PumpSync

A privacy-first Tandem Source to Apple Health sync app for people who want insulin and carbohydrate records in Apple Health without durable server-side storage of Tandem credentials or health payloads.

Get support Read privacy details
Sync model

Tandem Source

Credentials stay in Keychain and are sent only during an active HTTPS sync request.

PumpSync backend

The backend performs request-time sync work and does not persist Tandem credentials, tokens, raw events, or normalized samples.

Apple Health

Insulin and carbohydrate samples are written only after the user grants Apple Health permission.

Built for controlled health-data portability.

PumpSync is designed around explicit user action, Apple platform privacy controls, and minimal backend retention.

Hosted or self-hosted

Use PumpSync Hosted through an App Store subscription, or point the app at a backend you operate yourself.

Device-only credentials

Tandem credentials are stored by the app in Keychain with device-only accessibility.

HealthKit permission first

PumpSync writes insulin and carbohydrate samples only after Apple Health access is granted by the user.

No advertising use

PumpSync does not use HealthKit data for advertising, marketing, tracking, or data mining.

Request-time processing

Raw Tandem events and normalized samples are discarded after the sync response and Apple Health write flow complete.

Not medical advice

PumpSync is not a medical device and does not provide diagnosis, treatment, or dosing recommendations.

Two backend paths, one privacy boundary.

The hosted path verifies App Store subscription entitlement before issuing a short-lived service token. The self-hosted path lets users operate their own backend and storage.

  • Hosted subscription state, installation mapping, rate limits, sync attempts, and App Store notification idempotency are stored in backend operational storage.
  • Self-hosted users control their own backend data and should manage deletion directly in their own storage account or database.
  • Sign in with Apple is intentionally not part of the hosted access flow; durable hosted state is keyed by App Store transaction and installation identifiers.
  • Credential-bearing Tandem sync requests are not persisted as durable idempotency records.

Support and policy pages for App Review and users.

Use these public pages for support, privacy details, data deletion instructions, accessibility information, and age-suitability context.

Open support Data deletion