Privacy Policy

Last updated: June 20, 2026

⚖️ Attorney review required before launch. This document is a comprehensive starting template. Before going live in production, it must be reviewed and adapted by an attorney licensed in your operating jurisdictions (Ohio, USA, EU, UK, Canada, Australia) to confirm compliance with current law.

1. Plain-English Summary

Adipofyte is an adults-only wellness application for people aged 18 and over. We collect the information you give us (account, body measurements, food and movement logs, messages with Maya), use it to power your personalized plans, never sell it to advertisers, and let you export or delete it at any time from your dashboard. Photos, journal entries, and your conversations with Maya are never shared with anyone — including your household members — without your explicit action.

2. Who We Are (Data Controller)

"Adipofyte", "we", "us", and "our" refer to the operator of the Adipofyte platform. For the purposes of EU/UK GDPR, we are the data controller for personal data submitted through the Service. For privacy enquiries, data-subject requests, and CCPA/CPRA / PIPEDA / GDPR requests, contact: privacy@adipofyte.com.

3. Adults-Only Service (18+)

Adipofyte is intended exclusively for adults aged 18 or older. By creating an account you represent and warrant that you are at least 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it promptly. Parents or guardians who believe their child has provided personal information to us should email privacy@adipofyte.com.

This Service is not directed to children under 13 (or under 16 in the EU/UK), and is not subject to COPPA. We do not run a "general audience" website for minors.

4. Information We Collect

4.1 Information You Provide

Account: name, email address, password (hashed), display name.
Health and wellness data: body measurements (waist, hips, weight, etc.), self-reported health conditions and medications, food allergies/sensitivities, dietary preferences, sleep, mood, hunger, energy ratings, journal entries, mindset reframes.
Photos: any progress photos you choose to upload (stored privately to your account).
Maya conversations: the messages you exchange with our AI concierge, used to power personalized plans.
Household membership: the household you belong to (if any) and the per-data-kind privacy choices you make for it.

4.2 Information Collected Automatically

Service logs: IP address, browser type, device type, time of access, pages requested.
Cookies and local storage: a session cookie required for login (essential), and preferences such as cookie consent. We do not use third-party advertising or cross-site tracking cookies.
Privacy-friendly analytics: we may use Plausible Analytics or a similar cookie-free, GDPR-compliant tool that measures aggregate visits without identifying you.

4.3 Information from Third Parties

Stripe (payments): if you subscribe, Stripe collects and processes your payment details directly. We never see or store your full card number; we receive only a customer identifier and your subscription status.
AI providers: when you message Maya, the text of your message is sent to our AI provider (e.g. OpenAI, Groq, or a self-hosted model) to generate the reply. We choose providers that contractually commit not to use submitted data to train their models.

5. Sensitive / Special Category Data

Several fields you may submit (health conditions, medications, body measurements, GLP-1 status) qualify as special category data under EU/UK GDPR, sensitive personal information under CCPA/CPRA, and similar designations elsewhere. We process this data:

Only with your explicit consent, which you give by entering it during onboarding;
Only to deliver the Service you requested (personalized coaching);
Never to train AI models, never sold, never used for advertising;
You may withdraw consent at any time by deleting that data from your dashboard or by deleting your account.

6. How We Use Your Information

To provide, personalize, and maintain the Service (rotation tracking, meal plans, coaching).
To process subscription payments and manage your account.
To communicate with you (account emails, support replies, opt-in product updates).
To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
To comply with our legal obligations and enforce our agreements.
To produce de-identified, aggregate analytics about Service usage that cannot be linked back to you.

7. Legal Bases for Processing (EU/UK GDPR)

Contract: processing necessary to deliver the Service you subscribed to.
Consent: for special category health data, marketing emails, and optional features.
Legitimate interests: service improvement, security, fraud prevention — balanced against your rights.
Legal obligation: tax, accounting, lawful requests from authorities.

We do not sell or rent your personal information. We share it only with:

Service providers (processors): hosting (e.g. Microsoft Azure), payments (Stripe), email delivery, AI providers, analytics, error monitoring — under written contracts that limit use to providing the service.
Household members: only the specific data kinds you explicitly opt to share via your household privacy controls. Photos, journal entries, and Maya conversations are architecturally never shareable — there is no setting that exposes them.
Legal compliance: when required by law, court order, or to protect rights, safety, or property.
Business transfers: if Adipofyte is acquired, merged, or restructured, your data may transfer to the successor entity, subject to this Privacy Policy.

9. International Data Transfers

Adipofyte is operated from the United States. If you access the Service from outside the US, your information will be transferred to, processed in, and stored in the US and/or other countries where our service providers operate. For transfers from the EU/UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK Addendum. By using the Service, you consent to these transfers.

10. Data Retention

Account, health, and check-in data: retained while your account is active and for up to 30 days after deletion (to allow recovery), then permanently deleted or anonymised.
Subscription and billing records: retained for the period required by tax and accounting law (typically 7 years).
Support correspondence: retained for up to 3 years for service-quality and dispute purposes.
Anonymised, aggregate analytics: retained indefinitely; cannot be linked back to you.

11. Your Rights

Depending on where you live, you have the right to:

Access the personal information we hold about you (GDPR Art. 15, CCPA §1798.110, PIPEDA Principle 9).
Rectify inaccurate information (GDPR Art. 16).
Erase your information ("right to be forgotten") (GDPR Art. 17, CCPA §1798.105).
Restrict or object to processing (GDPR Arts. 18, 21).
Port your data to another service in machine-readable form (GDPR Art. 20, CCPA §1798.130).
Withdraw consent at any time, without affecting prior lawful processing.
Opt out of "sale" or "sharing" of personal information (CCPA/CPRA) — note: we do not sell or share your data, so there is nothing to opt out of, but you may submit a request as confirmation.
Non-discrimination: we will not deny you service, charge you a different price, or provide a different quality of service for exercising your rights.
Lodge a complaint with your local supervisory authority (e.g. ICO in the UK, national DPAs in the EU, the OPC in Canada, or your state attorney general in the US).

You can exercise most of these rights directly from Account → Dashboard → Export My Data and the Delete Account controls. For anything else, email privacy@adipofyte.com. We will verify your identity and respond within 30 days (45 days for complex CCPA requests).

12. Security

We use industry-standard safeguards: HTTPS for all transport, hashed passwords (ASP.NET Identity), encrypted database backups, role-based access controls for staff, and audit logging for sensitive actions. No system is 100% secure. You are responsible for keeping your password confidential and for notifying us immediately of any suspected unauthorised access at security@adipofyte.com.

13. Cookies and Tracking

We use only essential cookies required to keep you signed in and to remember your cookie-consent choice. We do not use third-party advertising cookies, fingerprinting, or cross-site tracking. If we add privacy-friendly analytics (e.g. Plausible), they operate without cookies and without collecting personal data.

14. Do Not Track and Global Privacy Control

Our Service does not currently respond to Do Not Track (DNT) signals because there is no industry consensus on how to interpret them. We honour Global Privacy Control (GPC) signals as an opt-out of "sale" or "sharing" of personal information for residents of jurisdictions where the law requires it (such as California).

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top and, for material changes, notify you by email or by an in-app notice. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

16. Contact Us

Adipofyte — Privacy Office
Email: privacy@adipofyte.com
Security incidents: security@adipofyte.com
Postal address: [insert business mailing address before launch]