Skip to content
Luma logoLumaRequest access

Privacy Policy

Effective Date: June 2, 2026Last Updated: June 2, 2026

1. Scope and Roles

This Privacy Policy applies to information we collect through the Service. It does not apply to third-party services, websites, or apps that integrate with or link from the Service, even if accessed from within the App. Those third parties have their own privacy practices, which we encourage you to review.

For users in California and other U.S. states with comprehensive privacy laws, Hashbury is the "business" that determines the purposes and means of processing personal information.

If we make the Service available in the European Economic Area ("EEA"), United Kingdom, or Switzerland in the future, Hashbury will be the "controller" of personal data processed through the Service, except where we act as a "processor" on behalf of a business customer.

2. Information We Collect

We collect the following categories of information:

2.1 Information You Provide

  • Account data: name, email address, password (hashed), date of birth (you must be 18 or older), sex/gender (optional), profile photo.
  • Health and fitness data: height, weight, body measurements, fitness goals and level, dietary preferences, allergies, workout preferences, and related wellness information you choose to enter.
  • Workout and nutrition logs: exercises performed, sets/reps/weights, food and meal entries (text), calories, macronutrients, and supplements.
  • Food photos (optional): If you use camera-based nutrition features, you may submit food or menu photos. These images are transmitted to our AI providers only to process your request and are not stored on our servers.
  • Voice input (optional): If you use voice features to dictate notes or logs, your speech is converted to text using on-device or platform speech recognition. We receive only the resulting text; we do not record or store the underlying audio.
  • Communications: support tickets, feedback, and other messages you send us (including optional screenshots attached to support requests).
  • Payment data: subscription tier and billing status. Full payment card numbers are processed by Apple or Google through in-app purchase and are never stored by us. We do not offer web checkout at this time.

We do not collect reproductive or menstrual data, mental-health or mood/journal entries, medical diagnoses or conditions, or body/progress photos.

2.2 Information Collected Automatically

  • Device and technical data: device model, operating system and version, app version, language, time zone, mobile carrier (where available), screen size, and approximate IP-based geolocation (country/region/city — we do not collect precise GPS location unless you explicitly grant permission for a feature that requires it).
  • Usage data: features used, screens viewed, taps, session duration, errors, and push-notification interaction, collected through our privacy-respecting analytics provider (see Section 6).
  • Identifiers: account ID, device identifiers (such as Apple's Identifier for Vendor (IDFV) or Google's Android ID), analytics IDs, and a subscription/purchase identifier used by our in-app purchase provider (RevenueCat) to manage your subscription. We do not use Apple's IDFA for tracking and do not show tracking-based advertising.

2.3 Information from Third-Party Sources

  • Apple HealthKit (iOS only): If you grant permission, we read only the categories you approve (see Section 4). We do not integrate with Google Health Connect on Android at this time.
  • Sign-in providers: If you sign in with Apple or Google, we receive limited profile information (such as name and email) per your platform settings.
  • AI providers: Outputs returned to us from third-party AI models in response to your inputs (see Section 5).

2.4 Sensitive Information

Some of the information above is considered "sensitive personal information," "special category data," or "consumer health data" under various laws (e.g., CCPA/CPRA, Washington's My Health My Data Act). This includes health, fitness, and related wellness information. We process this data only with your consent and only for the purposes described in this Policy.

3. How We Use Information

We use information to:

PurposeExamplesGDPR Legal Basis
Provide the ServiceCreate your account, store logs, generate workouts and meal plans, display progressContract (Art. 6(1)(b)); Consent for health data (Art. 9(2)(a))
Personalize contentTailor recommendations to your goals and historyContract; Consent for health data
Power AI featuresSend your inputs to AI providers to generate insights, plans, and summariesContract; Consent for health data
Process paymentsManage subscriptions and renewals through app storesContract
Communicate with youRespond to support requests and send service-related notices (e.g., security, account, transactional push notifications you enable)Contract; Legitimate Interests
Improve and develop the ServiceAnalyze usage trends, fix bugs, test new featuresLegitimate Interests
Security and fraud preventionDetect abuse, enforce our Terms, protect usersLegitimate Interests; Legal Obligation
Comply with lawRespond to lawful requests, defend legal claimsLegal Obligation

We do not use your data for targeted advertising. We do not sell your personal information. We do not "share" your personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.

We do not use your personal information, User Content, or health data to train Hashbury's own foundation models. See Section 5 for how third-party AI providers handle your inputs.

We do not make decisions about you that produce legal or similarly significant effects using solely automated processing.

4. Apple HealthKit (iOS)

On iOS, if you connect Apple HealthKit:

  • We access only the specific categories you approve. Depending on your selections, we may read: step count; walking/running, cycling, or swimming distance; heart rate; active energy burned; sleep analysis (including duration and sleep-stage summaries where available); workouts; body mass (weight); and height.
  • In-app consent before any sync: When you first connect HealthKit, the App shows an in-app explanation of what will be synced and why, and your HealthKit data is sent to our backend only after you grant the iOS HealthKit permission and enable the integration in the App. This is separate from, and in addition to, Apple's HealthKit permission prompt.
  • Selected summaries and workouts may be synced to our secure backend (hosted on Supabase) so you can view history across devices.
  • We do not write data to Apple HealthKit.
  • HealthKit data is used exclusively to provide and improve the core functionality of the Service.
  • HealthKit data is never used for advertising, marketing, or data brokerage.
  • HealthKit data is never sold or shared with third parties for their own independent use.
  • AI processing of HealthKit-derived data: To generate the health reports and insights you request, summarized or derived HealthKit metrics (for example, daily step counts and sleep summaries) may be included in prompts sent to our AI service providers (see Section 5). These providers process this data only as our service providers under contract, solely to return the output you requested; they do not use it for their own purposes, model training, or advertising, and we do not sell it. We do not send your full HealthKit history.
  • HealthKit data is encrypted in transit and at rest on our systems.
  • If you revoke HealthKit access — either in your iOS Settings or by disabling the integration in the App — we stop reading new HealthKit data and delete HealthKit-sourced data from our backend promptly (and in any event within 30 days), even if you do not delete your account.
  • You may revoke HealthKit permissions at any time in your iOS Settings.

These commitments mirror Apple's HealthKit policy requirements and are also our contractual promises to you.

The App does not integrate with Google Health Connect on Android at this time.

5. Artificial Intelligence Processing

Some features (such as generated workouts, meal suggestions, nutrition parsing, and health summaries) are powered by third-party AI providers: OpenAI, Anthropic (Claude), and Google (Gemini). When you use these features:

  • We transmit only the minimum information needed to generate the output you request. Depending on the feature, this may include: your fitness goal and level; age and sex/gender (if provided); height, weight, and nutrition goals; dietary preferences and allergies; recent food or workout logs you reference; free-text descriptions of meals or workouts; transient food or menu photos (not stored by us); workout-plan inputs (selected days, exercises, sets/reps/weights, modification notes); and summarized health-report metrics (e.g., scores and trends).
  • Where a feature uses HealthKit-derived data, we send only summarized or derived metrics (for example, daily step counts and sleep summaries), as described in Section 4. We do not send your full HealthKit history or raw HealthKit records to AI providers.
  • We contractually require AI providers not to use your inputs or outputs to train their general-purpose models. We use commercial API tiers that prohibit training on customer data, where available.
  • AI providers may retain inputs and outputs briefly for abuse-monitoring and safety purposes, consistent with their data-processing agreements.
  • AI-generated content is labeled as such in the App where it is presented to you.
  • AI Outputs are generated automatically and may be inaccurate; see Section 8 of the Terms of Service for important disclaimers.

You can avoid AI processing by not using AI-powered features.

6. How We Share Information

We share information only as described below. We do not sell your personal information for money or other valuable consideration.

  • Service providers (processors / sub-processors): Companies that perform services on our behalf under contractual confidentiality and data-protection obligations, including:
    • Cloud hosting and database: Supabase, Inc. (and its underlying infrastructure providers, e.g., AWS).
    • AI model providers: OpenAI, Anthropic, and Google (Gemini).
    • In-app purchases and subscription management: Apple App Store and Google Play (billing), and RevenueCat, Inc. (subscription management). RevenueCat receives a subscription/purchase identifier, your account user ID, and device identifiers (such as IDFV) to validate and manage your subscription. It does not receive your health data.
    • Analytics: Aptabase (privacy-respecting product analytics).
    • Push notifications: Expo push notification service (for reminders and health-report alerts you enable). We use the Expo platform for push-notification delivery and app build tooling only; we do not use an Expo over-the-air update service that transmits your personal data.
    • Email: Supabase Auth (account emails) and Resend (support request delivery).
  • At your direction: Apple HealthKit / Google Health Connect, sign-in providers, and any future integrations you enable.
  • Legal, safety, and compliance: When required by law, subpoena, court order, or other legal process; to protect the rights, property, or safety of Hashbury, our users, or others; to enforce our Terms; or to investigate fraud, abuse, or security incidents.
  • Business transfers: In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets. We will require the recipient to honor this Privacy Policy or notify you of material changes.
  • With your consent: In any other case, with your express consent.

A current list of subprocessors is available upon request at privacy@hashburytechnologiesllc.com.

7. Cookies, SDKs, and Tracking Technologies

The App uses limited SDKs for analytics and core functionality. We do not use third-party advertising SDKs or tracking technologies for cross-context behavioral advertising. We do not display the iOS App Tracking Transparency (ATT) prompt because we do not track you across other companies' apps and websites.

Our website (if any) may use strictly necessary cookies and, with your consent where required, limited analytics cookies. You can manage cookies through your browser settings.

8. Data Retention

We retain personal information only as long as needed to provide the Service and for the purposes described in this Policy, including:

  • Account data: Retained while your account is active. When you delete your account in the App, we delete your account and associated personal data from our systems immediately as part of the deletion request.
  • Health, workout, and nutrition data: Retained while your account is active. Deleted immediately when you delete your account.
  • HealthKit-sourced data after revocation: If you revoke HealthKit access or disable the integration without deleting your account, we delete HealthKit-sourced data from our backend promptly, and in any event within 30 days (see Section 4).
  • Database backups: We do not currently maintain database backups of your personal data. If we begin retaining backups in the future (for example, by enabling a backup add-on with our hosting provider), we will update this Policy to disclose the backup retention period.
  • Payment records: Apple and Google retain transaction and tax records for in-app purchases under their own policies. We do not maintain payment-card information.
  • Inactive accounts: We do not automatically delete accounts based solely on inactivity.
  • Aggregated and de-identified data: May be retained indefinitely because it no longer identifies you.

You can request deletion at any time (see Section 11).

9. Data Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect your information, including:

  • TLS encryption of data in transit.
  • Encryption at rest of databases and backups.
  • Row-level security (RLS) and least-privilege access controls in our backend.
  • Hashing of passwords using industry-standard algorithms.
  • Logging and monitoring for suspicious activity.
  • Regular software updates and dependency patching.

No security measure is perfect. We cannot guarantee absolute security and you acknowledge that you provide information at your own risk. If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators as required by law, including, where applicable, the FTC's Health Breach Notification Rule.

10. International Data Transfers

We operate from the United States. Your information is stored and processed in the U.S. and may be processed by our service providers in the U.S. or other countries where they operate.

At launch, the Service is intended for U.S. users. We may restrict access from the European Economic Area, United Kingdom, and other regions. If we later make the Service available in those regions, we will implement appropriate transfer mechanisms (such as Standard Contractual Clauses) as required by applicable law.

11. Your Rights and Choices

Depending on where you live, you may have some or all of the following rights:

11.1 Everyone

  • Access and update: View and edit most of your information in the App settings.
  • Delete your account: Use the in-app "Delete Account" function in Settings. We will delete your personal data from our systems immediately, as described in Section 8.
  • Export your data: Request a copy of your data in a portable format by emailing privacy@hashburytechnologiesllc.com.
  • Revoke HealthKit access: At any time in your iOS Settings.
  • Manage push notifications: Through your device and in-app notification settings. We send transactional notifications (e.g., workout or meal reminders, health-report alerts) only when you enable them. We do not currently send promotional marketing push notifications.
  • Privacy and data requests: Contact privacy@hashburytechnologiesllc.com. We may verify your identity before processing your request. We aim to respond to verified requests within 30 days, or within the timeframe required by applicable law.

11.2 EEA, UK, and Switzerland (GDPR / UK GDPR)

In addition to the above, you have the right to: (a) access, (b) rectification, (c) erasure ("right to be forgotten"), (d) restriction of processing, (e) data portability, (f) object to processing based on legitimate interests, (g) withdraw consent at any time without affecting the lawfulness of prior processing, and (h) lodge a complaint with your local supervisory authority. We do not use solely automated decision-making with legal or similarly significant effects.

11.3 California (CCPA / CPRA)

California residents have the right to: (a) know the categories and specific pieces of personal information we collect, sources, business purposes, and recipients; (b) delete personal information; (c) correct inaccurate personal information; (d) opt out of "sale" or "sharing" of personal information (we do not sell or share); (e) limit use of sensitive personal information to what is necessary to provide the Service (we already limit it to that); and (f) be free from retaliation for exercising these rights.

We have not "sold" or "shared" personal information for cross-context behavioral advertising in the preceding 12 months. The Service is restricted to users 18 and older, and we do not knowingly collect, sell, or share the personal information of consumers under 18.

To exercise California rights, email privacy@hashburytechnologiesllc.com. We will verify your identity before fulfilling the request. You may designate an authorized agent to make requests on your behalf.

11.4 Other U.S. States (e.g., Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Indiana, Kentucky, Maryland, Rhode Island)

If you live in a state with a comprehensive privacy law, you may have rights similar to those above, including access, correction, deletion, portability, and the right to opt out of targeted advertising, sale, or certain profiling. We do not engage in targeted advertising, sale, or profiling with legal/significant effects. To exercise your rights, email privacy@hashburytechnologiesllc.com. You may appeal a denial of your request by replying to our response.

11.5 Washington and Nevada Consumer Health Data

For residents of Washington (under the My Health My Data Act) and Nevada (under SB 370), you have specific rights regarding "consumer health data," including the right to confirm whether we collect, share, or sell it; to withdraw consent to collection and sharing; to delete it; and to appeal a denial. We do not sell consumer health data. We collect and share consumer health data only with your affirmative, opt-in consent and only for the purposes described in this Policy. To exercise these rights, email privacy@hashburytechnologiesllc.com with the subject line "Consumer Health Data Request."

A separate Washington Consumer Health Data Privacy Policy applies to Washington residents.

11.6 Verifying Requests

To protect your information, we will verify your identity before responding to access, deletion, correction, or portability requests, typically by confirming control of your account email. Where we cannot verify, we may decline the request and will tell you why.

We will respond to verifiable requests within the timeframes required by applicable law (generally 30–45 days, extendable where permitted).

12. Children's Privacy

The Service is intended for users eighteen (18) years of age or older. We confirm age at sign-up by requiring your date of birth and blocking registration if you are under 18. We do not knowingly create accounts for, or collect personal information from, anyone under 18. If we learn we have collected personal information from a user under 18, we will promptly delete that information and terminate the account. If you later indicate you are under 16, we may lock your account pending review. Parents or guardians who believe their child has provided information may contact us at privacy@hashburytechnologiesllc.com.

13. Marketing Communications

We send transactional messages as part of providing the Service (e.g., account verification, password reset, security notices, and push notifications you enable for workouts, meals, or health reports). We do not currently send marketing emails or promotional push notifications. If we introduce marketing communications in the future, we will do so only as permitted by law and with any consent required.

14. Do Not Track

Our Service does not respond to "Do Not Track" browser signals, but we honor opt-out preference signals (such as Global Privacy Control) where required by law as a valid request to opt out of sale/sharing.

The Service may link to third-party websites, apps, or services. This Privacy Policy does not apply to those third parties. We are not responsible for their privacy practices, and we encourage you to review their privacy policies.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App, by email, or by other reasonable means and update the "Last Updated" date above. Your continued use of the Service after the changes take effect constitutes acceptance.

17. Contact Us

For questions, requests, or complaints about this Privacy Policy or our privacy practices:

Hashbury Technologies LLC
2323 Trinity Hills Court
San Jose, CA 95138
United States

General support: hashburycorp@hashburytechnologiesllc.com
Privacy requests: privacy@hashburytechnologiesllc.com

Data Protection Officer: We have not appointed a formal Data Protection Officer because we are not currently required to do so. For privacy-related questions or requests, contact privacy@hashburytechnologiesllc.com.

EU / UK Representative: Not applicable at launch. The Service is intended for U.S. users, and we may restrict access from the EEA and UK.

18. Accessibility

We are committed to making the Service accessible and usable for as many people as possible. We aim to follow recognized accessibility standards, including WCAG 2.1/2.2 Level AA where applicable.

If you experience difficulty using any part of the App, please contact us at privacy@hashburytechnologiesllc.com with a description of the issue and the device or assistive technology you are using. We will review accessibility feedback and prioritize improvements as part of our product development process.

Appendix A — California "Notice at Collection" Summary

In the prior 12 months, we have collected the following categories of personal information for the business purposes described in Sections 3 and 6:

CCPA CategoryExamplesCollected?Sold/Shared?
IdentifiersName, email, account ID, device identifiers, IPYesNo
Customer recordsName, email, payment statusYesNo
Protected characteristicsDate of birth (18+), sex/gender (optional)YesNo
Commercial informationSubscription historyYesNo
Internet/network activityApp usage and product interactionsYesNo
GeolocationApproximate (IP-based)YesNo
Sensory dataTransient food photos sent for AI processing (not stored)OptionalNo
Professional/employmentNoneNoNo
EducationNoneNoNo
InferencesPersonalized recommendationsYesNo
Sensitive PIHealth/fitness data, account credentialsYes (with consent)No

Retention: see Section 8.