Attune - Privacy Policy

At Attune AI, Inc. ("we," "our," or "us"), we are committed to protecting your privacy and the security of your personal information. This Privacy Policy describes how we collect, use, store, and protect your data when you use the Attune mobile application ("the App").

Attune is a wellness tracking application that allows you to analyze urine test strips and monitor biomarker readings over time. We understand that wellness data is deeply personal, and we take our responsibility to safeguard that data seriously.

By using Attune, you agree to the collection and use of information as described in this policy. If you do not agree with the terms outlined here, please discontinue use of the App.

Important Notice Regarding Wellness Data: Attune is a general wellness application and is not a medical device. The biomarker readings and analysis provided by the App are intended for personal wellness tracking purposes only and do not constitute medical advice, diagnosis, or treatment. If you have health concerns, please consult a qualified healthcare professional.

1. Information We Collect

We collect the following categories of information when you use Attune:

1.1 Account Information

Email address — used for account creation, authentication, and communication.
User profile information — such as your name and any optional profile details you choose to provide.
Authentication credentials — managed securely through our authentication provider (Supabase).

1.2 Wellness Data

Biomarker readings — numerical and categorical results derived from your urine test strip analyses, including readings for pH, glucose, ketones, protein, specific gravity, and other indicators.
Photos of test strips — images you capture within the App for analysis. These images are transmitted to third-party AI services for processing (see Section 4: Third-Party Services).
Daily check-in responses — answers to optional wellness questions (such as hydration, exercise, diet, and sleep habits) that you complete as part of your daily check-in.
Sleep data — sleep hours you optionally log during your daily check-in.
Historical tracking data — your results over time, trends, and any notes or context you associate with your readings.

1.3 Device and Usage Information

Push notification tokens — identifiers required to deliver push notifications to your device.
Timezone — your local timezone, used to schedule reminders at the appropriate time and to accurately record check-in dates.
Reminder preferences — your preferred time of day for check-in reminders.

1.4 Information We Do Not Collect

We do not collect precise geolocation data.
We do not access your device's contacts, microphone, or files beyond the camera functionality used for test strip photography.
We do not collect or store your payment card information directly. Payments are processed by Stripe, our third-party payment processor. We do collect your shipping address for order fulfillment (see Section 1.5).

1.5 Payment and Shipping Information

Shipping address — collected at checkout and used solely to fulfill your order (ship test strips to you). This information is shared with Stripe for payment processing and with our fulfillment process.
Payment information — payment card details are entered directly into Stripe's secure payment form and are never transmitted to or stored on our servers.

1.6 Cohort Leaderboard

If you are part of a cohort, your first name (or email address if no name is set), profile avatar, check-in streak, hydration percentage, and monthly check-in count are visible to other members of your cohort on the in-app leaderboard.

2. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Data Used	Legal Basis (GDPR)
Account creation and authentication	Email, profile info	Contractual necessity
Analyzing test strip photos to produce biomarker readings	Test strip photos, wellness data	Contractual necessity; Consent
Displaying your wellness trends and history	Biomarker readings, historical data	Contractual necessity
Sending push notifications (reminders, results)	Notification tokens, device info	Consent
Sending transactional emails (account verification, updates)	Email address	Contractual necessity; Legitimate interest
Improving App functionality and user experience (future)	Aggregated, non-identifiable usage patterns	Legitimate interest
Responding to your support requests	Email, profile info, relevant account data	Contractual necessity

We do not sell your personal data. We do not sell, rent, lease, or trade your personal information, including your wellness data, to any third party for any purpose, including marketing or advertising.

3. Data Storage and Security

3.1 Where Your Data Is Stored

Your data is stored in cloud infrastructure provided by Supabase, a backend-as-a-service platform. Supabase hosts data on secure, professionally managed cloud servers. Your account information, profile details, biomarker readings, and associated metadata are stored in Supabase's managed PostgreSQL databases.

3.2 Security Measures

We implement a range of technical and organizational measures to protect your data:

Encryption in transit — all data transmitted between the App and our servers is encrypted using TLS (Transport Layer Security).
Encryption at rest — data stored in Supabase databases is encrypted at rest using industry-standard encryption protocols.
Secure authentication — user authentication is managed through Supabase Auth, which implements secure session management, password hashing, and token-based authentication.
Row-level security — Supabase row-level security policies ensure that users can only access data they are authorized to view.
Access controls — internal access to production data is restricted to authorized personnel on a need-to-know basis.

3.3 Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and any applicable regulatory authorities within the timeframes required by applicable law (within 72 hours for GDPR-covered individuals). Notifications will be sent to the email address associated with your account.

Your Responsibility: While we take extensive measures to protect your data, security also depends on you. Please use a strong, unique password for your Attune account and keep your login credentials confidential. Notify us immediately if you believe your account has been compromised.

4. Third-Party Services

We use a limited number of third-party services to operate the App. We do not share your data with third parties for their own independent marketing or commercial purposes. The third-party services we use, and the data shared with each, are detailed below:

4.1 AI Analysis Services

To analyze photos of your urine test strips and produce biomarker readings, we transmit your test strip images to the following AI service providers:

Anthropic (Claude API) — Test strip images are sent to Anthropic's API for visual analysis. Anthropic processes this data in accordance with their API data usage policies. Under Anthropic's API terms, data submitted through the API is not used to train their models. Anthropic provides privacy and security protections equivalent to or greater than those described in this policy.
OpenAI (GPT-4o API) — Test strip images may also be sent to OpenAI's API for analysis. Under OpenAI's API data usage policies, data submitted through the API is not used to train their models by default. OpenAI provides privacy and security protections equivalent to or greater than those described in this policy.

Your consent is required before any photo is shared with AI services. The first time you use automatic strip analysis, the App displays a consent screen that identifies Anthropic and OpenAI as the recipients of your photo, describes what data is transmitted, and asks for your explicit permission. You may decline at any time and enter your results manually instead. Your consent preference is stored in your account.

About AI Image Processing: When you capture a photo of your test strip, the image is transmitted to one or both of the AI services listed above for analysis. These services process the image to extract biomarker color readings and return structured results. We recommend that your test strip photos contain only the test strip itself and avoid including personally identifiable information in the background or frame of the image.

4.2 Payment Processing

Stripe — We use Stripe to process payments for subscriptions and one-time purchases. When you check out, your payment card details are submitted directly to Stripe and are never stored on our servers. Your shipping address and order information are shared with Stripe to facilitate payment and order management. Stripe's use of your data is governed by Stripe's Privacy Policy.

4.3 Authentication and Database

Supabase — Provides authentication services, database storage, and backend infrastructure. All account data, profile information, and biomarker readings are stored using Supabase.

4.4 Communication Services

Expo Push Notification Service — We use Expo's push notification infrastructure to deliver notifications to your device. This requires sharing your device's push notification token with Expo's servers.
Resend — We use Resend to send transactional emails (such as account verification and reminder emails). Your email address is shared with Resend for this purpose.

4.5 Summary of Third-Party Data Sharing

Service	Data Shared	Purpose
Anthropic (Claude)	Test strip photos	AI-powered image analysis
OpenAI	Test strip photos	AI-powered image analysis
Stripe	Shipping address, order info	Payment processing, order management
Supabase	All account and wellness data	Authentication, storage, backend
Expo	Push notification tokens	Push notification delivery
Resend	Email address	Transactional email delivery

5. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data. We are committed to honoring these rights for all users, regardless of jurisdiction.

5.1 Rights Under the General Data Protection Regulation (GDPR)

If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have the following rights:

Right of Access — You may request a copy of the personal data we hold about you.
Right to Rectification — You may request that we correct inaccurate or incomplete personal data.
Right to Erasure ("Right to Be Forgotten") — You may request that we delete your personal data, subject to certain legal exceptions.
Right to Restriction of Processing — You may request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability — You may request to receive your personal data in a structured, commonly used, and machine-readable format.
Right to Object — You may object to the processing of your personal data for purposes based on legitimate interest.
Right to Withdraw Consent — Where we process data based on your consent (such as wellness data processing), you may withdraw that consent at any time without affecting the lawfulness of processing performed prior to withdrawal.

5.2 Rights Under the California Consumer Privacy Act (CCPA / CPRA)

If you are a California resident, you have the following rights:

Right to Know — You may request information about the categories and specific pieces of personal information we have collected about you, the purposes for collection, and the categories of third parties with whom we share it.
Right to Delete — You may request that we delete the personal information we have collected about you, subject to certain exceptions.
Right to Opt-Out of Sale — We do not sell your personal information. Therefore, there is no need to opt out. However, you retain this right should our practices ever change.
Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights.
Right to Correct — You may request that we correct inaccurate personal information.
Right to Limit Use of Sensitive Personal Information — You may request that we limit the use and disclosure of your sensitive personal information (which includes wellness data) to purposes necessary to provide the service.

5.3 Exercising Your Rights

To exercise any of the rights described above, please contact us by email at hq@attunehealthtracking.com.

We will respond to verifiable requests within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request. If we require additional time, we will inform you of the reason and the expected timeframe.

5.4 Data Deletion

You may request the deletion of your account and all associated data at any time. Upon receiving a verified deletion request, we will:

Delete your account and authentication credentials from Supabase.
Delete all biomarker readings, test strip photos, and wellness data associated with your account.
Delete your profile information and communication preferences.
Remove your push notification tokens.

Please note that deletion from our active systems will be completed within 30 days of your request. Residual copies in encrypted backups may persist for up to 7 days before being automatically overwritten. Data that has been transmitted to third-party AI services for analysis is subject to those services' respective retention and deletion policies.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

Data Category	Retention Period
Account information (email, profile)	Duration of your account, plus 30 days after deletion request
Biomarker readings and wellness data	Duration of your account, plus 30 days after deletion request
Test strip photos	Retained only as long as needed for analysis; stored for your reference until account deletion
Push notification tokens	Until you disable notifications or delete your account
Backup copies	Up to 7 days after deletion from active systems

When your data is no longer needed, it is securely deleted.

7. Children's Privacy

Attune is not intended for use by individuals under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children under the age of 13. We comply with the Children's Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13 without verifiable parental consent.

If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to delete that data as promptly as possible. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at hq@attunehealthtracking.com so that we can take appropriate action.

8. International Data Transfers

Your data is processed and stored in the United States, where our third-party service providers (Supabase, Anthropic, OpenAI, Expo, and Resend) operate their infrastructure.

If you are located in the EEA, UK, or another jurisdiction with data transfer restrictions, please be aware that your data will be processed in the United States. We take reasonable steps to ensure your data is handled securely, and our service providers maintain their own security and privacy standards.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will:

Update the "Effective Date" at the top of this policy.
Notify you of material changes via email or an in-app notification before the changes take effect.
Where required by law, obtain your consent before implementing changes that materially affect how we handle your wellness data.

We encourage you to review this Privacy Policy periodically. Your continued use of the App after changes become effective constitutes your acceptance of the revised policy.

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: Attune AI, Inc.
Email: hq@attunehealthtracking.com

For GDPR-related inquiries, you may also contact our designated data protection point of contact at the email address above.

If you are not satisfied with our response to your concern, you have the right to lodge a complaint with your local data protection supervisory authority.