Warning: *privacy not included with this product
Recovery Record: Eating Disorder Management
Recovery Record makes two separate apps to help people manage eating disorders. The first is targeted at patients and is free to download and use. Called Recovery Record: Eating Disorder Management, this app helps users keep track of their meals, create customized meal plans and eating schedules, send and receive anonymous encouraging messages with other users, and share their recovery journey with their treatment team.
The second app, called Recovery Record for Clinicians, is designed to let eating disorder treatment professionals engage with their patients between visits to help keep them on track in their recovery. The app for clinicians requires a subscription, costing between $9 and $80.
What could happen if something goes wrong?
Recovery Record can collect a fair amount of personal and usage data, including name, age, gender, city/town, and email address. They also say "clinicians and support persons involved in your care may provide us information, including protected health information, about you." They do say US HIPAA privacy law requires them "to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of this information." This is a fine line many mental health apps seem to walk -- the line between the privacy protections therapists are required to follow under HIPAA and the current data economy apps operate under, which leads to the collection of personal information to provide and market their paid services.
Recovery Record also may collect anonymized or aggregate data and "use it for any purpose." That's a pretty broad statement, especially since it has been shown again and again that supposedly anonymized user data can be re-identified.
Tips to protect yourself
- Do not provide consent for sharing personal data with third parties, whenever possible.
What data does the company collect?
Email, name, age, gender, city/town
Clinicians and support persons involved in your care may provide information, including protected health information, about you.
What is the company’s known track record of protecting users’ data?
No known privacy or security incidents discovered in the last 3 years.
Does this product meet our Minimum Security Standards?
Data is encrypted in transit (TLS). PHI and PII are encrypted in the database (AES). A KMS is used to manage keys. EBS (disks) partitions are encrypted. Backups are encrypted.
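The controls listed above (AES on PHI/PII in the database, a KMS to manage the keys) describe envelope encryption: each record gets its own data key, that key is wrapped by a master key the KMS never hands out, and the application stores the wrapped key next to the ciphertext. The following is an added example written for this page, not Recovery Record's code; the in-process KMS stand-in, the record layout, the "record:<id>" context string and the sample meal-log text are all assumptions. It also shows the check a reviewer would want: the record ID is bound into the AES-GCM tag, so pasting one patient's ciphertext into another patient's row fails to decrypt instead of silently showing the wrong person's data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one stored patient row (assumed layout). The PHI field exists
// only as ciphertext, next to the per-record data key wrapped by the KMS.
type Record struct {
	ID         string
	WrappedDEK []byte // data encryption key, encrypted under the KMS master key
	PHI        []byte // nonce || AES-256-GCM ciphertext of the field
}

// KMS is a hypothetical in-process stand-in for a managed key service: it
// holds the master key and only wraps and unwraps data keys; the PHI itself
// never reaches it.
type KMS struct{ master []byte }

func NewKMS() (*KMS, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KMS{master: k}, nil
}

// aeadSeal encrypts with AES-256-GCM under a fresh random nonce and binds aad
// into the authentication tag, returning nonce || ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// aeadOpen reverses aeadSeal; any change to key, nonce, ciphertext or aad
// makes it return an error rather than plaintext.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// GenerateDataKey returns a fresh 256-bit DEK in plaintext (use it, then
// discard it) together with the same key wrapped under the master key.
func (k *KMS) GenerateDataKey(context []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = aeadSeal(k.master, plain, context)
	return plain, wrapped, err
}

// Unwrap recovers a DEK; the context must match the one used at wrap time.
func (k *KMS) Unwrap(wrapped, context []byte) ([]byte, error) {
	return aeadOpen(k.master, wrapped, context)
}

// EncryptRecord envelope-encrypts one PHI field, binding the record ID into
// both the KMS wrap and the field ciphertext.
func EncryptRecord(k *KMS, id string, phi []byte) (Record, error) {
	ctx := []byte("record:" + id)
	dek, wrapped, err := k.GenerateDataKey(ctx)
	if err != nil {
		return Record{}, err
	}
	ct, err := aeadSeal(dek, phi, ctx)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, PHI: ct}, nil
}

func DecryptRecord(k *KMS, r Record) ([]byte, error) {
	ctx := []byte("record:" + r.ID)
	dek, err := k.Unwrap(r.WrappedDEK, ctx)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, r.PHI, ctx)
}

func main() {
	k, _ := NewKMS()
	// Constructed sample data, not real patient records.
	a, _ := EncryptRecord(k, "patient-001", []byte("meal log: skipped breakfast"))
	b, _ := EncryptRecord(k, "patient-002", []byte("meal log: full plan followed"))
	pt, err := DecryptRecord(k, a)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	a.PHI = b.PHI // cross-row tampering: other patient's ciphertext in this row
	_, err = DecryptRecord(k, a)
	fmt.Println("swapped ciphertext rejected:", err != nil)
}
```

Disk (EBS) and backup encryption, also listed above, protect against a lost volume or snapshot but not against a compromised application or database account; the per-field layer is what limits what such an account can read, and the KMS audit trail is where unwrap calls show up.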
When we first reviewed Recovery Record, the weak password "11111111" was allowed. Since we published our review, Recovery Record has updated their password requirements to now require a strong password, which we love to see.
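Recovery Record's actual password rules are not published on this page, so as an added example (not their code; the 12-character minimum, the tiny blocklist and the pattern checks are assumptions) here is the kind of check that rejects "11111111" without resorting to composition rules. A minimum length, a breached-password blocklist and a test for trivial patterns (one repeated character, a straight run of sequential characters) catch this class of password; the list of violations is returned so the sign-up form can tell the user why.

```go
package main

import (
	"fmt"
	"strings"
)

// blocklist is a constructed stand-in for a breached-password corpus; a real
// deployment would query a full list (for example via a k-anonymity lookup).
var blocklist = map[string]struct{}{
	"11111111": {}, "12345678": {}, "password": {}, "password1": {},
	"qwertyuiop": {}, "iloveyou": {}, "letmein": {},
}

// allSame reports whether every character is identical, as in "11111111".
func allSame(r []rune) bool {
	for _, c := range r[1:] {
		if c != r[0] {
			return false
		}
	}
	return true
}

// sequential reports whether each character is exactly one code point above
// (or each one below) the previous, as in "abcdefghijkl" or "zyxwvutsrqpo".
func sequential(r []rune) bool {
	if len(r) < 2 {
		return false
	}
	step := r[1] - r[0]
	if step != 1 && step != -1 {
		return false
	}
	for i := 2; i < len(r); i++ {
		if r[i]-r[i-1] != step {
			return false
		}
	}
	return true
}

// CheckPassword returns the policy violations for pw; an empty result means
// the password is accepted. Thresholds here are assumptions, not the app's.
func CheckPassword(pw string) []string {
	var problems []string
	r := []rune(pw)
	if len(r) < 12 {
		problems = append(problems, "shorter than 12 characters")
	}
	if _, bad := blocklist[strings.ToLower(pw)]; bad {
		problems = append(problems, "found in breached-password list")
	}
	if len(r) > 0 && allSame(r) {
		problems = append(problems, "single repeated character")
	}
	if sequential(r) {
		problems = append(problems, "sequential characters")
	}
	return problems
}

func main() {
	// Constructed sample inputs.
	for _, pw := range []string{"11111111", "abcdefghijkl", "skipped-Breakfast-log-2024"} {
		fmt.Printf("%q -> %v\n", pw, CheckPassword(pw))
	}
}
```

Checking length and a breached list rather than demanding "one uppercase, one symbol" follows NIST SP 800-63B's guidance; composition rules would still have let "Aaaaaaaa1!" through while blocking nothing of value.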
While Recovery Record doesn't have a bug bounty program, they do say they have policies and procedures that have been reviewed by third party assessors as part of the HITRUST certification process. Anyone can contact them through https://www.recoveryrecord.com/contact to report a security vulnerability.