
Privacy Policy

We collect only what we need to run the app, we never sell your data, and you can delete everything at any time.

Last updated: 15 May 2026

1. Who we are

Healup is operated by Web Ninja Solutions Private Limited, a company registered in India. When this Policy refers to "Healup", "we", "us", or "our", it means Web Ninja Solutions Private Limited.

Contact: contact@webninjasolutions.com


2. What data we collect

2.1 Account data

  • Email address and password hash (or sign-in provider identifier if you use Sign in with Apple or Google).
  • Your chosen display name and optional profile photo.

2.2 Profile & health parameters

  • Date of birth, biological sex, height, weight, activity level, and dietary goal — entered by you during onboarding and editable at any time.
  • Body weight log entries you add inside the app.

2.3 Nutrition & activity logs

  • Meals, foods, and drinks you log — whether by AI scan, barcode, or manual entry.
  • Exercise sessions and workouts you record.
  • Water intake entries.
  • Streak and achievement data.

2.4 Photos

When you use the AI food scanner, Healup resizes your photo to a maximum of 1,024 px on the longest side on-device before uploading it to our secure cloud storage. We retain the photo for up to 7 days, after which it is automatically and permanently deleted. We store a cryptographic hash of the request for billing reconciliation, but never the image itself beyond 7 days.

2.5 Device metadata

  • Device model, operating system version, app version, locale, and time zone — used for analytics and crash debugging.
  • A pseudonymous device identifier used by our analytics provider (PostHog).

2.6 Push notification token

An opaque token issued by Apple or Google to deliver reminders you have enabled. You can revoke this at any time in your device settings or inside Healup (Profile → Notifications).

2.7 Subscription state

Your subscription entitlement (Free / Trial / Premium) and expiry date, provided to us by RevenueCat after verifying your App Store or Google Play receipt.


3. How we use your data

  • To create and manage your account and authenticate you.
  • To calculate your personalised daily calorie targets, macro splits, and projections.
  • To process AI food scans and return nutrition estimates to you.
  • To send push reminders you have opted into.
  • To display your history, trends, and progress charts.
  • To aggregate de-identified analytics that help us improve the product (via PostHog).
  • To diagnose and fix crashes (via Sentry — stack traces and device metadata only; no personal data).
  • To prevent fraud and enforce our Terms of Service.
  • To comply with legal obligations.

4. AI processing of photos

When you tap "Scan", a low-resolution copy of the photo is sent to OpenAI via their API for food identification. OpenAI returns a text response (food name, estimated portion, and macros). OpenAI's API data-usage policy states that API inputs are not used to train their models. We do not transmit any information that identifies you to OpenAI — only the anonymous food image.

Important: AI nutrition estimates are approximate. Actual values depend on preparation method, ingredient brand, and portion accuracy. Always use Healup data as a guide, not a clinical measurement.


5. Health data from Apple Health & Google Fit

With your explicit permission, Healup reads step counts and active energy burn from Apple Health (iOS) or Google Health Connect (Android) to compute your net calories. We do not write data back to these platforms. Health kit data stays on your device — we do not transmit raw health samples to our servers; we only use the values in-app to populate your daily summary.


6. Third parties we share data with

We share the minimum necessary data with the following trusted service providers:

  • Supabase (EU/US data centres) — database, authentication, and file storage for your account and logs.
  • OpenAI — anonymous food photo processing for AI scans.
  • Apple / Google — payment processing for Premium subscriptions.
  • RevenueCat — subscription receipt validation and entitlement management.
  • Sentry — crash diagnostics. Stack traces and device metadata only.
  • PostHog (EU-hosted instance) — pseudonymous product analytics. No email address or PII is sent.

We do not sell, rent, or trade your personal data. We do not run advertising SDKs or behavioural tracking.


7. Where your data is stored

Healup is headquartered in India. Your data is stored on Supabase infrastructure in the Sydney, Australia region (ap-southeast-2). Some data may transit through EU or US data centres of our sub-processors (OpenAI, Sentry, PostHog). By using Healup, you consent to this cross-border transfer. We ensure each sub-processor provides adequate data protection safeguards.


8. Your rights

You have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate data (most profile data is editable directly in the app).
  • Erasure — delete your account and all associated data permanently via Profile → Settings → Delete account, or by emailing us.
  • Portability — export your nutrition log as CSV or PDF (Premium feature, or on request).
  • Restriction — ask us to restrict processing of your data while a dispute is resolved.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — revoke push notifications, camera access, or Health kit access at any time in device settings.

If you are located in the EU, UK, or California, you also have rights under GDPR / UK GDPR / CCPA respectively. We honour all verified requests within 30 days.

To exercise any right, contact contact@webninjasolutions.com from your registered email address.


9. Data retention

  • Scan photos: deleted automatically after 7 days.
  • Account and nutrition logs: retained while your account is active, then deleted within 30 days of account deletion.
  • Crash logs (Sentry): retained for 90 days.
  • Analytics (PostHog): pseudonymous events retained for 12 months.
  • Subscription records: retained for 7 years for accounting and tax compliance.

10. Children's privacy

Healup is not directed to children under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If you believe a child has created a Healup account, please contact us and we will delete the account promptly.


11. Security

We protect your data using industry-standard practices: TLS 1.3 encryption in transit, AES-256 encryption at rest, and row-level security so each user can only read their own data. Access to production systems is limited to authorised personnel only. That said, no system is completely secure — if you discover a vulnerability, please report it to contact@webninjasolutions.com.


12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via an in-app notice and, where required by law, via email at least 14 days before the change takes effect. Continued use of Healup after the effective date constitutes acceptance of the updated policy.


13. Contact & complaints

For any privacy questions or requests, contact us at contact@webninjasolutions.com.

If you are in the EU and believe we have not resolved your complaint satisfactorily, you have the right to lodge a complaint with your local data protection authority.
