Privacy Policy
This Privacy Policy describes how Strukto LLC processes personal information collected through the VitalTrak mobile application. Because VitalTrak's primary deployment is in Mexico, this policy is also issued as an Aviso de Privacidad Integral under the Mexican Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) — see the Spanish version for the LFPDPPP-formatted notice.
1. Identity of the controller
Strukto LLC ("Strukto", "we", "us") is a limited liability company organized under the laws of the State of Texas, USA, with registered address at 5511 Parkcrest Drive, Austin, TX 78731, USA. Strukto develops and operates the VitalTrak mobile application and related services (collectively, the "Application").
For any matter related to this Policy or your personal data, contact Strukto's privacy team at info@strukto.tech.
2. Roles in the processing of data
VitalTrak is used by hospitals, clinics, and medical centers (the "Institutions") to record and track surgical procedures. Institutions upload patient data to the Application; family members access scoped procedure information; medical staff act on those records.
The roles in data processing are:
- Patient data: the Institution acts as the data controller and Strukto acts as a processor operating the infrastructure on the Institution's instructions. The privacy notice given to patients is issued directly by the Institution.
- Data of medical staff, clinic administrators, and family members who register in the Application: Strukto acts as the data controller, since Strukto collects this data at sign-up and processes it to operate the Application.
3. Personal data we collect
3.1 Medical staff and clinic administrators
| Category | Data |
|---|---|
| Identification | Full name, email, phone, profile photo (optional). |
| Professional | Professional license number ("cédula"), specialty, role (surgeon, anesthesiologist, nurse, orderly, administrator), years of experience. |
| Authentication | Hashed password, session identifiers. |
3.2 Registered family members
| Category | Data |
|---|---|
| Identification | Full name, email, phone. |
| Relationship | Relationship to the patient (spouse, mother, father, child, sibling, other), access code used. |
| Authentication | Hashed password, session identifiers. |
3.3 Patient data uploaded by Institutions
This data is uploaded by the Institution and Strukto stores it as a processor. Strukto does not collect this data directly from patients.
| Category | Data |
|---|---|
| Identification | Full name, age, photo (optional), health insurance information (provider, policy number, validity). |
| Contact | Phone, email, emergency contact (name and phone). |
| Sensitive health data | Blood type, allergies, prior medical conditions, prior surgeries, family medical history, current medications, clinical notes, surgery type and description, diagnosis, doctor notes, post-operative instructions, lab results (pre-operative, lab work, imaging), pre-operative checklist, follow-up dates. |
Sensitive personal data. The health data listed in section 3.3 is considered sensitive personal data under Mexican law (Article 3, fraction VI of the LFPDPPP) and would also fall under heightened protections under HIPAA in the United States where applicable. It is processed only with the express consent of the data subject (collected by the Institution as controller) and under enhanced security measures.
3.4 Technical and security data
| Category | Data |
|---|---|
| Connection | IP address, user-agent, device type, operating system, application version. |
| Audit | Access logs, failed authentication attempts, hashed access code used, timestamps for actions performed. |
4. Purposes of processing
4.1 Primary purposes (necessary for the service)
- Create, authenticate, and manage your account.
- Operate surgical tracking: register surgeries, advance stages (registration, preparation, in-surgery, recovery, discharge), and display information to authorized users.
- Allow family members to track a procedure via the access code issued by the Institution.
- Assign and coordinate the medical staff participating in each procedure.
- Store and display medical history, pre- and post-operative instructions, and lab results when the Institution captures them.
- Generate audit logs and security records.
- Detect and prevent abuse, fraud, and unauthorized access attempts.
- Comply with applicable legal obligations.
4.2 Secondary purposes (not necessary)
As of the last update of this Policy, VitalTrak does not process data for secondary purposes such as marketing, commercial prospecting, or advertising. If Strukto decides to introduce secondary purposes in the future, we will request your express consent or provide a clear opt-out mechanism.
5. Data sharing and transfers
To operate the Application, Strukto uses technology providers that may process your data on our behalf:
| Recipient | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication storage. | USA |
| Vercel Inc. | Legal site and future admin web hosting. | USA |
| Expo (Expo Application Services) | App build, OTA updates, push notifications. | USA |
| Google LLC (Google Play) | Android distribution. | USA |
| Apple Inc. (App Store) | iOS distribution. | USA |
| Competent authorities | Compliance with valid legal requests. | As applicable. |
Strukto does not sell, rent, or trade your personal data with third parties for commercial or advertising purposes.
5.1 International transfers
Strukto's infrastructure and that of the providers listed above is primarily located in the United States of America. Personal data of users in Mexico is therefore transferred outside Mexican territory. Strukto ensures that such providers maintain contractual and technical safeguards equivalent to those required by the law applicable to the data subject.
6. Your rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data when it is no longer required for the purposes for which it was collected.
- Object to the processing of your data for specific purposes.
- Withdraw your consent previously granted, where processing was based on consent.
- Limit the use or disclosure of your data.
- Portability of your data, where applicable.
Mexican users may exercise the ARCO rights specifically defined under LFPDPPP (Acceso, Rectificación, Cancelación, Oposición). See the Spanish version for the LFPDPPP procedure.
6.1 How to exercise your rights
Send a request to info@strukto.tech with subject "Privacy rights request — VitalTrak", including:
- Full name and contact email.
- A copy of an official identification document (or that of your representative).
- A clear and precise description of the data and the right you wish to exercise.
- For corrections, the corrected data and supporting documentation.
Strukto will respond within 20 business days from receipt of the request. If the request is granted, it will be effected within 15 business days of that response.
7. Account deletion
Family members may delete their accounts at any time from within the application's profile screen. Deletion removes account-bound data and surgery access links; audit log entries are anonymized and retained up to 12 months for security purposes. Medical staff accounts are removed by the Institution's administrator. Administrator accounts require contacting Strukto. Full details are at /account-deletion/en/.
8. Data retention
Strukto retains personal data only for as long as necessary to fulfill the purposes described and applicable legal retention periods:
- User account data: while the account remains active.
- Patient clinical data uploaded by Institutions: per the Institution's policy as controller.
- Anonymous tracking sessions: up to 7 days after the surgery ends.
- Audit log: 12 months from the recorded event.
9. Security measures
Strukto implements reasonable administrative, technical, and physical security measures to protect personal data against loss, misuse, unauthorized access, alteration, or disclosure. These include encryption in transit (HTTPS/TLS), encrypted at-rest storage of credentials on the device (iOS Keychain / Android Keystore), role-based access control (Row Level Security at the database layer), audit logs, and rate limiting.
10. Cookies and similar technologies
The mobile application does not use browser cookies. The companion website vitaltrak.strukto.tech does not use third-party cookies and uses only strictly necessary technical cookies for site operation.
11. Children's privacy
VitalTrak is intended for adult medical staff and adult family members responsible for a patient. The Application may store clinical data of minor patients when uploaded by the Institution; in such cases, applicable consent is obtained by the Institution from the minor's parent or legal guardian. Strukto does not knowingly collect personal information directly from children under 13.
12. Changes to this Policy
Strukto may update this Privacy Policy to reflect legal, operational, or technological changes. Updates will be published at https://vitaltrak.strukto.tech/privacy/en/ with the updated date at the top. For material changes, Strukto will notify registered users via the application or by email.
13. Supervisory authority
For users in Mexico, the supervisory authority is the Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales (INAI) — home.inai.org.mx. For users in other jurisdictions, please contact your local data protection authority.
14. Contact
Strukto LLC
5511 Parkcrest Drive, Austin, TX 78731, USA
Email: info@strukto.tech