Legal

Privacy Policy

Last updated: March 2026

The short version

My Revelation analyses your health and fitness data to find personalised insights. As much as possible is processed on your device. Your data is never sold. You can delete everything at any time.

Who we are

My Revelation (“we”, “us”, “our”) is the data controller responsible for your personal data. If you have questions about how we handle your data, contact us at privacy@myrevelation.io.

What data we collect

Account information

When you sign up, we collect your email address and, if you choose to sign in with Google, your name and profile picture as provided by Google. We use this solely to identify your account.

Health and fitness data

You may connect data from Apple Health, Fitbit, Oura Ring, Whoop, or other wearable devices as they become available. This can include heart rate, heart rate variability, sleep duration and timing, workout sessions, steps, respiratory rate, body mass, and active energy. We only access data you explicitly choose to share.

Onboarding context

During setup, you provide information about your health goals, lifestyle, and priorities. This helps generate relevant, personalised Revelations.

Usage data

We collect basic analytics about how you interact with the app, such as pages visited and features used, to improve the service.

How we process your data

Client-side processing

Where possible, your health data is parsed and aggregated on your device before anything is sent to our servers. For example, Apple Health exports are processed entirely in your browser. Raw minute-by-minute data does not leave your device; only aggregated daily metrics are stored.

AI-generated insights

We use third-party AI services (currently Anthropic's Claude API) to analyse your aggregated metrics and generate your Revelation. The AI receives summarised data, not raw health exports. These AI providers process data under their own data processing agreements and do not use your data to train their models.

Third-party integrations

If you connect Oura Ring or WHOOP, we use OAuth to securely access your data from those services. We store access tokens to sync your data and never store your passwords for these services. You can disconnect at any time from the Integrations page, which revokes our access.

Why we process your data

We process your personal data on the following legal bases under GDPR:

Consent: You explicitly consent to the processing of your health data when you upload it or connect a wearable. Health data is a special category under GDPR and we only process it with your explicit consent. You can withdraw consent at any time.

Contract: Processing your account information and preferences is necessary to provide the service you signed up for.

Legitimate interest: We collect basic usage analytics to improve the product and fix issues.

Where your data is stored

Your account data and aggregated health metrics are stored in a Supabase-hosted database. The application is hosted on Vercel. Both services may process data outside the EEA, subject to appropriate safeguards (Standard Contractual Clauses). We do not store raw health exports on our servers.

Data sharing

We do not sell, rent, or trade your personal data. We share data only with the service providers necessary to operate the app (hosting, authentication, AI analysis), and only to the extent required. We will disclose data if required by law.

Data retention

We retain your data for as long as your account is active. If you delete your account, we will delete all associated personal data and health metrics within 30 days. Anonymised, aggregated data that cannot identify you may be retained for product improvement.

Your rights

Under GDPR (and the UK GDPR), you have the right to:

Access: Request a copy of the personal data we hold about you.

Rectification: Ask us to correct inaccurate data.

Erasure: Ask us to delete your data. You can also delete your account directly in the app.

Portability: Request your data in a machine-readable format.

Restrict processing: Ask us to limit how we use your data.

Withdraw consent: Withdraw your consent for health data processing at any time by disconnecting your data sources or deleting your account.

Complain: Lodge a complaint with your local data protection authority (the ICO in the UK, or Datatilsynet in Denmark).

To exercise any of these rights, email privacy@myrevelation.io.

Cookies

We use essential cookies to keep you signed in and maintain your session. We do not use advertising or third-party tracking cookies.

Children

My Revelation is not intended for use by anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify you via the app or by email. The “last updated” date at the top of this page reflects the most recent revision.

Contact

If you have any questions about this privacy policy or how we handle your data, contact us at privacy@myrevelation.io.