1. Scope
This policy applies to shred.md's website, iOS application, backend APIs, and connected integrations. It covers data you provide directly, data pulled from integrations you authorize, and data generated by the service while operating the product.
2. Data We Collect
Account data
Email address, authentication identifiers, account settings, phase preferences, goals, and support communications.
Health and wellness data
HealthKit metrics, wearable data, workouts, sleep, recovery data, heart-rate data, body-composition data, nutrition logs, and derived wellness features or inferences.
Meal content
Meal photos, image uploads, barcode results, text meal entries, item-level edits, serving counts, meal timing, and stored meal history.
Bloodwork content
Bloodwork report text, normalized lab markers, panel dates, units, and interpretation outputs you request.
Location and device data
Optional current meal location, device type, operating system, request logs, coarse operational telemetry, and app diagnostic data needed to run the service.
Voice and speech input
If you choose voice meal logging, audio may be processed by device or platform speech-recognition services, and resulting transcripts may be stored if you use them in meal notes.
Website storage
The public website currently stores waitlist signup state in your browser's local storage. This is device-local and not currently synced to a hosted CRM in this repository state.
3. Where the Data Comes From
- Directly from you, including account registration, meal logs, photos, bloodwork uploads, support messages, and settings changes.
- From Apple HealthKit and other integrations you connect, such as Whoop and Withings.
- From your device sensors and permissions, including optional camera, photo library, location, microphone, and speech-recognition access.
- From our service providers that authenticate users, host data, store files, or run requested AI inference.
4. How We Use Data
- Provide the app, authenticate accounts, sync integrations, and store your history.
- Generate wellness outputs such as meal estimates, daily targets, projections, correlations, nudges, and trend summaries.
- Operate requested AI features such as food-photo analysis or bloodwork text parsing.
- Secure the service, investigate bugs, prevent abuse, and maintain logs and backups.
- Improve service quality, including through aggregated or de-identified analytics where permitted by law.
- Comply with legal obligations, resolve disputes, and enforce our Terms.
5. HealthKit and Sensitive Health-Style Data
HealthKit rule: We do not use HealthKit data for advertising, marketing or advertising profiles, or data-broker purposes, and we do not sell HealthKit data.
shred.md is built around health-style data. That includes actual measurements and inferred health or wellness signals. We treat these categories as sensitive, even if some laws do not classify every field the same way.
6. AI Processing and Service Providers
When you request AI-powered features, selected inputs may be transmitted to third-party providers acting as service providers on our behalf. In the current product, this may include Google Cloud, Firebase, and Google Gemini for authentication, hosting, storage, and structured AI inference. We may add or replace service providers over time if needed to operate the product.
AI outputs can be incomplete, wrong, or unsafe if taken literally. For that reason, you should treat the output as wellness information and not as medical advice, diagnosis, or a substitute for professional judgment.
7. How We Share Data
- Service providers: Infrastructure, storage, authentication, analytics, AI inference, security, and support vendors acting on our behalf.
- Connected providers you authorize: For example, HealthKit, Whoop, and Withings workflows you initiate.
- Legal and safety reasons: To comply with law, respond to lawful requests, prevent harm, protect rights, or enforce agreements.
- Business transactions: If the service is involved in a merger, financing, restructuring, or sale, subject to appropriate confidentiality and legal protections.
We do not sell personal data for third-party advertising. We do not knowingly share HealthKit data for advertising purposes.
8. Retention
We retain data for as long as reasonably necessary to operate the service, maintain user-requested history, secure the platform, comply with legal obligations, and resolve disputes. Retention may vary by data type. Account, meal, wearable, and bloodwork records may persist until deleted, subject to backups, fraud prevention, tax, legal, or security retention needs.
9. Security
No security program is perfect. We use commercially reasonable administrative, technical, and organizational measures designed to protect data, but we cannot guarantee absolute security.
10. Your Choices and Rights
- Disconnect integrations through platform permissions or the service where supported.
- Limit optional permissions such as camera, photo library, location, microphone, or speech recognition in device settings.
- Request access, correction, export, or deletion by emailing vgurbuxani@gmail.com.
- Where applicable law gives you additional privacy rights, we will honor them as required.
If you are a Washington resident or your data qualifies as consumer health data under applicable law, see our Consumer Health Data Notice.
11. Children's Privacy
The service is intended for adults 18 and older. We do not knowingly offer the service to children or knowingly collect personal data from children under 18 for use of this product.
12. Cross-Border and U.S. Processing
Data may be processed in the United States or other jurisdictions where our service providers operate. By using the service, you understand that your data may be transferred to and processed in places that may have different legal protections than your home jurisdiction.
13. HIPAA Positioning
Unless we expressly state otherwise in a separate signed agreement, shred.md is offered as a consumer wellness product and not as a HIPAA-covered service or business associate service.
14. Changes
We may update this policy from time to time. The effective date at the top of this page will change when the policy changes materially.
15. Contact
For privacy questions or requests, email vgurbuxani@gmail.com.