Privacy Policy
Last updated: 1 July 2026 · Version 1.0 · Applies to: Sup AI iOS app and supaiapp.com
This Privacy Policy explains how Sup AI ("we", "us", "our") collects, uses, stores and protects your personal data when you use the Sup AI mobile application and website at supaiapp.com. We are committed to protecting your privacy and handling your data — particularly your health data — with the care it deserves.
Sup AI is operated by Rhys Buttle, a sole trader based in England and Wales, United Kingdom. ICO Registration Number: [YOUR ICO NUMBER].
To contact us about your data: privacy@supaiapp.com
1. What Data We Collect
1.1 Account Data
- Full name
- Email address
- Password (stored as a secure hash — we never see your actual password)
- Year of birth (retained as proof of our age-verification check)
- Biological sex (optional — used only to personalise wellness recommendations)
- Height and weight (optional)
1.2 Health & Wellness Data
This is special category data under UK GDPR Article 9 and receives the highest level of legal protection. We only collect it with your explicit consent.
- Sleep data (sleep score, hours, sleep stages) — from Apple Health or Garmin
- Step count and daily activity
- Resting heart rate and heart rate variability (HRV)
- Recovery and body battery scores — from Garmin
- Stress scores — from Garmin
- Health goals you tell us about
- Any sensitivities or conditions you choose to share
1.3 Supplement Data
- Supplements you log manually or through the app
- Dosage, timing and frequency of each supplement
- Supplement adherence history
1.4 AI Conversation Data
- Messages you send to the Sup AI assistant
- AI responses generated for you
- The model used and approximate token count (for cost management)
1.5 Usage Data
- Which screens and features you use
- App session times and frequency
- Device type, operating system version
- Crash reports and error logs
1.6 Payment Data
- Subscription status (free or Pro)
- Transaction identifiers from the Apple App Store
- We never see or store your payment card details — these are handled entirely by Apple
2. Why We Collect It — Lawful Basis
2.1 Explicit Consent (UK GDPR Article 6(1)(a) & Article 9(2)(a)) — our primary lawful basis for all health-data processing. We obtain explicit consent separately for: processing health data from Apple Health or Garmin; and sending your health summary and supplement log to Claude AI (Anthropic) to generate personalised recommendations. You can withdraw any consent at any time in Settings > Privacy without losing access to core app features.
2.2 Contract (UK GDPR Article 6(1)(b)) — we process account data (name, email) because it is necessary to provide you with the Sup AI service.
2.3 Legitimate Interests (UK GDPR Article 6(1)(f)) — we use anonymised, aggregated usage and crash data to keep the app working and fix bugs. This never includes your health data, supplement data, or AI conversations.
3. How We Use Your Data
- To create and manage your account
- To personalise supplement recommendations based on your health data and goals
- To send your health context to Claude AI (Anthropic) to generate AI responses — see Section 4 for exactly what is sent
- To remind you to take your supplements at times you choose (delivered locally on your device — see 4.5)
- To track supplement adherence and show you your progress over time
- To calculate your daily Health Score from Garmin and Apple Health data
- To process your Pro subscription payment through Apple
- To send you important account emails (verification, password reset, policy updates)
4. Third Parties We Share Data With
We do not sell your data. We do not share your data with advertisers.
4.1 Anthropic (Claude AI) — when you use the Ask AI feature, we send a compressed summary of your health context to Anthropic's Claude AI model to generate a personalised response. We send: biological sex and approximate age, health goals, current supplement stack (names and doses only), and a compressed summary of recent health metrics. We do not send your name, email address, or any directly identifying information to Anthropic. Anthropic does not use your data to train its models. See: anthropic.com/privacy
4.2 Supabase — our database and authentication provider (Supabase Inc., a US company). All app data (your account, supplement logs, health snapshots and AI conversation history) is stored in the Supabase project region we have selected: [YOUR SUPABASE REGION — e.g. London (eu-west-2)]. Where personal data is stored in, or accessed from, a country outside the UK, that transfer is covered by the safeguards described in Section 4.6. Supabase provides a GDPR-compliant Data Processing Addendum incorporating the EU Standard Contractual Clauses and the UK Addendum. See: supabase.com/privacy and supabase.com/legal/dpa
4.3 Apple (HealthKit & App Store) — if you connect Apple Health, Apple provides your health data to the app through the on-device HealthKit framework. We do not send HealthKit data back to Apple. See: apple.com/legal/privacy
4.4 Garmin — if you connect your Garmin account, Garmin provides health and activity data through the Garmin Connect API. You can disconnect Garmin at any time in Settings. See: garmin.com/en-GB/privacy/global-privacy-statement
4.5 Supplement Reminders — supplement reminders are scheduled and shown locally on your device by Apple's on-device notification system. Their content stays on your device — it is not sent to us or to any third party.
4.6 International Data Transfers — some of the providers above are based outside the United Kingdom, so providing the service involves transferring personal data internationally. We only do this where an appropriate safeguard recognised by UK GDPR (Chapter V) is in place:
- Anthropic (Claude AI) — United States. When you use the Ask AI feature, the health context described in Section 4.1 is processed by Anthropic in the United States. This transfer is governed by Anthropic's Data Processing Addendum, which is incorporated into Anthropic's Commercial Terms of Service and includes the EU Standard Contractual Clauses (Module Two) together with the UK International Data Transfer Addendum. Anthropic does not use API inputs or outputs to train its models, and its API logs are deleted by default within a short retention window.
- Supabase — [YOUR SUPABASE REGION]. If your selected region is inside the UK or EU, no international transfer of stored data occurs. If it is outside the UK/EU, the transfer is covered by Supabase's Data Processing Addendum, which incorporates the EU Standard Contractual Clauses and the UK Addendum.
- Apple and Garmin. To the extent Apple or Garmin process your data outside the UK, each relies on its own appropriate transfer safeguards (such as the Standard Contractual Clauses and the UK Addendum), as set out in their respective privacy policies linked above.
You may request a copy of the relevant safeguard by emailing privacy@supaiapp.com. If you do not want your data transferred to Anthropic in the United States, do not grant AI consent and do not use the Ask AI feature — the rest of the app remains fully available.
5. How Long We Keep Data
- Account data: retained for the lifetime of your account plus 30 days after deletion
- Health data snapshots: retained for 13 months, then automatically deleted
- Supplement logs: retained for the lifetime of your account plus 30 days after deletion
- AI conversation history: retained for 12 months, then automatically deleted
- Year of birth: retained indefinitely as proof of our age-verification check
- Payment records: retained for 7 years as required by UK tax law
- Consent records: retained for the lifetime of your account plus 3 years
6. Your Rights Under UK GDPR
To exercise any of these rights, contact us at privacy@supaiapp.com. We will respond within 30 days.
- Right of Access: request a copy of all personal data we hold about you
- Right to Rectification: ask us to correct inaccurate data
- Right to Erasure: delete your account and all associated data in Settings > Account > Delete Account
- Right to Restrict Processing: ask us to stop processing your data in certain ways
- Right to Data Portability: request a copy of your supplement history and health data in a machine-readable format by emailing privacy@supaiapp.com
- Right to Object: object to processing based on legitimate interests (Section 2.3)
- Right to Withdraw Consent: withdraw any consent at any time in Settings > Privacy
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
7. Children's Privacy
Sup AI is not intended for anyone under the age of 16. We use a date-of-birth check at registration to prevent under-16s from creating accounts. If we become aware that a user is under 16, we will immediately delete their account and all associated data. If you believe a child under 16 has created an account, please contact us at privacy@supaiapp.com.
8. Data Security
- All data is encrypted in transit using HTTPS/TLS 1.3
- All data is encrypted at rest using AES-256 in Supabase
- Row-level security ensures you can only access your own data
- API keys and service credentials are stored in server-side environment variables — never in the app code
- Your password is hashed — we never store or see your actual password
- In the event of a data breach, we will notify affected users and the ICO within 72 hours as required by UK GDPR Article 33
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and in-app notification at least 30 days before the change takes effect. The current version is always available at supaiapp.com/privacy and in the app under Settings > Privacy Policy.
10. Contact Us
Email: privacy@supaiapp.com
Website: supaiapp.com/privacy
We aim to respond to all data-related enquiries within 5 working days and will always respond within 30 days as required by UK GDPR.