Consumer Health Data Privacy Policy

Version 1.0 · Effective June 3, 2026

This Consumer Health Data Privacy Policy is required by the Washington My Health My Data Act (RCW 19.373) and the consumer health data laws of Nevada (SB 370) and Connecticut. It describes the consumer health data Idunia collects, the purposes and sources, the categories of third parties and affiliates it is shared with, and how you exercise your rights. It is separate from our general Privacy Policy and our Terms.

1. Categories of consumer health data we collect

You enter all of this yourself:

• Cycle / reproductive data — menstrual cycle dates, flow, and a single on/off setting for whether you track your cycle. We do not ask or store why you turn cycle tracking off.
• Nutrition data — foods you log and the resulting macro- and micronutrient totals.
• Training & body data — workouts, sleep, hydration, supplements, and body metrics you enter (age, height, weight, optional body-fat %).
• Health indicators we calculate — your energy-availability / RED-S indicators and micronutrient-sufficiency indicators, derived from the data above.

2. Sources

We collect consumer health data directly from you, through what you enter in the app. We do not buy it and do not obtain it from data brokers or advertising networks.

3. Purposes

Solely to provide the app's features to you: calculating your targets and indicators and showing your own history back to you. We do not use it for advertising, marketing, profiling, or to train models for anyone else.

4. Categories of consumer health data we share

We do not share or sell your consumer health data. We have no advertising, analytics, attribution, or tracking software in the app.

The only company that handles any of your data is our hosting provider, Supabase, Inc., which acts only as our service provider (a company we hire solely to run the app, which is contractually prohibited from using your data for any purpose of its own). Using a hosting provider to store data for you is not "sharing" or "selling" under these laws. Your cycle/reproductive data never reaches Supabase, because it stays on your device.

5. Categories of third parties and specific affiliates

• Specific affiliates: We have no affiliates.
• Third parties we share consumer health data with: None.
• Service provider (processor acting only for us): Supabase, Inc.

6. Where your data is stored and how it is protected

• Your cycle/reproductive data is stored only on your device, in an encrypted file whose key is held by your device's operating system. It is never sent to our servers, so we cannot access it or be compelled to produce it.
• Your other data is stored on our hosted backend (Supabase). It is encrypted in transit (TLS) and at rest, access is limited to operating the app, and we do not browse your health data.
• If you use the in-app "Report a problem" feature, the diagnostic logs we receive never include your cycle data and are sent only when you choose to send them.

7. Your rights

You may at any time:

• Access / confirm what consumer health data we hold and the list of any third parties or affiliates that received it. Our only service provider is Supabase, Inc. (privacy contact: privacy@supabase.com). We share your consumer health data with no other third parties or affiliates.
• Export your data (in a machine-readable file). Server-side data is included; cycle data is exported from your device.
• Delete your data. In Settings: delete cycle data (wipes it from your device) and/or delete your account (removes your server-side data). Deleting your account does not erase cycle data already on your device — delete cycle history or uninstall to remove that.
• Withdraw consent. Cycle tracking is optional — turn it off anytime and choose to delete it, and keep using the app. Nutrition and training data are required to run the app; to stop that collection, delete your account.

To exercise any right, use the in-app controls or email founders@maxoutput.ai. We respond as soon as we can and no later than 45 days; if we need more time we will tell you why. If we decline a request, we will explain why and how to appeal.

8. Retention

Cycle data stays on your device until you delete it or uninstall the app; we keep no server copy. Other data is retained until you delete it or close your account; we remove deleted data from active systems promptly and from backups within 90 days.

9. Changes

If we materially change what we collect or how we use it, we will ask for your consent again before the change applies to data already collected. We will not retroactively apply new uses to previously collected data without your opt-in.

Contact: founders@maxoutput.ai