Table 2:
| Characteristic | Proportion of apps | Reference numbers |
|---|---|---|
| Functionality for an online account | 9/14 (6 required creation of a remote account) | 21,22,26–30,32,33 (remote account required: 22,27–30,32) |
| Data Storage | | |
| • Stored locally on the user’s device | 1/14 | 53 |
| • Stored on remote servers | 7/14 | 21,22,26,27,29,30,32 |
| • Stored locally but provided optional Dropbox remote backups | 3/14 | 20,28,31 |
| • Stored locally but provided a paid option to store the diary data on the app provider’s servers | 1/14 | 33 |
| • Unclear whether stored locally or remotely | 2/14 | 34,54 |
| Had a Privacy Policy | 79% (11/14) | 20–22,26–33 |
| Of those with a Privacy Policy*: | | |
| • Contained some description regarding the type of information collected from users | 100% (11/11) | |
| • Stated whether or not the app collects and stores any information (not only including diary data) remotely | 100% (11/11) | |
| • Stated whether or not the app could store diary entries on a remote server (or only locally) | 82% (9/11) | 20–22,26–29,31,32 |
| • Contained only vague statements about data collection | 18% (2/11) | 30,33 |
| • Stated that data could be shared for medical research (including in anonymized format) | 55% (6/11) | 21,22,26,27,29,32 |
| • Permitted sharing of headache diary information directly with medical providers | 36% (4/11) | 21,22,26,27 |
| ◦ Stated that specific user authorization was necessary before a medical provider could view the headache data | 75% (3/4) | 22,26,27 |
| • Stated that data could be shared for marketing, promotions, and/or advertising | 55% (6/11) | 21,27,29,30,32,33 |
| • If there was an option to store data remotely (not including Dropbox-only functionality), stated they only shared anonymized data with 3rd parties in an aggregated manner unless users specifically requested disclosure, e.g. to health providers | 75% (6/8) | 22,26–29,32 |
| • Policies (including those for apps without remote headache diary functionality) stated why they shared data with third parties | 64% (7/11) | 21,22,26–29,32 |
| • Discussed the use of children: | | |
| ◦ Specifically prohibited children under the age of 13 | 55% (6/11) | 21,27,28,30,32,33 |
| ◦ Allowed children to use the application with a parent’s supervision | 9% (1/11) | 29 |
| ◦ Stated “we do not specifically market to children under the age of 13,” but did not explicitly prohibit children from using the application | 9% (1/11) | 29 |
| • Explicitly granted a right of: | | |
| ◦ Access to a user’s data | 36% (4/11) | 22,26,29,33 |
| ◦ Correct user’s data | 36% (4/11) | 22,26,29,33 |
| ◦ Delete user’s data | 36% (4/11) | 22,29,30,33 |
| • Claims no personal data collected | 18% (2/11) | 20,31 |
The language used to describe the data collection policies of the apps varied greatly.
For example, the privacy policy of one app 30 contained a broad statement about collecting data including “information you enter into our system” and that the data collection is “not limited to” the examples in the policy itself. In contrast, another app’s 29 privacy policy detailed the specific categories of information collected by the app (and how the app used the data in these different categories), including data input to create an account, profile data, migraine data entered by the user, IP address and battery level, location features, and social networking activities. Other policies contained difficult-to-understand or incomprehensible statements (e.g. “We point out that we as providers of the sites no knowledge of the contents of the transmitted data and use them through Twitter.”) 20.