Wellnest

Posted on • Originally published at wellnestapp.app

Where Does Your Medication Data Actually Go? The Case for Local-First Architecture

Most health apps function as cloud-first systems, where your data traverses a chain of third-party vendors, analytics SDKs, and notification relays. Wellnest takes a different path: local-first architecture that keeps your records on your device.

Key takeaway: Most health apps function as "cloud-first" systems, where your data traverses a complex chain of third-party vendors, analytics SDKs, and notification relays. Wellnest utilizes a local-first architecture: your medication records, adherence patterns, and health history never leave your device. Optional features like anonymous usage analytics send only non-health metadata—never medication names, dosages, or schedules. We prioritize "data minimization" over "cloud convenience."
When you enter a pill into a typical medication tracker, you are not just saving a note. In a standard architecture, that single action initiates a data chain that touches more systems than most people expect.

The Anatomy of a "Cloud-First" Data Leak

The Typical Data Flow Chain

  1. The Auth Provider (e.g., Firebase/Auth0): Records when you log in and links your identity to a unique ID.
  2. The Cloud Database (e.g., AWS/GCP): Stores your medication list, dosages, and refill dates.
  3. Third-Party Analytics SDKs (e.g., Mixpanel/Segment): Record the event ("User added Metformin") to help the team track "feature engagement." The problem is not analytics itself—it is that health data flows through third-party vendors who set their own retention and access policies.
  4. Push Notification Services (APNs/FCM): To send you a reminder, the app must often send the medication name or a "trigger" to a third-party server.
  5. Crash Reporting (e.g., Sentry/Crashlytics): If the app crashes, a "snapshot" of the app's state—which might include local variables containing drug names—is sent to a developer dashboard.
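To make the difference between steps 3 and 5 and a data-minimized design concrete, here is an added example (not Wellnest's code; the record schema, key names and allowlist are assumptions). It contrasts the leaky "whole record plus a readable event string" payload with an allowlist-based event that carries only non-health metadata, and includes a check a team could run before any payload leaves the device.

```python
import json

# Constructed sample of an on-device record (hypothetical schema, not Wellnest's).
LOCAL_RECORD = {
    "medication": "Metformin",
    "dose_mg": 500,
    "schedule": ["08:00", "20:00"],
    "adherence_pct": 72,
    "feature": "add_medication",
    "app_version": "1.4.2",
    "platform": "ios",
}

# Only these keys may leave the device; everything else is treated as health data.
ANALYTICS_ALLOWLIST = frozenset({"feature", "app_version", "platform"})
HEALTH_KEYS = frozenset({"medication", "dose_mg", "schedule", "adherence_pct"})


def cloud_first_event(record):
    """The leaky pattern from the chain above: the full record and a readable
    event string are handed to a third-party analytics or crash-reporting SDK."""
    return {"event": f"User added {record['medication']}", **record}


def local_first_event(record):
    """Data-minimized event: copy out only allowlisted, non-health keys."""
    event = {k: v for k, v in record.items() if k in ANALYTICS_ALLOWLIST}
    event["event"] = "feature_used"
    return event


def _leaves(obj):
    """Yield every (key, value) leaf in a nested payload, so embedded or
    stringified health values are caught, not just top-level keys."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield (k, None)
            yield from _leaves(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _leaves(v)
    else:
        yield (None, obj)


def leaks_health_data(event, record):
    """Pre-send check: True if any health key or health value from the local
    record appears anywhere in the outbound payload."""
    health_values = [v for k, v in _leaves({k: record[k] for k in HEALTH_KEYS if k in record}) if k is None]
    for key, value in _leaves(event):
        if key in HEALTH_KEYS:
            return True
        if value is None:
            continue
        if value in health_values:
            return True
        if isinstance(value, str) and any(isinstance(h, str) and h in value for h in health_values):
            return True
    return False
```

Serializing with `json.dumps` before sending is still the point at which this check belongs; run it on the exact object the SDK will receive.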

The HIPAA Misconception

Many users assume "Health App = HIPAA Protected." This is a significant misunderstanding of US law. HIPAA only applies to "Covered Entities" (doctors, hospitals, insurers) and their business associates. Most consumer medication trackers are "Health & Wellness" apps, not medical providers. This means they are largely governed by their own Privacy Policy and the FTC's Health Breach Notification Rule, not the stringent federal audits of HIPAA.

Why Medication Data is a "High-Stakes" Asset

Medication lists are high-resolution proxies for your private life. They are not just "pills"—they are a map of your vulnerabilities.

  • Inferred Diagnoses: A prescription for Truvada implies HIV status or PrEP use. Lithium implies Bipolar Disorder. Methadone implies recovery from opioid use.
  • Adherence Patterns: Data showing a person consistently misses doses of blood pressure medication could, in theory, be used by insurers to argue "non-compliance" to justify higher premiums or denied claims.
  • Law Enforcement Subpoenas: In a post-Roe landscape, data regarding fertility treatments or abortifacients stored in a central cloud database is subject to legal discovery. Local-only data cannot be subpoenaed from a company that does not possess it.

The Local-First Difference: Architecture as Policy

At Wellnest, we believe the best way to keep a secret is to never know it. Architecture is policy.

The Local-First Tradeoff (An Honest Look)

Local-first is not a "superior" technology—it is a philosophical choice with real-world downsides:

  • The "Lost Phone" Problem: If you lose your device and have not performed a manual, encrypted export, your data is gone. We cannot "reset your password" to bring back your records because we never had them.
  • No Multi-Device Sync: You cannot currently start a fast on your iPhone and "check in" on your iPad without a manual data move.
  • Limited Caregiver Features: Sharing your adherence with a doctor requires you to physically show them the screen or export a PDF.

We follow the Signal Protocol model: security and privacy are built into the code, even if it makes the user experience slightly more "manual."

Regulatory Realities: What Protections Do You Actually Have?

  • GDPR (Right to Erasure): In the EU, you can ask a cloud app to delete your data. But you have to trust they actually purged every backup and analytics log. With Wellnest, deleting the app erases all health data instantly—it only existed on your device. For optional analytics or feedback data stored server-side, in-app "Delete My Data" buttons trigger immediate server-side deletion.
  • App Tracking Transparency (ATT): Apple's "Ask App Not to Track" stops apps from sharing your IDFA (ID for Advertisers), but it does not stop them from storing your health data on their own servers.
  • Google Health Connect: This allows apps to share data locally on the device, which is a step toward privacy, but many apps still "sync" that shared data to the cloud immediately.

5 Questions to Ask Any Health App

Before you type a single prescription into an app, look for these red flags:

| Question | The Wellnest Answer | The Red Flag Answer |
| --- | --- | --- |
| Do I need an account? | No. Start tracking immediately. | "Login with Facebook/Google required." |
| Where is data stored? | Health data: on-device only. Non-health analytics: first-party server, no third parties. | "Securely synced to our encrypted cloud." |
| Is analytics opt-in? | First-party only. Anonymous usage stats (no health data) are on by default with an opt-out toggle. Richer analytics require explicit opt-in. No third-party SDKs. | "We use data to improve your experience." |
| How is the app funded? | Direct-to-consumer (subscription/one-time). | No clear business model (often means data is the product). |
| Can I work offline? | 100% of core features work offline. | App won't load or "sync" without a connection. |

"Privacy-first" should not be a promise written in a 50-page legal document. It should be a byproduct of the app's code. Wellnest does collect some data—anonymous usage statistics that help us build a better app, and an optional feedback board. But the hard line is the one that matters most: your health history—medications, dosages, fasting sessions, adherence patterns—never leaves your device. We do not want the responsibility of holding it. We want you to have the tools to manage it yourself.