Data Breach Response Plan
Last Updated: June 29, 2026
1. Our Commitment
We take data security seriously and have procedures in place to respond quickly if any part of our infrastructure is ever compromised. This plan outlines what we would do and what you should know.
Important context: SteadiDay stores your data on your device. If you sign in, some data (medications, tasks, check-ins, and activity summaries) is also synced securely to our servers. Apple Health data always stays on your device. See Section 2 for details on what our infrastructure does and does not contain.
2. Our Architecture
Understanding what we do and don't have access to is important context for any security incident:
- We do NOT have: Apple Health data, photos, or insurance card details. This data never leaves your device.
- We may have (if you signed in): Medications, tasks, check-ins, and activity summaries synced to our servers (hosted on Supabase) for backup and caregiver sharing.
- We always have: Anonymous analytics data (app open events with randomly generated identifiers), website contact form submissions (name, email, message), and access to the emergency SMS relay service (Twilio) used for SOS and fall detection alerts.
If you have not signed in, the scope of any potential breach is limited to anonymous analytics and website contact form data. If you have signed in, your synced account data (medications, tasks, check-ins, activity summaries) could also be affected — but never Apple Health data or photos.
3. What Could Be Affected
In the event of a security incident involving our infrastructure, the following data could be affected:
- Anonymous analytics data (cannot identify you)
- Website contact form submissions (name, email, message text)
- Emergency SMS relay configuration (Twilio API credentials, which could theoretically allow unauthorized use of the relay)
- Synced account data (if you signed in): medications, tasks, check-ins, and activity summaries
The following data could NOT be affected by a breach of our infrastructure because we never have it:
- Your health data from Apple Health or Health Connect
- Photos of insurance cards or prescriptions
- Your app settings and preferences (stored only on your device)
4. Detection and Assessment
We monitor our systems for security issues. If we detect unauthorized access or a potential breach, our team immediately:
- Assesses the scope of the incident
- Identifies what data or systems were affected
- Begins containment to prevent further unauthorized access
- Preserves evidence for investigation
5. Immediate Response (First 24 Hours)
- Contain the breach and secure affected systems
- Determine what data was accessed
- Identify whether any users could be affected
- Rotate any compromised credentials (API keys, service accounts)
- Begin forensic investigation
6. User Notification
If a security incident could affect you, we will notify you within 72 hours through our website and in-app notification. We will explain:
- What happened and when
- What data was affected
- What we have done to fix it
- Steps you should take to protect yourself (if any)
- How to contact us with questions
Note: Because SteadiDay does not require an account and we do not have your email address (unless you submitted our website contact form), our primary notification method is through the app itself and our website. We recommend checking steadiday.com/security.html periodically or following our updates.
7. Health Data Protection
Health data accessed through Apple Health (iOS) or Health Connect (Android) is stored locally on your device and protected by your operating system's security architecture.
In the event of a breach of our infrastructure, your Apple Health data remains secure on your device because it is never transmitted to or stored on our servers. This includes steps, heart rate, sleep data, exercise minutes, and any other health metrics from your device's health platform.
8. Your Steps After an Incident
If we notify you of an incident:
- If you have an account: Change your password immediately. We may also force a password reset for all affected accounts.
- If you submitted our website contact form: Be alert for phishing emails that reference SteadiDay or appear to come from us. We will never ask you for passwords, payment information, or personal data via email.
- If the SMS relay was compromised: We would immediately disable and re-secure the relay service. You may want to verify your trusted contacts are correct in the app.
- Update the app: Install any available updates, as they may contain security fixes.
- Contact us: If you notice anything unusual, reach out through the Feedback feature in Settings.
9. Law Enforcement and Regulators
For serious breaches, we will notify law enforcement and relevant regulatory authorities as required by law. We cooperate fully with investigations to identify and prosecute attackers.
10. Prevention Measures
After any incident, we review and improve our security measures. We conduct post-incident analysis, update security protocols, and implement additional safeguards to prevent future breaches.
Our ongoing security practices include:
- On-device data architecture that minimizes what we store
- Encrypted communications for any data that does leave the device (emergency SMS relay)
- Regular review of third-party service configurations
- Minimal data collection philosophy — we only collect what we need
11. Questions or Concerns
If you believe you've received a suspicious message claiming to be from SteadiDay, or if you have any security concerns, contact us immediately through the Feedback feature in the app or through our website contact form.