Health Tech v1.8.1
The practitioner's notebook. Your clients, your animals, your sessions. Encrypted, offline, unrecoverable without you.
Security audit — May 2026
Why Health Tech?
An app designed for wellness practitioners who take professional secrecy and client confidentiality seriously.
Zero cloud
Everything stays on your phone. No third-party server, no sync, no telemetry. You can practice in airplane mode in the countryside, in the mountains or abroad.
Encrypted database
AES-256 encrypted SQLite (SQLCipher) with a master key derived by Argon2id (m=64 MB, t=3) from your passphrase. Uninstall the app = data unreadable forever.
Biometrics + passphrase
Hybrid 1Password / Bitwarden model: passphrase at first setup, then quick fingerprint unlock. Optional strict mode to require the passphrase on every launch.
Clients & animals
Complete client record, session history, tags. Linked animals (breed, date of birth, health notes). Ideal for animal osteopaths, energy practitioners for humans and animals.
Calendar & reminders
Appointment scheduling with local reminders (Android AlarmManager, on-device only — no push service). Optional bridge to the system calendar if you wish.
Encrypted attachments
Photos, session reports, documents — every file is compressed then AES-GCM encrypted before being written. In-app viewer: never plaintext on disk.
Encrypted .htbk backups
Proprietary HTBK1 format: AES-GCM encrypted envelope with AAD, atomic two-phase restoration (Phase A staging / Phase B commit) with automatic recovery if interrupted.
GDPR export
Article 15: export all of a client's data (records, sessions, animals, attachments) in a shareable ZIP with one click. Article 17: permanent deletion in two taps.
Global search
SQLite FTS5 with Unicode tokenizer, 200 ms debounce, smart cap. Finds clients, animals, sessions, concerns in milliseconds.
Anti-keylog keyboard
All sensitive fields (health notes, session reports) disable Gboard / SwiftKey learning. Your data does not feed the cloud models of third-party keyboards.
Monotonic auto-lock
Automatic lock after inactivity (1 to 60 min, configurable). Counter based on monotonic Stopwatch — immune to system clock rollback by a root attacker.
No Internet permission
The Android manifest does not declare the INTERNET permission. Verifiable with aapt dump permissions. The app is technically incapable of sending any data.
Bilingual FR / EN
Full interface in French and English. Language selector in Settings, follows the system locale by default. Localized legal documents and PDF exports.
PDF session reports
PDF export of a session or a client history with a "wellness, not medical advice" notice, compliant with the framework for non-healthcare practitioners.
Apache 2.0
Source code fully public on GitHub. Verify the privacy promises yourself, compile your own APK if you want.
Free
No subscription, no freemium, no client quota. Optional donation support, never tied to features.
How it works
A simple, defensive, readable architecture. Everything you need, nothing more.
1. You create your vault
On first launch, you choose a strong passphrase (12 characters minimum). This phrase is derived by Argon2id (m=64 MB, t=3, p=1) in a Dart isolate to avoid blocking the UI — the operation takes ~1 s on a modern phone. The derived key encrypts the SQLite database and the secrets vault.
2. You enter your clients and their sessions
Client record: first name, last name, date of birth, contact, recurring concerns, health notes. Linked animals (species, breed, date of birth, particulars). Sessions: date, duration, concerns, private session report, attachments (photos, PDF documents). Everything is written directly to the encrypted database — no plaintext copy.
3. You enable biometrics (recommended)
Settings → "Biometric unlock" toggle → place your fingerprint. The decrypted key is then wrapped by a hardware-backed Android Keystore key tied to your fingerprint. The next launch unlocks with a single touch. If someone changes your Android fingerprints, the wrap is automatically invalidated (setInvalidatedByBiometricEnrollment).
4. You back up regularly
Settings → Encrypted backup → choose a long password (different from your passphrase). The app produces a .htbk file in the HTBK1 format: magic bytes + JSON header + AES-GCM AAD + 16-byte authentication tag. You can put it on a USB stick, email it to yourself, drop it on an external drive — it is unusable without the password.
5. If the worst happens
Phone lost or broken: new phone, you install Health Tech, import your .htbk, enter the password. Atomic two-phase restoration: if the phone shuts down midway, the app detects this at next startup and resumes (Phase A → staging) or rolls back (Phase B failed → original state intact).
Privacy commitment
No marketing promises. Only commitments verifiable in the code.
| Commitment | Health Tech | Verifiable |
|---|---|---|
| Internet permission | Removed from the manifest (tools:node="remove") | aapt dump permissions |
| Tracker / ad SDK | None | Inspection of source code on GitHub |
| Third-party crash reporter | None (no Crashlytics, Sentry, etc.) | No corresponding dependency in pubspec.yaml |
| Account / signup | None | No login screen |
| Data storage | SQLCipher AES-256 + Argon2id key | Database in /data/data/com.filestech.health_tech |
| Attachments | AES-GCM encrypted before disk write | data/repositories/attachment_repository.dart |
| .htbk backups | AES-GCM encryption with AAD | data/services/backup_service.dart |
| Reminder notifications | Local AlarmManager — no FCM, no third-party push | No Firebase dependency |
| Source code | Full Apache 2.0 | github.com/gitubpatrice/health_tech |
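The aapt dump permissions check named in the feature list and in the table above, as an added example (not code from the Health Tech project): it parses aapt's output and fails when android.permission.INTERNET is requested. The sample outputs and package names are constructed and app-release.apk is a placeholder path; check the built APK rather than the source manifest, because the manifest merger can bring in permissions from library manifests.

```shell
#!/bin/sh
# Added example (not project code): audit `aapt dump permissions` output.

# Print each permission the APK requests, one per line. Handles both
# "uses-permission: name='X'" and the older "uses-permission: X" form,
# plus the uses-permission-sdk-23 variant.
list_permissions() {
    grep -E '^uses-permission(-sdk-[0-9]+)?:' \
        | sed -E "s/^[^:]*: *//; s/^name='//; s/'.*//; s/ .*//" \
        | sort -u
}

# Exit status 0 when android.permission.INTERNET is absent, 1 when present.
has_no_internet() {
    ! list_permissions | grep -qxF 'android.permission.INTERNET'
}

# Constructed sample output for an app with no network permission.
sample_offline_apk() {
    cat <<'EOF'
package: com.example.offline_app
uses-permission: name='android.permission.USE_BIOMETRIC'
uses-permission: name='android.permission.SCHEDULE_EXACT_ALARM'
uses-permission: name='android.permission.POST_NOTIFICATIONS'
EOF
}

# Constructed sample where a library manifest merged INTERNET into the build.
sample_leaky_apk() {
    cat <<'EOF'
package: com.example.leaky_app
uses-permission: name='android.permission.USE_BIOMETRIC'
uses-permission: name='android.permission.INTERNET'
uses-permission-sdk-23: name='android.permission.ACCESS_NETWORK_STATE'
EOF
}

for sample in sample_offline_apk sample_leaky_apk; do
    if "$sample" | has_no_internet; then
        echo "$sample: PASS, INTERNET not requested"
    else
        echo "$sample: FAIL, INTERNET requested"
    fi
done
# Real build (placeholder path): aapt dump permissions app-release.apk | has_no_internet
```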
Who it's made for
- Energy practitioners, magnetizers/healers, geobiologists who follow a client file over time and want serious professional secrecy
- Animal osteopaths, animal naturopaths who track humans and animals in the same tool
- Reiki practitioners, kinesiologists who take sensitive notes
- Wellness nomads who practice at home, in shared offices or on the move, without guaranteed network
- Sole-trader independents who want a simple, free, subscription-less, surveillance-free tool
Honestly, the limits
- The app is intended for wellness practices, not for regulated healthcare professionals. It is not HDS-certified (French health data hosting certification) — and does not need to be for wellness practices that do not process health data within the meaning of GDPR Article 9.
- No sync between devices — this is intentional (offline-first). If you have multiple phones, you have to back up/restore manually.
- No built-in billing or accounting (yet). The tool stays focused on session tracking, not on administrative management.
- If you forget your passphrase and biometrics are disabled, your data is permanently inaccessible. That is the price of an app that cannot betray you: it cannot rescue you either.
Wellness legal framework
Health Tech is a tool for wellness practitioners, not for regulated healthcare professionals.
Energy accompaniment, magnetism, geobiology, non-veterinary animal osteopathy, relaxation, etc. do not fall under the French Public Health Code: they do not establish a diagnosis, do not prescribe treatment, and do not replace medical advice. Each PDF session export carries the notice:
"This document is part of a wellness and energy accompaniment approach. It does not replace medical advice, diagnosis, or treatment prescribed by a healthcare professional or veterinarian."
On the GDPR side, you are the data controller of your client file. Health Tech is the tool you use; Files Tech (Patrice Haltaya, sole-trader business) is the software publisher and has no access to your data — the architecture makes that access technically impossible. See our privacy policy and the legal documents shipped with the app.
Open source code
For an app that claims your data never leaves your phone, an independent code audit is essential — it is the only proof. Health Tech is published under Apache 2.0; you can read, verify and compile it yourself.