Privacy Policy

BioHackMe - AI-Powered Health Tracking & Longevity Optimization

Last Updated: November 14, 2025

Effective Date: November 14, 2025

Introduction

Welcome to BioHackMe (displayed as BioHack Pro in the App Store). Your privacy and the security of your health data are our highest priorities. This Privacy Policy explains in clear, transparent language how we collect, use, store, and protect your personal information when you use our iOS mobile application.

Our Privacy-First Commitment

We believe your health data belongs to YOU, not to us. BioHackMe has been built from the ground up with privacy-first principles:

  • Local Storage First: All health data stays on your device by default
  • No Data Selling: We will never sell, rent, or trade your personal health information
  • Minimal Collection: We only collect what's absolutely necessary to provide our services
  • Full Transparency: This policy clearly explains what we do and don't do with your data
  • User Control: You maintain complete control over your data and permissions

Developer Information

  • Developer: Mike Reavey
  • App Name: BioHackMe (Display Name: BioHack Pro)
  • Platform: iOS only (React Native/Expo)
  • Contact: [email protected]

Information We Collect

1. Health Data (Stored Locally on Your Device)

BioHackMe accesses and stores the following health metrics locally on your iOS device only. This data is NOT transmitted to our servers and remains under your complete control.

Health Metrics from Apple HealthKit:

Data Type Purpose Storage Location
Blood Pressure (Systolic/Diastolic) Cardiovascular health tracking Local device only
Heart Rate & Resting Heart Rate Cardiovascular fitness monitoring Local device only
Heart Rate Variability (HRV) Recovery and stress assessment Local device only
Sleep Analysis (Duration, Stages, Quality) Sleep quality tracking Local device only
Weight & Body Composition Body composition tracking Local device only
Body Fat Percentage Body composition analysis Local device only
Workout Data (Type, Duration, Calories) Fitness activity tracking Local device only
Blood Glucose (CGM) Metabolic health tracking Local device only
VO2 Max Cardiorespiratory fitness Local device only

User-Entered Data:

Data Type Purpose Storage Location
Meal Logs & Descriptions Nutrition tracking Local device (AsyncStorage)
Meal Photos AI-powered nutrition analysis Temporarily sent to Anthropic Claude
Macronutrient Data Calorie and macro tracking Local device only
Frequent Meals Quick meal logging Local device only
User Notes & Observations Personal health journal Local device only

Storage Method: All local data is stored using AsyncStorage (React Native's persistent key-value storage), iOS App Sandbox (isolated from other apps), and iOS Device Encryption (encrypted at rest by default).

2. Data Sent to Third-Party AI Services

To provide AI-powered health insights, we send anonymized, aggregated health metrics to Anthropic's Claude AI API. This is the only health data that leaves your device.

What We Send to Anthropic Claude:

  • Aggregated daily/weekly metrics (averages, ranges, totals) - Example: "Average HRV: 68ms, Sleep: 7.5 hours, Resting HR: 58 bpm"
  • Relative time references (e.g., "today," "this week," "last 7 days")
  • Meal descriptions and photos (for nutrition analysis only)
  • General health patterns (trends, comparisons to previous periods)

What We DO NOT Send to Anthropic:

  • NO personally identifiable information (name, email, date of birth, address)
  • NO precise timestamps (only relative time like "yesterday")
  • NO device identifiers (UDID, advertising ID, etc.)
  • NO raw health data (only aggregated summaries)
  • NO location data
  • NO Apple ID or account information

Example of Data Anonymization:

✅ What we send:
"User's average HRV over the past 7 days was 68ms (range: 52-84ms). Sleep averaged 7.5 hours with 85% sleep efficiency. Resting heart rate trended down from 62 to 58 bpm."

❌ What we DON'T send:
"John Smith (DOB: 1985-03-15, email: [email protected]) recorded HRV of 68ms on 2025-11-14 at 07:32:15 AM at location 37.7749° N, 122.4194° W."

3. Information We Do NOT Collect

We want to be crystal clear about what we do NOT collect:

  • ❌ Your name, email, or contact information (unless you contact support)
  • ❌ Your precise location or GPS coordinates
  • ❌ Your contacts or address book
  • ❌ Your photos (except meal photos you explicitly select for AI analysis)
  • ❌ Your browsing history or activity in other apps
  • ❌ Device identifiers for advertising or tracking (no IDFA)
  • ❌ Biometric data (Face ID/Touch ID is handled by iOS, not us)
  • ❌ Payment information (handled by Apple, not us)
  • ❌ Social media profiles or connections

How We Use Your Information

Local Processing (On Your Device)

Your health data is processed locally on your iPhone/iPad to:

  1. Display Health Metrics - Show your current health stats in the dashboard, calculate daily, weekly, and monthly trends, generate charts and visualizations
  2. Track Progress - Monitor calorie deficit and nutrition goals, track workout frequency and Zone 2 cardio time, calculate weekly health scores (0-100 scale)
  3. Store Historical Data - Save meal logs and frequent meals, cache HealthKit data for faster performance, maintain personal health history

AI-Powered Analysis (Sent to Anthropic Claude)

Anonymized, aggregated health metrics are sent to Anthropic's Claude AI to:

  1. Generate Daily Insights - Personalized health analysis based on your metrics, identify patterns and trends, provide actionable recommendations
  2. Analyze Meal Photos - Estimate macronutrients from photos, suggest meal improvements, calculate estimated calorie content
  3. Provide Weekly Summaries - Comprehensive health trend analysis, grade your metrics (A-F scale), suggest areas for improvement
  4. Deliver Longevity Optimization - Evidence-based health recommendations, personalized insights for healthspan extension, context-aware coaching

Important: Meal photos are sent to Anthropic only when you explicitly request AI analysis, not stored permanently by Anthropic (per their data retention policy), deleted from their servers within 30 days maximum, and never used for AI model training (per Anthropic's policy).

Purposes We Do NOT Use Your Data For

  • Advertising - We don't show ads or sell your data to advertisers
  • Marketing - We don't use your health data for marketing
  • Insurance - We never share data with insurance companies
  • Employment - We don't provide data to employers
  • Research - We don't use your data for research without explicit consent
  • Training AI - Your data is not used to train AI models (per Anthropic's policy)

Data Storage & Security

Local Storage Security

All data stored on your iOS device is protected by multiple layers of security:

Storage Type Data Stored Security Measures
AsyncStorage Meal logs, frequent meals, preferences, cached AI analysis iOS app sandbox, encrypted at rest (iOS Data Protection API)
iOS Keychain Anthropic API key, Firebase tokens (if cloud backup enabled) Hardware-encrypted (Secure Enclave), biometric-protected
Apple HealthKit All raw health metrics (BP, HRV, sleep, workouts, etc.) Apple's secure HealthKit sandbox, per-app permissions, encrypted

iOS Security Features:

  • App Sandbox: BioHackMe runs in an isolated environment, preventing other apps from accessing its data
  • Data Protection: All files are encrypted using your device passcode/biometrics
  • Keychain Security: Sensitive tokens are stored in the hardware-encrypted Keychain
  • HealthKit Permissions: You control which health data the app can access

Network Security

When communicating with third-party services:

  • TLS 1.3 Encryption: All API calls use the latest encryption standards
  • Certificate Pinning: Prevents man-in-the-middle attacks
  • API Key Security: Anthropic API keys stored securely in iOS Keychain
  • No Third-Party Trackers: We don't use analytics SDKs that track you across apps

Data Retention

Data Type Retention Period Deletion Method
Local health data Indefinitely (until you delete app or clear data) Uninstall app or use "Clear All Data" in settings
Cached AI analysis 24 hours (to reduce API costs) Automatically deleted after 24 hours
Anthropic (Claude AI) Maximum 30 days (per Anthropic's policy) Automatically deleted by Anthropic
Firebase cloud backup Until you disable cloud backup Delete via app settings or revoke Apple Sign-In

Third-Party Services

We use a minimal number of third-party services, each carefully selected for privacy and security:

1. Anthropic (Claude AI)

Purpose: AI-powered health insights and meal photo analysis

Data Shared: Anonymized, aggregated health metrics, meal descriptions and photos (when you request AI analysis), NO personally identifiable information

Privacy Features:

  • HIPAA-ready: Anthropic meets HIPAA technical safeguards
  • No AI training: Your data is NOT used to train Claude models
  • 30-day retention: Data automatically deleted after 30 days maximum
  • Encryption: TLS 1.3 in transit, encrypted at rest

Learn More: Anthropic Privacy Policy

2. Apple HealthKit

Purpose: Read health metrics from Apple Health app

Data Shared: NONE - HealthKit data stays on your device

Privacy Features:

  • Read-only access: We only read data, never write to HealthKit
  • Granular permissions: You control which metrics we can access
  • Revocable: Disable HealthKit access anytime in iOS Settings

Learn More: Apple Privacy Policy

Your Privacy Rights

You have the following rights regarding your personal health data:

1. Right to Access

  • View all data: See all your health metrics in the app dashboard
  • Export data: Request a copy of your data (contact us)
  • HealthKit access: View source data in Apple Health app

2. Right to Delete

  • Clear local data: Use "Clear All Data" in app settings
  • Uninstall app: Deletes all local data immediately
  • Delete cloud backup: Disable cloud sync in settings (if enabled)
  • Request deletion: Contact us to delete data from third-party services

3. Right to Control

  • Revoke permissions: Disable HealthKit access in iOS Settings → Privacy → Health
  • Opt-out of analytics: Disable usage analytics in app settings
  • Disconnect services: Revoke Anthropic API access, disable cloud backup

How to Exercise Your Rights

Via App Settings:

  1. Open BioHackMe → Settings
  2. Privacy & Data Controls
  3. Choose action (Clear Data, Export Data, Disable Analytics, etc.)

Via Email:
Send requests to: [email protected]
Subject: "Privacy Rights Request"
Response time: Within 30 days

HIPAA, GDPR & CCPA Compliance

HIPAA Considerations (United States)

While BioHackMe is not a covered entity under HIPAA, we follow HIPAA-inspired best practices:

  • Technical Safeguards: Encryption, access controls, audit logs
  • Business Associate Agreements: Anthropic is HIPAA-ready
  • Minimum Necessary: We only collect data necessary for app functionality
  • User Control: You control access to your health data

Important: BioHackMe is a personal health tracking app, not a medical device or healthcare service. HIPAA does not apply to personal health apps used for individual wellness.

GDPR Rights (European Union Users)

If you're located in the EU/EEA, you have additional rights under GDPR:

  1. Right to Access (Article 15) - Request a copy of all personal data we process
  2. Right to Rectification (Article 16) - Correct inaccurate or incomplete data
  3. Right to Erasure / "Right to be Forgotten" (Article 17) - Request deletion of your personal data
  4. Right to Restrict Processing (Article 18) - Limit how we use your data
  5. Right to Data Portability (Article 20) - Receive your data in a structured, machine-readable format
  6. Right to Object (Article 21) - Object to data processing (e.g., analytics)

GDPR Contact: [email protected]
Response Time: Within 30 days (may extend to 90 days for complex requests)

CCPA Rights (California Users)

California residents have rights under the California Consumer Privacy Act (CCPA):

  1. Right to Know - What personal information we collect, use, disclose, and sell
  2. Right to Delete - Request deletion of personal information
  3. Right to Opt-Out of Sale - We do NOT sell personal information - there's nothing to opt out of
  4. Right to Non-Discrimination - We will not discriminate against you for exercising your CCPA rights
  5. Right to Correct - Request correction of inaccurate personal information

CCPA Contact: [email protected]
Response Time: Within 45 days (may extend to 90 days)

Children's Privacy

BioHackMe is designed for adults and is not intended for children under 13 years of age.

  • Minimum Age: 13+ (with parental consent)
  • Recommended Age: 18+
  • COPPA Compliance: We do not knowingly collect information from children under 13

Parental Notice

If you are a parent or guardian and believe your child under 13 has provided us with personal information:

  1. Contact us immediately: [email protected]
  2. We will delete it: We'll promptly delete any data from children under 13
  3. Account termination: We'll terminate the account if necessary

International Data Transfers

BioHackMe is developed and operated in the United States. Here's where your data is stored:

Data Type Storage Location Transfer Mechanism
Local health data Your iOS device (your country) No transfer
AI analysis requests Anthropic servers (United States) TLS 1.3 encryption
Cloud backup (optional) Google Firebase US servers Apple Sign-In, encryption

EU/EEA Users (GDPR)

If you use BioHackMe from the European Union:

  • Data stays local by default: Health data remains on your device in the EU
  • Optional transfers: AI analysis requires data transfer to US (with your consent)
  • Adequate safeguards: We use Standard Contractual Clauses (SCCs) and encryption
  • Your choice: You can use the app without AI features to keep all data local

Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in app features or functionality
  • Changes in privacy laws or regulations
  • Improvements to our privacy practices
  • User feedback and requests

Notice of Changes

When we make changes:

  1. Update "Last Updated" date at the top of this policy
  2. In-app notification for material changes (e.g., new data collection)
  3. Prominent notice in the app for significant changes

Your Acceptance: Continued use of the app after changes means you accept the updated policy. If you don't agree, you can stop using the app and delete your data.

Contact Us

We're here to help. Contact us about this Privacy Policy or your data:

Email: [email protected]

Developer: Mike Reavey

Response Time: Typically within 48 hours (max 30 days for GDPR/CCPA requests)

Data Rights Requests

To exercise your privacy rights (access, delete, export, etc.):

  • Email: [email protected]
  • Subject Line: "Privacy Rights Request - [Your Request]"
  • Include: Description of your request, what data you're referring to, preferred format for data export (if applicable)

Privacy Policy Summary (TL;DR)

Quick overview for those who prefer the highlights:

  • ✅ Your health data stays on your device - We don't store it on servers
  • ✅ AI analysis uses anonymized data - No personal identifiers sent to Anthropic
  • ✅ We NEVER sell your data - Not to advertisers, insurers, or anyone
  • ✅ You control everything - Revoke permissions anytime in iOS Settings
  • ✅ Minimal third-party sharing - Only Anthropic AI (for insights) and optional Firebase (cloud backup)
  • ✅ GDPR & CCPA compliant - Your rights are protected (access, delete, export, etc.)
  • ✅ Encrypted & secure - TLS 1.3, iOS Keychain, HealthKit sandbox, AES-256
  • ✅ No tracking or ads - We don't use advertising SDKs or cross-app tracking
  • ✅ Transparent & honest - This policy explains everything in plain language
  • ✅ HIPAA-inspired practices - We follow healthcare privacy best practices

Most Important:

  • 🏥 Your data is YOURS - You own and control all your health information
  • 🔒 Privacy by default - Cloud backup and analytics are opt-in, not opt-out
  • 🚫 Not medical advice - This is a wellness app, always consult healthcare professionals