Privacy Policy

Last updated: April 2026

At AdaptNX, protecting your personal and health data is a core responsibility. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have over your data. Because AdaptNX processes sensitive health information, we have designed our data practices to meet the requirements of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

1. Information We Collect

We collect the following categories of information to provide our service:

1.1 Account Data

  • Full name and email address (collected at registration)
  • Authentication data (OTP codes, session tokens stored as httpOnly cookies)

1.2 Health Metrics

  • Heart Rate Variability (HRV) — entered manually or synced from wearables
  • Sleep duration, quality scores, and sleep stage data
  • Stress levels and readiness scores
  • Resting heart rate
  • Daily step counts and activity data
  • Screenshots submitted for AI-based metric extraction (images are analyzed and not stored after extraction)

1.3 Blood Test Results

  • Biomarker results you upload or enter manually
  • All blood test data is encrypted at rest using Fernet symmetric encryption

1.4 Nutrition Data

  • AI-generated meal plans and your daily nutrition logs
  • Food photos submitted for calorie and macro estimation (not stored after analysis)
  • Pantry inventory and recipe preferences

1.5 Device & Technical Data

  • Browser type, operating system, and device type
  • IP address (used for security and fraud prevention; not linked to health data)
  • Session identifiers and authentication tokens

1.6 Wearable Integration Data

  • Health and activity data synced via OAuth integrations with Oura, Whoop, Fitbit, and Huawei Health
  • OAuth access tokens stored securely to enable ongoing data synchronization
  • Only data types you explicitly authorize during the OAuth flow are collected

2. How We Use Your Information

We use your data for the following purposes, each grounded in a lawful basis under GDPR:

  • Service Delivery (Contract Performance): Generating personalized, AI-adapted nutrition plans based on your health metrics and physiological state
  • Health Trend Analysis (Contract Performance): Analyzing your metrics over time to provide progress reports and adaptive recommendations
  • Communications (Legitimate Interest / Consent): Sending transactional emails including OTP verification codes, plan generation notifications, and service updates
  • Service Improvement (Legitimate Interest): Using aggregated, anonymized data to improve AI model accuracy and overall service quality. Individual health data is never used in identifiable form for model training without explicit consent
  • Security & Fraud Prevention (Legitimate Interest): Monitoring for unauthorized access, detecting abuse, and maintaining platform security
  • Legal Compliance (Legal Obligation): Complying with applicable laws, regulations, and lawful requests from authorities

3. AI Processing of Your Health Data

AdaptNX uses Google Gemini AI models to process your health data and generate personalized nutrition plans. This is a core function of the service and requires transmitting health metric data to Google's AI infrastructure.

3.1 Nutrition Plan Generation

Your health metrics (HRV, sleep, stress, steps, blood test markers) are included in AI prompts sent to Google Gemini to generate contextually appropriate meal plans. Only the data necessary to generate the plan is included in each request.

3.2 Screenshot Analysis

Screenshots you upload (e.g., from wearable apps) are analyzed by AI to extract health metrics. The image itself is not stored after the extraction is complete — only the extracted numerical values are saved to your profile.

3.3 Food Photo Analysis

Food photos submitted for calorie and macro estimation are sent to Google Gemini for visual analysis. As with screenshots, the image is not stored after analysis is complete.

3.4 Automated Decision-Making

Nutrition plans are generated automatically by AI without human review. Under GDPR Article 22, you have the right to request human review of any automated decision that significantly affects you. Contact [email protected] to exercise this right.

4. Data Storage & Security

4.1 Encryption at Rest

Sensitive health data — including blood test results, health metric columns, and authentication tokens — is encrypted at rest using Fernet symmetric encryption (AES-128-CBC with PKCS7 padding and HMAC-SHA256 authentication). Encryption keys are managed separately from the data they protect.

4.2 Encryption in Transit

All data transmitted between your device and AdaptNX is protected by HTTPS/TLS. Cloudflare provides SSL termination and DDoS protection at the edge.

4.3 Server Location

Your data is stored on servers located in the European Union — specifically Oracle Cloud Infrastructure in the Stockholm (EU-Stockholm-1) region. This ensures that primary data storage complies with EU data residency principles under GDPR.

4.4 Access Controls

Access to production systems and databases is restricted to authorized personnel only, protected by SSH key authentication, VPN, and principle-of-least-privilege access controls. We do not share database access with third parties.

4.5 Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

5. Data Retention

  • Account data (name, email): Retained for the duration your account is active, plus a brief administrative period after deletion
  • Health metrics and nutrition logs: Retained until you delete them individually or delete your account
  • Blood test results: Retained until you delete them or request account deletion
  • Screenshot and food photo content: Deleted immediately after AI extraction/analysis is complete — not stored
  • Session tokens: Expire after a defined inactivity period (rolling expiry)
  • On account deletion: All personal data is permanently and irreversibly deleted from our systems within 30 days of your deletion request. Backups containing your data are purged on their normal rotation schedule

6. Data Sharing & Third-Party Processors

We do NOT sell, rent, or trade your personal or health data to any third party.

We share data only with the following third-party service providers ("data processors") who process data on our behalf and under strict data processing agreements:

Google (Gemini AI)

Processes health metric data and images to generate nutrition plans. Subject to Google Cloud Data Processing Addendum and Google's privacy commitments.

Resend

Handles transactional email delivery (OTP codes, notifications). Only receives your email address for the purpose of delivery.

Cloudflare

Provides DNS resolution, CDN caching, and SSL/TLS termination. Cloudflare may process IP addresses and request metadata as part of network traffic routing.

Unsplash

Provides food and recipe imagery displayed within the application. No personal data is shared with Unsplash.

Wearable Providers (Oura, Whoop, Fitbit, Huawei)

OAuth-based integrations. Data flows from these providers to AdaptNX, not the other way. Your authorization with each provider is governed by their own privacy policies.

We may also disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the safety of any person or to prevent fraud or illegal activity.

7. Your Rights Under GDPR (EU/EEA Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation:

  • Right of Access (Art. 15): Request a copy of all personal data we hold about you, including the categories of data, purposes of processing, and recipients
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data
  • Right to Erasure (Art. 17): Request deletion of your personal data. We will comply unless we have a legal obligation to retain it
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transfer it to another controller
  • Right to Restriction of Processing (Art. 18): Request that we limit how we use your data while a dispute is resolved
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes
  • Right to Withdraw Consent: Where processing is based on your consent, withdraw it at any time without affecting prior lawful processing
  • Right Not to be Subject to Automated Decision-Making (Art. 22): Request human review of decisions made solely by automated processing that significantly affect you
  • Right to Lodge a Complaint: Lodge a complaint with your national data protection supervisory authority if you believe your rights have been violated

Data Protection Contact

For all GDPR-related inquiries and data subject requests, contact our Data Protection Officer at: [email protected]

We will respond within 30 days as required by GDPR Article 12.

8. For California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

8.1 Your Rights

  • Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it
  • Right to Delete: You have the right to request deletion of personal information we hold about you, subject to certain exceptions (e.g., legal obligations, security purposes, completing a transaction)
  • Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you
  • Right to Opt-Out of Sale or Sharing: You have the right to opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. No action is needed on your part, but this right is always available to you
  • Right to Non-Discrimination: We will not deny you services, charge you different prices, provide a different level or quality of service, or suggest any of the foregoing because you exercised your privacy rights

8.2 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

  • Identifiers: Name, email address, IP address, session identifiers
  • Health information: HRV, sleep data, stress levels, resting heart rate, step counts, blood test results, weight, body composition, nutrition logs
  • Internet or electronic network activity: Browser type, device type, usage data related to service interactions
  • Inferences: Health trend analyses and AI-generated nutrition recommendations derived from your data

8.3 How to Exercise Your Rights

To submit a verifiable consumer request, email [email protected]. We will verify your identity before processing your request. You may also designate an authorized agent to submit a request on your behalf; the agent must provide written authorization and we may still require you to verify your identity directly.

We will respond within 45 days of receiving your verifiable request, with the possibility of a 45-day extension when reasonably necessary. Any extension will be communicated to you with an explanation.

9. For Washington State Residents (My Health My Data Act)

If you are a Washington State resident, the Washington My Health My Data Act (MHMDA) provides you with additional rights regarding your consumer health data. This section supplements our general privacy practices with Washington-specific disclosures.

9.1 Health Data We Collect

AdaptNX collects the following categories of consumer health data:

  • Heart Rate Variability (HRV) and resting heart rate
  • Sleep duration, quality, and sleep stage data
  • Stress levels and readiness scores
  • Blood test results and biomarker data
  • Weight, body composition, and body measurements
  • Nutrition logs, dietary intake, and meal plans
  • Activity data including step counts

9.2 Purpose of Collection

We collect and process this health data for the sole purpose of providing personalized, AI-adapted nutrition recommendations and health trend analysis as part of the AdaptNX service.

9.3 Third Parties Who Receive Health Data

Your health data is shared with Google Gemini for ephemeral AI processing to generate personalized nutrition plans. Health metric data is included in AI prompts sent to Google's infrastructure; this processing is ephemeral and Google does not retain your health data for its own purposes under our data processing agreement.

9.4 Consent

By creating an account and accepting our Terms of Service, you consent to the collection and processing of your health data as described in this Privacy Policy. This consent is informed, voluntary, and specific to the purposes outlined herein.

9.5 Your Rights

  • Right to Withdraw Consent: You may withdraw your consent to health data processing at any time by deleting your account. Account deletion permanently removes all health data from our systems within 30 days
  • Right to Access: You may request a copy of all health data we hold about you
  • Right to Delete: You may request deletion of specific health data or all health data associated with your account

9.6 Geofencing

We do not use geofencing technology around healthcare facilities. We do not collect precise geolocation data, and we do not combine location information with your health data for any purpose.

10. For All US Users

We do not sell or share your personal information for cross-context behavioral advertising.

10.1 FTC Health Breach Notification

In compliance with the FTC Health Breach Notification Rule (16 CFR Part 318), in the event of a confirmed breach of unsecured personally identifiable health information, we will notify all affected users and the Federal Trade Commission (FTC) within 60 days of discovering the breach. If a breach affects 500 or more individuals, we will also notify prominent media outlets serving the affected area.

10.2 Contact for Privacy Concerns

For any privacy-related questions or concerns, including requests to exercise your rights under any applicable US privacy law, please contact us at [email protected].

11. Do Not Sell My Personal Information

AdaptNX does not sell, rent, or trade your personal information to any third party for monetary or other valuable consideration.

We do not share your personal information for cross-context behavioral advertising. We do not participate in data broker networks. Your health data is used exclusively to provide you with personalized nutrition recommendations through the AdaptNX service.

If you have any questions about our data practices, contact us at [email protected].

12. Cookies & Local Storage

12.1 Essential Cookies

AdaptNX uses a single essential authentication cookie:

  • Name: auth_token (or equivalent session identifier)
  • Type: httpOnly, Secure cookie
  • Purpose: Maintains your authenticated session
  • Duration: Session-based with rolling expiry

This cookie is strictly necessary for the service to function and cannot be disabled. It does not track you across websites.

12.2 No Tracking or Analytics Cookies

We currently do not use any third-party tracking cookies, advertising cookies, or analytics platforms (such as Google Analytics). We do not engage in cross-site behavioral tracking.

12.3 Cookie Consent

Cookie consent is managed via a banner displayed on your first visit. Because we only use strictly necessary cookies, no consent is required under ePrivacy Directive rules. Should we introduce non-essential cookies in the future, we will update this policy and obtain appropriate consent before setting them.

13. Children's Privacy

AdaptNX is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a person under 16, we will delete that data promptly.

If you believe a child under 16 has provided us with personal information, please contact us immediately at [email protected].

14. International Data Transfers

Your primary data is stored within the European Union (Oracle Cloud, Stockholm). However, certain service operations involve international data transfers:

  • AI Processing (Google Gemini): Health metric data is transmitted to Google's AI infrastructure, which may process data in data centers globally, including outside the EEA. These transfers are conducted under Google's Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Email Delivery (Resend): Your email address is transmitted to Resend for transactional email delivery. Resend operates under appropriate data transfer safeguards
  • CDN (Cloudflare): Network traffic may be routed through Cloudflare edge nodes globally. Cloudflare participates in the EU-US Data Privacy Framework and operates under SCCs

Where your data is transferred outside the EEA, we ensure that appropriate safeguards are in place as required by GDPR Chapter V, including Standard Contractual Clauses, adequacy decisions, or other approved transfer mechanisms.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Send a notification email to your registered email address
  • Display a notice within the AdaptNX application

We encourage you to review this policy periodically. Your continued use of AdaptNX after changes take effect constitutes acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please reach out:

AdaptNX — Privacy Team

Privacy & data requests: [email protected]

General support: [email protected]

Website: adaptnx.com

If you are unsatisfied with our response, you have the right to lodge a complaint with your national data protection authority. For EU users, a list of supervisory authorities is available at edpb.europa.eu.

This Privacy Policy was last updated in April 2026 and supersedes all prior versions. Your use of AdaptNX constitutes acknowledgment that you have read and understood this policy.

See also: Terms of Service