Privacy Policy
Your Privacy Matters
At Health Mentor AI, your privacy and the security of your health data are our top priorities. This Privacy Policy explains how we collect, use, protect, and share your personal information when you use our website and mobile application. We are committed to transparency and giving you control over your data.
1. Who We Are
Data Controller
Company Name: Health Mentor AI Ltd
Health Mentor AI Ltd is the data controller responsible for your personal information. This means we determine how and why your data is processed.
2. Information We Collect
We collect different types of information depending on how you interact with our services:
Information You Provide
- Account Information: Name, email address, password (encrypted)
- Profile Information: Age, gender, height, weight, fitness goals
- Health & Fitness Data:
  - Food logs (meals, calories, macronutrients, micronutrients)
  - Workout logs (exercise type, sets, reps, duration, distance)
  - Supplement logs (supplement names, dosages, timing)
  - Sleep data (duration, quality ratings)
  - Body measurements and progress photos (optional)
- Device Health Data (Optional): Data from HealthKit (iOS) or Health Connect (Android) - only with your explicit permission:
  - Steps, active calories, heart rate
  - Sleep patterns from wearable devices
  - Workout data from fitness trackers
- Communications: Messages you send us via email or in-app support
- Payment Information: Processed securely by Stripe (we don't store card details)
Information We Collect Automatically
- Usage Data: Pages visited, features used, time spent, actions taken
- Device Information: Device type, operating system, browser type, screen resolution
- Location Data: Approximate location based on IP address (country/city level)
- Cookies & Analytics: See our Cookie Policy for details
- Log Data: IP addresses, access times, error logs for security and debugging
Information from Third Parties
- HealthKit/Health Connect: Health data synced from your device (with your permission)
- Referral Information: If you were referred by another user, we receive your referral code
- Trainer Access: If you share data with a personal trainer, we receive their viewing permissions
3. How We Use Your Information
We use your information for the following purposes:
Core Service Functions
- Provide the App: Enable you to log food, workouts, supplements, and track your progress
- AI-Powered Insights: Generate personalized recommendations and feedback based on your data (see section 4 for AI processing details)
- Sync Across Devices: Keep your data synchronized across all your devices
- Calculate Metrics: Compute health scores, recovery scores, and longevity scores
- Trainer Collaboration: Allow you to share your data with personal trainers (only with your permission)
- Referral Program: Track referrals and calculate commission payments
Communication & Support
- Account Management: Send welcome emails, password resets, account notifications
- Customer Support: Respond to your questions and provide technical assistance
- Product Updates: Inform you about new features, improvements, and important changes
- Marketing (Optional): Send promotional emails about our services (you can opt out anytime)
Legal & Security
- Security: Detect and prevent fraud, abuse, and security incidents
- Legal Compliance: Comply with legal obligations and respond to lawful requests
- Terms Enforcement: Enforce our Terms of Use and protect our rights
- Analytics: Understand how users interact with our app to improve it (anonymized where possible)
4. AI Processing & OpenAI
How AI Uses Your Data
We use OpenAI's API to provide personalized AI coaching and insights. Here's exactly what data is shared and how:
What Gets Sent to OpenAI:
- Calculated Health Scores: Your health score, recovery score, and longevity score (0-100 ratings)
- Activity Logs: When you ask questions about specific meals, workouts, or supplements, we send:
  - Food details (food type, calories, macros, some micros)
  - Workout details (exercise type, sets, reps, distance)
  - Supplement details (names, dosages)
- Aggregated Summaries: When generating insights, we create summaries of your data IN-APP first, then send only the summary to OpenAI (e.g., "average protein intake: 150g/day")
- Your Questions: Any questions you ask the AI assistant
What Does NOT Get Sent to OpenAI:
- Raw HealthKit/Health Connect Data: We never send raw health data from your device to OpenAI
- Personal Identifiers: Your name, email, and account details are not shared
- Complete History: We don't send your entire database - only relevant context for the specific query
Important: OpenAI Data Retention
OpenAI retains data sent via their API for up to 30 days for abuse monitoring purposes. After 30 days, your data is automatically deleted from OpenAI's systems. OpenAI does not use your data to train their models. For more information, see OpenAI's Privacy Policy.
5. Third-Party Services & Data Transfers
We use trusted third-party services to provide and improve our application. Your data may be transferred to and processed by these services:
Firebase (Google)
Purpose: Database, authentication, cloud storage, analytics
Data Location: europe-west-2 (London, UK)
Data Stored: All app data, user profiles, activity logs
SendGrid (Twilio)
Purpose: Transactional and marketing emails
Data Location: United States (global infrastructure)
Data Stored: Email addresses, names, email engagement data
Retention: Email bodies (max 72 hours), recipient data (max 37 days), engagement data (up to 1 year)
OpenAI
Purpose: AI-powered insights and recommendations
Data Location: United States
Data Sent: Health scores, activity logs, aggregated summaries (see section 4)
Retention: 30 days for abuse monitoring, then deleted
Stripe
Purpose: Payment processing and referral commission payouts
Data Location: Global (EU and US data centers)
Data Stored: Payment information (we never see card numbers), transaction history
Google Analytics
Purpose: Website usage analytics (only with your consent)
Data Location: United States
Data Stored: Anonymized usage data, page views, device info
International Data Transfers
Some of our third-party services are located in the United States. When we transfer your data outside the UK/EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Legal agreements approved by the UK and EU authorities
- Data Processing Agreements: Contracts with all third-party processors
- Encryption: Data is encrypted in transit and at rest
- Limited Access: Only necessary data is transferred for specific purposes
6. Data Retention
We keep your data only as long as necessary to provide our services and comply with legal obligations:
Retention Periods
- Active Account Data: Retained while your account is active
- After Account Deletion: All personal data deleted immediately upon request
- Backup Data: Removed from backups within 30 days of account deletion
- Legal Requirements: Some data may be retained longer if required by law (e.g., financial records for tax purposes)
- Anonymized Analytics: Aggregated, non-personal analytics may be retained indefinitely
Subscription Cancellation
If you cancel your subscription but don't delete your account, your data remains stored and accessible. You can still log in and use the free features. Your data is only deleted when you explicitly request account deletion.
7. Data Security
We implement industry-standard security measures to protect your data:
Technical Measures
- End-to-end encryption for data in transit (TLS 1.3)
- Encryption at rest for stored data
- Secure password hashing (bcrypt)
- Regular security audits and penetration testing
- Automated vulnerability scanning
Organizational Measures
- Limited employee access to personal data
- Confidentiality agreements with staff
- Regular security training
- Incident response procedures
- Data breach notification protocols
Data Breach Notification
If we discover a data breach that affects your personal information, we will notify you and relevant authorities within 72 hours as required by GDPR. We will provide details about the breach, its impact, and steps we're taking to resolve it.
8. Your Rights Under GDPR
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:
Right to Access
You can request a copy of all personal data we hold about you. We'll provide this within 30 days.
Right to Rectification
You can request correction of inaccurate or incomplete data. You can also update most information directly in the app.
Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data. We'll delete everything immediately, with removal from backups within 30 days.
Right to Restrict Processing
You can request that we limit how we use your data in certain circumstances.
Right to Data Portability
You can request your data in a machine-readable format (JSON/CSV) to transfer to another service.
Right to Object
You can object to certain types of processing, including marketing communications and profiling.
Right to Withdraw Consent
Where we process data based on your consent, you can withdraw that consent at any time.
Right to Lodge a Complaint
You can complain to the Information Commissioner's Office (ICO) in the UK or your local data protection authority in the EU.
How to Exercise Your Rights
To exercise any of these rights, contact us at [email protected]
We'll respond within 30 days (or 60 days for complex requests). You can also delete your account directly in the app settings.
9. Age Restrictions
Minimum Age: 16 Years
Health Mentor AI is only available to individuals aged 16 years or older. We do not knowingly collect personal data from children under 16.
If you are a parent or guardian and believe your child under 16 has provided us with personal information, please contact us immediately at [email protected] and we will delete their information.
10. Marketing Communications
We may send you marketing emails about our products, features, and offers. You can opt out at any time by:
- Clicking "Unsubscribe" at the bottom of any marketing email
- Updating your preferences in app settings
- Emailing us at [email protected]
Note: Even if you opt out of marketing, we'll still send essential emails about your account, security, and service updates.
11. Cookies & Tracking
We use cookies and similar tracking technologies. For detailed information about:
- What cookies we use
- Why we use them
- How to control them
Please see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will:
- Update the "Last Updated" date at the top
- Notify you via email or in-app notification
- Request fresh consent if required by law
We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.
13. Contact Us
Questions or Concerns?
If you have questions about this Privacy Policy or how we handle your data, please contact us:
Email: [email protected]
Your Data Protection Authority
If you're not satisfied with our response or believe we're not processing your data lawfully, you have the right to lodge a complaint with:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk