Privacy Policy

Last updated: March 26, 2026

1. Introduction & Data Controller

GutFix ("we," "our," or "us") is committed to protecting your privacy and complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the UK Data Protection Act 2018.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered gut health application.

Data Controller:

GutFix

Email: privacy@gutfix.ai

2. Legal Basis for Processing

Under GDPR, we process your data based on the following legal grounds:

| Data Type | Legal Basis | GDPR Article |
|---|---|---|
| Account data (email, name) | Contract performance | Art. 6(1)(b) |
| Health symptoms & conditions | Explicit consent | Art. 9(2)(a) |
| DNA / genetic data | Explicit consent | Art. 9(2)(a) |
| Whoop biometric data | Explicit consent | Art. 9(2)(a) |
| AI processing of health data | Explicit consent | Art. 9(2)(a) |
| Payment data | Contract performance | Art. 6(1)(b) |
| Essential cookies | Legitimate interest | Art. 6(1)(f) |
| Analytics (Vercel Web Analytics) | Legitimate interest | Art. 6(1)(f) |
| Analytics (PostHog) | Consent | Art. 6(1)(a) |

Health data, genetic data, and biometric data are classified as "special category data" under GDPR Article 9. We only process these with your explicit, granular consent, which you can withdraw at any time in Settings → Privacy & Security.

3. Information We Collect

Personal Information

  • Email address and name (for account creation)
  • Health symptoms, conditions, and severity ratings
  • Dietary preferences, restrictions, and food diary entries
  • Current medications, supplements, and health conditions
  • Lifestyle data (sleep, stress, exercise, water intake)
  • Plan progress, daily check-in data, and symptom tracking
  • AI chat conversations and feedback

Wearable Device Data (Whoop Integration)

If you choose to connect your Whoop device, we access:

  • Recovery scores and trends
  • Heart rate variability (HRV) data
  • Sleep performance and duration
  • Daily strain scores
  • Resting heart rate

We do not access continuous heart rate data or raw sensor data. You can revoke Whoop access at any time in Settings.

Genetic Data (DNA Analysis)

If you upload a DNA file (from 23andMe, AncestryDNA, or similar), we process your genetic data to analyse specific health-relevant SNPs (single nucleotide polymorphisms). We store only the computed analysis results (risk assessments and recommendations) — raw genetic data is processed server-side and is not permanently stored. You may request deletion of your DNA analysis at any time.

Payment Information

Payment processing is handled entirely by Stripe. We never store, process, or have access to your credit card numbers. We only store your Stripe customer ID and subscription status.

4. How We Use Your Information

  • Personalised Plans: Generate gut health suggestions based on your symptoms, diet, and health data
  • AI Analysis: Provide contextual AI-powered troubleshooting and coaching using your health data
  • Biometric Insights: Correlate Whoop wearable data with gut health patterns when connected
  • Progress Tracking: Monitor your improvement journey over time through daily check-ins and food diary
  • Safety Checks: Detect supplement contraindications and die-off reactions
  • Genetic Insights: Analyse DNA data for health-relevant genetic variants when uploaded

5. AI Data Processing

Your health data (symptoms, medications, plan context, and wearable biometrics) is sent to Anthropic's Claude AI for analysis when you use AI features such as plan generation and the troubleshooting chat.

  • Anthropic does not use API data for model training
  • Data sent to Anthropic is retained for up to 30 days for safety monitoring, then deleted
  • We do not send your email, name, or payment information to Anthropic — only health-relevant context
  • AI-generated content is clearly labelled and not a substitute for medical advice

6. Data Storage and Security

Your data is stored securely on Supabase (hosted on AWS infrastructure) with encryption at rest and in transit (TLS 1.2+). All database tables are protected with Row-Level Security (RLS) policies, ensuring your data is only accessible to your authenticated account.

Wearable device tokens are stored securely and used only to fetch your data on your behalf. We do not share your personal health data with third parties for marketing or advertising purposes.

7. Data Retention

| Data Type | Retention Period |
|---|---|
| Account & profile data | Duration of account + 30 days after deletion |
| Health data (symptoms, plans, check-ins) | Duration of account, deleted within 30 days of account deletion |
| DNA analysis results | Until user requests deletion, or 30 days after account deletion |
| Raw DNA file | Not stored — processed in memory and discarded |
| AI chat messages | Duration of account, deleted with account |
| AI processing by Anthropic | Up to 30 days (Anthropic safety policy), then deleted |
| Payment records | Managed by Stripe per their retention policy |
| Consent records | Retained for audit compliance, deleted with account |
| Anonymised analytics | Aggregated data may be retained indefinitely |

8. Third-Party Data Processors

We share your data with the following processors, each bound by data processing agreements:

| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database & authentication | All user data | US (AWS) |
| Anthropic | AI analysis & chat | Health context (no PII) | US |
| OpenAI | Embeddings for knowledge base | Anonymised health text | US |
| Pinecone | Vector database for RAG | Knowledge base vectors (no user data) | US |
| Stripe | Payment processing | Payment data, customer ID | US/EU |
| Whoop | Wearable biometric data | OAuth tokens (biometric data fetched on demand) | US |
| Vercel | App hosting & web analytics | Page views, performance metrics (cookie-less) | US |
| PostHog | Product analytics & conversion funnels | Page views, user interactions, session data (consent-gated) | EU (Frankfurt) |
| Upstash | Rate limiting | Anonymised request counts | US |
| Resend | Transactional email | Email address | US |
| Sentry | Error monitoring & performance | Error traces, session context (no health data) | US/EU |
| Reddit | Advertising conversion tracking | Page views, hashed email (consent-gated) | US |

9. International Data Transfers

Your data is processed by services located in the United States. For transfers of personal data from the UK/EEA to the US, we rely on the following safeguards:

  • EU-US Data Privacy Framework (DPF): Where processors are DPF-certified (e.g., Stripe, Vercel)
  • Standard Contractual Clauses (SCCs): For processors not covered by DPF, we ensure SCCs are in place
  • UK International Data Transfer Agreement (IDTA): For UK-specific transfers, we apply the UK addendum to SCCs where required

We regularly review the data protection practices of our processors to ensure ongoing compliance with applicable transfer mechanisms.

10. Cookies and Tracking

GutFix uses the following categories of cookies:

| Category | Purpose | Consent Required |
|---|---|---|
| Strictly necessary | Authentication, session management, CSRF protection | No (legitimate interest) |
| Analytics | Product analytics and conversion funnel tracking (PostHog, EU-hosted) | Yes (opt-in via cookie banner) |
| Marketing | Meta (Facebook) Pixel and Reddit Pixel for ad performance measurement and conversion tracking | Yes (opt-in via cookie banner "Accept All") |

PostHog: When you consent to analytics cookies, we load PostHog to understand how users navigate our app and identify areas for improvement. PostHog is hosted on EU servers (Frankfurt) and only activates after you opt in via the cookie banner. Data collected includes page views, button clicks, and funnel progression. No data is collected before consent. You can opt out at any time by clearing your cookie preferences.

Vercel Web Analytics: We use Vercel Web Analytics for basic performance monitoring. This tool is cookie-less and does not use any tracking cookies or collect personally identifiable information. It operates under our legitimate interest (Art. 6(1)(f)) and does not require consent.

Meta Pixel: When you consent to marketing cookies, we load the Meta (Facebook) Pixel to measure the effectiveness of our advertising campaigns. The Pixel may collect your IP address, browser information, and page views. This data is processed by Meta Platforms, Inc. in accordance with their Privacy Policy. You can opt out at any time by clearing your cookie preferences or using the cookie banner.

Reddit Pixel: When you consent to marketing cookies, we load the Reddit Pixel to measure the effectiveness of our advertising campaigns on Reddit. The Pixel may collect your IP address, browser information, and page views. We also use the Reddit Conversions API (server-side) to send hashed email addresses for conversion attribution. This data is processed by Reddit, Inc. in accordance with their Privacy Policy. You can opt out at any time by clearing your cookie preferences or using the cookie banner.

You can manage your cookie preferences via the cookie banner shown on your first visit, or by clearing your browser's localStorage.

11. Your Rights Under GDPR

Under UK GDPR and EU GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of all data we hold about you
  • Right to Data Portability (Art. 20): Download your data in JSON format via Settings → Privacy
  • Right to Erasure (Art. 17): Request permanent deletion of your account and all associated data via Settings → Privacy or by emailing us
  • Right to Rectification (Art. 16): Update or correct inaccurate information via Settings or by contacting us
  • Right to Restrict Processing (Art. 18): Request we limit how we use your data
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time via Settings → Privacy & Security. Withdrawal does not affect the lawfulness of processing prior to withdrawal

To exercise these rights, use the Data Management options in Settings or email us at privacy@gutfix.ai. We will respond within 30 days.

12. Consent Management

We collect granular consent for each type of special category data processing:

  • Health data processing: Required to use the app (symptoms, conditions, diet, lifestyle)
  • AI data processing: Required for AI-powered features (data sent to Anthropic)
  • DNA data processing: Collected when you first upload a DNA file
  • Biometric data processing: Collected when you connect Whoop

Consent records are stored with timestamps and version numbers for audit purposes. You can view and withdraw consent at any time in Settings → Privacy & Security.

13. Age Restrictions

GutFix is intended for users aged 18 and older. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a minor, we will promptly delete it.

14. Health Data Disclaimer

GutFix is a consumer wellness application and is not a HIPAA-covered entity. While we implement industry-standard security measures to protect your health data, our service does not meet HIPAA compliance standards. Do not use GutFix to store clinical medical records or protected health information (PHI) from healthcare providers.

15. Data Breach Notification

In the event of a personal data breach:

  • We will notify the relevant supervisory authority (ICO for UK users) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay (GDPR Article 34)
  • Notifications will include the nature of the breach, the data affected, likely consequences, and the measures taken to address it

16. Right to Lodge a Complaint

If you believe we have not handled your data in accordance with data protection law, you have the right to lodge a complaint with a supervisory authority:

UK — Information Commissioner's Office (ICO)

Website: ico.org.uk

Phone: 0303 123 1113

Germany — Federal Commissioner for Data Protection (BfDI)

Website: bfdi.bund.de

Or your relevant Landesdatenschutzbeauftragter

17. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. For significant changes affecting your data rights, we will provide notice via email and may request renewed consent where required.

18. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your rights, please contact us:

Email: privacy@gutfix.ai

We aim to respond to all data protection enquiries within 30 days.