Observability and privacy — patient mobile
Version: 1.0
Date: 2026-03-31
References: COMPLIANCE_SECURITY.md, API_CLIENT_AND_KONG.md §5, TESTING_AND_RELEASE.md.
1. Principles
- Default: no PHI/PII in analytics, structured logs, or crash reports (COMPLIANCE_SECURITY.md §8; aligns with FR-NFR-018 / no raw PHI in debug paths).
- Minimum necessary: aggregate or sample non-clinical metrics (cold start, screen transition latency, API error rate without bodies).
2. Crash reporting
- Use a crash SDK only with tenant-approved subprocessors and DPAs where required.
- Configure breadcrumbs and attachments to exclude patient identifiers, tokens, and response payloads.
- Prefer handled error reporting with category codes (e.g. BOOKING_409) instead of raw messages containing PHI.
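The scrubbing described in this section, as an added example that is not part of the original document or the project's own code. It assumes a TypeScript client (the page does not state the app's language) and a crash SDK that exposes a "beforeSend"-style hook receiving a plain event object; the CrashEvent/Breadcrumb field names, the HandledError shape and the sample values are illustrative assumptions, not any vendor's real schema.

```typescript
// Added example (not the project's own code): a "beforeSend"-style hook that
// scrubs a crash report before the crash SDK uploads it. Assumes the SDK hands
// us a plain object shaped like CrashEvent; the field names are illustrative,
// not any vendor's real schema.

export interface Breadcrumb {
  category: string;                // e.g. "http", "navigation", "ui"
  message?: string;                // free text, may echo screen content
  data?: Record<string, string>;   // e.g. { url, method, status_code }
}

export interface CrashEvent {
  message: string;                 // raw error text, may contain PHI
  breadcrumbs: Breadcrumb[];
  attachments?: Array<{ name: string; body: string }>;
  tags: Record<string, string>;
}

// A handled error carries enough structure to build a category code such as
// BOOKING_409; its raw message stays on the device.
export interface HandledError {
  domain: string;       // "booking", "auth", "messaging", ...
  status: number;       // HTTP status or app-level code
  rawMessage: string;
}

export function categoryCode(e: HandledError): string {
  return `${e.domain.toUpperCase()}_${e.status}`;
}

// Breadcrumb keys that can carry tokens, identifiers or payloads.
const SENSITIVE_KEYS = new Set([
  'authorization', 'cookie', 'set-cookie', 'token', 'access_token',
  'refresh_token', 'patient_id', 'mrn', 'body', 'request_body', 'response_body',
]);

// Tags that are safe to keep: release correlation only, never a person.
const ALLOWED_TAGS = new Set(['app_version', 'os', 'device_class']);

export function stripQuery(url: string): string {
  const i = url.indexOf('?');
  return i === -1 ? url : url.slice(0, i);
}

export function scrubBreadcrumb(b: Breadcrumb): Breadcrumb {
  const data: Record<string, string> = {};
  for (const [k, v] of Object.entries(b.data ?? {})) {
    const key = k.toLowerCase();
    if (SENSITIVE_KEYS.has(key)) data[k] = '[redacted]';
    else data[k] = key === 'url' ? stripQuery(v) : v;
  }
  // Free-text messages are dropped; the category plus scrubbed data is enough
  // to reconstruct the sequence of events.
  return { category: b.category, data };
}

export function beforeSend(event: CrashEvent, handled?: HandledError): CrashEvent {
  const tags: Record<string, string> = {};
  for (const [k, v] of Object.entries(event.tags)) if (ALLOWED_TAGS.has(k)) tags[k] = v;
  return {
    message: handled ? categoryCode(handled) : 'UNHANDLED',
    breadcrumbs: event.breadcrumbs.map(scrubBreadcrumb),
    attachments: [],      // response payloads never ride along with a report
    tags,
  };
}

// Constructed sample report (fictional values) showing what gets stripped.
export const SAMPLE_EVENT: CrashEvent = {
  message: 'Booking failed for Jane Doe (MRN 000123)',
  breadcrumbs: [{
    category: 'http',
    message: 'POST /v1/portal/appointments for patient 000123',
    data: {
      url: 'https://api.example.test/v1/portal/appointments?patientId=000123',
      method: 'POST',
      status_code: '409',
      authorization: 'Bearer eyJ.constructed.token',
    },
  }],
  attachments: [{ name: 'response.json', body: '{"patient":"Jane Doe"}' }],
  tags: { app_version: '1.4.0', os: 'iOS 17.2', patient_id: '000123' },
};

export function scrubbedSample(): CrashEvent {
  return beforeSend(SAMPLE_EVENT, { domain: 'booking', status: 409, rawMessage: SAMPLE_EVENT.message });
}
```

The hook works by allow-listing what may leave the device (known tags, scrubbed breadcrumb data, a category code) rather than by trying to recognise PHI in free text; a test that serialises the scrubbed sample and checks it no longer contains the name or MRN is a cheap regression guard for the rule in this section.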
3. Performance and product telemetry
Acceptable non-PHI signals:
- App version, OS version, device class (phone/tablet)
- Locale and RTL flag (for layout quality)
- Screen load duration (aggregated)
- Network failure counts (no URLs with query strings containing identifiers)
Avoid: free-text search terms, message bodies, lab values, names.
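An allow-list gate for the signals listed in this section, as an added example that is not part of the original document or the project's own code. It assumes a TypeScript client; the event and property names, the duration buckets and the sample events are illustrative assumptions. It goes slightly beyond the text by also turning endpoint paths into route templates, so identifiers embedded in path segments are stripped along with query strings.

```typescript
// Added example (not the project's own code): an allow-list gate that every
// product-telemetry event passes through before it reaches the analytics SDK.
// Only the non-PHI signals listed above are accepted; any other property
// (free text, bodies, lab values, names) is dropped and reported back so the
// offending call site can be found in tests. Event and property names are
// illustrative assumptions, as is the duration bucketing.

type Primitive = string | number | boolean;
export interface TelemetryEvent { name: string; props: Record<string, Primitive>; }

// Replace path segments that look like identifiers (numeric or UUID) with a
// placeholder and drop the query string, so an endpoint becomes a route template.
const ID_SEGMENT = /^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$/i;
export function normalizeEndpoint(url: string): string {
  const path = url.split('?')[0];
  return path.split('/').map((s) => (ID_SEGMENT.test(s) ? '{id}' : s)).join('/');
}

// Screen load durations are bucketed on the device so individual timings never leave it.
export function bucketDuration(ms: number): string {
  for (const edge of [250, 500, 1000, 2000, 5000]) if (ms < edge) return `<${edge}ms`;
  return '>=5000ms';
}

// Each allowed property has a sanitizer returning the value to send, or
// undefined to reject it. Anything not in this map is dropped.
const ALLOWED: Record<string, (v: Primitive) => Primitive | undefined> = {
  app_version: (v) => (typeof v === 'string' && /^\d+\.\d+\.\d+$/.test(v) ? v : undefined),
  os_version: (v) => (typeof v === 'string' && v.length <= 32 ? v : undefined),
  device_class: (v) => (v === 'phone' || v === 'tablet' ? v : undefined),
  locale: (v) => (typeof v === 'string' && /^[a-z]{2}(-[A-Z]{2})?$/.test(v) ? v : undefined),
  rtl: (v) => (typeof v === 'boolean' ? v : undefined),
  screen: (v) => (typeof v === 'string' && /^[a-z_]+$/.test(v) ? v : undefined), // route id, never a title
  load_ms_bucket: (v) => (typeof v === 'string' && /^[<>=]+\d+ms$/.test(v) ? v : undefined),
  network_failures: (v) => (typeof v === 'number' && Number.isInteger(v) && v >= 0 ? v : undefined),
  endpoint: (v) => (typeof v === 'string' ? normalizeEndpoint(v) : undefined),
};

export interface GateResult { event: TelemetryEvent | null; dropped: string[]; }

export function gate(e: TelemetryEvent): GateResult {
  const props: Record<string, Primitive> = {};
  const dropped: string[] = [];
  for (const [k, v] of Object.entries(e.props)) {
    // Own-property check so prototype keys such as "constructor" cannot
    // masquerade as an allowed sanitizer.
    const check = Object.prototype.hasOwnProperty.call(ALLOWED, k) ? ALLOWED[k] : undefined;
    const clean = check ? check(v) : undefined;
    if (clean === undefined) dropped.push(k); else props[k] = clean;
  }
  // An event with nothing safe left to report is not sent at all.
  return { event: Object.keys(props).length > 0 ? { name: e.name, props } : null, dropped };
}

// Constructed sample events (fictional values).
export function runSample(): GateResult[] {
  return [
    gate({ name: 'screen_load', props: { app_version: '1.4.0', device_class: 'phone', screen: 'appointments', load_ms_bucket: bucketDuration(734), search_query: 'jane doe' } }),
    gate({ name: 'network_failure', props: { app_version: '1.4.0', network_failures: 1, endpoint: '/v1/portal/patients/000123/results?mrn=000123', response_body: '{"glucose":180}' } }),
    gate({ name: 'message_sent', props: { body: 'my lab results look wrong', recipient: 'Dr Smith' } }),
  ];
}
```

Wiring the gate in front of the analytics SDK (instead of relying on each call site) means a new event type cannot leak a field the spec does not list; in CI, asserting that `dropped` is empty for every event the app emits turns an accidental free-text property into a failing test rather than a production leak.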
4. User consent for optional analytics
- If opt-in product analytics are used, gate them behind in-app consent where regional law requires it, and allow them to be disabled in settings.
- Do not tie analytics identity to clinical identity in third-party tools without explicit legal review.
5. Operational dashboards
- Mobile SRE dashboards should use the same gateway metrics as web (Kong 4xx/5xx for /v1/portal/*) where available; correlate with release version, not with individual patients.
6. AI-assisted features
If patients use AI education via Kong /v1/ai/*, follow the AI subsection of SPEC.md: no vendor keys in the client; structured logs without raw PHI (AI_PLATFORM.md).