openmed v0.1.2
Docs Request Preview

OpenMed

Privacy

Effective June 4, 2026 · Last updated June 4, 2026

OpenMed builds privacy-first health tools. This is the privacy home for each OpenMed product — jump to the one you use:

  • Welna — the patient-first iOS app.
  • OpenMed Agent — the developer CLI & runtime (preview).

One principle holds across everything we build: we redact identifiers on your device before anything is sent, and we never sell your data.

Welna

iOS app

Welna is a patient-first health companion. Its core principle is simple: identifiers are redacted on your device before anything is sent. Redaction is automated and may not catch everything, so you stay in control of what you enter and share. This section explains what the app handles, what stays on your device, and the few things processed in the cloud.

The short version

  • Your health data and documents are not collected by us. Apple Health is read-only, and any text you scan or type is redacted on your device before anything is sent anywhere.
  • No advertising. No ad identifier (IDFA). No tracking across other apps or companies. Welna does not ask for App Tracking Transparency permission because it has nothing to track.
  • Analytics are anonymous and optional. You can turn them off in Settings → Analytics at any time.
  • We do not sell your data. Ever.

What stays on your device

  • Apple Health data — read-only, only the metrics you authorize. Raw HealthKit records, device names, and metadata never leave your device.
  • Documents and notes: anything you scan or paste is processed on-device. An on-device model detects and removes identifiers (names, dates, contact details, record numbers) before any cloud request. Automated redaction is not perfect, so review your text before you run a workflow.
  • Your saved runs and generated documents — stored locally; delete them anytime in Settings. (They are also excluded from iCloud/device backups.)
  • Your credentials — your ChatGPT session or OpenAI API key, and any Hugging Face token, are stored only in the device Keychain and are never sent to us.

What is processed in the cloud — and by whom

To produce a workflow result, the app sends a redacted request to an AI model using your own account:

  • OpenAI (api.openai.com) or ChatGPT (when you sign in with ChatGPT) acts as the AI processor. The request contains free text after on-device redaction, plus normalized Apple Health summaries (e.g. "average resting heart rate," not raw records) — and only when a workflow you started uses them. These requests are governed by OpenAI's privacy policy and your account terms. Health-derived context is used only to generate the result you asked for — never for advertising, and never sold.

We, the app's developer, do not operate a server that receives your health data, documents, or redacted text. That content flows directly from your device to the AI provider under your own account.

Analytics (anonymous, optional)

To understand how the app is used and improve it, Welna uses Google Analytics for Firebase. It is on by default and can be turned off in Settings → Analytics.

  • What we collect: anonymized, aggregate data only — app version, device model and iOS version, language/region, a resettable app-instance identifier (not linked to your identity), which screens you view, which features you use, and anonymous crash/hang counts.
  • What we never collect through analytics: your name or contact details, your health data or values, the contents of any document or note, the text of your requests or the AI's responses, or any advertising identifier.
  • No tracking, no ads. We do not use the advertising identifier (IDFA), do not link analytics to your identity, and do not track you across other apps. Analytics data is processed by Google under its privacy policy.

Crash diagnostics (on-device)

Welna uses Apple's MetricKit to detect crashes and hangs. The detailed diagnostic reports (which can include technical stack traces) stay on your device and are not transmitted. Only an anonymous crash/hang count is included in analytics (when analytics is enabled), so we can see stability trends without receiving diagnostic detail.

Optional: Hugging Face audit trail

If you connect a Hugging Face account in Settings and name a dataset, each completed run is saved as a JSON file to your own private dataset on Hugging Face. This is entirely opt-in, uses your own account and token (stored only in your device Keychain), and stores the redacted run record. You can disable uploads or disconnect at any time.

Your choices and rights

  • Turn off analytics: Settings → Analytics.
  • Delete local data: Settings → Delete all history.
  • Disconnect accounts: Settings (ChatGPT / API key, Apple Health, Hugging Face).
  • Access / erasure (GDPR / UK GDPR / CCPA): Because we don't operate a server that stores your personal data, most of your data lives only on your device and is deleted when you delete it (or delete the app). For analytics data held by Google, contact us and we will assist with applicable requests.

Children

Welna is not directed to children and is rated 17+. We do not knowingly collect data from children.

Medical disclaimer

Welna provides general health information to help you prepare for conversations with your clinician. It is not a medical device and does not diagnose, treat, or prescribe. Always consult a qualified healthcare professional. Not for use in emergencies.

OpenMed Agent

Developer preview

OpenMed Agent is a local-first terminal/CLI runtime for clinical workflows, aimed at developers and operators. It runs on your machine and is designed so you can see what the system is doing, where data is stored, and which external services are in the loop.

  • Local runtime. The TUI, session files, plans, workflow artifacts, and local file operations happen on your machine (~/.openmed/, ~/.config/openmed/). Credentials from openmed login are written to a local ~/.openmed/auth.json with restrictive file permissions where the OS supports them.
  • Remote boundaries you choose. Clinical capabilities can reach your configured model provider (your own OpenAI/ChatGPT account), OpenMed's native medical-service plane (extraction, PII, de-identification, terminology, education, HCC, RAF), and any remote MCP servers you add. The privacy posture of those services depends on where they are hosted and governed.
  • No in-product telemetry. OpenMed Agent does not include in-product analytics, usage tracking, or background crash reporting. (Public docs and marketing pages may use lightweight site analytics for aggregate traffic.)
  • Opt-in audit trail. Audit traces are off by default. When enabled, they write directly from your machine to a destination you configure — a private Hugging Face dataset or bucket, or a local-only directory — never to OpenMed-owned infrastructure.

For the full detail — runtime boundary, approval & review model, PHI modes, local storage, token storage, and network access — see Privacy & Security.

Changes

We may update this policy; material changes are reflected by the "Last updated" date above.

Contact

Privacy questions: support@openmed.life