Working draft pending external counsel review. The body below is the Sprint 019 v1.0.0 engineering working draft of Mamalytics’ Privacy Policy. It has not yet been reviewed by external counsel. Items requiring counsel input are marked TBD-counsel inline. The upstream source lives in the mia-mvp repo at documentation/legal/privacy-policy.md; this page mirrors it.
Privacy Policy
Effective date: TBD on counsel sign-off · Version: 1.0.0
1. Who we are and how to reach us
This Privacy Policy describes how Mamalytics (“Mamalytics”, “we”, “us”, “our”) collects, uses, shares, and protects information about you when you use the Mamalytics mobile app and the related website at mamalytics.app (together, the “Service”).
- Entity: TBD-counsel (legal entity name and incorporation jurisdiction to be confirmed with founder and counsel).
- Postal address: TBD-counsel (to be confirmed with founder).
- Privacy contact email: privacy@mamalytics.app
If you have questions about this policy or want to exercise any of the rights described below, email us at privacy@mamalytics.app. We aim to respond within 30 days (sooner where required by law).
2. Data we collect
We collect only what we need to run the Service. Categories:
Account data. When you sign up we receive your email address and an Auth0 user identifier. We do not store your password — Auth0 handles authentication on our behalf.
Profile data. Information you enter during onboarding and in Settings:
- First name and last name (optional)
- Date of birth
- Country (ISO 3166-1 alpha-2 country code)
- Timezone
- Pregnancy details: due date, last menstrual period, conception date, current pregnancy week, pregnancy type (singleton / twins / multiples), whether this is your first pregnancy
- Pre-pregnancy weight and height (used to compute baseline BMI)
- Pre-existing conditions, allergies, current medications
- A preference for whether your health background is included in AI chat context
- Notification preferences (weekly guide, daily summary, health alerts)
Health metrics. Numeric measurements you log over time — for example blood pressure, weight, blood glucose, fetal biometry, mood, symptoms, and any custom metric supported by the app. Each entry includes a value, unit, optional notes, timestamp, and how it was recorded (manual entry, device sync, AI-extracted from chat, or extracted from an uploaded image).
Daily logs. Mood tags, symptom tags, and free-text notes you enter for a given day.
Kick sessions. Start and end times, kick count, and timestamps of individual kicks recorded during fetal-movement counting sessions.
Chat messages. The text of messages you send to and receive from Mamalytics, the AI companion. Messages include sender (you or AI), type (text, voice, image), and any attached metadata. We retain the conversation history so Mamalytics can refer back to it during future conversations.
Uploaded documents and images. Photos and documents you upload — for example lab reports, ultrasound images, prescriptions, or medical records. We store the file, its filename and MIME type, and any structured data we extract from it.
Voice messages. Audio you record for voice chat. Per current product design, voice messages are retained for 90 days and then deleted.
Push notification tokens. A device-issued token from Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM) so we can send the notifications you opt in to.
Subscription state. If you purchase a subscription, RevenueCat sends us your subscription tier (Free, Premium) and entitlement state. Payment details (card number, billing address, App Store / Play Store account) are handled by Apple, Google, and RevenueCat — we never see them.
Device and app data. App version, platform (iOS or Android), operating system version, and the device-bound install identifier issued by Apple or Google.
Product telemetry (Mixpanel). With your consent (see §8 for defaults), we send anonymized usage events to Mixpanel so we can understand how the app is being used. The event allowlist is the single source of truth at documentation/analytics-events.md. No event ever includes your email, your Auth0 identifier, raw health values, the text of your messages, or any other directly identifying field. Users are identified in Mixpanel by sha256(User.id + salt) truncated to 32 characters — see §5.
Audit log. When we perform privileged operations on your account (for example through the admin dashboard), we record the action, the resource it affected, the IP address and user agent of the actor, and a timestamp. Audit-log entries do not contain message content.
Feedback. If you submit feedback via the in-app feedback form, we store the message text, the app version, and the platform.
Server logs. Our servers record technical request data (IP address, request path, response code, timing) for operational and security purposes. We do not log the body of your chat messages.
We do not collect: precise geolocation, contacts, calendar entries, microphone or camera content outside of audio you record or photos you upload, advertising identifiers, social-graph information, or biometric identifiers.
3. How we use your data
We use the data described in §2 to:
- Run the AI companion. Your chat messages, profile, and (if you have opted in) selected health background are sent to Anthropic’s Claude API so Mamalytics can respond. Voice messages are transcribed before they are used in a conversation; images you upload are sent to OpenAI for metric extraction (see §4).
- Generate daily summaries and insight reports. We use your logged metrics, daily logs, and chat history to produce summaries and trend reports.
- Power health features. Kick session timing, metric trends, and pregnancy-week content rely on the data you log.
- Send notifications. We send the daily-summary, weekly-guide, and health-alert notifications you opt in to.
- Authenticate you. Auth0 verifies your identity each time you sign in.
- Process subscriptions. RevenueCat tells us which tier you are on so the right features are unlocked.
- Improve the product. Where you have opted in, we analyze anonymized Mixpanel telemetry to understand which features are useful and where people get stuck.
- Operate, secure, and debug the Service. Server logs, audit logs, and rate limiting protect against abuse and let us diagnose problems.
- Comply with legal obligations and respond to lawful requests from authorities.
We do not use your data to train AI models — neither our own nor those of our processors. See §4 for processor commitments.
4. Third-party processors
We rely on the following processors to run the Service. Each receives only the data needed for its specific function:
| Processor | What they receive | Purpose |
|---|---|---|
| Anthropic (Claude API) | Your chat messages and the system prompt we build from your profile and (if opted in) health context | Generates Mamalytics’s chat responses. Anthropic’s commercial terms commit to not training on customer API data. |
| OpenAI | Images you upload for metric extraction and the prompts wrapping them | Extracts structured health metrics from lab reports and metric snapshots. OpenAI’s API terms exclude submitted content from training by default. |
| Auth0 (Okta) | Your email, password (handled by Auth0; we never see it), and authentication metadata | Authenticates you on every sign-in and issues the JWT we use to identify you. |
| Apple Push Notification Service (APNs) | Push tokens and notification payloads | Delivers iOS push notifications. |
| Firebase Cloud Messaging (FCM) | Push tokens and notification payloads | Delivers Android push notifications. |
| Mixpanel | Anonymized event payloads and user properties (anonymized ID, trimester bucket, plan tier, app version, platform) | Product analytics. No PII or raw health values. Off by default for EU/EEA/UK users and disableable in Settings. |
| RevenueCat | Your subscription identifiers and entitlement state | Manages subscription state. Payment details are handled by Apple App Store and Google Play, not by RevenueCat or by us. |
| Apple App Store / Google Play | The transaction details required to process in-app purchases | Bills you for paid subscriptions. We see only the resulting entitlement, not your payment details. |
| Cloudflare | All website traffic to mamalytics.app | Hosts and protects the marketing site. Provides cookieless analytics for the marketing site only. |
| Resend | Your email address (only if you opt in to launch updates via the marketing site) | Sends marketing-list emails. Separate from in-app notifications. |
| Railway | All API traffic and the data stored in our managed PostgreSQL instance | Hosts our API server and database. |
We review processors periodically. If we add or change a processor, we will update this policy and, where the change is material, surface it in-app for re-consent (see §12).
5. Anonymized user identifiers in product analytics
When we send events to Mixpanel, we identify you using an anonymized identifier — never your email or our internal user ID. The identifier is computed on your device as SHA-256(User.id + salt) truncated to the first 32 characters, where the salt is a value bundled into each app build.
This means:
- Mixpanel never receives your email, our internal user ID, or the salt, so it cannot reverse the identifier back to your account.
- Re-deriving the mapping requires both the build salt and our user table. Someone with access to Mixpanel alone cannot link your activity to your email or to records in our database.
- If we ever need to break the mapping (for example after a security incident), rotating the salt in the next app release intentionally severs Mixpanel continuity.
We never put your email, Auth0 ID, raw health values, or message text into a Mixpanel payload.
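The derivation described in this section, as an added example (not Mamalytics code) in Python. It assumes `User.id` is a UUID string, that the digest is hex-encoded, and that the concatenation order is `User.id` followed by the salt, as the text states; the salt and user IDs below are constructed. Beyond the text, `relink` shows the practical limit of the scheme: anyone holding both the build salt and the user table can rebuild the mapping by hashing every known user ID, which is why rotating the salt (`rotate_salt`) is the lever for severing continuity.

```python
import hashlib
import secrets
from typing import List, Optional

# Constructed value for this example. In the real app the salt is a value
# bundled into each build, not a constant like this.
BUILD_SALT_V1 = "example-build-salt-v1"


def mixpanel_distinct_id(user_id: str, build_salt: str) -> str:
    """Hex SHA-256 of (User.id + salt), truncated to the first 32 hex chars (128 bits)."""
    digest = hashlib.sha256((user_id + build_salt).encode("utf-8")).hexdigest()
    return digest[:32]


def rotate_salt() -> str:
    """Generate a fresh salt for the next build. Once shipped, every user's
    Mixpanel identifier changes, so old and new events can no longer be joined."""
    return secrets.token_hex(16)


def relink(distinct_id: str, user_ids: List[str], build_salt: str) -> Optional[str]:
    """Caveat: with the salt AND the user table, the identifier is recomputable.
    Returns the matching user ID, or None if the salt (or the user) is unknown."""
    for uid in user_ids:
        if mixpanel_distinct_id(uid, build_salt) == distinct_id:
            return uid
    return None


def demo() -> dict:
    """Constructed walkthrough: stable identifier, effect of rotation, relink caveat."""
    users = [
        "11111111-2222-3333-4444-555555555555",  # constructed User.id values
        "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    ]
    old_id = mixpanel_distinct_id(users[0], BUILD_SALT_V1)
    new_id = mixpanel_distinct_id(users[0], rotate_salt())
    return {
        # same user, same salt -> same identifier across sessions and devices
        "stable": old_id == mixpanel_distinct_id(users[0], BUILD_SALT_V1),
        # rotating the salt severs continuity: the same user gets a new identifier
        "rotation_changes_id": old_id != new_id,
        # holder of salt + user table can rebuild the mapping
        "relink_with_salt": relink(old_id, users, BUILD_SALT_V1),
        # Mixpanel-only access (wrong/unknown salt) cannot
        "relink_without_salt": relink(old_id, users, "wrong-salt"),
    }


if __name__ == "__main__":
    print(demo())
```

Because `relink` succeeds whenever the salt and user table are both available, the identifier is pseudonymous rather than irreversibly anonymous; the protection rests on Mixpanel never receiving either input, and on deleting the user row (which removes the `User.id` input) when an account is deleted.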
6. How long we keep your data
- While your account is active, we retain your account data, profile, health metrics, daily logs, kick sessions, chat messages, uploaded documents, daily summaries, and insight reports.
- Voice messages are retained for 90 days and then deleted.
- Audit log entries are retained for 1 year for security and compliance purposes.
- Server logs are retained for 30 days.
- Anonymized Mixpanel events are retained according to Mixpanel’s data-retention policy and our Mixpanel project settings. Because the identifier is a salted hash computed client-side (§5), Mixpanel holds no email, user ID, salt, or other field that links these events to your account.
Account deletion. You can delete your account at any time from Settings → Account → Delete account in the mobile app, or by emailing privacy@mamalytics.app. When you delete your account, we cascade-delete all of your associated profile data, metrics, logs, messages, uploaded files, subscription record, push tokens, and feedback rows. We complete the deletion within 30 days.
We retain narrow categories beyond account deletion only where the law requires us to (for example tax or fraud-prevention records). Any such retained record is kept separately from the operational data and is not used for product purposes.
7. Your rights in the EU, UK, and EEA (GDPR)
If you are in the European Union, the United Kingdom, or the European Economic Area (Iceland, Liechtenstein, Norway), the General Data Protection Regulation (GDPR) gives you the following rights:
- Article 15 — Right of access. Request a copy of the personal data we hold about you.
- Article 16 — Right to rectification. Ask us to correct inaccurate or incomplete personal data.
- Article 17 — Right to erasure (“right to be forgotten”). Ask us to delete your personal data. The in-app Delete account action exercises this right.
- Article 18 — Right to restriction of processing. Ask us to stop processing your personal data while we resolve a dispute.
- Article 19 — Notification obligation. Where we rectify, erase, or restrict processing, we will notify processors that received the data.
- Article 20 — Right to data portability. Receive a machine-readable copy of the personal data you provided to us. Email privacy@mamalytics.app to request an export.
- Article 21 — Right to object to processing based on legitimate interests, including profiling.
- Article 22 — Rights related to automated decision-making. We do not make solely-automated decisions that produce legal or similarly significant effects.
To exercise any of these rights, email privacy@mamalytics.app from the address associated with your account. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority.
Legal basis. We rely on (a) your consent for product telemetry and the use of optional health background in AI context; (b) the performance of our agreement with you for the core Service; (c) our legitimate interest in operating, securing, and improving the Service; and (d) compliance with legal obligations.
8. Your rights in California (CCPA / CPRA)
California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to know what personal information we collect, use, share, and sell or share for cross-context behavioral advertising.
- Right to delete your personal information (the in-app Delete account action exercises this right).
- Right to correct inaccurate personal information.
- Right to opt out of “selling” or “sharing.” We do not sell your personal information for money, and we do not share it for cross-context behavioral advertising. The CCPA defines “sharing” broadly; the only form of “sharing” we do is sending the anonymized product-telemetry events described in §2 and §5 to Mixpanel. You can disable that at any time in Settings → Privacy → Share anonymous usage data. For users with a country code in the EU, EEA, or UK, this toggle is off by default.
- Right to limit use of sensitive personal information. We process pregnancy-related health data, which is “sensitive personal information” under the CPRA. We use it only for the purposes described in §3 and never to infer characteristics about you for advertising.
- Right to non-discrimination. We will not deny you the Service, charge you more, or provide a lower quality of service because you exercised any of these rights.
Our marketing site at mamalytics.app carries a “Do Not Sell or Share My Personal Information” link in the footer as required by California law. The linked page restates the position above.
To exercise any California right, email privacy@mamalytics.app from the email address associated with your account. We will verify your identity (typically by confirming a code we send to that address) and respond within 45 days.
9. Children
The Service is intended for users aged 18 and older. You confirmed during onboarding that you are at least 18 years old. We do not knowingly collect personal information from anyone under 13 in the United States or under 16 in the EU / EEA / UK. If you believe we have inadvertently collected information from a minor, contact privacy@mamalytics.app and we will delete it.
10. Security
We use a layered approach to protect your data:
- All traffic between the app and our servers is encrypted in transit using TLS 1.2 or higher.
- Data at rest in our PostgreSQL database is encrypted by our managed-database provider.
- Authentication is delegated to Auth0, which enforces password complexity and, where you have enabled it, multi-factor authentication. We never see or store your password.
- All authenticated API endpoints validate a JWT issued by Auth0.
- We rate-limit endpoints to defend against abuse.
- We log privileged actions to an audit log.
- We never log the body of your chat messages.
No system is perfectly secure. If you suspect unauthorized access to your account, contact privacy@mamalytics.app immediately.
11. International transfers
Mamalytics is operated from the United States. Our processors are based in the United States and (in some cases) other regions. If you use the Service from outside the United States, your data is transferred to and processed in the United States.
For users in the EU, EEA, and UK, this transfer is governed by the standard contractual clauses (SCCs) approved by the European Commission, supplemented by the processor-specific safeguards described in §4. By using the Service, you acknowledge that your data will be processed in the United States.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the version number and effective date at the top of this document.
- Add a row to the Revision history table at the end.
- For changes we consider material, present a re-consent prompt the next time you open the app. You will not be able to continue using the Service until you accept the updated policy. If you do not want to accept the new policy, you can use the “Delete my account instead” action in the re-consent prompt to exercise your deletion right and exit cleanly.
Examples of material changes include adding a new third-party processor, expanding the categories of data we collect, or broadening how we use existing data. Examples of non-material changes include typo fixes, clarifying rewrites that do not change meaning, and updates to contact details.
13. Effective date and revision history
Effective date: TBD on counsel sign-off · Version: 1.0.0
| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0.0 | TBD | Mamalytics engineering (Sprint 019 Story 011); pending counsel review | Initial publication. |
Last updated: May 24, 2026 · Version 1.0.0