1. Introduction
Feel More Energy (“we,” “our,” or “us”) is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (iOS and Android) and associated web application (together, the “App”), including the Fuel (nutrition), Move (training), and Recharge (recovery) features and the Crea AI coach.
This Policy applies to all users globally and is drafted to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), COPPA, and Apple App Store / Google Play Store privacy requirements. Where those frameworks differ, we apply the higher standard.
2. Data Controller & Contact
Feel More Energy is the data controller responsible for your personal data.
| Company | Feel More Energy |
| Email | support@feelmoreenergy.com |
| Address | 1000 Brickell Avenue, Suite 715 PMB 431, Miami, FL 33131, USA |
| Privacy Requests | support@feelmoreenergy.com (subject: Privacy Request) |
3. What the App Is — and Is Not
Feel More Energy is a wellness coaching application. It is important to understand its scope:
Not medical advice: The AI-powered analyses of blood work, MRI imagery, and nutrition are for educational and wellness purposes only. The App is not a medical device, is not registered with the FDA, MHRA, COFEPRIS, or any other medical regulator, and does not provide clinical diagnoses or treatment recommendations.
The App does NOT:
- Provide medical diagnoses or clinical treatment recommendations
- Collect your device location (no location permission is requested)
- Use Apple In-App Purchase — all paid subscriptions are processed via Stripe on the web
- Make fully automated decisions with legal or similarly significant effects (GDPR Art. 22) — all AI outputs are advisory and user-reversible
- Sell your personal data or health data to any third party
- Allow account creation by anyone under 13 (US) or 16 (EU/EEA)
- Transmit raw microphone audio — speech-to-text runs entirely on-device; only the text transcript is sent to our servers
4. Information We Collect
4.1 Identity & Account
- Email address and hashed password (via Supabase Auth — we never see your plaintext password)
- Name (optional) and profile photo (optional)
- Google or Apple OAuth tokens for social sign-in
- IP address (captured incidentally in server access logs)
4.2 Demographics & Lifestyle
- Age, sex, height, weight, pronouns
- Diet style, food allergies, activity level, chronotype, meals per day
- Health conditions (free-text — may include medically sensitive details)
- Life stage, profession, coaching-tone preference, current supplements
Sensitive narrative data: During onboarding you may provide open-text answers to three fields: your biggest wellness challenge, why prior efforts have failed, and your relationship with food. These fields may contain highly personal information and are treated with the same care as special-category health data.
4.3 Daily Targets & Preferences
- Calorie, protein, carbohydrate, fat, fibre, and hydration targets
- Bedtime target, wake-time, sleep-hours goal, workout days per week, movement minutes per day
- Caffeine cutoff override, notification preferences, timezone, units (metric/imperial), and language (English/Spanish)
4.4 Logged Activity Data
The following data is created as you use the App day-to-day:
- Meal logs — what you ate, when, estimated macros, and optional meal photos
- Supplement logs — supplement name, dose, and time
- Workout sessions & exercises — exercises, sets, reps, weight, duration, intensity, optional notes
- Sleep logs — duration, quality rating, optional notes
- Recovery sessions — meditation, stretching, and similar activities
- Stress check-ins — subjective rating and optional notes
- Rest days, streaks, personal records (best lifts)
- Daily Energy Score — a 0–100 number computed from your logs, and its contributor breakdown
4.5 AI-Generated Content
- Crea AI coach conversation history (stored per message; you can clear at any time)
- AI-generated meal plans, personalised insights, workout routines, and sport programs
- Food-scan results from photo analysis
4.6 Health-Document Uploads (Special Category — GDPR Art. 9)
Special category data: Blood-work results (PDFs or photos) and MRI images qualify as data concerning health under GDPR Article 9. We process these exclusively on the basis of your explicit consent, given at the time of upload. You may withdraw consent and delete this data at any time.
- Blood-work uploads — image or PDF stored in encrypted cloud storage; AI analysis results stored in our database
- MRI uploads — image stored in encrypted cloud storage; AI interpretation stored in our database
- Food-scan photos — stored temporarily to return nutritional estimates
4.7 Device & Technical Data
- Push notification token (Expo / APNs / FCM)
- App version, operating system version, locale (captured incidentally in request headers)
We do NOT collect: device location, advertising identifiers (IDFA/GAID), contacts, calendar, microphone audio, or camera roll contents beyond images you explicitly choose to upload.
5. Apple HealthKit Integration
On iOS, the App can read and write data through Apple HealthKit with your explicit consent. HealthKit access is strictly opt-in: nothing is read or written until you grant permission via the iOS system sheet, and you may revoke any or all permissions at any time in iOS Settings → Privacy & Security → Health → Feel More Energy.
5.1 Data We Read
- Step count
- Active energy burned
- Heart rate (resting and active)
- Sleep analysis (duration and stage data)
- Workouts (type, duration, energy burned)
- Mindful minutes
We only request the categories listed above. If a future release adds new categories, we will update this Policy and request additional permission before reading anything new.
5.2 Data We Write
- Mindful sessions started inside the App
- Workouts logged inside the App
Writes only happen for activities you explicitly create in the App, so those activities remain available to other Health-aware apps on your device.
5.3 How HealthKit Data Is Stored
- HealthKit reads happen on-device. Raw HealthKit samples (individual readings, timestamps, source metadata) are not transmitted off your device.
- Only daily aggregates — for example, total steps for the day, total sleep minutes, total mindful minutes — are stored to your authenticated Supabase profile, so the same daily picture is available across your devices under the same account.
- Daily aggregates live in the health_samples table, protected by row-level security policies that only allow read and write by the owning user.
5.4 How HealthKit Data Is Used
HealthKit-derived data is used exclusively to:
- Personalize your daily Energy Score and the training, recovery, and nutrition guidance the App shows you.
HealthKit-derived data is never:
- Sold to any third party
- Shared with any third party for marketing or advertising
- Used to derive any non-health insights about you
- Used to identify you for tracking purposes across other apps or websites
- Transmitted to any of our sub-processors, including Anthropic. Crea does not receive HealthKit data, summaries derived from HealthKit data, or aggregates derived from HealthKit data in any prompt or tool call.
This complies with App Review Guideline §5.1.3 (Health and Health Research).
5.5 Revoking Access and Deleting Data
- Revoke permission — in iOS Settings → Privacy & Security → Health → Feel More Energy, toggle off any or all categories. The App stops reading the revoked data on next session.
- Delete stored aggregates — deleting your account (Settings → Danger Zone → Delete Account in the App) cascade-deletes all health_samples rows belonging to your user. See §13.2 for the full deletion flow.
- Data Apple holds in HealthKit — data already stored in the Apple Health app is governed by Apple’s privacy policy and is not something we can remove on your behalf. You manage it directly in Apple Health.
6. Energy Score & Goal Profiles
The Energy Score is a daily 0–100 rating automatically computed from your logged meals, workouts, sleep, and recovery activities. The weighting depends on the Goal Profile you select during onboarding (balanced, athlete, recovery, nutrition_focus, or founder_exec). The Score is a wellness indicator only — it does not constitute a medical assessment and has no legal or similarly significant effect on you.
7. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide core app features (Energy Score, logging, plans) | All logged activity, profile, targets | Contract (Art. 6(1)(b)) |
| Personalised AI coaching (Crea, meal plans, insights) | Profile, logs, AI chat history | Consent (Art. 6(1)(a)) |
| AI analysis of blood work & MRI imagery | Uploaded health documents | Explicit consent (Art. 9(2)(a)) |
| Push notifications (morning check-in, bedtime reminder, caffeine cutoff) | Notification preferences, bedtime target | Consent (Art. 6(1)(a)) |
| App security, fraud prevention, and debugging | Device data, logs, IP address | Legitimate interests (Art. 6(1)(f)) |
| Service improvement and new feature development | Anonymised aggregate usage data | Legitimate interests (Art. 6(1)(f)) |
| Subscription billing | Email; billing handled entirely by Stripe | Contract (Art. 6(1)(b)) |
| Legal compliance and fraud investigation (post-deletion audit record only) | Deleted-account audit row (no content) | Legal obligation (Art. 6(1)(c)) |
We do not use your health data for advertising, marketing, or any purpose unrelated to providing App functionality.
8. Crea AI Coach — What Data Crea Can Access
Crea is our AI wellness coach, powered by Anthropic Claude models (server-side). For transparency, here is the complete list of data Crea can read or write on your behalf:
| Tool | Access | Data Touched |
|---|---|---|
| get_user_goals | Read | Your resolved daily calorie, macro, and hydration targets |
| get_training_load | Read | Last 4 weeks of workout sessions |
| get_caffeine_cutoff | Read | Your bedtime target (used to calculate cutoff) |
| get_workout_history | Read | Your workout session records |
| get_saved_meals | Read | Your personal saved-meals library |
| save_meal_to_library | Write | Inserts a new entry into your saved-meals library |
| add_saved_meal_to_plan | Write | Pins a saved meal into your meal plan |
| log_meal_from_library | Write | Logs a saved meal as today’s intake |
| generate_week_with_favorites | Write | Creates or updates a 7-day meal plan using your saved meals |
Crea cannot read other users’ data, modify your profile fields, delete any data, or change your billing. Free-tier users have a daily message cap; paid-tier users have a higher cap.
9. AI Processing Transparency
The App uses AI-powered features including:
- Food recognition from meal photos
- Blood-work interpretation (educational summaries only)
- MRI image analysis (educational summaries only)
- Personalised meal plan generation
- Workout routine and sport-plan generation
- Crea conversational coaching
- Periodic personalised insights (e.g., sleep patterns correlated with training time)
No fully automated consequential decisions: AI outputs are advisory. No AI feature produces decisions with legal or similarly significant effects within the meaning of GDPR Article 22. You remain in control of all choices.
Human oversight: AI-generated content (meal plans, workout plans, interpretations) is presented for your review. You can accept, modify, or discard any AI suggestion.
Opt-out: You may decline to use AI-powered features (food scan, document analysis, Crea) without affecting core logging functionality.
10. Push Notifications
The App sends the following scheduled notifications, timed to your local timezone:
- Morning check-in reminder — at your preferred wake time
- Bedtime reminder — 90 minutes before your target bedtime
- Rest-day nudge — at 09:00 local if no activity has been logged by then
- Caffeine cutoff reminder — at your calculated cutoff time (bedtime minus 8 hours)
- Weekly meal plan — generated on Sundays for paid subscribers
Notifications are routed through Expo’s push proxy service, which delivers them via Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android. You may disable notifications at any time via your device settings or within the App.
11. Sharing of Data & Sub-Processors
We share your data only with the vendors listed below, each bound by a Data Processing Agreement (DPA) requiring them to process data solely on our instructions and to maintain appropriate security safeguards. We do not sell personal data or health data.
| Vendor | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage, server-side logic | All user data (the database itself). Hosted on AWS with SOC 2 Type II certification. |
| Anthropic (Claude API) | LLM inference for Crea, meal plans, food scan, blood-work & MRI analysis, insights | Prompt content, which includes profile data, conversation history, and uploaded images for vision endpoints (including blood-work / MRI imagery). Anthropic enterprise terms exclude API content from model training by default. |
| Stripe | Subscription billing, checkout, refunds | Email, name, billing address (entered in Stripe Checkout). Card data never touches our systems. |
| Apple APNs | Push notifications on iOS | Push token + notification payload |
| Firebase FCM (Google) | Push notifications on Android | Push token + notification payload |
| Expo (push proxy) | Routes push notifications to APNs / FCM | Push token + notification payload |
| Google Sign-In / Apple Sign-In | OAuth social authentication | Email and basic profile returned by the OAuth provider |
| Vercel | Hosts the Next.js web app (sign-up, billing pages) | Anonymous web traffic; account data only if you sign in on the web |
We do not use Google Analytics, Meta Pixel, Mixpanel, Amplitude, Segment, Sentry, or any third-party advertising or crash-reporting SDK.
Apple HealthKit is not a sub-processor. HealthKit is an on-device API provided by iOS; data flows from Apple to your device, not from us to Apple. No HealthKit data — raw or derived — is transmitted to any sub-processor listed above (see §5.4).
12. International Data Transfers
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in the United States where our sub-processors operate. All such transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Sub-processor DPAs requiring equivalent protection
- Encryption in transit (TLS) and at rest
13. Data Retention & Account Deletion
13.1 Retention While Active
Personal data is retained for as long as your account is active and necessary to provide the App’s services. Health-document uploads (blood work, MRI) are retained only while your account is active unless you delete them earlier.
13.2 Account Deletion
You may permanently delete your account from within the App (Settings → Danger Zone → Delete Account). Deletion is a hard delete — there is no soft-delete or recovery period. The deletion process:
- Verifies your identity via your session token
- Deletes all user-scoped storage objects (photos, scans, MRI uploads, avatar)
- Cancels any active Stripe subscription
- Issues a full refund if you are within 14 days of your last paid invoice
- Cascade-deletes all user-scoped database rows (including health_samples aggregates synced from Apple HealthKit)
- Deletes your authentication record
The only record retained after deletion is an audit row in a separate compliance table containing: user ID, email, deletion timestamp, platform source, cancellation outcome, and refund outcome — no logged content. This record is retained for legal compliance and fraud-prevention purposes.
13.3 Backups & Third-Party Records
Supabase performs automated backups with its own retention schedule; deleted user rows phase out of backups within a small number of weeks. Stripe retains transaction records in accordance with its own policy and applicable financial regulation — this is outside our control.
14. Your Privacy Rights
Depending on your location, you have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | See all data we hold about you | Via the App (all logs visible in-app) |
| Rectification | Correct inaccurate data | Edit profile, targets, or logs in-app; or email support |
| Erasure | Delete your account and all associated data | Settings → Danger Zone → Delete Account |
| Portability | Receive a machine-readable copy of your data. A one-button export is in development; until it ships, submit a request by email. | Email support@feelmoreenergy.com |
| Restrict Processing | Limit how we use your data in specific circumstances | Email support@feelmoreenergy.com |
| Object | Object to processing based on legitimate interests | Email support@feelmoreenergy.com |
| Withdraw Consent | Withdraw consent for AI features or health-data processing at any time | App settings or email support |
| Opt Out of Sale (CCPA) | We do not sell personal data — this right is not applicable, but you may request confirmation | Email support@feelmoreenergy.com |
You also have the right to lodge a complaint with your local data protection authority (e.g., your national DPA within the EU/EEA). We ask that you contact us first so we can address your concern directly.
16. Data Security
We implement appropriate technical and organisational measures to protect your data:
- Encryption in transit using TLS (HTTPS) for all network traffic
- Encryption at rest for database content and storage objects via Supabase / AWS
- Row-Level Security (RLS) on all database tables — database policies ensure each user can access only their own rows
- JWT-based authentication on every API request
- Speech-to-text processing runs on-device — raw audio never leaves your phone
- Access controls restricting internal access to production data
- Security monitoring and breach-response procedures
No system is perfectly secure. If you believe your account has been compromised, contact support@feelmoreenergy.com immediately.
17. Children’s Privacy
The App is not directed to children. We do not knowingly collect personal data from anyone under 13 years of age (United States, per COPPA) or under 16 years of age (EU/EEA, per GDPR for information society services). Age verification is handled at the App Store / Google Play Store install layer. If you believe a child has provided us personal data, please contact support@feelmoreenergy.com and we will delete it promptly.
18. Subscriptions, Billing & Refunds
All paid subscriptions (monthly and annual, billed in USD globally and COP for Colombian users) are processed via Stripe Checkout on the web. The iOS and Android apps contain no in-app purchase flow. If you delete your account within 14 days of your last paid invoice, we will automatically refund that charge and cancel your subscription.
19. Apple App Store Compliance Notes
19.1 Data Collected — App Store Connect Categories
| Apple Category | Examples |
|---|---|
| Contact Info | Email address |
| Health & Fitness | Meal logs, workout sessions, sleep logs, blood-work uploads, MRI uploads, Energy Score, Apple HealthKit daily aggregates (steps, active energy, heart rate, sleep, workouts, mindful minutes) |
| Sensitive Info | Open-text onboarding fields, health conditions, relationship with food narrative |
| User Content | Meal photos, food-scan photos, blood-work uploads, MRI images, avatar photo |
| Identifiers | User ID (internal) |
| Diagnostics | App version, OS version (incidental) |
19.2 Other Compliance Items
- Account deletion: Settings → Danger Zone → Delete Account (satisfies Guideline 5.1.1(v))
- Tracking: None. No ATT prompt required.
- In-App Purchase: None. Subscription link visible only on the web app, not inside iOS.
- Speech recognition: NSSpeechRecognitionUsageDescription and NSMicrophoneUsageDescription declared; audio processed on-device only.
- Camera: Declared via expo-image-picker for food scan and document upload.
- Encryption: ITSAppUsesNonExemptEncryption = false (standard TLS only, no custom cryptography).
- HealthKit: NSHealthShareUsageDescription and NSHealthUpdateUsageDescription declared. Data usage is described in §5. Complies with App Review Guideline §5.1.3 (Health and Health Research).
20. Changes to This Policy
We may update this Privacy Policy periodically. For material changes — such as new data categories, new sub-processors, or changes to legal bases — we will notify you through the App and/or by email at least 14 days before the change takes effect. Your continued use of the App after that date constitutes acceptance of the updated Policy. The effective date at the top of this document will always reflect the most recent version.
21. Glossary
| Term | Definition |
|---|---|
| Energy Score | A daily 0–100 wellness rating computed from your logged meals, workouts, sleep, and recovery activities, weighted by your chosen Goal Profile. |
| Goal Profile | One of five coaching archetypes — balanced, athlete, recovery, nutrition_focus, founder_exec — that adjusts the Energy Score weighting and AI recommendations. |
| Crea | The AI wellness coach embedded in the App. Powered by Anthropic Claude server-side. |
| Edge Function | A server-side function running on Supabase’s Deno runtime, used for AI inference, scheduled tasks, and business logic. |
| RLS | Row-Level Security — a PostgreSQL feature that enforces per-user data isolation at the database level. |
| JWT | JSON Web Token — the access token issued by Supabase Auth at sign-in, used to identify you on every request. |
| DPA | Data Processing Agreement — a contract requiring a sub-processor to handle data only on our documented instructions and to maintain appropriate safeguards. |
| SCCs | Standard Contractual Clauses — EU Commission-approved contractual mechanisms for lawful international data transfers. |
22. Contact Us
For any privacy-related questions, rights requests, or concerns, please contact:
Feel More Energy — Privacy Team
Email: support@feelmoreenergy.com
Address: 1000 Brickell Avenue, Suite 715 PMB 431, Miami, FL 33131, USA
Response time: We aim to respond to all privacy requests within 30 days.