Privacy Policy

Last updated: 1 July 2026 · Version 1.0 · Applies to: Sup AI iOS app and supaiapp.com

This Privacy Policy explains how Sup AI ("we", "us", "our") collects, uses, stores and protects your personal data when you use the Sup AI mobile application and website at supaiapp.com. We are committed to protecting your privacy and handling your data — particularly your health data — with the care it deserves.

Sup AI is operated by Rhys Buttle, a sole trader based in England and Wales, United Kingdom. ICO Registration Number: [YOUR ICO NUMBER].

To contact us about your data: privacy@supaiapp.com

1. What Data We Collect

1.1 Account Data

1.2 Health & Wellness Data

This is special category data under UK GDPR Article 9 and receives the highest level of legal protection. We only collect it with your explicit consent.

1.3 Supplement Data

1.4 AI Conversation Data

1.5 Usage Data

1.6 Payment Data

2. Why We Collect It — Lawful Basis

2.1 Explicit Consent (UK GDPR Article 6(1)(a) & Article 9(2)(a)) — our primary lawful basis for all health-data processing. We obtain explicit consent separately for: processing health data from Apple Health or Garmin; and sending your health summary and supplement log to Claude AI (Anthropic) to generate personalised recommendations. You can withdraw any consent at any time in Settings > Privacy without losing access to core app features.

2.2 Contract (UK GDPR Article 6(1)(b)) — we process account data (name, email) because it is necessary to provide you the Sup AI service.

2.3 Legitimate Interests (UK GDPR Article 6(1)(f)) — we use anonymised, aggregated usage and crash data to keep the app working and fix bugs. This never includes your health data, supplement data, or AI conversations.

3. How We Use Your Data

4. Third Parties We Share Data With

We do not sell your data. We do not share your data with advertisers.

4.1 Anthropic (Claude AI) — when you use the Ask AI feature, we send a compressed summary of your health context to Anthropic's Claude AI model to generate a personalised response. We send: biological sex and approximate age, health goals, current supplement stack (names and doses only), and a compressed summary of recent health metrics. We do not send your name, email address, or any directly identifying information to Anthropic. Anthropic does not use your data to train its models. See: anthropic.com/privacy

4.2 Supabase — our database and authentication provider (Supabase Inc., a US company). All app data (your account, supplement logs, health snapshots and AI conversation history) is stored in the Supabase project region we have selected: [YOUR SUPABASE REGION — e.g. London (eu-west-2)]. Where personal data is stored in, or accessed from, a country outside the UK, that transfer is covered by the safeguards described in Section 4.6. Supabase provides a GDPR-compliant Data Processing Addendum incorporating the EU Standard Contractual Clauses and the UK Addendum. See: supabase.com/privacy and supabase.com/legal/dpa

4.3 Apple (HealthKit & App Store) — if you connect Apple Health, Apple provides your health data to the app through the on-device HealthKit framework. We do not send HealthKit data back to Apple. See: apple.com/legal/privacy

4.4 Garmin — if you connect your Garmin account, Garmin provides health and activity data through the Garmin Connect API. You can disconnect Garmin at any time in Settings. See: garmin.com/en-GB/privacy/global-privacy-statement

4.5 Supplement Reminders — supplement reminders are scheduled and shown locally on your device by Apple's on-device notification system. Their content stays on your device — it is not sent to us or to any third party.

4.6 International Data Transfers — some of the providers above are based outside the United Kingdom, so providing the service involves transferring personal data internationally. We only do this where an appropriate safeguard recognised by UK GDPR (Chapter V) is in place:

You may request a copy of the relevant safeguard by emailing privacy@supaiapp.com. If you do not want your data transferred to Anthropic in the United States, do not grant AI consent and do not use the Ask AI feature — the rest of the app remains fully available.

5. How Long We Keep Data

6. Your Rights Under UK GDPR

To exercise any of these rights, contact us at privacy@supaiapp.com. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

7. Children's Privacy

Sup AI is not intended for anyone under the age of 16. We use a date-of-birth check at registration to prevent under-16s from creating accounts. If we become aware that a user is under 16, we will immediately delete their account and all associated data. If you believe a child under 16 has created an account, please contact us at privacy@supaiapp.com.

8. Data Security

9. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and in-app notification at least 30 days before the change takes effect. The current version is always available at supaiapp.com/privacy and in the app under Settings > Privacy Policy.

10. Contact Us

Email: privacy@supaiapp.com
Website: supaiapp.com/privacy

We aim to respond to all data-related enquiries within 5 working days and will always respond within 30 days as required by UK GDPR.