Privacy Policy

Olana collects health and fitness data from your connected wearable devices (Apple Watch, Whoop, Oura, Fitbit, etc.) via Apple HealthKit, Google Health Connect, or direct API integrations. This includes:

• Heart rate, resting heart rate, and heart rate variability (HRV)
• Sleep duration and sleep stage data
• Steps, calories burned, and workout data
• Blood oxygen (SpO2) and respiratory rate
• Weight and body composition
• Substance logs you manually enter (coffee, water, alcohol)
• Meal logs, photos, and voice descriptions you voluntarily submit

We also collect your email address or phone number for authentication, and basic device information (platform, app version) for troubleshooting. Voice recordings for meal logging are processed on-device and are not stored — only the transcribed text is sent to our AI service.

• AI Health Insights: Your health data is sent to our AI service to generate personalized briefings, answer your questions, and provide contextual explanations of your metrics.
• Dashboard & Trends: We display your data back to you in charts, summaries, and daily briefings.
• Push Notifications: If enabled, we use your data to send morning briefings and contextual reminders.
• Service Improvement: Aggregated, anonymized usage statistics help us improve the app. We never sell individual health data.

When you interact with Olana's AI features (chat, explain, morning briefing), your health data is sent to third-party AI providers (currently OpenAI and/or Anthropic) to generate responses. These providers:

• Process data only to generate your response
• Do not use your data to train their models (per their API terms)
• Do not store your data beyond the request lifecycle

If you use the BYOK (Bring Your Own Key) feature, your data is sent to whichever AI provider you configure. Olana is not responsible for third-party data handling in BYOK mode.

Your data is stored in Supabase (PostgreSQL) with row-level security enabled. Each user can only access their own data. All data is encrypted in transit (TLS 1.3) and at rest (AES-256).

Authentication tokens and sensitive credentials are stored using platform-native secure storage (iOS Keychain / Android Keystore).

We do not sell, rent, or share your personal health data with third parties, except:

• AI providers (as described in Section 3) to generate your insights
• Firebase Cloud Messaging (Google) to deliver push notifications (device token only, no health data)
• When required by law or valid legal process

You can:

• Export your data at any time from Settings
• Delete your account and all associated data from Settings
• Revoke health permissions via your device's system settings
• Disable notifications at any time

Account deletion is permanent and removes all your data from our servers within 30 days.

Olana reads health data from Apple HealthKit (iOS) and Google Health Connect (Android) with your explicit permission. We never write data to these platforms. Data obtained from HealthKit and Health Connect is not used for advertising, marketing, or data-brokering purposes, in compliance with Apple and Google policies.

On Android, Olana may also read Health Connect data while the app is in the background (with your separate, explicit permission). This is used to keep your dashboard and weekly trends up to date and to process inferred sleep windows that finish while the app is closed. You can revoke background access at any time from your device's Health Connect settings without losing the rest of the app.

Olana is not intended for users under 16 years of age. We do not knowingly collect data from children.

We may update this policy from time to time. Significant changes will be communicated via in-app notification. Continued use of Olana after changes constitutes acceptance.

Questions about this policy? Contact us at privacy@getolana.com