Last Updated: September 23rd, 2025
Privacy at a glance
- On‑device first. Your medication logs, symptoms, nutrition, weight, and progress photos are stored locally on your device. If you choose to analyze a meal photo, that photo is sent to our AI image‑analysis vendor solely to generate a calorie estimate; progress photos are never sent.
- No account, no PII. We don’t ask for your name, email, or address.
- No backups. We configure GlucoPal data to not be backed up to iCloud device backups.
- Limited sharing. We use reputable vendors for subscriptions, analytics, diagnostics, paywalls, AI functionality, and attribution.
- Health analytics (no photos). With your permission and as allowed by law, some health data you enter may be sent to our analytics/diagnostics tools strictly for product improvement (never for ads). We do not send progress or meal photos to analytics tools. Meal photos are only sent to our AI functionality vendor to return a calorie estimate.
- Apple Health (HealthKit). We can import data with your permission. Apple Health data is never used for advertising or shared with ad platforms.
- No selling. We do not sell your personal information or consumer health data.
- Your rights. You can ask us to access, export, or delete data held with our vendors. Local, on‑device data can be removed by clearing data or uninstalling the app.
1) Who we are & how to contact us
GlucoPal is an on‑device GLP‑1 tracking app by Not So Serious Ventures LLC (“we”, “our”, “us”), a New York limited liability company.
- Email (privacy & requests): hello@glucopal.com
- Data Controller: Not So Serious Ventures LLC (New York, USA)
- Intended users: Age 16+. GlucoPal is not intended for children.
Medical disclaimer. GlucoPal provides tracking and educational features. It is not a medical device and does not provide medical advice. Always consult your clinician about diagnosis or treatment.
2) Scope of this policy
This policy covers our iOS mobile app and any marketing website we operate. It explains what we collect, how we use and share it, your choices and rights, and how to contact us.
3) What we collect
A. Health & wellness data (stored locally on your device)
If you choose to log them, GlucoPal saves the following data on your device (no cloud sync; not backed up):
- Medication: GLP‑1 type, dosage, frequency, injection‑related notes you add
- Symptoms & notes: side effects, well‑being notes
- Weight & goals: current, target, trends/graphs
- Daily nutrition: e.g., calories, protein, water
- Progress Photos: e.g., progress/timeline photos (never sent to analytics)
By design, these entries remain local to your device. You control them.
B. Apple Health (HealthKit) (optional, opt‑in)
With your permission, GlucoPal can read/import certain data (e.g., weight or activity) from Apple Health to make tracking easier.
- We do not use Apple Health data for advertising or sell it.
- We do not share Apple Health data with advertising platforms.
- You can manage permissions anytime in iOS Settings → Health → Data Access & Devices.
C. Non‑health technical & usage data
To operate and improve GlucoPal, we may collect non‑health technical information and usage telemetry, such as:
- App version, device model, OS version, language, time zone
- App stability data (e.g., Crashlytics) and performance metrics
- Pseudonymous analytics/attribution identifiers (e.g., IDFV or SDK‑scoped IDs)
- Paywall interactions and subscription status (no health content)
D. Health analytics (strictly for product improvement)
With your permission and only to improve app features and reliability, GlucoPal may transmit a limited subset of the health data you enter (e.g., that a dose was logged, dose amount ranges, weight entries, symptom categories) to product analytics and diagnostics tools.
- Never photos. We never transmit your photos to analytics.
- Never for ads. We do not use health data for advertising or share it with ad platforms.
- Minimization. We send only what’s necessary for measuring feature adoption, usability, and quality.
- Masking. We configure session/experience tools to mask/redact fields likely to contain free‑text health content whenever possible.
Important for Apple Health data: HealthKit‑sourced data is not used for advertising and is not shared with ad platforms. Where Apple policies require, we do not include HealthKit‑sourced data in analytics beyond what App Store rules permit.
E. Purchase data
We process in‑app purchases and entitlements via:
- RevenueCat (purchase validation, subscription status)
- Superwall (purchase validation, subscription status)
- Apple App Store (platform billing)
We do not receive your full payment card details.
F. Marketing website (if/when you visit)
We may use basic analytics to understand aggregate traffic (pages visited, referrers). We do not collect your app health entries on our website.
G. Data we do not collect
- No names, emails, postal addresses, phone numbers
- No precise GPS location, contacts, or calendars
- No photos are sent off‑device
4) How we collect data
- You enter it (manual logging in the app)
- Apple Health (if you opt in and grant permission)
- Automatic telemetry (crash logs, performance, pseudonymous analytics IDs)
- Purchases (entitlement state via RevenueCat/Superwall/App Store)
- Attribution (install/conversion signals from AppsFlyer; see §7)
5) How we use data (purposes)
- Provide core features (logging, reminders, charts, on‑device calculations like estimated medication levels)
- Product improvement (feature adoption, usability, stability, diagnostics)
- Security & integrity (fraud prevention, abuse detection, troubleshooting)
- Purchases & subscriptions (entitlements, receipts, refunds)
- Compliance (legal obligations, audits, responding to lawful requests)
We do not use your health data for cross‑context behavioral advertising and do not sell personal or health data.
6) Legal bases (GDPR/UK GDPR/EEA)
- Consent: collection/processing of consumer health data and any HealthKit data; analytics involving health data; optional notifications.
- Legitimate interests/Contract: app operation, security, crash reporting, purchases, non‑health analytics strictly necessary for functionality.
- Compliance with law: responding to lawful requests, audits, accounting.
You may withdraw consent at any time (see §13). Where required (e.g., Washington/Nevada), we seek affirmative consent before collecting or sharing consumer health data beyond your device.
7) Sharing & processors (who we work with)
We share data only with service providers (processors) that help us run GlucoPal—under contracts that limit use to our instructions. We do not sell data.
Key vendors & what they receive
| Vendor | Purpose | Health data? | Photos? | Region/Storage | Notes |
| --- | --- | --- | --- | --- | --- |
| RevenueCat | Subscription validation, entitlements | No | No | US/EU (vendor) | Purchase receipts, product IDs, status. |
| Groq | Calorie estimation from meal photos / descriptions | No | Yes (meal photos only) | US/EU (vendor) | Used solely to return a calorie estimate. |
| Apple (App Store) | Billing & distribution | No | No | Per Apple | Platform purchase flows. |
| Firebase (e.g., Crashlytics/Analytics) | Stability, performance, product analytics | Yes (limited, for product improvement) | No | US/EU (vendor) | Health values limited; free‑text masked where possible. |
| Mixpanel | Product analytics | Yes (limited) | No | US/EU (vendor) | Pseudonymous IDs; minimal fields. |
| PostHog | Product analytics | Yes (limited) | No | US/EU (vendor) | Self/managed cloud per vendor. |
| UXCam | Experience analytics/session diagnostics | Yes (limited) | No | US/EU (vendor) | Configured to redact sensitive inputs. |
| Superwall | Paywall UI & experiments | No | No | US (vendor) | Paywall impressions/tries only. |
| AppsFlyer | Attribution & campaign measurement | No health data | No | US/EU/Global (vendor) | Install/conversion events; not health content. |
Progress photos are never transmitted to any vendor. Only photos used for nutritional analysis of meals are shared with vendors.
We do not share consumer health data with advertising platforms and we do not use health data for targeted advertising.
We may disclose information if required by law, to protect rights/safety, or during a corporate transaction (with notice and appropriate safeguards).
8) Advertising & attribution
We advertise on platforms such as Apple Search Ads, TikTok, and Facebook. We may receive aggregated campaign‑level reports and use AppsFlyer for install attribution.
- We do not send your in‑app health entries or photos to ad platforms.
- We do not use consumer health data for targeted ads.
9) Data location, storage & backups
- Your logs, photos and health entries: stored locally on your device.
- No backups: GlucoPal is configured to exclude app data from iCloud device backups.
- Vendor systems: telemetry, analytics (including limited health analytics), paywall, and attribution data are stored by our processors in their secure cloud environments (commonly US/EU). All data in transit uses TLS/HTTPS; vendors encrypt data at rest per their standards.
10) Retention
- On‑device data: kept until you delete it or uninstall the app.
- Vendor analytics/telemetry: retained per vendor defaults and our settings (commonly 90 days to 26 months).
- Purchases/entitlements: retained as necessary for accounting, fraud prevention, and legal compliance.
When we no longer need data, we instruct vendors to delete or de‑identify it.
11) Security
We apply technical and organizational measures to protect data:
- Encryption in transit (HTTPS/TLS)
- Vendor encryption at rest
- Access controls and data minimization (e.g., progress photos never leave device; meal photos are transmitted to our AI capabilities vendor; masking/redaction where supported)
No method is 100% secure. If a security incident impacts your information, we’ll follow applicable notification laws.
12) Children
GlucoPal is intended for individuals 16 years and older. We do not knowingly collect data from children under 16. If you believe a child has used GlucoPal, contact hello@glucopal.com so we can assist.
13) Your privacy rights & choices
Depending on your location (e.g., GDPR/UK GDPR, California CPRA, and other U.S. state laws), you may have the right to:
- Access the data we hold about you with our vendors
- Export/Port data in a machine‑readable format
- Correct inaccurate data (where applicable)
- Delete data (including instructing our vendors to delete)
- Withdraw consent (for health analytics and any optional processing)
- Object/Restrict certain processing
Exercising your rights
- Local app data (on device): remove entries, clear app data (if available), or uninstall the app.
- Vendor data (analytics/telemetry/purchases): email hello@glucopal.com.
- Because we don’t have accounts or emails, we may ask for device details (e.g., app version, device model) and allow you to share SDK identifiers (e.g., an in‑app “Analytics ID” if/when exposed) so we can locate records with processors.
- We’ll verify requests and respond within the timelines required by law (generally 30–45 days, with possible extension where permitted).
Withdrawing consent for health analytics will stop future health analytics events and we’ll instruct processors to delete existing records to the extent feasible.
14) U.S. state privacy notices (summary)
California (CPRA)
- We do not sell or share personal information for cross‑context behavioral advertising.
- We process Sensitive Personal Information (health data) only for the purposes described above (providing the service, product improvement with consent, security/compliance).
- You can exercise rights listed in §13.
Colorado / Connecticut / Virginia / Utah (and similar)
We honor applicable state privacy rights as described in §13.
15) Consumer Health Data Addendum (Washington & Nevada)
This Addendum supplements the policy to comply with Washington’s My Health My Data Act (MHMDA) and Nevada’s Consumer Health Data Privacy Law.
What is “consumer health data”?
Any personal data linked or reasonably linkable to you that identifies your health status—e.g., your medication logs, dosage values, symptoms, weight, and nutrition entries.
Collection & purposes.
We collect consumer health data to:
- Provide you with GlucoPal’s core functionality
- Maintain and secure the app (e.g., crash reporting)
- Improve product features and reliability via limited health analytics (never progress photos; never for ads)
- Comply with legal obligations
Consent.
Where required, we request your affirmative consent before collecting or sharing consumer health data outside your device (e.g., sending limited health analytics to processors). You may withdraw consent at any time (see §13). Without consent, we will restrict health data processing to what is strictly necessary to provide the app (i.e., local/on‑device).
Sharing.
We do not sell consumer health data. We share consumer health data only with processors that support the purposes above (see §7) and only under contracts requiring confidentiality and security.
Geofencing.
We do not use geofencing to target locations providing health services.
Access, deletion, and appeals.
You may request access to or deletion of your consumer health data (§13). If we deny your request, you may appeal by replying to our decision. We will respond with our reasoning and further options, including how to contact your state Attorney General.
16) International transfers
Some processors may store or process data outside your state/country. Where required (e.g., EEA/UK), we rely on Standard Contractual Clauses or comparable safeguards.
17) Changes to this policy
We reserve the right to change and reissue this Privacy Policy at any time by posting an updated version on our website. If we make material changes in the way we collect, use, or disclose your data, we will provide you reasonable advance notice of the changes before they take effect for you. If we have an existing relationship with you, we may provide you notice through our mobile app or directly using the contact information you have provided to us. If we do not have an existing relationship with you (for instance, if you only visit our website), any notice we provide will be posted to our website. If you continue using the services after those changes are in effect, our processing of your data will be subject to the new Privacy Policy. We encourage you to regularly review this Privacy Policy to ensure that you remain aware of what data we collect, how we use and otherwise process it, under what circumstances we will disclose it to third parties, and your privacy rights and choices.
18) Contact us
Questions, requests, or appeals: hello@glucopal.com
19) Glossary (helpful definitions)
- Consumer health data: Health‑related personal data covered by laws like WA MHMDA and Nevada’s CHD law.
- Health data analytics: Limited health data (never progress photos) used in product analytics/diagnostics to improve features and reliability—not for ads.
- Progress photos: Body/timeline photos you store in the app. These never leave your device.
- Meal photos: Food/food label images you choose to upload for AI calorie estimation. These are sent to our AI image‑analysis vendor solely to return a result; the photos are not sent to analytics or ad platforms.
- Processor/Service provider: A vendor that handles data on our behalf under contractual limits (e.g., RevenueCat, Firebase).
- Sell/Sale: Exchange of personal data for monetary or other valuable consideration (we do not sell).
- Share (CPRA): Disclosure for cross‑context behavioral advertising (we do not share for ads).
- Pseudonymous ID: An identifier that doesn’t directly reveal your identity (we don’t collect names/emails).