Privacy Policy

This Privacy Policy explains how SuppsBuddy LLC collects, uses, stores, shares, and protects information about you when you use the SuppsBuddy mobile application and website. We do not sell your data. We do not share your data with advertisers.

Version 1.0  |  Last updated: May 9, 2026

1. Quick Reference — What We Collect and How We Use It

The table below is a plain-language summary. Full details are in the sections that follow.

Data Category | What We Collect | Why We Collect It
Account | Email, password hash, first name | Authentication & account management
Profile | Age, gender (optional), health goals | Personalizing Fit Scores and recommendations
Supplement Data | Stack items, scores, intake logs, schedule | Core Service functionality
Health Data (Sensitive) | Questionnaire responses, lab report data, biomarkers | Generating personalized educational analyses
Uploaded Files | Supplement label images, lab report photos/PDFs | Analysis via ScanIQ and lab analysis feature
Device & Usage | Device type, OS, usage patterns, crash logs | Performance, debugging, Service improvement
Push Token | Notification token (if permission granted) | Delivering supplement reminders only
Communications | Support emails, in-app feedback | Support responses and product improvement

We do NOT:

  • Sell your data
  • Share your data with advertisers
  • Collect precise GPS location
  • Access your contacts or calendar
  • Store your payment information
  • Use your identifiable health data to train AI models without your explicit consent

2. Information We Collect

2.1 Information You Provide Directly

Account Registration:

  • Email address
  • Password (stored as a cryptographic hash by Supabase Auth — plaintext passwords are never stored)
  • First name

Profile Information:

  • Age (year of birth)
  • Gender (optional; used for personalization only)
  • Health goals (up to 3 selected from a predefined list)

Supplement and Health Data:

  • Supplement products scanned, searched, or added to your stack or watchlist
  • Quality Scores, Fit Scores, and analysis outputs from scans and searches
  • Daily supplement intake logs (which supplements marked as taken and at what time)
  • Supplement reminder schedule (supplements, times, days of week)
  • Health questionnaire responses (35-item assessment across 8 wellness domains)
  • Laboratory test reports and blood test results you upload (including biomarker values and reference ranges)
  • Analysis outputs (stored to enable longitudinal health tracking)

Uploaded Content:

  • Images of supplement product labels (front label and supplement facts panel)
  • Photographs or PDF files of laboratory reports and blood test documents

Communications:

  • Feedback submissions (emoji ratings, written comments)
  • Support emails and in-app communications

2.2 Information Collected Automatically

  • Device information: device type, operating system version, unique device identifiers
  • App usage data: screens viewed, features used, tap interactions, session duration
  • Performance data: crash reports, error logs, and technical performance metrics
  • Network information: approximate geographic location derived from IP address (city/region level — not precise GPS)
  • Push notification token (only if you grant notification permission)

2.3 Information We Do NOT Collect

  • Precise real-time GPS or location data
  • Device contacts, calendar, or messaging data
  • Biometric identifiers used for identification purposes (fingerprints, face geometry, voice prints)
  • Advertising identifiers (IDFA) — we do not use cross-app tracking
  • Financial account numbers or payment card details (processed exclusively by Apple)
  • Social media credentials or social graph data
  • Browsing history from other apps or websites

Biometric Data Clarification: Users may upload photographs of supplement labels or laboratory documents that incidentally contain images of individuals. SuppsBuddy does not use any such incidental imagery for biometric identification, facial recognition, or any purpose other than the specific supplement or lab analysis requested. Any incidental personal imagery is not retained beyond what is necessary to complete the requested analysis and does not constitute collection of biometric identifiers for the purposes of biometric privacy laws such as BIPA.

2.4 Apple Privacy Nutrition Label Disclosure

Data Linked to You (associated with your SuppsBuddy account):

  • Contact Info: Email address, first name
  • Health & Fitness: Health goals, questionnaire responses, lab data, supplement stack, intake logs
  • User Content: Uploaded supplement images, lab report files
  • Identifiers: Account/user ID
  • Usage Data: App interactions, feature usage
  • Diagnostics: Crash reports, performance data

Data Not Linked to You: Aggregated, de-identified supplement product popularity statistics.

We do NOT use your data for: third-party advertising, advertising measurement, cross-app tracking, or data broking.

3. Sensitive Health Information

IMPORTANT: SuppsBuddy collects and processes sensitive personal health information including laboratory values, biomarkers, and wellness questionnaire data. We treat this information with the highest level of care. We do not sell it, share it with advertisers, or use it for targeted advertising under any circumstances.

HIPAA Status

SuppsBuddy LLC is not a HIPAA-covered entity (we are not a healthcare provider, health plan, or healthcare clearinghouse), and your use of the Service does not create a HIPAA-protected relationship. However, we voluntarily implement technical security practices consistent with HIPAA’s safeguard requirements.

Consumer Health Data Laws

We acknowledge and comply with applicable state consumer health data laws, including the Washington State My Health My Data Act (MHMDA), Nevada SB 370, the health data provisions of the Connecticut CTDPA, and similar state laws. If you reside in a state with specific consumer health data rights, the rights described in Section 9 apply.

Health Data Consent

You are not required to provide health data to create a basic account. Health data is required only for specific advanced features (lab analysis, questionnaire, personalized recommendations). By providing health data, you affirmatively consent to its processing as described in this Privacy Policy. You may withdraw consent at any time by deleting your account.

Data Minimization

We collect only the health data necessary to provide the specific features you use. We do not collect health data speculatively or beyond what is needed for the Service’s educational functions.

4. How We Use Your Information

4.1 To Provide and Operate the Service

  • Authenticate identity and maintain your account
  • Generate Quality Scores, Fit Scores, and Stack Scores for supplements
  • Process supplement label images via ScanIQ analysis
  • Store and display your supplement stack, watchlist, and intake logs
  • Generate and manage your supplement schedule and push notification reminders
  • Process health questionnaire responses into educational domain assessments
  • Analyze uploaded laboratory reports to generate educational biomarker interpretations
  • Generate personalized supplement protocol recommendations
  • Power the Intelligence Engine for stack-protocol comparison analysis

4.2 To Deliver Push Notifications

If you grant notification permission, we use your device push notification token exclusively to deliver supplement reminders per your configured schedule. We do not use push notifications for advertising, promotions, or any commercial purpose.

4.3 To Improve the Service

  • Analyze aggregated usage patterns to improve product design and feature development
  • Debug technical issues, crashes, and performance problems
  • Develop and test new features and model improvements

4.4 AI Training Policy

We will NOT use your personally identifiable health information (lab results, questionnaire responses, biomarker data) to train AI models without your explicit, separate, informed consent. We may use de-identified, aggregated supplement product data (e.g., ingredient quality patterns) to improve analysis accuracy, provided such data cannot reasonably be linked back to you.

4.5 To Communicate With You

  • Respond to support requests and feedback
  • Send transactional communications (password resets, security alerts, material policy changes); you cannot opt out of these
  • Send optional product updates and feature announcements (may be opted out of at any time)

4.6 For Legal and Safety Purposes

  • Comply with applicable laws, regulations, and legal processes
  • Enforce our Terms & Conditions
  • Detect, prevent, and respond to fraud, abuse, or security incidents
  • Protect the rights, safety, and property of SuppsBuddy, users, and the public

5. How We Share Your Information

WE DO NOT SELL YOUR PERSONAL INFORMATION. WE DO NOT SHARE YOUR PERSONAL INFORMATION WITH ADVERTISERS OR DATA BROKERS. We share information only as described in this section.

5.1 Service Providers (Third-Party Data Processors)

Provider | Role | Data Processed | Privacy Policy
Supabase, Inc. | Database, Auth, Storage | All account, health, supplement, and file data | supabase.com/privacy
OpenAI, L.L.C. | Language model & vision processing | Supplement images, health goals, relevant health data for generating analyses | openai.com/privacy
Apple Inc. | App distribution, IAP, push notifications (APNS) | Push notification tokens; subscription transaction data | apple.com/legal/privacy

OpenAI Note: Data transmitted to OpenAI is processed solely to generate your analysis results. We contractually require that OpenAI not use your data to train general OpenAI models.

5.2 Legal Requirements

We may disclose your information if required by law, court order, subpoena, or governmental authority, or if we believe in good faith that disclosure is necessary to: (a) comply with applicable law; (b) protect SuppsBuddy’s rights or property; (c) prevent wrongdoing in connection with the Service; or (d) protect user or public safety. Where legally permissible, we will attempt to notify you before disclosing your information in response to governmental requests.

5.3 Business Transfers

If SuppsBuddy is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will provide 30 days’ advance notice where possible. A successor entity must honor this Privacy Policy or provide materially equivalent protections.

5.4 With Your Explicit Consent

We may share your information for purposes not described in this Privacy Policy when we have obtained your explicit, specific, informed, and freely given consent.

5.5 Aggregated and De-Identified Data

We may share aggregated or de-identified information (data that cannot reasonably be linked to you) for research, analytics, or business purposes. We apply de-identification standards consistent with the NIST de-identification framework or HIPAA Safe Harbor method. We do not attempt to re-identify de-identified data.

6. Data Retention

Data Type | Retention Period | Basis
Account data (email, name, profile) | Account lifetime + 90 days post-deletion | Service provision
Supplement stack and intake logs | Account lifetime + 90 days post-deletion | Core feature functionality
Health questionnaire analyses | Account lifetime + 90 days post-deletion | Longitudinal health tracking
Lab report analyses | Account lifetime + 90 days post-deletion | Longitudinal comparison feature
Uploaded files (images/PDFs) | Deleted after analysis completion | Data minimization principle
Usage and diagnostic logs | 12 months | Security and performance
Support communications | 3 years | Legal defense and dispute resolution

Legal Hold: Notwithstanding the retention periods stated above, SuppsBuddy reserves the right to retain any personal information for a longer period if: (a) such retention is required by applicable law, regulation, or government directive; (b) the information is subject to a valid legal hold, litigation hold, regulatory investigation, subpoena, or court order; (c) the information is necessary to resolve an active dispute, complaint, or legal proceeding to which SuppsBuddy is a party; or (d) such retention is necessary to enforce SuppsBuddy’s legal rights. During any legal hold period, the normal deletion process for the affected data is suspended. We will lift legal holds and resume normal deletion schedules when the legal matter is resolved.

7. Data Security

  • Row Level Security (RLS) on all database tables — each user can only access their own data
  • TLS/HTTPS encryption for all data transmission between the App and our servers
  • Cryptographic password hashing via Supabase Auth — passwords are never stored in plaintext
  • Access-controlled secure file storage for uploaded documents
  • Regular security monitoring and vulnerability assessment
  • Principle of least privilege for staff and system access

No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable security measures, we cannot guarantee absolute security. If you discover a security vulnerability or suspect a breach affecting your account, notify us immediately at support@suppsbuddy.com.

7.1 FTC Health Breach Notification

SuppsBuddy is subject to the Federal Trade Commission’s Health Breach Notification Rule (16 CFR Part 318). In the event of a data breach involving your identifiable health information, we will notify you via email and/or in-app notice, and notify the FTC, within the timeframe and in the manner required by that rule.

8. AI Processing and Automated Decision-Making

  • Quality Scores, Fit Scores, and Stack Scores are generated by our intelligence engine analyzing supplement composition data and your health goals. These are educational metrics, not binding clinical assessments.
  • Lab report interpretations are educational summaries of documents you upload. They may contain errors and must be reviewed by your healthcare provider.
  • Supplement protocol recommendations are informational suggestions, not prescriptions.
  • The underlying model used is OpenAI GPT-4o-mini. Content you submit is transmitted to OpenAI for processing under the terms described in Section 5.1.

No Automated Decision with Legal or Medical Effect: No output from the Service constitutes a binding medical decision, legal determination, or clinical judgment. You are never subject to legally or medically consequential automated decisions based solely on our outputs. You retain full autonomy and are always advised to consult qualified professionals before acting on any output.

9. Your Privacy Rights and Choices

9.1 Access and Portability

You may request a copy of the personal information we hold about you. Email support@suppsbuddy.com with subject line “Data Access Request.” We will respond within 30 days.

9.2 Correction

Update profile information directly in the App at any time. For corrections to other data, contact us at the email above.

9.3 Account and Data Deletion

Delete your account at any time via Settings > Account > Delete Account in the App, or by emailing us. Account deletion is permanent and irreversible. All personal data will be permanently deleted within 30 days, subject to the Legal Hold provisions in Section 6. This complies with Apple’s in-app account deletion requirement.

9.4 Consent Withdrawal for Health Data

You may withdraw consent for health data processing at any time by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.

9.5 Push Notifications

Disable via: iOS Settings > Notifications > SuppsBuddy, or within the App. Disabling notifications does not delete your supplement schedule data.

9.6 Camera and Photo Library

Revoke access via: iOS Settings > Privacy & Security > Camera or Photos. Revoking prevents ScanIQ scanning and document upload features.

9.7 Do Not Track / App Tracking Transparency

The SuppsBuddy App does not engage in cross-app behavioral tracking. We do not use advertising identifiers or tracking technologies subject to DNT signals. No App Tracking Transparency (ATT) prompt appears because SuppsBuddy does not track users across other companies’ apps or websites.

9.8 Marketing Communications

Opt out of non-essential marketing emails via the unsubscribe link in any marketing email, or by emailing us. Transactional communications (account security, subscription notices, policy updates) continue regardless of marketing preferences.

9.9 California Residents — CCPA/CPRA Rights

  • Right to Know: Request disclosure of categories and specific pieces of personal information we collect, use, and disclose
  • Right to Delete: Request deletion of your personal information (subject to legal exceptions, including Legal Holds)
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for advertising
  • Right to Limit Use of Sensitive Personal Information: Request we limit use of sensitive personal information to service-providing purposes only
  • Right to Non-Discrimination: We will not discriminate against you for exercising any CCPA/CPRA right

To exercise California rights: Email support@suppsbuddy.com with subject “California Privacy Request.” Response within 45 days.

9.10 European and UK Users — GDPR Rights

  • Right of Access (Article 15): Request a copy of personal data we process
  • Right to Rectification (Article 16): Request correction of inaccurate data
  • Right to Erasure (Article 17): Request deletion in specified circumstances
  • Right to Restriction of Processing (Article 18): Request processing restriction
  • Right to Data Portability (Article 20): Request data in structured, machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making (Article 22): Not to be subject to solely automated decisions with legal effect (see Section 8)

Legal Bases for Processing:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service
  • Legitimate Interests (Article 6(1)(f)): Fraud prevention, security, service improvement
  • Explicit Consent (Article 9(2)(a)): Processing of sensitive health data — withdrawable by deleting your account

To exercise GDPR rights: Email support@suppsbuddy.com with subject “GDPR Data Rights Request.” Response within 30 days. You have the right to lodge a complaint with your local supervisory authority.

9.11 Washington State — My Health My Data Act (MHMDA)

Washington State residents have additional rights under the My Health My Data Act, including the right to confirm data collection, access consumer health data, withdraw consent, and request deletion. Contact us with subject “Washington Health Data Request.”

9.12 Other State Privacy Laws

Residents of states with comprehensive privacy laws (Virginia, Colorado, Connecticut, Texas, Utah, Nevada, Montana, and others) may have additional rights to access, correct, delete, and opt out of certain processing. Contact us at the email below to exercise applicable state rights.

10. Third-Party SDK and API Disclosure

In compliance with Apple App Store requirements for third-party SDK disclosure:

SDK / Service | Purpose | Data Accessed | Privacy Link
Supabase JS Client | Database, auth, storage | All account and health data | supabase.com/privacy
OpenAI API | Supplement and lab analysis | Supplement images, health goals, relevant health data | openai.com/privacy
Expo Notifications | Local push notification delivery | Push notification token | expo.dev/privacy
Apple APNS | Push notification infrastructure | Push notification tokens | apple.com/legal/privacy
Apple StoreKit | In-app purchase processing | Subscription transaction data | apple.com/legal/privacy

11. Cookies and Tracking Technologies

Mobile App: The SuppsBuddy App does not use cookies or advertising tracking technologies.

Website (www.suppsbuddy.com): The website may use:

  • Essential session cookies: Required for website authentication. Cannot be disabled without loss of website functionality.
  • Analytics: We may use privacy-respecting analytics that do not identify you personally and are never linked to your health information.

We do not use: advertising cookies, tracking pixels, retargeting technologies, cross-site behavioral advertising, or data management platforms.

12. Children's Privacy

The Service is not directed to or intended for individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If we discover a user under 18 has provided personal information, we will delete that information and terminate the account immediately.

Parents and guardians: If you believe your child under 18 has provided personal information to SuppsBuddy, contact us immediately at support@suppsbuddy.com.

13. International Data Transfers

SuppsBuddy is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

For EEA/UK users: Data processed by Supabase is stored in the United States. Data transmitted to OpenAI is processed in the United States. By using the Service, you acknowledge and consent to these international transfers as necessary to deliver the Service to you.

14. Evolving Privacy Regulations

The legal landscape for health app data privacy is actively evolving. Legislation including HIPRA (Health Information Privacy and Rights Act, introduced November 2025), potential federal AI privacy frameworks, and new state consumer health data laws may affect our privacy practices. We monitor regulatory developments and will update this Privacy Policy as required, providing advance notice of material changes.

15. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, the Service, or applicable law. For material changes, we will:

  • Post the updated Privacy Policy with a new Effective Date
  • Send email notification to the address associated with your account at least 30 days in advance
  • Display a prominent in-app notice

Your continued use of the Service after the effective date constitutes acceptance. If you disagree with material changes, you may delete your account before the effective date.

16. Contact — Privacy Requests

For all privacy questions, requests, or concerns:

SuppsBuddy LLC — Privacy

Email: support@suppsbuddy.com

Subject line format: “Privacy Request — [Request Type]”

Website: www.suppsbuddy.com/privacy

  • California: Subject line “California Privacy Request” | Response within 45 days
  • Washington State: Subject line “Washington Health Data Request” | Response within 30 days
  • GDPR/UK GDPR: Subject line “GDPR Data Rights Request” | Response within 30 days
  • All other requests: Response within 30 days