
Privacy Policy

Last updated: 2026-04-26 · Effective: 2026-04-26
Questions or requests: privacy@mygut.coach

1. About this Policy

This Privacy Policy ("Policy") explains how MyGut.Coach ("MyGut", "we", "us", "our") collects, uses, discloses, retains, and otherwise processes Personal Data when you (the "User", "you") access or use the MyGut.Coach website, web application, progressive web app, APIs, and related services (collectively, the "Service"). This Policy also forms part of, and is incorporated by reference into, our Terms of Service.

By creating an account, accessing, or using the Service, you acknowledge that you have read and understood this Policy and, where applicable, you consent to the processing of your Personal Data — including Special Category Personal Data (health data) — as described below. Where consent is the legal basis for a given processing activity, you may withdraw it at any time, subject to the limitations set out in Section 12.

2. Data Controller

For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended ("CCPA/CPRA"), and other applicable data protection laws, the data controller is the operator of MyGut.Coach. Contact details are provided in Section 17.

3. Categories of Personal Data we collect

We collect the following categories of Personal Data, directly from you, automatically through your use of the Service, or from third parties you authorise to share data with us:

  • Account & identification data — email address, display name, password (stored only as a salted PBKDF2-SHA256 hash), avatar image, account role, account creation and modification timestamps.
  • Profile data — date of birth, biological sex, height, weight, allergies, dietary restrictions, goals, free-text notes, and any other information you choose to provide.
  • Special Category Personal Data (health data) — meals, food photographs, habit logs, sleep records, heart-rate variability, recovery and readiness scores, workout records, blood test results, laboratory PDFs, raw genetic data uploads (e.g., 23andMe / AncestryDNA), and clinical observations or notes attached by linked practitioners.
  • Connected-account data — when you authorise a connection to a third-party wearable, fitness, or health platform (including but not limited to Whoop, Oura, Fitbit, Garmin, Polar, Suunto, Strava, Ultrahuman, Apple Health, and Google Health Connect), we receive OAuth access and refresh tokens, the third party's user identifier, and the data fields permitted by the scopes you authorise.
  • Usage & technical data — IP address, user-agent string, device and browser metadata, session cookies, pages visited, features used, request timestamps, error reports, and aggregate usage counters.
  • Communications — the contents of any email, support ticket, in-app message, or other correspondence you send to us, including attachments.
  • Audit metadata — administrative actions, AI inference invocations, version history of ledger entries, login attempts, and other forensic records generated by the Service.

4. Legal bases for processing

We process your Personal Data on one or more of the following legal bases (Articles 6 and 9 GDPR):

  • Contract (Art. 6(1)(b)) — to provide and operate the Service you have requested, fulfil our obligations to you, and enable account features.
  • Consent (Art. 6(1)(a) and Art. 9(2)(a)) — for the processing of Special Category Personal Data (your health data), AI photo inference, marketing communications, and any other activity for which we expressly request your consent. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate interests (Art. 6(1)(f)) — to operate, maintain, secure, debug, defend, develop, improve, and commercialise the Service; to prevent fraud, abuse, and unauthorised access; to enforce our Terms; to evaluate product performance; to derive aggregated and de-identified insights; and to pursue and defend legal claims. We have considered our legitimate interests and concluded they are not overridden by your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, anti-money-laundering, court orders, and other legal requirements.
  • Vital interests (Art. 6(1)(d) and Art. 9(2)(c)) — where processing is necessary to protect your life or that of another person, including in medical emergencies surfaced through the Service.
  • Public health and preventive medicine (Art. 9(2)(h) and (i)) — where applicable to coaching, preventive health, and the management of health services rendered by linked practitioners.

5. Purposes of processing

We use Personal Data for the following purposes, which we consider broad and may evolve as the Service develops:

  • creating, authenticating, and securing your account;
  • delivering core features (food logging, habit tracking, lab uploads, wearable sync, doctor collaboration, AI photo inference);
  • providing customer support and responding to your enquiries;
  • operating, maintaining, monitoring, debugging, securing, and continuously improving the Service, including its underlying infrastructure, models, prompts, and algorithms;
  • developing new products, features, and integrations;
  • generating aggregated, statistical, and de-identified data for any purpose, including commercial purposes (see Section 9);
  • preventing, detecting, and responding to fraud, abuse, security incidents, harmful behaviour, and violations of our Terms;
  • complying with applicable law, court orders, regulatory requests, and lawful requests by authorities;
  • establishing, exercising, or defending legal claims;
  • negotiating, evaluating, or completing any actual or contemplated merger, acquisition, financing, reorganisation, asset sale, or similar corporate transaction;
  • sending operational, transactional, and (with your consent or as permitted by law) marketing communications.

6. AI-assisted features

Certain features rely on third-party artificial intelligence services. Today this includes Google Gemini for inferring nutritional information from meal photographs you submit. When you invoke such a feature:

  • your submission (e.g., a resized photo with EXIF stripped on-device) and a model prompt are transmitted to the third-party AI provider;
  • the provider returns a structured response which we store in our ledger together with model identifier, prompt version, cost, and timestamps;
  • per the providers' published policies for paid API tiers, your inputs and outputs are not used to train their general-purpose models, although providers may retain content for limited abuse-monitoring periods;
  • you may disable AI inference in Profile → Privacy; manual logging remains available.

We may add, replace, or supplement AI providers in the future and will update this Policy or the in-app disclosure accordingly.

7. Connected wearables and third-party platforms

If you connect a third-party platform (such as Whoop, Oura, Fitbit, Garmin, Polar, Suunto, Strava, Ultrahuman, Apple Health, or Google Health Connect), MyGut acts as a controller for the data ingested into the Service and the third party remains controller for the data within its own platform. The connection is governed by the third party's privacy policy and your authorisation scopes. You may revoke the connection at any time in Profile → Connected accounts; revocation stops future synchronisation but does not, by itself, delete data already synced into the Service (see Section 11).

8. Sub-processors and recipients

We disclose Personal Data to the following categories of recipients, each of whom is contractually bound to confidentiality and to processing the data only on our instructions and in accordance with applicable law:

  • Cloud infrastructure — Cloudflare, Inc. (Workers, Pages, D1, R2, KV, Tunnel, Access);
  • AI inference — Google LLC (Gemini API) and any successor or supplementary providers we may engage;
  • Email delivery — Resend, Inc. or comparable transactional-email providers;
  • Wearable / health-data integrations — third-party platforms you authorise (see Section 7);
  • Practitioners you link — registered doctors and clinicians whom you actively connect to your account;
  • Professional advisers — auditors, lawyers, accountants, insurers, and similar advisers, where reasonably necessary;
  • Authorities — law-enforcement, courts, and regulators where compelled or reasonably necessary;
  • Successors — any acquirer, investor, lender, or successor entity in connection with a corporate transaction described in Section 5.

We may engage additional sub-processors as the Service evolves. A current list is maintained at /legal/subprocessors (or available on request) and we will use commercially reasonable efforts to keep it up to date. We do not sell Personal Data within the meaning of the CCPA/CPRA, and we do not engage in cross-context behavioural advertising.

9. Aggregated and de-identified data

We may aggregate, anonymise, or de-identify Personal Data such that it can no longer reasonably be linked to you or any identifiable individual. We may use, retain, share, license, and commercialise such aggregated and de-identified data indefinitely and for any purpose, including research, benchmarking, product development, scientific publication, partnerships, and commercial offerings, without further notice to you. Such data is no longer Personal Data and is not subject to the rights described in Section 12.

10. International transfers

The Service is provided from infrastructure that may process or store data in the European Economic Area, the United Kingdom, the United States, and other jurisdictions where our sub-processors operate. Where Personal Data is transferred outside the EEA or UK to a country not covered by an adequacy decision, such transfers are made under the European Commission's Standard Contractual Clauses (2021), the UK International Data Transfer Addendum, or another lawful transfer mechanism, supplemented by additional safeguards where necessary.

11. Retention

We retain Personal Data for as long as your account is active and thereafter for the periods described below, except where a longer period is required or permitted by law:

  • Account, profile, and ledger data — for the duration of your account and for up to seven (7) years after closure or last activity, to satisfy clinical record-keeping expectations, professional liability, audit, accounting, and statutory limitation periods.
  • Backups and disaster-recovery copies — up to thirty-six (36) months on rolling cycles; deletion requests are honoured in primary systems first and propagated to backups in the ordinary course of overwriting.
  • Audit logs and security telemetry — up to seven (7) years.
  • Aggregated and de-identified data — indefinitely, as described in Section 9.
  • Communications and support records — up to five (5) years after the last interaction.

We may retain Personal Data for longer where reasonably necessary to (i) comply with legal, regulatory, tax, or accounting obligations; (ii) establish, exercise, or defend legal claims; (iii) prevent fraud or abuse; or (iv) enforce our Terms. Following expiry of the applicable retention period, we will delete or anonymise the relevant Personal Data within a reasonable time consistent with the operation of our systems.

12. Your rights

Subject to applicable law and the limitations and exemptions set out in the GDPR, UK GDPR, CCPA/CPRA, and other relevant laws, you may have the following rights with respect to your Personal Data:

  • Access — to request confirmation as to whether we process your Personal Data and a copy thereof;
  • Rectification — to request correction of inaccurate or incomplete data;
  • Erasure — to request deletion of your Personal Data, subject to retention obligations and exemptions;
  • Restriction — to request that processing be restricted in specified circumstances;
  • Portability — to receive certain data in a structured, commonly used, machine-readable format;
  • Objection — to object to processing based on legitimate interests, including profiling, on grounds relating to your particular situation;
  • Withdrawal of consent — where processing is based on consent;
  • Non-discrimination (CCPA/CPRA) — we will not discriminate against you for exercising your rights;
  • Complaint — you may lodge a complaint with your local supervisory authority.

To exercise any right, write to privacy@mygut.coach. We will respond within the periods required by applicable law (typically thirty (30) days, extendable by a further sixty (60) days where requests are complex or numerous). We may need to verify your identity and may decline or limit a request where an exemption applies, where retention is required by law, where compliance would adversely affect the rights of others, or where the request is manifestly unfounded or excessive. In such cases we will explain our reasoning.

13. Children

The Service is not directed at, and we do not knowingly process Personal Data of, individuals under the age of sixteen (16). If you believe a child has provided us with Personal Data without parental authorisation, please contact us and we will take reasonable steps to delete it.

14. Security

We implement administrative, technical, and organisational safeguards appropriate to the nature of the Personal Data, including encryption in transit (TLS 1.2+) and at rest (provider-managed), salted password hashing (PBKDF2-SHA256), least-privilege access controls, audit logging, and a documented incident-response process. Notwithstanding the foregoing, no system is perfectly secure, and we do not warrant that the Service will be free from unauthorised access. You are responsible for maintaining the confidentiality of your login credentials and for any activity under your account.

15. Cookies and similar technologies

We use a single first-party session cookie (mgc_session; HttpOnly, Secure, SameSite=Strict) to keep you signed in, and minimal first-party storage for application state. We do not use third-party advertising, analytics, or behavioural-tracking cookies. Where required by applicable law (including the EU ePrivacy Directive as transposed locally), we will obtain consent before placing any non-essential cookie.

16. Changes to this Policy

We may amend this Policy from time to time. Where changes are material, we will notify you in-app or by email at least fourteen (14) days before they take effect. Where changes are immaterial — including clarifications, typographical corrections, sub-processor list updates, or changes required to comply with law — we may make them with effect from posting. The "Last updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Service following the effective date of any change constitutes acceptance of the revised Policy.

17. Contact and complaints

For privacy enquiries, requests, or complaints, contact: privacy@mygut.coach.

If you are located in the EEA, the United Kingdom, or another jurisdiction with a data protection supervisory authority, you have the right to lodge a complaint with that authority. We would, however, appreciate the opportunity to address your concerns first.

18. Governing law

This Policy and any non-contractual obligations arising out of or in connection with it are governed by, and construed in accordance with, the laws of the jurisdiction in which the data controller is established, without prejudice to mandatory consumer-protection provisions of your country of residence and to your statutory rights under the GDPR, UK GDPR, CCPA/CPRA, and other applicable data protection laws.