Privacy Policy

Last updated: May 3, 2026

This Privacy Policy describes how Supplemented ("we", "us", "the app") collects, uses, stores, and protects information when you use the Supplemented mobile or web application. We designed Supplemented to be private by default. We do not sell your data, ever.

1. Information We Collect

Account information: email address and an encrypted password if you create an account.
Supplement & wellness data you enter: your supplement stack, dosages, schedules, journal entries, mood, energy, sleep notes, and goals.
Apple Health (HealthKit) data you authorise (see Section 3 below).
Photos you choose to attach: supplement labels and progress images you explicitly add.
Approximate location only if you enable circadian-based reminders (used solely to compute local sunrise/sunset times on-device).
Diagnostic data: minimal, anonymous crash and performance logs needed to keep the app stable.

2. How We Use Your Information

To deliver core app functionality (your stack, reminders, logs, journal, dashboards).
To sync your data across your own devices when you sign in.
To generate personal trends and insights shown only to you.
To process payments for optional subscriptions (handled by Stripe and Apple).
To send transactional email (e.g. password reset) via our email provider.

3. Apple Health (HealthKit)

HealthKit data is never sold, shared with advertisers, or used for marketing.

When you grant Supplemented permission to access Apple Health, we may read and/or write the following categories — only those you explicitly authorise in the iOS Health permission sheet:

Read (from Apple Health into Supplemented):

Steps, walking + running distance, active energy
Heart rate, resting heart rate, heart rate variability
Sleep analysis (time in bed, asleep duration and stages)
Body weight, body mass index, body fat percentage
Mindful minutes, workouts, VO₂ max

Write (from Supplemented into Apple Health, only when you opt in):

Water / hydration intake you log
Mood and mindfulness sessions
Energy level entries (mapped to mindful minutes / state of mind)
Sleep duration entries you log manually
Body weight entries you log manually

Where it is stored: HealthKit data read from Apple Health is processed on your device to power dashboards and correlations. When you sign in with an account and enable cloud sync, an encrypted copy of the values you have logged inside Supplemented is stored on our servers (operated by reputable cloud providers in the United States) so that your stack and history are available across your devices. You can disable sync, revoke HealthKit permission in iOS Settings → Privacy & Security → Health, or delete your account at any time to remove this data.

What we never do with HealthKit data: we do not sell it, share it with third-party advertisers or data brokers, use it for advertising, share it with employers or insurance companies, or use it for any purpose other than providing the in-app features you have asked for.

4. Service Providers

We rely on a small set of trusted processors to operate the service:

Stripe — subscription billing. Stripe receives only the data needed to process payments; we never see your full card number.
Resend — transactional email delivery (password resets, receipts).
OpenAI — when you use AI-assisted features (e.g. label scanning, recommendations), the relevant prompt is sent to OpenAI for processing under their data processing terms. We do not send Apple Health data to OpenAI.
Cloud hosting — encrypted data is stored with our hosting and database providers in the United States.

5. Data Retention & Deletion

Your data is retained while your account is active. You can delete individual entries at any time, clear all local data from Settings, or delete your account from Settings → Account → Delete Account. Account deletion permanently removes your stored profile, stack, logs, journal entries, and any synced HealthKit-derived values from our servers within 30 days.

6. Security

We use HTTPS for all transport, hash passwords with industry-standard algorithms, and restrict server access to authenticated requests scoped to your user. No system is perfectly secure, but we follow current best practices and continuously improve.

7. Children

Supplemented is not directed to children under 13 (or under 16 in the EEA / UK). We do not knowingly collect data from children. If you believe a child has used the app, contact us and we will delete the account.

8. Your Rights

Depending on where you live (including the EEA, UK, and California), you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. You can exercise most of these rights directly inside the app, or by emailing us at privacy@supplemented.life.

9. Changes to This Policy

If we materially change this policy we will update the "Last updated" date and, where appropriate, notify you in-app before the change takes effect.

10. Contact

Questions or requests? Email privacy@supplemented.life.