Privacy Policy

1. Introduction

SuppaLog ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your personal data in compliance with the UK GDPR, Data Protection Act 2018, and applicable US state privacy laws (including CCPA).

Your data is stored in the United Kingdom (London, EU-West-2 region) to ensure compliance with UK and EU data protection laws.

Contact Us: If you have questions about this Privacy Policy, please contact us at hello@suppalog.app. We typically respond within 48 hours.

2. Information We Collect

We collect and process the following categories of personal data:

Account Information

• Email address and display name
• Authentication credentials (securely hashed)
• Profile preferences and settings

Health & Wellness Data (with explicit consent)

• Supplement intake logs and schedules
• Daily routine and life moments
• Health goals you set
• Supplement stack configurations
• Daily check-ins (mood, energy, digestion, stress, sleep)
• Nutrient tracking and RDA comparisons

Device & Technical Data

• Device identifiers and type
• App version and operating system
• Error logs and crash reports (via Sentry)
• Performance metrics

Usage Analytics (anonymized)

• Feature usage patterns
• Screen views and navigation
• Search queries (anonymized)

Optional Data (if you enable features)

• Camera access for barcode scanning and AI Vision
• Photo library for supplement images
• Push notification tokens
• Biometric authentication preferences (Face ID/Touch ID)

Important: We do NOT collect or store actual biometric data. Biometric authentication is handled entirely by your device's secure enclave.

We do NOT sell your personal data to third parties.

3. Legal Basis for Processing

We process your data under the following legal bases (UK GDPR):

• Consent (Article 6(1)(a)): You have given explicit consent for us to process your health and wellness data
• Contract (Article 6(1)(b)): Processing is necessary to provide our services to you
• Legitimate Interests (Article 6(1)(f)): To improve our service, ensure platform security, and prevent fraud

For special category health data, we rely on your explicit consent under Article 9(2)(a).

4. How We Use Your Information

We use your information to:

• Provide supplement tracking and logging services
• Generate AI-powered insights and safety analysis (Premium feature)
• Send reminders and notifications (if enabled)
• Enable stack sharing and social features
• Process payments and manage subscriptions
• Provide customer support
• Improve our service through anonymized analytics
• Ensure security and prevent fraud
• Comply with legal obligations

We do NOT:

• Use your data for advertising
• Sell your data to third parties
• Share your health data with data brokers
• Track you across other apps or websites

5. Data Storage and Security

Your data is stored securely using industry-standard practices:

Primary Storage - Supabase (London, UK)

• AES-256 encryption at rest
• TLS 1.3 encryption in transit
• Row-level security policies
• Regular security audits
• SOC 2 Type II certified

Additional Security Measures

• Secure password hashing (Argon2)
• Rate limiting and brute-force protection
• Regular vulnerability assessments
• Access controls and authentication

Data Retention

We retain your data for as long as your account is active. Upon account deletion, your data is permanently removed within 30 days, except where retention is required by law.

6. Your Rights

Under UK GDPR (and similar rights under CCPA for California residents), you have the right to:

• Access (Article 15): Request a copy of your personal data
• Rectification (Article 16): Correct inaccurate data
• Erasure (Article 17): Request deletion of your data
• Portability (Article 20): Export your data in JSON/CSV format
• Restriction (Article 18): Limit how we process your data
• Objection (Article 21): Object to certain processing
• Withdraw Consent (Article 7): Revoke consent at any time
• Non-Discrimination (CCPA): We will not discriminate against you for exercising your rights

To exercise these rights:

• Use "Export My Data" or "Delete Account" in Settings
• Email us at hello@suppalog.app
• Lodge a complaint with the ICO (UK): https://ico.org.uk

7. Third-Party Services

We do NOT sell your data. We use the following GDPR-compliant third parties:

Infrastructure & Authentication

• Supabase (UK) - Database hosting, authentication
• Privacy Policy: supabase.com/privacy

AI Services

• Anthropic Claude (US) - AI-powered supplement insights, chat assistance, and stack safety analysis. Only supplement names and dosages are sent, never personal identifiers.
• Google Gemini/Vertex AI (US) - AI Vision for supplement identification from images. Only the image you upload is processed; no personal identifiers are sent.

Analytics (Anonymized)

• PostHog (EU) - Product analytics with privacy-first approach. Data is anonymized and no PII is collected.
• Privacy Policy: posthog.com/privacy

Error Monitoring

• Sentry (EU) - Crash reporting and error tracking. No screenshots or PII captured.
• Privacy Policy: sentry.io/privacy

Payments

• RevenueCat - Subscription management
• Apple App Store / Google Play - Payment processing

Push Notifications

• Apple Push Notification Service (APNs)
• Firebase Cloud Messaging (FCM)

All third parties process data under strict data processing agreements.

8. App Tracking & Advertising

iOS App Tracking Transparency

On iOS 14.5+, we request your permission before tracking. If you decline, we respect your choice and disable analytics tracking.

We do NOT:

• Sell your data to advertisers
• Use your data for targeted advertising
• Share your data with data brokers
• Track you across other apps or websites

Analytics we collect (if permitted) are used solely to improve SuppaLog.

9. International Data Transfers

Your data is primarily stored in the United Kingdom. Some processing may occur in:

• European Union (PostHog analytics, Sentry error monitoring)
• United States (Anthropic Claude, Google Vertex AI, Apple/Google services)

For US transfers, we rely on Standard Contractual Clauses (SCCs) and ensure all processors maintain appropriate safeguards. AI requests contain only supplement data or images you upload, never personal identifiers.

10. Children's Privacy

SuppaLog is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, please contact us immediately and we will delete it.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. For significant changes, we will:

• Notify you via email or in-app notification
• Update the "Last Updated" date
• Provide a summary of changes

Continued use of SuppaLog after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy questions, data requests, or to exercise your rights:

Email: hello@suppalog.app
Response Time: Within 30 days for data requests
Website: suppalog.app
Support: suppalog.app/support

Data Protection Authority:
UK Information Commissioner's Office (ICO)
https://ico.org.uk