Privacy Policy
Last Updated: June 11, 2026 | Effective: June 11, 2026
Health and Beauty AI ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (the "App"). This policy applies globally and addresses the requirements of applicable privacy laws including the EU/UK GDPR, US state privacy laws (CCPA/CPRA, Virginia CDPA, Colorado CPA, and others), Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, Japan's APPI, South Korea's PIPA, and other international data protection regulations.
This App is not a HIPAA-covered entity. However, as a health and wellness application, we are subject to the FTC Health Breach Notification Rule and treat all health-related data with the highest standard of care.
1. Data Controller & Privacy Officer
Data Controller: Health and Beauty AI is the data controller responsible for your personal data.
Privacy Officer / Data Protection Contact:
Email: privacy@healthbeauty.app
Website: healthbeauty.app
For EU/EEA/UK residents, you may also contact your local data protection supervisory authority. For Brazil residents, you may contact the Autoridade Nacional de Proteção de Dados (ANPD).
2. Information We Collect
2.1 Information You Provide Directly
- Account Information: Email address, display name, and authentication identifiers when you sign in using Google, Apple Sign-In, or email/password.
- Health and Fitness Data (classified as sensitive personal information / special category data):
- Food tracking data (calories, macronutrients, micronutrients, meal photos)
- Weight logs and body composition data (body fat %, muscle mass, visceral fat, bone mass)
- Activity and exercise logs (type, duration, intensity, heart rate)
- Water intake records
- Sleep logs (duration, quality, disruptions, factors)
- Progress photos
- Supplement logs, library, timing, and stack information
- Menstrual cycle information (cycle milestones, flow intensity, symptoms, basal body temperature)
- Mood logs (mood rating, stress levels, anxiety, triggers)
- Digestion logs (Bristol scale, symptoms, severity)
- Energy logs (energy ratings, crash tracking, time-of-day patterns)
- Skin health logs (scores, conditions, affected areas, breakout counts)
- Health goals and daily step progress
- Voice & Audio Data:
- Audio recorded during Push-to-Talk or Realtime Voice sessions is transmitted to AI providers for real-time speech-to-text transcription.
- Voice audio is processed ephemerally and is not stored on our servers. Audio is not retained by OpenAI beyond the duration of the session.
- We do not extract, store, or create voiceprints or biometric identifiers from your voice.
- User-Generated Content: Notes, descriptions, journal entries, AI chat messages, and other text you enter.
- Payment Information: Subscription and purchase data processed through Stripe, Apple App Store, or Google Play. We do not store credit card numbers.
2.2 Information Collected Automatically
- Device Information: Device type, operating system version, unique device identifiers, and mobile network information.
- Usage Data: Features used, interaction patterns, session duration, and app performance metrics.
- Apple Health Data (iOS only): Steps, sleep data, weight, and workout data you explicitly choose to sync via HealthKit. We only read the specific data types you authorize in iOS Settings.
- Error & Crash Data: Technical logs collected via Sentry for debugging, which may include device state and stack traces but not health data content.
2.3 Photo Data & Metadata
When you submit photos for AI analysis (food, supplements, progress photos):
- Photos are transmitted to AI providers for analysis; the analysis results are then stored.
- EXIF metadata (including location data) is stripped before transmission to AI providers.
- Progress photos are stored in Vercel Blob and are not shared with AI providers unless you explicitly submit them for analysis.
- Original photos may be stored on our servers for display purposes and are deleted upon account deletion.
2.4 Information from Device Permissions
The App requests the following permissions only when needed:
- Camera: To capture photos of food and supplements for AI analysis.
- Photo Library: To select existing photos for food analysis, supplement import, and progress photos.
- Microphone: For voice chat features (Push-to-Talk and Realtime Voice modes). Active only during voice sessions.
- Apple Health (iOS): To read/write steps, sleep, weight, and workout data. You control which data types are shared in iOS Settings > Health > Data Access & Devices.
You may revoke any permission at any time through your device settings. Revoking permissions may limit certain features but will not affect your account or previously collected data.
3. Apple HealthKit Data
When you grant the App permission to read Apple HealthKit data, the following information may be synced: step counts, sleep analysis, and body weight measurements. This data is used exclusively to populate your health logs, personalize AI coaching responses, and display your progress within the App.
Apple HealthKit data is never used for advertising or marketing purposes, and is never sold or shared with data brokers or third-party advertisers. When HealthKit-derived data is included in an AI coaching or analysis request, it is forwarded to OpenAI or Google Gemini as described in Section 5 below, solely to generate your personalized response. Both providers are prohibited from using this data for any purpose other than fulfilling the request.
You can revoke HealthKit access at any time in iOS Settings > Health > Data Access & Devices > Health & Beauty AI.
4. Legal Basis for Processing
We process your personal data under the following legal bases (relevant to GDPR, UK GDPR, LGPD, and similar frameworks):
- Consent (Article 6(1)(a) / Article 9(2)(a) GDPR): For processing health data (special category data), voice data, AI-powered analysis, and cross-border transfers. You provide explicit consent when creating your account and when enabling specific features. You may withdraw consent at any time (see Section 9), though withdrawal does not affect the lawfulness of processing performed before withdrawal.
- Performance of a Contract (Article 6(1)(b) GDPR): To provide the App's core services including food tracking, supplement management, and health logging as described in our Terms of Service.
- Legitimate Interests (Article 6(1)(f) GDPR): For security measures, fraud prevention, service improvement, and error tracking. We do not rely on legitimate interests for processing sensitive/health data.
- Legal Obligation (Article 6(1)(c) GDPR): To comply with applicable laws, tax requirements, and respond to lawful government requests.
We have conducted a Data Protection Impact Assessment (DPIA) for our processing of health data at scale with AI providers, as required under GDPR Article 35. A summary is available upon request to our Privacy Officer.
5. AI Processing & How We Use Your Information
We use the information we collect for the following specific purposes:
- Provide Core Services: Track your nutrition, fitness, supplements, and health goals.
- AI-Powered Analysis: Food photos and text descriptions are forwarded to OpenAI (GPT models) and Google (Gemini models) to estimate nutritional content including macros and micronutrients. Health data you submit — including data synced from Apple HealthKit (steps, sleep, weight, workouts) — is forwarded to these providers to generate personalized coaching responses. These providers act as data processors on our behalf under signed Data Processing Agreements (DPAs) and are contractually prohibited from using your data to train their general models.
- Supplement Intelligence: Analyze your supplement stack for conflicts, synergies, and optimal timing using AI.
- Voice Coaching: Voice audio is streamed to AI providers for real-time transcription and response generation. Audio is processed ephemerally and not retained after the session ends.
- Personalized Recommendations: Generate AI-powered recommendations based on your goals, health conditions, dietary preferences, and tracked data. These are informational only and do not constitute medical advice.
- Progress Image Storage: Progress photos are stored in Vercel Blob. These images are not shared with AI providers unless you explicitly submit them for analysis.
- Service Improvement: Analyze anonymized and aggregated usage patterns to improve features and user experience.
- Customer Support & Security: Respond to inquiries and detect/prevent fraud, abuse, and unauthorized access.
5.1 AI Provider Safeguards
- OpenAI and Google Gemini act as data processors/sub-processors under signed Data Processing Agreements.
- Your data is not used to train AI models. API access terms prohibit training on customer data.
- We do not allow these providers to use your data for advertising, marketing, or any purpose beyond delivering the Service to you.
- Data sent to AI providers is processed in real-time and not retained beyond their standard API processing windows (typically seconds to minutes).
5.2 Automated Decisions
None of the automated outputs produced by our AI features produce legal effects or similarly significant effects on you. All AI-generated content is informational and advisory. The App does not make decisions about healthcare, insurance, employment, credit, or any other domain with legal significance. You may contest or disregard any AI recommendation, and you may request human review of any AI output by contacting our Privacy Officer.
6. Information Sharing & Disclosure
We do not sell, rent, lease, or trade your personal information. We do not share your data for third-party advertising or cross-context behavioral advertising.
6.1 Service Providers (Data Processors)
We share information with the following service providers, all bound by Data Processing Agreements:
- AI Providers: OpenAI (San Francisco, USA) and Google Gemini (USA) — food analysis, supplement intelligence, chat coaching, and voice transcription. Health data forwarded to these providers is used solely to generate responses within the Service and is not used for advertising, marketing, or sale. See OpenAI's Privacy Policy and Google's Privacy Policy.
- Cloud Infrastructure & Storage: Vercel (USA) for application hosting, database services, and Vercel Blob for progress photo storage.
- Authentication: Firebase/Google (USA) for secure sign-in. See Google's Privacy Policy.
- Payment Processing: Apple App Store, Google Play, and Stripe process subscription and one-time purchases. We do not store credit card numbers. See Stripe's Privacy Policy.
- Error Monitoring: Sentry (USA) for crash reporting and error tracking. See Sentry's Privacy Policy.
6.2 Legal Requirements
We may disclose your information if required by law, subpoena, court order, or other governmental request. We will notify you of such requests where legally permitted.
6.3 Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred. We will notify you via email and/or prominent notice in the App before your data is transferred and becomes subject to a different privacy policy.
6.4 With Your Consent
We may share your information for purposes not described here only with your explicit, informed consent.
7. International Data Transfers
Your data is processed primarily in the United States. If you are located outside the United States, your data will be transferred internationally. We implement the following safeguards:
- EU/EEA: Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by Transfer Impact Assessments where required. Where applicable, we rely on the EU-US Data Privacy Framework.
- United Kingdom: UK Standard Contractual Clauses (UK SCCs) and the UK-US Data Bridge where applicable.
- Brazil: Standard contractual clauses or explicit consent as permitted under the LGPD.
- Canada: Contractual obligations consistent with PIPEDA requirements.
- Australia: Reasonable steps to ensure overseas recipients handle your data consistently with the Australian Privacy Principles.
- Other jurisdictions: Contractual safeguards and technical measures (encryption in transit and at rest) regardless of where data is processed.
You may request details about the specific safeguards applied to your data transfers by contacting our Privacy Officer.
8. Data Retention
We retain your data for specific periods based on the type and purpose:
- Account & Health Data: Retained while your account is active. Deleted within 30 days of account deletion.
- Voice Audio: Processed in real-time for transcription and not retained. Text transcripts of AI conversations are retained while your account is active.
- Progress Photos: Retained while your account is active. Deleted within 30 days of account deletion.
- Payment Records: Transaction records retained for 7 years as required for tax and accounting compliance.
- Error & Crash Logs: Retained for up to 90 days by Sentry, then automatically purged.
After account deletion, all personal data is permanently and irreversibly removed within 30 days, except where retention is required by law. We also instruct our processors to delete your data from their systems.
9. Your Rights and Choices
Depending on your location, you have some or all of the following rights. To exercise any right, contact privacy@healthbeauty.app. We will respond within the timeframe required by applicable law (typically 30–45 days).
9.1 Rights for All Users
- Access Your Data: View all data associated with your account through the App.
- Delete Your Account: Permanently delete your account and all associated data via Settings → Delete Account inside the App, or by emailing privacy@healthbeauty.app with the subject "Account Deletion Request." Deletion is irreversible and removes your data from our servers within 30 days (subject to legal retention obligations).
- Correct Your Data: Request correction of inaccurate personal data.
- Data Portability: Request a copy of your data in a portable format by contacting us.
- Withdraw Consent: Withdraw consent for any processing based on consent at any time.
- Revoke Permissions: Adjust camera, microphone, photo library, and Apple Health permissions in your device settings at any time.
9.2 EU/EEA & UK Residents (GDPR / UK GDPR)
In addition to the rights above, you have:
- Right to Restrict Processing: Request that we limit how we use your data while disputes are resolved.
- Right to Object: Object to processing based on legitimate interests.
- Right Regarding Automated Decision-Making: Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 5.2.
- Right to Lodge a Complaint: You may file a complaint with your local Data Protection Authority. A list of EU DPAs is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
9.3 United States Residents (CCPA/CPRA and State Privacy Laws)
Depending on your state, you may have additional rights under state privacy laws including the CCPA/CPRA (California), CDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), TDPSA (Texas), and others.
- Right to Know / Access: Request the categories and specific pieces of personal information we have collected about you.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Request correction of inaccurate information.
- Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of your health data to what is strictly necessary to provide the services you requested.
- Right to Non-Discrimination: We will not discriminate against you for exercising any privacy right.
- Washington Residents (My Health My Data Act): We obtain affirmative consent before collecting, using, or sharing consumer health data. We do not sell consumer health data. You may withdraw consent or request deletion at any time.
- Maryland Residents (MODPA): We do not sell sensitive data, including health data. Your health data is collected and used only as strictly necessary to provide the services described in this policy.
9.4 Brazil Residents (LGPD)
Under the Lei Geral de Proteção de Dados, you have the right to access, correct, anonymize, block, delete, obtain data portability, and revoke consent. We process your sensitive health data exclusively based on your explicit consent (LGPD Article 11(I)). You may file a complaint with the ANPD at gov.br/anpd.
9.5 Canada Residents (PIPEDA)
You have the right to access your personal information, request corrections, and withdraw consent. You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
10. Data Storage & Security
- Local-First Architecture: Your data is stored locally on your device first. The App functions fully offline and syncs to our servers when connectivity is available.
- Encryption in Transit: All network communications use TLS 1.2+ encryption.
- Encryption at Rest: Server-side data is encrypted at rest using AES-256 or equivalent industry-standard encryption.
- Authentication: Firebase Authentication with Google, Apple, and email/password sign-in options.
- Single-Device Sessions: Only one active session per account to prevent unauthorized access.
- Access Controls: Employee and contractor access to personal data is limited to those with a business need, bound by confidentiality obligations.
No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable security measures, we cannot guarantee absolute security. In the event of a data breach involving your personal information, we will notify you and relevant authorities as required by applicable law, including within the timeframes mandated by the FTC Health Breach Notification Rule (60 days), GDPR (72 hours to supervisory authority), and applicable US state breach notification laws.
11. Account Deletion
To delete your account and all associated data:
- In-App: Go to Settings and tap "Delete Account"
- By Email: Send a message to privacy@healthbeauty.app with the subject "Account Deletion Request"
Deletion is permanent and irreversible. All health logs, food data, progress photos, chat history, supplement data, goals, and profile information are removed from our servers and all processor systems within 30 days.
12. Children's Privacy
The App is not intended for children under the age of 13 (16 in most EU member states under GDPR). We do not knowingly collect personal information from children below the applicable age. If you believe a child has provided us with personal information, please contact us immediately at privacy@healthbeauty.app. We will delete such information promptly.
13. Do Not Track & Global Privacy Control
The App does not track you across third-party websites. We honor Global Privacy Control (GPC) signals and similar universal opt-out mechanisms. When we detect a GPC signal, we treat it as a valid opt-out of any sale or sharing of personal information, as required by applicable US state laws.
14. Third-Party Services
- Firebase (Google): Authentication and backend services. See Google's Privacy Policy.
- Apple Sign-In: Authentication service. See Apple's Privacy Policy.
- OpenAI / Google Gemini: AI analysis and coaching. See OpenAI's Privacy Policy and Google's Privacy Policy.
- Sentry: Error tracking and crash analytics. See Sentry's Privacy Policy.
- Stripe: Payment processing. See Stripe's Privacy Policy.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date, notify you through the App, and (for material changes affecting how we process health data) obtain your renewed consent where required by applicable law.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Officer Email: privacy@healthbeauty.app
Website: healthbeauty.app
Response Time: We aim to respond to all privacy inquiries within 30 days, or sooner as required by applicable law.
See also: Terms of Service
This Privacy Policy is provided in English. If there is a conflict between this English version and any translated version, the English version shall prevail to the extent permitted by applicable law.