takes the following concrete measures to protect the health data on your device:

  • Face ID on launch. On each cold launch, and after a 5-minute inactivity timeout, PD·HD requires Face ID authentication before any health data is visible. The in-prompt passcode fallback is disabled in the standard path, so biometric authentication is explicitly required.
  • Brute-force lockout. After three consecutive failed Face ID attempts, PD·HD imposes an escalating lockout (30 seconds, then 60 seconds, then 120 seconds) before another attempt is permitted.
  • Re-authentication on return from background. When you send PD·HD to the background, authentication state is invalidated immediately; a fresh Face ID check is required when you return, regardless of how briefly the App was backgrounded.
  • Sensitive data cleared from memory. When PD·HD enters the background, in-memory HealthKit data is cleared so that snapshots held by iOS for the App Switcher do not contain readable health values.
  • Privacy overlay. When PD·HD becomes inactive (e.g. during the App Switcher animation or an incoming call banner), an opaque overlay covers the App's content so it is not visible to bystanders or captured in App Switcher previews.
  • File protection. The SwiftData store (both in iCloud-backed and local-only mode) is marked FileProtectionType.complete; the underlying file is encrypted by iOS and can be decrypted only while the device is unlocked.
  • No Keychain credentials. PD·HD stores no credentials, tokens, or secrets in the Keychain, because it needs none.

These mechanisms complement, but do not replace, the overall security of your iOS device and Apple ID. Ensure your device passcode and Apple ID password are strong and unique.

§ 10 Data you choose to share (export)

PD·HD can export your records as PDF or CSV so you can share them with your nephrologist, care team, or personal archive. Exports are generated on-device. When you trigger an export, iOS presents its standard share sheet, and the destination — Mail, Messages, Files, AirDrop, or any other app — is entirely under your control. Chapter Networks does not see, receive, or process exported files in any way.

Once an exported file has left PD·HD, its further handling is governed by the destination service's own privacy policy and is outside the scope of this document. We recommend using encrypted channels when sharing medical data with healthcare providers.

§ 11 No advertising, no tracking, no third-party SDKs

PD·HD contains no advertising, no tracking technologies, no user profiling, and no third-party software development kits (SDKs) of any kind. Specifically, the following services are not integrated: Firebase (Analytics, Crashlytics, Cloud Messaging, Remote Config), Google Analytics, Amplitude, Mixpanel, Segment, PostHog, TelemetryDeck, Sentry, Bugsnag, Instabug, AppCenter, Facebook SDK, Branch, Adjust, AppsFlyer, Singular, Kochava, Braze, OneSignal, or any advertising SDK. The only external framework dependencies are Apple's own system frameworks and a single internal Swift package (PDHDShared) developed and maintained by Chapter Networks alongside PD·HD.

As a structural consequence, PD·HD does not, and structurally cannot, sell, rent, or share your data with any third party for any purpose.

Apple Guideline 5.1.2 (express assurance). Health data read from HealthKit is used solely for the core dialysis-tracking functionality and is never used for marketing, advertising, profiling, or use-based data mining — neither by Chapter Networks nor by any third party, because no third party has access.

§ 12 International data transfers (Chapter V GDPR)

PD·HD itself transfers no personal data to any third country. The only way App data may leave the European Economic Area (EEA) is through the iCloud sync described in § 7 — and only if you have actively enabled it.

When iCloud sync is enabled, Apple Inc. (One Apple Park Way, Cupertino, California 95014, USA) acts as data processor under Article 28 GDPR. Apple operates data centres in multiple regions worldwide; the physical location of your iCloud data is determined by Apple according to your Apple ID region and Apple's own infrastructure policies. PD·HD and Chapter Networks have no influence on that choice.

Transfers to third countries, particularly the United States of America, are based on the following safeguards under Chapter V GDPR:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission under Article 46(2)(c) GDPR, as used by Apple in its Data Processing Addendum for developer- and consumer-facing iCloud services.
  • Where an adequacy decision by the European Commission under Article 45 GDPR exists for the recipient country (such as the EU–US Data Privacy Framework for certified US companies), the transfer additionally relies on this decision.

A copy of the contractual bases used by Apple and further information about Apple's iCloud data transfers are available at apple.com/legal/privacy and in the current Apple Data Processing Addendum. If you wish to avoid international data transfers, you can use PD·HD in local-only mode (without iCloud sync) — in that mode your data never leaves the device.

§ 13 Data retention (Article 5(1)(e) GDPR)

Chapter Networks collects no data on its own servers and therefore has no server-side retention period. Your data remains on your device — and, if iCloud sync is enabled, in your own iCloud — for as long as you choose to keep it.

Deletion is available at any time, without reason, through any of the following mechanisms:

  • Delete individual records in the App (session, lab value, delivery, contact).
  • Use the Bulk Delete function in PD·HD's Settings — removes all App data at once.
  • Disable iCloud for PD·HD in iOS Settings — removes iCloud copies according to Apple's iCloud deletion policies.
  • Uninstall PD·HD from all devices.

Since PD·HD has no access to your data, any deletion request directed at Chapter Networks cannot achieve more than the self-service mechanisms listed above.

§ 14 Your rights under the GDPR

As a data subject you have the following rights without restriction:

  • Right of access — Article 15 GDPR
  • Right to rectification — Article 16 GDPR
  • Right to erasure ("right to be forgotten") — Article 17 GDPR
  • Right to restriction of processing — Article 18 GDPR
  • Right to data portability — Article 20 GDPR
  • Right to object — Article 21 GDPR
  • Right to withdraw consent — Article 7(3) GDPR — without affecting the lawfulness of processing performed before withdrawal

Because of PD·HD's architecture — Chapter Networks has no access to your data — you exercise these rights directly on your device:

  • Access and portability: Use the PDF/CSV export function to obtain a complete, human- and machine-readable copy of your data.
  • Rectification: Edit the relevant record directly in the App.
  • Erasure and restriction: Delete individual records, use Bulk Delete in Settings, disable iCloud for PD·HD, or uninstall the App.
  • HealthKit consent revocation: Via iOS Settings → Privacy & Security → Health → Data Access & Devices → PD·HD.
  • Contact: For general data-protection queries reach us at hello@chapter.networks. Please note that we cannot access the contents of your device or your private iCloud database.

§ 15 No automated decision-making (Article 22 GDPR)

PD·HD does not use automated decision-making or profiling within the meaning of Article 22(1) GDPR that produces legal effects concerning you or similarly significantly affects you. All values and charts displayed in the App are for your personal information only; all medically relevant decisions remain under your and your healthcare providers' direction.

§ 16 Right to lodge a complaint (Article 77 GDPR)

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority — in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement — if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority competent for Chapter Networks is the data-protection authority of the German federal state in which the company is registered: [competent state DPA of Chapter Networks' federal state]. For federal and EU-wide matters, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI), Graurheindorfer Straße 153, 53117 Bonn, is also available. In other EU/EEA member states, contact your national supervisory authority.

§ 17 Not a medical device

PD·HD is a personal health diary for dialysis patients and is not a medical device within the meaning of Regulation (EU) 2017/745 (MDR). PD·HD does not diagnose, treat, monitor, or prevent any disease, does not issue medical recommendations, and does not perform measurements using device sensors. The App solely accepts values you enter or that are read from Apple Health, stores them, and presents them graphically.

Always consult your healthcare team for medical decisions of any kind. PD·HD is not a substitute for medical advice, diagnosis, or treatment.

§ 18 Children

PD·HD is intended for adults managing their own dialysis treatment, or for caregivers acting on behalf of a patient. The App is not directed at children under 16. Chapter Networks does not knowingly collect data from children. Because the App transmits no personal data to Chapter Networks whatsoever, this section exists for completeness rather than as a mitigation of any actual data flow.

§ 19 Changes to this privacy policy

We may update this privacy policy to reflect changes in legal requirements or in PD·HD's functionality. For material changes — for example, if a future version of PD·HD adds a new HealthKit category, introduces a server-side feature, or integrates any third-party service — we will update this page and surface a notice inside the App before the change takes effect. The date at the top of this policy always reflects the currently published version.

§ 20 Contact

For any question about this privacy policy or about PD·HD's handling of your data, please contact us at hello@chapter.networks. Please describe your concern specifically so we can respond as promptly as possible.

Alignment with Apple's Privacy Manifest

In the terminology of Apple's App Privacy report ("Privacy Details" on the App Store), PD·HD collects zero data because no data is ever transmitted to Chapter Networks or to any server we control. The data described above is processed exclusively on your own device and, if enabled, in your own private iCloud database that Chapter Networks cannot access. The App's PrivacyInfo.xcprivacy declaration reflects this with an empty NSPrivacyCollectedDataTypes entry and NSPrivacyTracking = false. This privacy policy describes the full handling of your data beyond Apple's narrower definition so you are informed in every respect.