Privacy Policy

Version 2.0 — Last updated: May 12, 2026

This Privacy Policy describes how Strukto LLC processes personal information collected through the VitalTrak mobile application. Because VitalTrak's primary deployment is in Mexico, this policy is also issued as an Aviso de Privacidad Integral under the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) — see the Spanish version for the LFPDPPP-formatted notice.

1. Identity of the controller

Strukto LLC ("Strukto", "we", "us") is a limited liability company organized under the laws of the State of Texas, USA, with registered address at 5511 Parkcrest Drive, Austin, TX 78731, USA. Strukto develops and operates the VitalTrak mobile application and related services (collectively, the "Application").

For any matter related to this Policy or your personal data, contact Strukto's privacy team at info@strukto.tech.

2. Roles in the processing of data

VitalTrak is used by hospitals, clinics, and medical centers (the "Institutions") to record and track surgical procedures. Institutions upload patient data to the Application; family members access scoped procedure information; medical staff act on those records.

The roles in data processing are:

This distinction matters when a user deletes their account: the registered user's own data is erased (because Strukto controls it), but patient data — including the full clinical record — remains in the custody of the treating Institution, which is the legal data controller for the medical record and is required to retain it under Mexican Official Standard NOM-024-SSA3-2012. As a processor, Strukto cannot delete the patient's clinical record at a family member's request (see Section 7).

3. Personal data we collect

3.1 Medical staff and clinic administrators

Identification: Full name, email, phone, profile photo (optional).
Professional: Professional license number ("cédula"), specialty, role (surgeon, anesthesiologist, nurse, orderly, administrator), years of experience.
Authentication: Hashed password, session identifiers.

3.2 Registered family members

Identification: Full name, email, phone.
Relationship: Relationship to the patient (spouse, mother, father, child, sibling, other), access code used.
Authentication: Hashed password, session identifiers.

3.3 Patient data uploaded by Institutions

This data is uploaded by the Institution and Strukto stores it as a processor. Strukto does not collect this data directly from patients.

Identification: Full name, age, photo (optional), health insurance information (provider, policy number, validity).
Contact: Phone, email, emergency contact (name and phone).
Sensitive health data: Blood type, allergies, prior medical conditions, prior surgeries, family medical history, current medications, clinical notes, surgery type and description, diagnosis, doctor notes, post-operative instructions, lab results (pre-operative, lab work, imaging), pre-operative checklist, follow-up dates.

Sensitive personal data. The health data listed in section 3.3 is considered sensitive personal data under Mexican law (Article 3, fraction VI of the LFPDPPP) and would also fall under heightened protections under HIPAA in the United States where applicable. It is processed only with the express consent of the data subject (collected by the Institution as controller) and under enhanced security measures.

3.4 Technical and security data

Connection: IP address, user-agent, device type, operating system, application version.
Audit: Access logs, failed authentication attempts, hashed access code used, timestamps for actions performed.

3.5 Disclosures for App Store and Google Play

For consistency with this Policy, the following table summarizes the data categories VitalTrak declares in the App Privacy section of App Store Connect and in the Google Play Data Safety form. All categories are collected linked to the user's identity and are used exclusively for the operation of the Application (App Functionality).

Category | Examples | Declared purpose
Contact info | Email address, name, phone (optional) | App functionality
Identifiers | Internal user ID, session identifier | App functionality
Health & fitness | Blood type, allergies, medical history, current medications, lab results | App functionality
Sensitive info | Diagnoses, procedure descriptions, post-operative instructions | App functionality
Other user content | Notes and observations captured by medical staff | App functionality
Usage & diagnostics | IP address, user-agent, action timestamps | Security analytics

VitalTrak does not use any of these categories for advertising tracking, cross-app tracking, or third-party marketing. VitalTrak does not share this data with advertising networks, data brokers, or third parties for their own commercial purposes. The Application does not integrate any advertising SDKs.

4. Purposes of processing

4.1 Primary purposes (necessary for the service)

4.2 Secondary purposes (not necessary)

As of the last update of this Policy, VitalTrak does not process data for secondary purposes such as marketing, commercial prospecting, or advertising. If Strukto decides to introduce secondary purposes in the future, we will request your express consent or provide a clear opt-out mechanism.

5. Data sharing and transfers

To operate the Application, Strukto uses technology providers that may process your data on our behalf:

Recipient | Purpose | Location
Supabase Inc. | PostgreSQL database, authentication, Realtime, and Edge Functions. | USA
Vercel Inc. | Legal site (privacy/terms) and future admin web hosting. | USA
Expo (Expo Application Services) | App build, OTA updates, push notifications. | USA
Google LLC (Google Play) | Android distribution. | USA
Apple Inc. (App Store) | iOS distribution. | USA
Competent authorities | Compliance with valid legal requests. | As applicable.

The providers listed above act as processors for Strukto under contracts containing data-protection clauses equivalent to those required by the LFPDPPP. They do not use the data for their own purposes. Strukto does not sell, rent, or trade your personal data with third parties for commercial or advertising purposes.

5.1 International transfers

Strukto's infrastructure and that of the providers listed above is primarily located in the United States of America. Personal data of users in Mexico is therefore transferred outside Mexican territory. Strukto ensures that such providers maintain contractual and technical safeguards equivalent to those required by the law applicable to the data subject.

6. Your rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

Mexican users may exercise the ARCO rights specifically defined under LFPDPPP (Acceso, Rectificación, Cancelación, Oposición). See the Spanish version for the LFPDPPP procedure.

6.1 How to exercise your rights

Send a request to info@strukto.tech with subject Privacy rights request — VitalTrak, including:

  1. Full name and contact email.
  2. A copy of an official identification document (or that of your representative).
  3. A clear and precise description of the data and the right you wish to exercise.
  4. For corrections, the corrected data and supporting documentation.

Strukto will respond within 20 business days from receipt of the request. If the request is granted, it will be effected within 15 business days of that response.

7. Account deletion

Any registered user can delete their account and the associated personal data directly from within the Application, without having to leave the app for a website or contact support. Deletion is immediate: it happens in the same operation, not after a 30-day waiting period.

7.1 How to delete your account (step by step)

  1. Open the VitalTrak app and sign in to your account.
  2. Tap the Profile tab on the bottom bar.
  3. Inside the Account section, tap Delete account.
  4. Read the confirmation dialog and tap Delete to confirm.
  5. You will be signed out automatically, and your account will be deleted.

If for any reason the in-app button is not working, you may send an equivalent request to info@strukto.tech from the email registered to your account, with subject Delete account — VitalTrak.

7.2 Summary: what is deleted and what is retained

Data | What happens on account deletion?
Authentication record (email, hashed password, identifiers) | Erased immediately.
User profile (name, phone, photo) | Erased immediately.
Family member's links to surgeries | The rows linking the user to the surgeries they were following are erased immediately.
Medical staff assignments | Future assignments are erased; the user's reference on past surgeries is anonymized (set to NULL) to preserve record integrity without linking back to you.
Access audit log | Anonymized immediately (user identifier set to NULL). Entries remain for up to 12 months for security audit and fraud prevention, with no link to your identity.
Patient clinical record (medical history, lab results, surgeries, events, stages, instructions) | Not deleted. Belongs to the treating Institution, not to the family member. Must be retained for at least five years pursuant to NOM-024-SSA3-2012.
Anonymous tracking sessions (no account) | No user action required; automatically purged 7 days after the surgery ends.

7.3 Rules by account type

7.4 Why some data is retained after you delete your account

Strukto operates the infrastructure, but each patient's clinical record legally belongs to the Institution that treats the patient (see Section 2). Under Mexican Official Standard NOM-024-SSA3-2012 ("Information systems for electronic health records"), the Institution must retain the clinical record for a minimum of five years from the last medical event. For that reason, when a family member deletes their account, the patient's data is not erased: the family member had read access to the record, not ownership of it.

The Account deletion page contains extended details, including alternate routes when in-app deletion is not possible.

8. Data retention

Strukto retains personal data only for as long as necessary to fulfill the purposes described and applicable legal retention periods:

9. Security measures

Strukto implements reasonable administrative, technical, and physical security measures to protect personal data against loss, misuse, unauthorized access, alteration, or disclosure. These include encryption in transit (HTTPS/TLS), encrypted at-rest storage of credentials on the device (iOS Keychain / Android Keystore), role-based access control (Row Level Security at the database layer), audit logs, and rate limiting.

10. Cookies and similar technologies

The mobile application does not use browser cookies. The companion website vitaltrak.strukto.tech does not use third-party cookies and uses only strictly necessary technical cookies for site operation.

11. Children's privacy

VitalTrak is intended for adult medical staff and adult family members responsible for a patient. The Application may store clinical data of minor patients when uploaded by the Institution; in such cases, applicable consent is obtained by the Institution from the minor's parent or legal guardian. Strukto does not knowingly collect personal information directly from children under 13.

12. Changes to this Policy

Strukto may update this Privacy Policy to reflect legal, operational, or technological changes. Updates will be published at https://vitaltrak.strukto.tech/privacy/en/ with the updated date at the top. For material changes, Strukto will notify registered users via the application or by email.

13. Supervisory authority

For users in Mexico, the supervisory authority is the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI), home.inai.org.mx. For users in other jurisdictions, please contact your local data protection authority.

14. Contact

Strukto LLC
5511 Parkcrest Drive, Austin, TX 78731, USA
Email: info@strukto.tech