Data Breach Response Plan
Last Updated: May 21, 2026
1. Our Commitment
We take data security seriously and have procedures in place to respond quickly if any part of our infrastructure is ever compromised. This plan outlines what we would do and what you should know.
Important context: SteadiDay stores all your personal data — medications, tasks, contacts, health data, and settings — on your device, not on our servers. This means that a breach of our infrastructure would not expose your personal health information, medication details, or other app data. See Section 2 for details on what our infrastructure does and does not contain.
2. Our Architecture
Understanding what we do and don't have access to is important context for any security incident:
- We do NOT have: Your medications, tasks, contacts, health data, settings, or any personal content you enter in the app. This data is neither transmitted to nor stored on our servers. The one exception is alert delivery: when you trigger SOS or a fall is detected, the alert text and the phone number of the trusted contact it is addressed to pass through the SMS relay described below so that the message can be sent.
- We do have: Anonymous analytics data (app open events tagged with randomly generated identifiers that are not tied to you), website contact form submissions (name, email, message), and the credentials for the emergency SMS relay service (Twilio) used to deliver SOS and fall detection alerts.
Because of this architecture, the scope of any potential breach is limited to the data and services described above, not your personal health or wellness information.
3. What Could Be Affected
In the event of a security incident involving our infrastructure, the following data could potentially be affected:
- Anonymous analytics data (cannot identify you)
- Website contact form submissions (name, email, message text)
- Emergency SMS relay configuration (Twilio API credentials). Stolen credentials would let an attacker send messages through our relay until they are rotated, for example fake alerts that appear to come from SteadiDay, and run up charges on the service.
The following data could NOT be affected by a breach of our infrastructure because we do not have it:
- Your medications, dosages, and schedules
- Your health data from Apple Health or Health Connect
- Your tasks, appointments, and daily routines
- Your trusted contacts and emergency contact information
- Your food, water, and wellness logs
- Your app settings and preferences
4. Detection and Assessment
We monitor our systems for security issues. If we detect unauthorized access or a potential breach, our team immediately:
- Assesses the scope of the incident
- Identifies what data or systems were affected
- Begins containment to prevent further unauthorized access
- Preserves evidence for investigation
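The relay is the one externally reachable component in this architecture, so it is the natural thing to watch. The script below is an added example of what an offline audit of the relay's message log could look like; it is not SteadiDay's own monitoring code. The record format is constructed for the example (loosely modelled on an SMS provider's message log), and the sender number, allowed regions, alert wording and burst thresholds are assumptions that a deployment would replace with its own values.

```python
"""Offline audit of SMS-relay message records for signs of unauthorized use.

Added example for this page: not SteadiDay's monitoring code. The record
format is constructed, and the sender number, allowed regions, alert wording
and thresholds below are assumptions.
"""
from datetime import datetime, timedelta

# Expected relay behaviour (assumed values, not SteadiDay's real configuration).
EXPECTED_SENDER = "+15550100001"           # the only number the relay should send from
ALLOWED_PREFIXES = ("+1",)                 # regions the app is deployed in
ALERT_MARKERS = ("SOS", "FALL DETECTED")   # every legitimate alert body contains one
BURST_LIMIT = 5                            # more sends than this inside BURST_WINDOW is suspicious
BURST_WINDOW = timedelta(minutes=10)


def parse_record(rec):
    """Normalise one constructed log record into the fields the audit needs."""
    return {
        "sid": rec["sid"],
        "from": rec["from"],
        "to": rec["to"],
        "body": rec["body"],
        "sent": datetime.fromisoformat(rec["date_sent"]),
    }


def audit_relay_log(records):
    """Return a list of (sid, reason) findings for messages that deviate from the
    relay's expected use. An empty list means the batch looked like normal alerts."""
    msgs = sorted((parse_record(r) for r in records), key=lambda m: m["sent"])
    findings = []

    # Per-message checks: who sent it, where it went, and whether it reads like an alert.
    for m in msgs:
        if m["from"] != EXPECTED_SENDER:
            findings.append((m["sid"], f"unexpected sender {m['from']}"))
        if not m["to"].startswith(ALLOWED_PREFIXES):
            findings.append((m["sid"], f"destination outside allowed regions: {m['to']}"))
        if not any(marker in m["body"].upper() for marker in ALERT_MARKERS):
            findings.append((m["sid"], "body does not read like an SOS/fall alert"))

    # Volume check: a real emergency produces a handful of messages (one per trusted
    # contact); a stolen credential used for spam or toll fraud produces many in a
    # short time. Sliding window over send times, reported once per burst.
    window_start = 0
    in_burst = False
    for i, m in enumerate(msgs):
        while m["sent"] - msgs[window_start]["sent"] > BURST_WINDOW:
            window_start += 1
        count = i - window_start + 1
        if count > BURST_LIMIT and not in_burst:
            findings.append((m["sid"], f"{count} messages within {BURST_WINDOW}"))
            in_burst = True
        elif count <= BURST_LIMIT:
            in_burst = False
    return findings


def flagged_sids(findings):
    """The distinct message ids that produced at least one finding, in order."""
    return sorted({sid for sid, _ in findings})


# Constructed sample log. Three genuine alerts, then the pattern a leaked
# credential tends to produce: a burst of unrelated text to foreign numbers,
# followed by a message from a sender number that was never ours.
SAMPLE_LOG = [
    {"sid": "SM001", "from": "+15550100001", "to": "+15550100201",
     "body": "SOS alert from Alice via SteadiDay. Please check on her.",
     "date_sent": "2026-05-20T14:02:10"},
    {"sid": "SM002", "from": "+15550100001", "to": "+15550100202",
     "body": "SOS alert from Alice via SteadiDay. Please check on her.",
     "date_sent": "2026-05-20T14:02:11"},
    {"sid": "SM003", "from": "+15550100001", "to": "+15550100201",
     "body": "Fall detected for Alice via SteadiDay.",
     "date_sent": "2026-05-20T15:10:42"},
]
SAMPLE_LOG += [
    {"sid": f"SM{n:03d}", "from": "+15550100001", "to": f"+4477009000{n:02d}",
     "body": "Your parcel is waiting, confirm at http://example.invalid",
     "date_sent": f"2026-05-21T03:{n:02d}:00"}
    for n in range(4, 11)
]
SAMPLE_LOG.append(
    {"sid": "SM011", "from": "+15550100099", "to": "+15550100301",
     "body": "SOS test", "date_sent": "2026-05-21T03:25:00"}
)

if __name__ == "__main__":
    for sid, reason in audit_relay_log(SAMPLE_LOG):
        print(f"{sid}: {reason}")
```

Run against the constructed log, the three genuine alerts produce no findings, while every message in the burst is flagged twice (foreign destination and non-alert body), the sixth message in ten minutes trips the volume check, and the final message is caught only by the sender check. Each check catches a different abuse pattern, which is why all four are cheap enough to keep even when the others rarely fire.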
5. Immediate Response (First 24 Hours)
- Contain the breach and secure affected systems
- Determine what data was accessed
- Identify whether any users could be affected
- Rotate any compromised credentials (API keys, service accounts)
- Begin forensic investigation
6. User Notification
If a security incident could affect you, we will notify you within 72 hours of confirming it, through our website and an in-app notification. We will explain:
- What happened and when
- What data was affected
- What we have done to fix it
- Steps you should take to protect yourself (if any)
- How to contact us with questions
Note: Because SteadiDay does not require an account and we do not have your email address (unless you submitted our website contact form), our primary notification method is through the app itself and our website. We recommend checking steadiday.com/security.html periodically or following our updates.
7. Health Data Protection
Health data accessed through Apple Health (iOS) or Health Connect (Android) is stored locally on your device and protected by your operating system's security architecture.
In the event of a breach of our infrastructure, your health data remains secure on your device because it was never transmitted to or stored on our servers. This includes steps, heart rate, sleep data, exercise minutes, and any other health metrics synced from your device's health platform.
8. Your Steps After an Incident
Because SteadiDay does not use accounts or passwords, the typical breach response steps (changing passwords, enabling two-factor authentication) do not apply. However, if we notify you of an incident:
- If you submitted our website contact form: Be alert for phishing emails that reference SteadiDay or appear to come from us. We will never ask you for passwords, payment information, or personal data via email.
- If the SMS relay was compromised: We would immediately disable the relay service, rotate its credentials, and re-secure it. While the relay is disabled, SOS and fall detection alerts that depend on it cannot be delivered, so make sure you have another way to reach help until it is restored. Because an attacker holding the relay credentials could send messages that appear to come from SteadiDay, let your trusted contacts know that any unexpected alert text from that period should be confirmed with you directly. You may also want to verify your trusted contacts are correct in the app.
- Update the app: Install any available updates, as they may contain security fixes.
- Contact us: If you notice anything unusual, reach out through the Feedback feature in Settings.
9. Law Enforcement and Regulators
For serious breaches, we will notify law enforcement and relevant regulatory authorities as required by law. We cooperate fully with investigations to identify and prosecute attackers.
10. Prevention Measures
After any incident, we review and improve our security measures. We conduct post-incident analysis, update security protocols, and implement additional safeguards to prevent future breaches.
Our ongoing security practices include:
- On-device data architecture that minimizes what we store
- Encrypted (HTTPS) connections for any data that does leave the device, namely the request from the app to the emergency SMS relay. Note that the SMS your contact receives is carried by the mobile network like any other text message and is not encrypted end to end.
- Regular review of third-party service configurations
- Minimal data collection philosophy — we only collect what we need
11. Questions or Concerns
If you believe you've received a suspicious message claiming to be from SteadiDay, or if you have any security concerns, contact us immediately through the Feedback feature in the app or through our website contact form.