Privacy Policy

1. Information We Collect

• Account and contact data, including Sign in with Apple identifiers, email address, profile details, and support messages.
• Health and wellness data you provide directly, including nutrition, water, supplements, medications, symptoms, habits, fasting records, vitals, notes, and lab biomarkers.
• Data you authorize from Apple Health/HealthKit and connected services, such as heart rate, resting heart rate, heart rate variability, sleep, workouts, steps, body measurements, glucose, ketones, blood pressure, and other supported metrics.
• Content you choose to submit for analysis or storage, such as chat messages, journal entries, uploaded lab reports, PDFs, meal photos, and other user-provided files.
• Calendar or reminder data when you authorize the app to create Apple Calendar events or Apple Reminders items.
• Voice and speech input if you use microphone or speech recognition features to interact with the app.
• Location data if you grant permission for sun exposure or UV-related features.
• Technical, diagnostic, and usage data, such as app version, device type, crash logs, telemetry, and product analytics.
• Subscription and transaction metadata from Apple. We do not receive or store your full payment card details.

2. Permissions and Optional Integrations

Depending on the features you use, the app may request permission to access Apple Health/HealthKit, Camera, Photos, Microphone, Speech Recognition, Calendars, Reminders, Notifications, and Location. These permissions are optional unless directly required for the feature you choose to use, and you can manage them in iOS Settings or within applicable in-app controls.

3. On-Device Storage and Cloud Processing

Human Codex uses a privacy-oriented architecture. A significant portion of your health and profile data is stored locally on your device using Apple technologies such as SwiftData, Keychain, and the iOS security model.

Some features require secure cloud or third-party processing to work. When you use features such as AI chat, lab report OCR and interpretation, food photo analysis, voice features, or other network-dependent tools, selected data relevant to that request may be transmitted to service providers.

Because some functionality depends on cloud processing, we do not describe the Services as operating exclusively on-device.

4. AI Processing and Language Models

Human Codex uses artificial intelligence, including large language models, to generate health-related summaries, explanations, action ideas, and other decision-support outputs. Our current primary AI processing provider is Google through the Gemini API. We may change or add providers over time.

We also use Anthropic (Claude) for certain analysis features, including lab insights and chat responses. Data sent to Anthropic is processed under their privacy terms and is not used to train their models.

• Selected data may be sent to AI providers only when you use AI-powered features and, where applicable, after explicit consent.
• Data sent may include relevant profile details, health goals and diet preferences, recent metrics, messages to the AI agent, and images or files you choose to share.
• Sign-in credentials, access tokens, and passwords are not intentionally sent to AI providers.
• We configure AI processing for product functionality, not advertising. Where provider terms and controls offer a no-training or equivalent setting, we do not intentionally provide user data for third-party model training.
• Provider handling and retention may vary depending on service configuration, provider terms, abuse-monitoring requirements, and law.
• AI-generated content is informational only and does not constitute medical advice, diagnosis, treatment, or emergency guidance.

5. How We Use Information

• Provide, maintain, and improve personalized health interpretation, AI assistance, and product functionality.
• Process user requests, including chat responses, lab interpretation, OCR, food analysis, reminders, calendar events, and summaries.
• Maintain security, reliability, performance, and abuse prevention.
• Process subscriptions, restore purchases, customer support, and service communications, and send optional updates if you choose to receive them.
• Comply with legal obligations and enforce our Terms of Service.
• Analyze product usage using aggregated, de-identified, or otherwise privacy-protective measurements where appropriate.

6. Health Data and HealthKit Commitments

We treat health-related information as sensitive data. For data obtained through Apple Health/HealthKit or other health-related features:

• The health data we may collect can include metrics such as heart rate, resting heart rate, heart rate variability, sleep, steps, workouts, body measurements, glucose, ketones, blood pressure, fasting information, nutrition logs, water logs, and lab-related entries where supported.
• HealthKit and other health data are not used for advertising, marketing, ad targeting, or data brokerage.
• We do not sell health data to third parties.
• Health data is shared only when reasonably necessary to provide a feature you request, operate the Services, or comply with law, and where required only after obtaining explicit permission.
• We do not write false, misleading, or clinically unsafe or inaccurate data into HealthKit.
• You can disable Health access through iOS Settings > Privacy & Security > Health and through applicable in-app controls.

7. Analytics, Diagnostics, and Telemetry

We may use analytics, diagnostics, crash reporting, and telemetry tools to understand performance, reliability, and feature quality. Current services may include Firebase Analytics, Firebase Crashlytics, Google Analytics on the website, and internal or hosted telemetry infrastructure.

These systems may process device and app metadata, hashed or pseudonymous identifiers, crash data, and product interaction events. We aim to minimize the inclusion of sensitive health content in analytics and telemetry and do not use health data from HealthKit or similar sources for advertising or use-based data mining.

8. How We Share Information

We may share information with:

• AI processing providers, currently including Google Gemini API and Anthropic (Claude), to fulfill AI-powered requests.
• Analytics and diagnostics providers, currently including Firebase Analytics, Firebase Crashlytics, and Google Analytics, for product measurement, reliability, and website traffic analysis.
• Apple, for Sign in with Apple, App Store subscription processing, billing metadata, and platform services you use through iOS.
• Connected services you choose to enable when you direct the app to connect or manage content on your behalf.
• Service providers acting on our instructions, such as infrastructure, security, support, or operational vendors, subject to contractual or operational data-protection obligations.
• Professional advisors and auditors under confidentiality obligations.
• Authorities where required by law, court order, or legal process.
• Successors in a merger, acquisition, financing, or asset transfer, subject to this Policy and applicable law.

We require service providers acting on our instructions to protect personal data in a manner consistent with this Policy and applicable law.

9. Cookies and Website Analytics

Our website may use essential cookies and similar technologies, including Google Analytics, to understand traffic, measure site performance, and improve the user experience. We do not use cookies for cross-site behavioral advertising or to build health-based advertising profiles.

10. Legal Bases and Consent

Depending on your jurisdiction, we may process information based on your consent, the performance of a contract, legitimate interests such as security and product improvement, and compliance with legal obligations. You can withdraw certain permissions and consents through iOS Settings or applicable in-app controls, subject to technical and legal limits.

11. Data Retention and Deletion

We retain personal data only for as long as necessary for the purposes described in this Policy, including legal, security, fraud-prevention, accounting, tax, and dispute-resolution needs. Our current retention targets are:

• Account, profile, subscription, and core service records: retained while your account is active, and generally deleted or de-identified within 90 days after account deletion unless a longer period is required for legal, tax, security, or dispute-resolution reasons.
• Health, wellness, journal, lab, chat, and uploaded content stored by the Services: retained while your account is active or until you delete the data or request deletion, subject to backup, legal, and provider-processing limitations.
• Local app data stored on your device: retained on your device until you clear it, delete your account, or remove the app.
• Product analytics and telemetry: generally retained in identifiable or pseudonymous form for up to 90 days, then deleted, aggregated, or de-identified where technically feasible.
• Crash logs and diagnostic logs: generally retained for up to 30 days unless needed longer to investigate reliability, abuse, security, or legal issues.
• Support, billing, tax, fraud-prevention, and legal records: retained as long as reasonably necessary for the relevant operational, accounting, or legal purpose.

Cloud-processed or provider-handled data may have different retention periods depending on the feature, provider, and applicable law. The app may include in-app options to clear data or delete your account. You can also contact us at privacy@humancodex.com to request deletion or ask questions about retention.

12. Your Choices and Privacy Rights

Depending on your location, including California and other states with privacy laws, you may have rights to:

• Access, correct, or delete personal data.
• Obtain a portable copy of certain personal data.
• Withdraw certain consents and revoke permissions.
• Opt out of the sale or sharing of personal data where applicable. We do not sell personal data.
• Appeal certain privacy decisions where local law provides that right.

If you reside in the European Economic Area, the United Kingdom, or Switzerland, you may have additional rights under the GDPR, UK GDPR, or similar laws, including the right to object to or restrict certain processing, request portability, withdraw consent, and lodge a complaint with your local supervisory authority.

If you reside in California, you may have additional rights under the California Consumer Privacy Act as amended by the CPRA, including the right to know, access, correct, delete, and obtain a copy of personal information, and to opt out of the sale or sharing of personal information where applicable. We do not sell health data or use it for cross-context behavioral advertising.

You can also manage permissions for Health, Photos, Camera, Microphone, Speech Recognition, Location, Calendars, Reminders, and Notifications through iOS Settings, and disconnect optional connectors through in-app controls when available.

To exercise your rights, contact us at privacy@humancodex.com.

13. Security

We use administrative, technical, and organizational safeguards designed to protect personal data, including sensitive health information, against unauthorized access, disclosure, alteration, and destruction. No method of storage or transmission is completely secure, but we work to apply reasonable and appropriate safeguards.

14. U.S. Health Privacy Laws

• HIPAA scope: Unless explicitly stated in a separate agreement, Human Codex does not act as a HIPAA covered entity or business associate. The Services are intended for consumer self-management, education, and wellness support.
• Breach notifications: Where applicable, we follow U.S. breach-notification obligations, including the FTC Health Breach Notification Rule and applicable state laws.

15. Children

Our Services are not directed to children under 13, or under a higher age where local law requires it. We do not knowingly collect personal data from children without legally required consent. If you believe a child has provided personal data to us, contact us and we will review and delete the information where appropriate.

16. International Transfers

If information is processed across borders, including by AI, analytics, diagnostics, or infrastructure providers, we use contractual and operational safeguards designed to protect data in line with applicable law, including Standard Contractual Clauses where required.

17. Changes to This Policy

We may update this Policy from time to time. Material updates may be communicated through the app, website, or other appropriate channels. The effective date at the top reflects the latest version.