FacilityLog Privacy Policy

Effective date: 2026-05-16 · Last updated: 2026-05-16

Short version: FacilityLog stores your facility audit archive — facility records, incidents, call logs, billing disputes, care plan meetings, photo evidence, and attached documents — on your iPhone only. Nothing leaves your device. We have no servers and no analytics. The only network communication the app performs is with Apple's StoreKit servers (subscription verification). To protect your archive against device loss, back up your iPhone to iCloud or Finder regularly — Apple's standard device backup includes FacilityLog's records.

1. Who we are

FacilityLog is published by an independent iOS developer (Apple Developer Team ID ZM8LF8494F). For any privacy-related question, write to captainlongevity@gmail.com.

2. Information we do not collect

We do not collect, transmit to our servers, store on a server we operate, sell, share, or analyze:

The names, NPI numbers, state license numbers, addresses, or administrator names of any long-term-care facility you log
The name, date of birth, diagnoses, move-in date, move-out date, monthly fee, care level, or POA type of any resident you log
Incident records, including incident type, severity, description, witnesses, staff names, F-tag references, state Bill of Rights references, photo evidence, or resolution status
Call log records, including direction, duration, hold time, contact name, role, purpose, outcome, or key quotes
Billing dispute records, including bill amounts, disputed amounts, dispute categories, submission destinations, or refund amounts
Care plan meeting records, including attendees, goals set, family concerns raised, or facility responses
Document attachments (admission contracts, marketing materials, care plans, monthly statements, EOBs, survey reports, ombudsman letters, provider letters, hospital records, police reports, APS reports, audio recordings)
Your name, email, phone, address, or any account identifier
Device identifiers (IDFA, IDFV) for advertising or tracking purposes
Location data
Crash reports or analytics events sent to any third party

We have no servers. The fields above never reach us.

3. No data sharing with facility chains, government agencies, or advocacy organizations

FacilityLog does not share any records with nursing home chains (Brookdale, Sunrise, Atria, Five Star, Genesis HealthCare, Ensign, or any other), assisted living operators, memory care providers, CMS, HHS, state Long-Term Care Ombudsman programs, AARP, the National Consumer Voice for Quality Long-Term Care, the American Health Care Association, LeadingAge, state survey agencies, Adult Protective Services, law enforcement, or any government, advocacy, or research database. There is no advertising SDK, no analytics SDK, and no marketing-data partnership in the app. If a future release ever introduces any such integration, it will be strictly opt-in, with a clear in-app notice before any record leaves your device.

4. Information stored on your device

All archive data you enter is stored locally on your iOS device using Apple's SwiftData framework. This data is included in your iCloud or Finder device backup if you have device backup enabled.

5. On-device processing

Several features process data locally on your device only:

Document scanning uses Apple's VisionKit on-device. Scanned images of admission contracts, billing statements, EOBs, or ombudsman letters never leave your phone.
PDF report generation uses Apple's PDFKit on-device. No archive content is transmitted during generation. The Ombudsman Complaint Pack, State AG Complaint Pack, State Survey / CMS Complaint Pack, Civil Litigation Evidence Pack, and Care Plan vs Reality Audit Report are all built from your local records and rendered on-device.
App Lock uses Apple's LocalAuthentication framework. Your Face ID or Touch ID biometric data never leaves Apple's Secure Enclave; the app only receives a success or failure signal.
Incident, care plan meeting, and bill dispute reminders are scheduled via Apple's UserNotifications framework and fire locally on your device. No remote push servers are involved.

5a. Device backup is your archive's lifeline

FacilityLog stores all records on your iPhone only. The app does not use iCloud sync, CloudKit, or any cloud storage of its own. If you lose your phone and have no backup, your archive is gone.

To protect against device loss:

Keep iCloud Backup on (iOS Settings > [your name] > iCloud > iCloud Backup). When enabled, Apple includes FacilityLog's SwiftData store in your nightly encrypted device backup, and a new-iPhone restore recovers your archive automatically.
Alternatively, back up to iTunes / Finder on a Mac or PC. FacilityLog's records travel with the device backup.
Pro users can also export the entire archive as a JSON file via Settings > Privacy and Backup > Export Archive Now, save it to Files, email it to yourself, or copy it to a USB drive for an additional offline copy.

We have no servers and cannot retrieve your records for you. Apple's device backup is the canonical recovery path.

6. Family archive sharing and InfusionLog schema coordination (Pro)

Pro users can export a read-only version of the FacilityLog archive as a JSON file for sharing with up to three family members (siblings, spouse, friend) through your own iCloud Drive shared folder. The read-only archive contains record metadata only - raw photo bytes are NOT exported, only filenames and EXIF dates. File transfer is performed by iOS Files and iCloud Drive under your Apple ID; FacilityLog does not transmit the file to any server. Pro users can also exchange a JSON file (filename extension .facilitylog-infusionlog) with InfusionLog representing provider audit history, for two-way coordination. Each JSON file is generated on your device and exchanged via the iOS Share Sheet or Files app, never via a remote server. InfusionLog is a separate application with its own privacy policy; we do not receive any data exchanged between the apps.

7. Subscriptions and StoreKit

FacilityLog offers an optional Pro subscription (Monthly, Annual, or Lifetime one-time) via Apple's StoreKit 2. When you subscribe, restore a purchase, or when the app verifies your entitlement, your device communicates directly with Apple's servers. FacilityLog receives only the entitlement status (active or inactive) and a purchase identifier. We do not see your Apple ID, payment method, billing address, or transaction history. Apple's handling of subscription information is governed by Apple's Privacy Policy.

8. Permissions the app requests

Camera — only when you tap "Scan document" on a facility document or "Take photo" on an incident.
Photo Library — only when you tap "Import photo" or "Import document".
Face ID — only after you enable App Lock in Settings.
Notifications — only after you enable open-incident, care-plan-meeting, or bill-dispute reminders.

You can revoke any of these permissions at any time in iOS Settings > FacilityLog.

9. No AI, no automatic abuse detection, no mandatory reporting

FacilityLog does not predict facility-quality outcomes, recommend complaints, detect abuse patterns, calculate official severity scores, generate ombudsman or attorney letters, or perform any artificial-intelligence analysis on your archive. Incident types and severity ratings you record are your own characterizations and are stored as text and category tags without further processing. Many U.S. states have mandatory reporter laws requiring certain individuals to report suspected elder abuse, neglect, or exploitation to Adult Protective Services or law enforcement. FacilityLog does not report on your behalf to APS, law enforcement, CMS, state survey agencies, or any other authority. Whether and when to report is your decision and may be legally required in your state — consult an elder-law attorney or your state Long-Term Care Ombudsman for guidance.

10. Children's privacy

FacilityLog is not directed to children under 13. The records typically logged in the app describe care provided to adult or elderly residents. We do not knowingly collect any information from anyone, including children. The app's age rating reflects this.

11. Data retention and deletion

You control retention completely. Records you delete in the app are permanently removed from your device immediately upon confirmation — FacilityLog uses hard delete with a mandatory confirmation alert, and there is no Recently Deleted recovery. Before deleting, you can export a JSON backup (Pro) so a copy survives elsewhere. To remove every trace of your archive: delete the app from your device. There is no remote copy on our servers for us to delete because we do not have servers. If you have an iCloud device backup, that backup may contain prior versions of the FacilityLog store — you can manage iCloud device backups via iOS Settings > [your name] > iCloud > Manage Account Storage.

12. International users

The app is published in English and is primarily marketed in North America. Because we operate no servers, we do not transfer your data internationally.

13. Changes to this policy

If we ever change how the app handles data, we will update this policy and surface the change in the app before you can use the affected feature. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact

Privacy questions: captainlongevity@gmail.com