Privacy Policy for Supplement AI Inc.

Effective Date: October 6, 2025

1. Introduction

Supplement AI Inc. ("Supplement AI," "we," "us," or "our") respects your privacy and is committed to protecting the personal data we collect from you. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use our website and services (collectively, the "Service").

2. Information We Collect

We collect the following categories of personal data:

  • Identification Information: Name and email.
  • Transactional Information: Account details and purchase history.
  • User Activity Information: Device information, IP addresses, usage analytics.
  • Supplement and Health Data: Non-HIPAA-covered health-related information voluntarily provided by users.

We do not process or store health data subject to HIPAA. We do not knowingly collect sensitive personal information such as racial or ethnic origin, political opinions, religious beliefs, or biometric data. Any health-related information you provide is voluntary and limited to supplement usage, goals, and general wellness data.

3. How We Use Your Data

We process your personal data to:

  • Provide personalized supplement recommendations based on AI and scientific research.
  • Operate interactive chatbot guidance and maintain service history for continuity.
  • Facilitate user onboarding and dashboard functionalities.
  • Conduct research searches and analysis related to supplements.
  • Track user interactions, progress, and feedback.
  • Process transactions and manage billing.
  • Improve our Service through analytics, error tracking, and internal research using pseudonymized and aggregated data.
  • Analyze usage patterns, trends, and behaviors to enhance recommendations, features, and overall Service quality.
  • Protect data and ensure Service security.

Your data is strictly used for educational and informational purposes. We may use de-identified, pseudonymized, or aggregated data for research, analytics, and service improvements without restriction.

4. Sharing of Data

We never sell your data. Supplement AI will not sell, rent, or share your personal data with third parties for their own commercial purposes. Your data is shared only with trusted subprocessors as necessary to deliver the Service, or as required by law.

Supplement AI engages the following subprocessors to deliver the Service:

  • MongoDB: Encrypted data storage (has access to stored user data).
  • Firebase: User authentication and identity management (has access to email addresses for authentication).
  • OpenAI: AI-powered features and natural language processing (receives conversation context; does not receive name or email unless you explicitly include it in your messages).
  • PostHog: Analytics and product insights (receives pseudonymized user identifiers only; does not receive names or email addresses).
  • SendGrid: Transactional email services (has access to email addresses for delivery purposes only).
  • Cloudflare: CDN and security services (processes connection data).
  • Vercel: Hosting, deployment, and performance monitoring (has access to application data).
  • Stripe: Payment processing services (processes payment information only).

These service providers process data on our behalf under strict contractual obligations and are prohibited from using your data for their own purposes. We implement data minimization practices to limit the information each subprocessor receives to only what is necessary for their specific function.

5. Data Security

We use commercially reasonable technical and organizational security measures including:

  • Encryption of direct identifiers: Names and email addresses are encrypted at rest using AES-256-CBC encryption.
  • Encryption in transit: All data transmitted is encrypted using HTTPS/TLS protocols.
  • Pseudonymization: User data is associated with unique identifiers (UIDs) in system operations.
  • Regular security assessments and testing.
  • Controlled user identification and access management.
  • Event logging and secure systems configuration.
  • Data minimization, quality assurance, and limited data retention.

Health and personal data is protected through access controls, pseudonymization, and secure database configurations. All subprocessors maintain SOC 2 and/or ISO 27001 certifications.

6. Data Transfers

Supplement AI operates primarily in the United States. Your data may be transferred internationally to our subprocessors and service providers. Where required by law, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved by data protection authorities for international transfers of personal data, ensuring compliance with GDPR, UK GDPR, and other applicable laws.

7. Your Data Rights

You have rights regarding your personal data, including:

  • Access to your data.
  • Correction or update of your data.
  • Request deletion of your data.
  • Data portability: Request a copy of your personal data in a commonly used, machine-readable format.
  • Opt-out: Request that we not sell or share your personal information (note: we do not sell personal data).
  • Withdraw consent at any time where applicable.

These rights are provided in accordance with applicable laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). To exercise your rights, contact us at [email protected].

8. Retention of Data

We retain your personal data only as long as necessary to fulfill the purposes for which it was collected, provide ongoing Service functionality, or as required by applicable laws. You may request deletion of your account and associated data at any time through your account settings or by contacting us.

9. Cookies and Tracking Technologies

We use cookies, local storage, and similar technologies to enhance user experience, maintain preferences, analyze traffic, and improve Service functionality. By using our Service, you consent to our use of these technologies. Where required by law (such as in the European Union or United Kingdom), we will obtain your consent before placing non-essential cookies or similar tracking technologies on your device.

10. Compliance with Laws

We comply with all applicable data protection and privacy laws, including GDPR and CCPA. Supplement AI is classified as a "service provider" under CCPA.

11. Changes to This Privacy Policy

We may update this policy occasionally. Any changes will be posted on this page, with the "Effective Date" updated accordingly.

12. Contact Information

If you have questions or concerns about this Privacy Policy, please contact:

Adam Schorr, Founder
Supplement AI Inc.
1111B S Governors Ave STE 26626
Dover, Delaware 19904
[email protected]

By using Supplement AI, you acknowledge and agree to the practices described in this Privacy Policy.

The only official Supplement AI domain is supplementai.io. We are not affiliated with any other apps or services using similar names. We are not currently on the App Store or Google Play Store.