Privacy Policy
Last updated: March 14, 2026
At ZuraLog ("we," "us," or "our"), your privacy isn't just a policy checkbox — it's the foundation of everything we build. This Privacy Policy explains what information we collect, why we collect it, and how we use it when you access our platform, mobile applications, and related services (collectively, the "Services").
This policy applies to users in the United States and incorporates your rights under the California Consumer Privacy Act (CCPA/CPRA) and other applicable state privacy laws, including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Texas (TDPSA), and Montana (MCDPA). If you are located outside the United States, please see Section 13 ("International Users") for additional information.
ZuraLog is a consumer wellness application. We are not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA). Health data you share with us is processed under this Privacy Policy, not HIPAA.
1. Information We Collect
1.1 Account & Profile Information
When you create an account, join our waitlist, or complete onboarding, we collect:
- Name, email address, and display name
- Date of birth (optional, used for age-based personalization)
- Gender (optional, self-identified)
- Fitness level (e.g., beginner, active, athletic)
- AI coach persona preference (e.g., tough love, balanced, gentle)
- Health and wellness goals you select
1.2 Health & Fitness Data
With your explicit permission, ZuraLog may access health and wellness data from connected third-party services (e.g., Apple Health, Google Health Connect, Strava, Fitbit, Oura, Polar, Withings, Garmin, Whoop). This includes:
- General fitness & activity: steps, workouts, calories burned, distance, exercise minutes, activity type, and similar activity metrics
- Biometric data: heart rate, heart rate variability (HRV), blood oxygen (SpO2), resting heart rate, respiratory rate, body temperature, and blood pressure
- Body composition: weight measurements and related metrics
- Mental & emotional wellness: stress scores, mood logs, and recovery readiness indicators
- Sleep data: sleep duration, sleep stages (REM, deep, light), sleep quality scores, sleep efficiency, and sleep latency
- Nutrition & hydration: dietary calories, macronutrients (protein, carbs, fat), water intake, and meal logs
We collect only the data categories you explicitly authorize and use them solely to deliver and improve the Services.
1.3 User-Generated Wellness Data
You may voluntarily provide additional health data through the Services, including:
- Journal entries: daily subjective wellness ratings (mood, energy, stress, sleep quality) and free-text notes
- Quick logs: rapid metric snapshots such as water intake, mood, energy, stress, pain levels, and notes
- Tags: user-created categories for wellness tracking (e.g., "headache," "travel")
- Emergency health card: blood type, allergies, medications, medical conditions, and emergency contact information. This data is stored locally on your device by default and is only synced to our servers if you explicitly enable cloud backup.
1.4 AI Coach Interactions
When you interact with our AI health coach, we collect and store:
- Conversation histories (your messages and AI responses)
- Attachments you share in chat (e.g., meal photos for nutritional analysis)
- AI-generated context and memory (personalization data the AI uses to provide relevant coaching, such as "prefers morning workouts")
You can view and delete your AI memory items at any time from the Settings screen.
1.5 Subscription & Payment Data
If you subscribe to ZuraLog Pro, we collect your subscription tier and expiration date. Payment processing is handled entirely by RevenueCat through the Apple App Store or Google Play Store — we do not collect or store your credit card number, billing address, or other payment instrument details.
1.6 Usage & Device Data
We automatically collect certain technical information when you use the Services, including:
- IP addresses and approximate location derived from IP
- Device identifiers, platform (iOS/Android), and operating system version
- App version and build number
- Pages viewed, screen navigation, and interaction events
- App lifecycle events (launch, foreground, background) and session duration
- Push notification delivery and read status
- Error logs and crash reports
You can opt out of analytics data collection at any time from Settings → Privacy & Data → Analytics.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Services
- Generate personalized health and fitness insights using AI analysis across your connected data sources
- Power your AI health coach with relevant context from your health data, journal entries, and past conversations
- Send push notifications including health insights, anomaly alerts, streak milestones, achievement notifications, daily briefings, and reminders (subject to your notification preferences and quiet hours settings)
- Track your engagement streaks and unlock achievements
- Communicate with you about product updates, support, and promotions
- Detect and prevent fraud, abuse, or security incidents
- Monitor application performance and diagnose errors
- Comply with applicable legal obligations
3. AI & Automated Processing
ZuraLog uses artificial intelligence to provide personalized health coaching and insights. Here is how your data is processed by AI systems:
- AI coaching: When you send a message to the AI coach, your message — along with relevant health context (recent metrics, journal entries, goals, and preferences) — is sent to a third-party large language model (LLM) provider for response generation. The AI may also retrieve data from your connected integrations in real time to answer your questions.
- Personalization memory: To provide more relevant coaching over time, the AI generates short contextual summaries (e.g., "user is training for a marathon") that are stored as vector embeddings in a secure database. These embeddings are isolated per user and cannot be accessed by other users.
- Insights generation: We analyze your health data to surface trends, anomalies, and actionable insights. This processing is automated but is not used to make decisions that produce legal or similarly significant effects.
You can delete your AI memory at any time from Settings. AI-generated insights are provided for informational and wellness purposes only and do not constitute medical advice.
4. We Do Not Sell Your Data
ZuraLog does not sell, rent, or share your personal information — including your health and biometric data — with third parties for advertising, marketing, or any commercial purpose. We do not engage in cross-context behavioral advertising. This applies to all users, including residents of California and all other US states with consumer privacy laws.
5. Limited Data Sharing
We may share information only in the following limited circumstances:
- Service providers: trusted vendors who help us operate the Services under strict confidentiality agreements that prohibit them from using your data for their own purposes. These include:
  - Cloud infrastructure: Supabase (database and authentication), Railway (application hosting), Redis (caching)
  - AI processing: OpenRouter (LLM inference), OpenAI (text embeddings), Pinecone (vector search)
  - Analytics & monitoring: PostHog (product analytics, subject to your opt-out preference), Sentry (error monitoring and crash reporting)
  - Push notifications: Firebase Cloud Messaging (notification delivery)
  - Payments: RevenueCat (subscription management via App Store and Google Play)
- Health platform integrations: when you connect a third-party health platform (e.g., Strava, Fitbit, Oura, Polar, Withings), we exchange data with that platform using OAuth 2.0 authorization that you explicitly grant. We access only the data scopes you authorize, and you can disconnect any integration at any time from Settings.
- Legal obligations: when required by law, subpoena, court order, or to protect the rights, safety, or property of ZuraLog or its users.
- Business transfers: in the event of a merger, acquisition, or asset sale, your data may transfer to the successor entity subject to the same privacy protections described here. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. Sensitive Personal Information
The following categories of data we collect are considered sensitive personal information under applicable state laws:
- Biometric data: heart rate, HRV, SpO2, body temperature, blood pressure, and respiratory rate
- Health data: sleep metrics, nutrition data, weight, stress scores, mood, recovery indicators, and medical information from your emergency health card
We process this data solely to deliver your in-app health insights and AI coaching. We do not use it for cross-context behavioral advertising, profiling unrelated to the Services, or any purpose beyond what is described in this policy. We collect sensitive data only with your explicit consent and you may withdraw that consent at any time by disconnecting integrations or deleting your account.
We comply with applicable state biometric privacy laws, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act, and the Washington Biometric Identifier law. We do not sell biometric data, and we retain biometric data only for as long as your account is active or as required to fulfill the purpose for which it was collected.
7. Your Privacy Rights
7.1 Rights for All Users
Regardless of where you live, you can:
- Access and review the personal data we hold about you through the Settings screen
- Delete your AI memory items (individually or all at once)
- Disconnect any third-party health integration at any time
- Opt out of analytics data collection
- Customize your notification preferences and set quiet hours
- Request deletion of your account and all associated data
7.2 California Privacy Rights (CCPA/CPRA)
If you are a California resident, you additionally have the right to:
- Know: request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it
- Delete: request deletion of your personal information, subject to certain exceptions
- Correct: request correction of inaccurate personal information
- Data portability: receive your personal information in a structured, commonly used, machine-readable format
- Limit use of sensitive personal information: direct us to use your sensitive personal information only as necessary to provide the Services (this is already our default practice)
- Opt out of sale/sharing: we do not sell or share your data for cross-context behavioral advertising, but you may submit a request to confirm this
- Non-discrimination: we will not discriminate against you for exercising any of these rights
California residents under age 16: we do not knowingly sell or share the personal information of consumers under 16 years of age.
7.3 Additional State Privacy Rights
If you reside in Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, or another state with a comprehensive consumer privacy law, you may have similar rights, including the rights to access, correct, delete, and obtain a portable copy of your personal data, as well as the right to opt out of targeted advertising (which we do not engage in), the sale of personal data (which we do not do), and profiling in furtherance of decisions producing legal or similarly significant effects (which we do not perform).
7.4 How to Exercise Your Rights
To exercise any of these rights, contact us at support@zuralog.com. We will verify your identity before processing your request and will respond within 45 days as required by applicable law. If we need additional time, we will notify you of the extension and the reason.
7.5 Appeal Process
If we decline to take action on your privacy request, you may appeal our decision by emailing support@zuralog.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within 60 days. If you are not satisfied with our response to your appeal, you may contact your state's attorney general.
8. Global Privacy Control & Do Not Track
ZuraLog honors the Global Privacy Control (GPC) signal. If your browser or device sends a GPC signal, we will treat it as a valid opt-out request under applicable state privacy laws. We do not currently respond to "Do Not Track" (DNT) browser signals, as there is no uniform industry standard for DNT compliance.
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Services. Specific retention practices include:
- Account and profile data: retained until you delete your account
- Health and fitness data: retained until you delete your account or disconnect the relevant integration
- AI conversation history: retained until you delete individual conversations or your account
- AI memory and personalization: retained until you manually clear your AI memory or delete your account
- Usage analytics: retained in aggregated, de-identified form; individual-level analytics data is retained for up to 24 months
- Error and crash logs: retained for up to 90 days
You may request deletion of your account and all associated data at any time by contacting support@zuralog.com or through the Privacy & Data screen in Settings. We will process your request within 45 days.
10. De-Identified & Aggregated Data
We may create de-identified or aggregated data from the information we collect. This data cannot reasonably be used to identify you. We may use de-identified and aggregated data for research, product improvement, and analytics purposes. We commit to maintaining and using such data only in de-identified form and will not attempt to re-identify it.
11. Security
We employ industry-standard security measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security policies isolating each user's data in our database
- Per-user namespace isolation for AI memory and vector data
- OAuth 2.0 token management with automatic token refresh and secure storage for all third-party integrations
- Sensitive credentials (API tokens, authentication tokens) stored in encrypted secure storage on your device
- Strict access controls and regular security reviews
Given the sensitivity of health data, we apply heightened protections to biometric and wellness information. No system is 100% secure — if you believe your account has been compromised, contact us immediately at support@zuralog.com.
12. Cookies & Tracking Technologies
Our website uses cookies and similar technologies as described in our Cookie Policy. Our mobile application uses the following tracking technologies:
- PostHog SDK: product analytics (subject to your opt-out preference in Settings → Privacy & Data)
- Sentry SDK: error monitoring and crash reporting
- Firebase SDK: push notification delivery and device token management
We do not use tracking technologies for targeted advertising or cross-context behavioral profiling.
13. International Users
The Services are primarily designed for and directed to users in the United States. If you access the Services from outside the United States, please be aware that your data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Services, you consent to this transfer. We do not specifically target users in the European Economic Area (EEA), the United Kingdom, or other jurisdictions with comprehensive data protection frameworks (such as the GDPR), and we do not currently appoint an EU representative or conduct data protection impact assessments under the GDPR.
14. Children's Privacy
The Services are not directed to children under 13 (or under 16 in jurisdictions where applicable). We do not knowingly collect personal data from children under 13. We do not knowingly sell or share the personal information of consumers under 16 years of age. If we learn we have collected personal data from a child under 13, we will delete that data promptly. If you believe a child has provided us personal information, please contact us at support@zuralog.com.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was most recently revised. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.
16. Contact
Questions, concerns, or privacy requests? Reach us at support@zuralog.com. We take every inquiry seriously and aim to respond within 5 business days.