Recovery Record: Eating Disorder Management
Mental Health Apps Mental Disorder Apps Mood Trackers Peer Support

Recovery Record: Eating Disorder Management

Recovery Record, Inc
Wi-Fi

Review date: April 25, 2023

|
Mozilla researched 18 hours
|

Mozilla says

|
People voted: A little creepy

Recovery Record makes two separate apps to help people manage eating disorders. The first is targeted at patients and is free to download and use. Called Recovery Record: Eating Disorder Management, this apps helps users keep track of their meals, create customized meal plans and eating schedules, send and receive anonymous encouraging messages with other users, and share their recovery journey with their treatment team.

The second app, called Recovery Record for Clinicians, is designed to let eating disorder treatment professionals engage with their patients between visits to help keep them on track in their recovery. The app for clinicians requires a subscription, costing between $9 - $80. How do these apps look from a privacy perspective? They have improved since we first reviewed them in 2022 and that is something good to see.

What could happen if something goes wrong?

First reviewed April 20, 2022. Review updated, April 25, 2023

Credit where credit is due, Recovery Record has improved since last year and we are happy to recognized them for that. When we first published our review of Recovery Record in 2022, users could sign in using the weak password "111111", we couldn't determine if they used encryption or had a way to manage security vulnerabilities, and their privacy policy raised a number of concerns for us. After publishing our review, Recovery Record reached out to us and worked to better their password requirement to now require a strong password, clarified their use of encryption and how they manage security vulnerabilities, so we can now confirm they meet our Minimum Security Standards.

They updated and clarified some parts of their privacy policy as well. It is still a pretty vague privacy policy with language that leaves too many things up in the air for our tastes. But, it also seems like Recovery Record does an OK job with privacy and doesn't share much data for targeted advertising purposes, which is good.

We appreciate that Recovery Record was willing to reach out and work to improve the security practices of their app. We still have a few concerns based on their privacy policy, but Recovery Record is better than they were in 2023 and that is a good thing indeed.

Read our review from 2022:

Recovery Record can collect a fair amount of personal and usage data, including name, age, gender, city/town, and email address. They also say "clinicians and support persons involved in your care may provide us information, including protected health information, about you." They do say US HIPAA privacy laws requires them "to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of this information." This is a fine line it seems many mental health apps walk -- the line between the privacy protections therapists are required to follow under HIPAA laws and the current data economy apps operate under that leads to the collection of personal information to provide and market their paid services.

Recovery Record also may collect anonymized or aggregate data and "use it for any purpose." That's a pretty broad statement. Especially because it's been shown to be pretty easy to re-identify user data.

Another line from Recovery Record's privacy policy that leaves us just a little worried "From time to time, we may desire to use information about you for uses not previously disclosed in this Privacy Policy. If our practices change regarding previously collected information in a way that would be materially less restrictive than stated in the version of this Privacy Policy in effect at the time we collected the information, we will make reasonable efforts to provide notice and obtain consent to any such uses as may be required by law." All that sounds like it could be fine. However, as The Verge pointed out, mental health apps can change their privacy policies at any time and they don't always make a lot of effort to let users know when their privacy practices have changed. Hopefully Recovery Record will ensure all users know when and if their privacy policy changes.

We'll end with one more statement from Recovery Record's privacy policy that serves as a warning for everything shared on the internet, "Unfortunately, the Internet and mobile networks over which our Services are delivered cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. We do not accept liability for unintentional disclosure. " What's the worst that could happen. Well, we worry that your very sensitive eating disorder information could wind up in the hands of someone you really don't want to have that information and that doesn't sound healthy at all. Hopefully that will never happen.

Tips to protect yourself

  • Choose a strong password! You may use a password control tool like 1Password, KeePass etc
  • Do not use social media plug-ins.
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
  • Keep your app regularly updated
  • Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
  • When starting a sign-up, do not agree to tracking of your data if possible.
  • mobile

Can it snoop on me? information

Camera

Device: N/A

App: Yes

Microphone

Device: N/A

App: No

Tracks location

Device: N/A

App: No

What can be used to sign up?

What data does the company collect?

How does the company use this data?

"We do not rent, sell, or share information about you with other people or non affiliated companies for their direct marketing purposes."

"We use the information we collect about and from you for a number of purposes, including: providing, supporting, and improving the services we offer, analyzing how you use the Services, and better tailoring features"

"Except as otherwise described in this Privacy Policy, we will not disclose information that we collect about you on the Services to third parties without your consent. In addition, to the extent permitted by applicable law, we may de-identify your information and process it in an anonymous and/or aggregated form. For example, we may share anonymous and aggregated reports on user demographics, service performance and traffic patterns with third parties."

"If your account is linked to the clinicians' organizations, the organizations may see information, including protected health information, about you. Linked organizations may use the information available through the Services for medical diagnosis, treatment, and general analysis reporting purposes. An organization will not be able to view any message like text such as clinician messages, team chat messages, linking messages."

How can you control your data?

We ding this product for no clear retention policy.

According to the company representative, the data is retained "until patient requests their data deleted. We often have people who reuse the product after 5+ years."

You can delete your data in the app or via email.

"If you would like to update or correct any information that you have provided to us through your use of the Services or otherwise, you may use the functionality of the Services to change or delete such information. If such functionality is insufficient or if you have any questions regarding our privacy practices, please send an email to [email protected]. "

What is the company’s known track record of protecting users’ data?

Average

No known privacy or security incidents discovered in the last 3 years.

Child Privacy Information

"We do not knowingly collect, maintain, or use personal information from children under 13 years of age, and no part of the Services are directed to children under the age of 13. If you learn that your child has provided us with information, you may alert us at [email protected]. If we learn that we have collected any information from children under 13, we will promptly take steps to delete such information and terminate the child's account."

Can this product be used offline?

No

User-friendly privacy information?

No

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

Data is encrypted in transit (TLS). PHI and PII are encrypted in the database (AES). A KMS is used to manage keys. EBS (disks) partitions are encrypted. Backups are encrypted.

Strong password

Yes

When we first reviewed Recovery Record, the weak password "11111111" is allowed. Since we published our review, Recovery Record has updated their password requirements to now require a strong password which we love to see.

Security updates

Yes

Manages vulnerabilities

Yes

While Recovery Record doesn't have a bug bounty program, they do say they have policies and procedures that have been reviewed by third party assessors as part of the HITRUST certification process. Anyone can contact them through https://www.recoveryrecord.com/contact to report a security vulnerability.

Privacy policy

Yes

Does the product use AI? information

No

*privacy not included

Dive Deeper

Comments

Got a comment? Let us hear it.