Privacy Policy
Last updated: 2026-06-18
health4.ai ("we", "us") builds tools that sync Apple HealthKit data to a cloud database and expose it to AI agents via MCP. This policy explains what we collect, how we use it, and your rights.
1. What data we collect
- Health data — HealthKit metrics you authorize (sleep, HRV, steps, workouts, heart rate, etc.). This data is uploaded to Supabase.
- Account data — email address (waitlist sign-ups and hosted-tier accounts), auth tokens.
- Usage data — MCP API call counts, error logs (no health payload in logs). We use PostHog for analytics; it does not receive health data.
- No third-party access — Your health data is stored in a private database. We do not share it with third parties, advertisers, or data brokers.
2. How we use it
- To deliver the service — sync HealthKit data so AI agents can query it.
- To notify you at App Store launch (waitlist only).
- To improve reliability — aggregated, non-identifiable usage metrics.
We do not use your health data for advertising, sell it to third parties, or share it with any party not required to operate the service. Per Apple's HealthKit guidelines, health data will never be used for advertising or sold to data brokers.
3. Where data is stored
Your health data is stored in a private Supabase database (hosted on AWS us-east-1). Data is encrypted at rest and in transit (TLS 1.2+). Only you can query your data.
4. HIPAA
health4.ai is not a covered entity under HIPAA and does not operate as a HIPAA Business Associate unless a Business Associate Agreement (BAA) is separately executed in writing.
5. Your rights
- Access & export — request a copy of your stored data at any time.
- Deletion — request deletion of your account and all associated health data. We will complete deletion within 30 days.
- GDPR / CCPA — EU and California residents have additional rights (portability, rectification, opt-out of sale). We do not sell personal data. Contact us to exercise any right.
- Apple HealthKit data — you can revoke HealthKit permission at any time in iPhone Settings → Privacy & Security → Health → health4.ai.
6. Breach notification
In the event of a breach involving your health data, we will notify affected users as soon as practicable, and in any case within 60 days, as required by the FTC Health Breach Notification Rule.
7. Analytics & cookies
We use PostHog (US-hosted) for product analytics. PostHog receives page views and feature interaction events — no health data. We do not use advertising cookies or trackers.
8. Changes to this policy
We will update the "Last updated" date and notify hosted-tier users by email of any material changes.
9. Contact
Questions or data requests: privacy@health4.ai