Privacy Policy

a) Account Information

• User ID — an automatically generated anonymous identifier
• Email address (optional — only if you sign in with Apple or Google and choose to share it)
• Name (optional — only if provided through Apple or Google sign-in)
• Authentication method (anonymous, Apple, or Google)

b) Health and Wellness Data

We collect the following health-related data that you voluntarily enter into the App:

• Medication information: name, dose amount, frequency, and preferred injection day
• Dose logs: medication, dose amount, injection site (e.g., left abdomen, right thigh), timestamp, and optional notes
• Weight records: weight value, unit (lbs or kg), and timestamp
• Side effects and symptoms: selected from a predefined list, with optional notes and timestamp
• Daily wellness check-ins: wellness rating, food noise level, completed daily tasks, and notes
• Body information: height, biological sex (optional), age (optional), and activity level

c) Nutrition and Food Data

• Food logs: meal type, description, optional photo, calories, protein, carbohydrates, and fat
• Input method: whether entries were typed, photographed, or entered manually
• AI estimation data: the raw response from AI food estimation and whether you edited the values
• Nutrition goals: daily calorie and macro targets

d) Progress Photos

Progress photos are stored locally on your device only and are never uploaded to our servers. We store only metadata (filename, timestamp, optional weight snapshot, and note) on our servers.

e) Onboarding Preferences

• Display name, journey stage (taking, starting, or exploring GLP-1)
• Medication selection, dose, and frequency
• Goal weight, pace preference, and activity level
• Side effect concerns and motivation choice

f) Subscription Data

• Subscription status (free, trial, or premium)
• Product identifier and expiration date
• We do not store payment card information — all payment processing is handled by Apple

g) Analytics and Technical Data

• Usage events and feature interactions (which screens you visit, which features you use)
• Session replays (text inputs are masked; images may be captured)
• Console logs (email addresses, tokens, and API keys are automatically redacted)
• Device information (operating system and platform)
• Ad attribution and diagnostics data such as ATT status, acquisition context, limited attribution identifiers, and subscription conversion events used to measure campaign performance

h) AI Processing Data

When you use AI food estimation, food photos and/or text descriptions are sent to third-party AI providers for processing. No personally identifiable information (name, email, user ID, or health data) is included in these requests.

i) Notification Data

• Push notification device token (used to deliver dose reminders and wellness notifications you configure)
• Notification preferences: reminder times, days, and enabled/disabled status
• We do not use push tokens for marketing or advertising

Supabase

Our backend database and authentication provider. Stores your account data, health data, food logs, and all tracking information. All database access is protected by row-level security policies ensuring you can only access your own data. Hosted in the US (Oregon).

RevenueCat

Our subscription management provider. Receives your user ID and purchase events from the App Store, and receives attribution identifiers used for subscription conversion measurement. Does not receive your health data.

PostHog

Our analytics provider. Receives your user ID, email (if shared), usage events, session replays, and device information. Text inputs in session replays are masked. Console logs have email addresses, tokens, and API keys automatically redacted.

Meta

Our mobile attribution and ad measurement provider. When enabled, Meta receives limited app events and attribution signals such as onboarding completion, paywall views, checkout intent, ATT status, and campaign measurement identifiers. Meta does not receive your health data.

Apple Search Ads / AdServices

We use Apple's attribution framework to measure Apple Search Ads campaign performance. This may include Apple Search Ads attribution tokens and related conversion reporting. It does not include your health data.

Google Gemini & OpenAI

Our AI providers for food estimation. Receive food photos and descriptions only when you explicitly use the AI food scanning feature. Requests are processed through our server-side functions — your device does not contact these providers directly. No personally identifiable information is included.

Apple & Google (Authentication)

If you choose to sign in with Apple or Google, these providers receive an authentication request and may provide us with your email and name, depending on your sharing preferences.

Stored on your device only (never sent to our servers):

• Progress photos
• AI consent status and timestamp
• Authentication tokens (encrypted via iOS Keychain)
• Language preference

Transiently processed through our servers (not stored):

• Food photos — when you use AI food estimation, your photo is sent through our server to the AI provider for analysis, then discarded. The photo is not saved on our servers or in any database.

Stored on our servers (Supabase, US — Oregon):

• All tracking data (doses, weights, symptoms, food logs, daily check-ins, nutrition goals)
• Account information and onboarding preferences
• Photo metadata (filename, timestamp, notes — but not the photos themselves)
• Subscription status

All Users

• Delete your account and all server data via Settings in the App
• Request a data export by contacting support@pynchapp.com
• Revoke AI consent at any time within the App
• Opt out of analytics by contacting support

GDPR (European Union / EEA)

If you are in the EU or EEA, you have the following rights:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to restrict processing
• Right to object to processing
• Right to withdraw consent at any time (without affecting the lawfulness of prior processing)
• Right to lodge a complaint with a supervisory authority

We will respond to rights requests within 30 days. Contact support@pynchapp.com to exercise these rights.

CCPA (California)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt out of the sale of personal information — we do not sell personal information
• Non-discrimination for exercising your privacy rights

LGPD (Brazil)

If you are in Brazil, you have the right to:

• Confirmation and access to your personal data
• Correction of incomplete or inaccurate data
• Anonymization, blocking, or deletion of unnecessary data
• Data portability
• Deletion of data processed with your consent
• Withdrawal of consent at any time

Data Protection Officer contact: support@pynchapp.com

Mobile App

The iOS app does not use cookies. We use the PostHog SDK for analytics and local device storage for preferences and authentication tokens.

Website (pynchapp.com)

Our website uses PostHog for analytics and essential cookies for site functionality. We do not currently use advertising cookies or marketing pixels on the website.