SteriLog · Privacy Policy
Effective date: June 4, 2026
1. Who we are
Handler Labs LLC ("Handler Labs," "we," "us," or "our") is an independent iOS software studio. SteriLog is a digital sterilization and sanitation compliance logbook for professional body-art and personal-care businesses. You can reach us at [email protected].
The records you create in the app stay on your device and in your own private Apple iCloud account. We operate no server, no database, and no account system, and we cannot see, access, or retrieve those records. Apple provides the iCloud and CloudKit storage as part of your own Apple account; to the limited extent Apple processes that data on our behalf through CloudKit, it does so as our processor under Apple's data-processing terms. Because the records are entered, controlled, and stored by you (the business), you are the controller of that information, including any client information you choose to record.
2. Our privacy principle
Your logbook lives in your iCloud account. We cannot see it, access it, sell it, or share it.
Every record you log is stored on your device and in your private Apple CloudKit database — the same infrastructure Apple uses for your own iCloud data. Handler Labs has no technical means of accessing your records.
3. What data the app stores
The app stores the information you choose to enter, on your device and in your private iCloud. Depending on how you use it, this can include:
- Business profile: business name, address, state, license or permit numbers, an optional logo image, and your stated setup goal.
- Staff records: operator/artist names, roles, and bloodborne-pathogen (BBP) training and expiry dates.
- Compliance records: entries such as spore/biological tests, autoclave cycles, disinfection logs, sharps and incident records — including the operator name, date/time, your notes, and the record-specific fields for each entry.
- Signatures and photos: a captured signature image and/or a photo you attach (for example, a lab report, certificate, or consent form).
- Client consent records (where the app offers them): the information you enter for a procedure, which may include a client name, the consent date, the procedure and body area, single-use needle/cartridge and ink/pigment lot numbers, and a client signature.
- Document vault: files you upload (such as a license, certificate, exposure-control plan, safety data sheet, or insurance document) with optional expiry/review dates and notes.
- Audit trail: a tamper-evident history of edits. Each edit stores a timestamp, a short summary, a SHA-256 chain value, and an author identifier. The author identifier is your iCloud user record name when you are signed into iCloud, or otherwise a random per-installation identifier generated on your device. It is not your name, email, or Apple ID.
All of this is stored with iOS Data Protection (encrypted at rest when your device is locked) and, in the App Store build, synced through your private CloudKit database. Only devices signed in with your Apple Account can access it.
4. Multi-user sharing (optional)
If you subscribe to a plan that supports multiple artists or locations, you can choose to share a shop's logbook with other people's iCloud accounts using Apple's CloudKit Sharing. When you do, the people you invite can read and (if you grant it) write to that shop's records through Apple's iCloud. Sharing happens entirely between your Apple account and the accounts you invite — Handler Labs is not a party to it and still cannot access the data. You control who is invited and can change a person's permission or remove their access at any time from within the app. Sharing is governed by Apple's iCloud terms.
5. What we do not collect
- No Handler Labs account or registration — there is no account system.
- No names, email addresses, or contact information sent to us.
- No device location (GPS) data — the app never uses Location Services.
- No advertising identifiers (IDFA) and no device fingerprinting.
- No access to your camera, contacts, or health data.
- We do not sell, rent, license, or share your personal information, and we do not use it for advertising or cross-context behavioral advertising — ever.
6. Analytics and tracking
This app contains no analytics, advertising, or tracking software. No usage or analytics data leaves your device, and we do not track you across apps or websites. (Your records still sync to your own private iCloud, as described above — that is your Apple account, not ours.) If we ever add analytics, we will update this policy and Apple's App Privacy information before that change ships.
7. Subscriptions and payments
The app is offered as an auto-renewing subscription with a free trial. All payments are processed by Apple through the App Store (Apple StoreKit + RevenueCat). We never receive or store your payment card, Apple Account credentials, or billing address.
We use RevenueCat, Inc. as our service provider to manage and verify subscription entitlements (that is, to confirm whether your subscription is active). Acting as our processor, RevenueCat receives a limited, app-generated anonymous identifier plus subscription and device information needed to validate purchases — for example, your App Store transaction/receipt information, subscription status, last-seen time, technical details such as device type and operating-system version, and an approximate country that RevenueCat infers from your IP address at the time of a transaction (it uses the IP address only to determine country and does not retain it). We do not send RevenueCat your name or email. RevenueCat processes this data under its own privacy commitments; see the RevenueCat Privacy Policy.
8. Third-party services and protection
The only third parties involved are Apple (iCloud/CloudKit storage and App Store payments) and RevenueCat (subscription verification). Each processes the limited data described above under its own privacy and security commitments, which provide protections equal to or greater than those described in this policy. See Apple's Privacy Policy and the RevenueCat Privacy Policy.
9. Permissions the app requests
- Photo library: only when you choose to attach a photo (such as a lab report, certificate, or consent form) to a record. The app accesses the photo you select; it does not browse or upload your library.
- Notifications: if you allow them, the app schedules local reminders on your device (for example, when a test is due or a document is expiring). These are generated on-device.
The app does not request access to your camera, microphone, location, contacts, or health data.
10. Export and sharing of your data
When you export an inspection PDF or a JSON backup, the file is created on your device and is shared only when and where you choose, using the standard iOS share sheet. Nothing is uploaded to us or sent anywhere automatically. You control every export.
11. Your control, retention, and deletion
- Edit or delete individual records at any time within the app.
- Delete everything at once: Settings → "Delete all data" permanently erases every record, document, and your shop profile from the device and, when iCloud sync is on, from your private iCloud database. This cannot be undone, so export a backup first if you might need it. (A shop that someone else shared with you is not affected — leave it from "Team & sharing" instead.)
- Retention is in your hands. The app can suggest how long to keep a record based on the rules you select and remind you when a record reaches the end of its suggested retention window, but it never deletes your records automatically. You decide what to keep and what to remove.
- Delete the app to remove its data from that device. To also remove the data from iCloud, use "Delete all data" first, or go to Settings → [your name] → iCloud → Manage Account Storage and remove the app's data there.
- Shared shops: the owner can remove a participant's access at any time from within the app.
- Requests: because we hold none of your records, deletion is entirely under your control. If you have a question about data we may control (such as subscription records held by our processor), email [email protected].
12. Security
Your data is protected by Apple's built-in security: iOS Data Protection encryption on the device, CloudKit private-database isolation, and the iOS App Sandbox. Because Handler Labs holds no server-side copy of your records, there is no central database of your data to breach on our side. In the unlikely event of a security incident affecting the limited subscription data we control, we will notify affected users and any required authority as the law requires.
13. Your privacy rights
Because your records remain in your own iCloud account under your control, you can exercise the core privacy rights directly within the app: access and portability (export a JSON backup), correction (edit a record), and deletion (delete individual records, or use Settings → Delete all data to remove everything from the app and your private iCloud). The app performs no automated decision-making or profiling. The only data we control is the limited subscription information handled by our processors, which may be processed in the United States by Apple and RevenueCat under their respective safeguards. To make a written request about that data, email [email protected].
U.S. state privacy rights. Handler Labs does not meet the revenue or volume thresholds that trigger the California Consumer Privacy Act (as amended) or other U.S. state privacy laws, and we do not sell or share personal information. For transparency, the only personal information any third party processes is commercial/transaction information and device identifiers handled by Apple (payments) and RevenueCat (subscription verification); we collect no sensitive personal information. Where state law applies, residents have the rights to know/access, delete, correct, opt out of the sale or sharing of personal information, limit the use of sensitive personal information, and not be discriminated against for exercising these rights. To exercise any of these, email [email protected].
14. Children's privacy
SteriLog is a professional business tool intended for use by adults (18 or older) operating licensed studios, salons, or shops. It is not directed to children, is not in the Apple Kids Category, and we do not knowingly collect personal information from children under 13 (or under 16 where applicable). If you believe a child has provided information through the app, contact us at [email protected] and we will address it.
15. App Privacy information (App Store label)
Apple requires every app to disclose the data it collects. The records, photos, signatures, and client information you enter are declared as Data Not Collected, because they never leave your device or your private iCloud and we never receive them. The limited subscription data handled through RevenueCat (such as purchase information, an anonymous identifier, and basic device/diagnostic information) is declared as collected and linked to that anonymous identifier, and is not used to track you. If any of this changes, we will update the App Privacy information before the change ships.
16. Changes to this policy
If we make material changes to this policy, we will update the effective date above and, where feasible, provide notice within the app. Continued use of the app after the updated policy is posted constitutes acceptance of the changes. If a change would materially expand the categories of data we collect or how we use them, we will obtain any consent the law requires and update Apple's App Privacy information before the change takes effect.
17. Contact
Questions about this policy or your data? Contact Handler Labs LLC, 5510 NW 38th Terrace, Coconut Creek, FL 33073, USA, or email [email protected]. We aim to respond within 3 business days, and within 30 days for any formal privacy request.