Legal
Privacy Policy
Last updated: 20 April 2026
The short version
My Revelation analyses your health and fitness data to find personalised insights. As much as possible is processed on your device. Your data is never sold. You can delete everything at any time.
Who we are
My Revelation (“we”, “us”, “our”) is the data controller responsible for your personal data. If you have questions about how we handle your data, contact us at privacy@myrevelation.io.
What data we collect
Account information
When you sign up, we collect your email address and, if you choose to sign in with Google, your name and profile picture as provided by Google. We use this solely to identify your account.
Health and fitness data
You may connect data from Apple Health (via Apple's HealthKit framework on iOS), Fitbit, Oura Ring, WHOOP, or other wearable devices as they become available. This can include heart rate, heart rate variability, resting heart rate, VO2 max, sleep duration and timing, workout sessions, active energy, steps, respiratory rate, and body mass. We only access data you explicitly choose to share.
Onboarding context
During setup, you provide information about your health goals, lifestyle, and priorities. This helps generate relevant, personalised Revelations.
Usage data
We collect basic analytics about how you interact with the app, such as pages visited and features used, to improve the service.
How we process your data
Client-side processing
Where possible, your health data is parsed and aggregated on your device before anything is sent to our servers. On iOS, data from HealthKit is read locally, aggregated into daily metrics, and only those aggregates are transmitted. On the web, Apple Health exports are processed entirely in your browser. In both cases, raw minute-by-minute data does not leave your device — only aggregated daily metrics are stored.
AI-generated insights
We use third-party AI services (currently Anthropic's Claude API) to analyse your aggregated metrics and generate your Revelation. The AI receives summarised data — not raw health exports. These AI providers process data under their own data processing agreements and do not use your data to train their models.
Third-party integrations
If you connect Oura Ring, WHOOP, or Fitbit, we use OAuth to securely access your data from those services. We store access tokens to sync your data and never store your passwords for these services. You can disconnect at any time from the Integrations page, which revokes our access.
Apple HealthKit
On iOS, My Revelation reads health data directly from Apple's HealthKit framework. HealthKit data is stored on your device and is only accessed with your explicit permission, which you grant through a standard iOS system prompt the first time you connect the app to Apple Health. You can choose which categories of data to share and which to withhold.
What we read
We read the following HealthKit data types: heart rate, heart rate variability, resting heart rate, VO2 max, sleep analysis, workout sessions, active energy, steps, respiratory rate, and body mass. We read this data when you open the app or trigger a sync. We do not read any HealthKit data types you have not authorised.
How we use it
HealthKit data is processed on your iPhone to compute aggregated daily metrics — for example, average heart rate, total sleep duration, and workout zone distribution. Only these aggregated values are sent to our servers. Raw minute-by-minute heart rate samples and similar granular data do not leave your device. Aggregated metrics are then used to generate your Revelation, following the processing described elsewhere in this policy.
What we do not do with HealthKit data
We do not use HealthKit data for advertising, marketing, or data mining. We do not share HealthKit data with advertising platforms, analytics services, data brokers, or information resellers. We never sell HealthKit data. HealthKit data is only shared with the sub-processors listed below, and only to the extent necessary to provide the health and fitness service you signed up for.
How to revoke access
You can revoke our access to HealthKit at any time through iOS Settings > Privacy & Security > Health > My Revelation. Revoking access prevents new data from being read, but does not automatically delete aggregated metrics already stored on our servers. To delete those, delete your account through the app — this removes all associated personal data and health metrics within 30 days.
Why we process your data
We process your personal data on the following legal bases under GDPR:
Consent — You explicitly consent to the processing of your health data when you upload it or connect a wearable. Health data is a special category under GDPR and we only process it with your explicit consent. You can withdraw consent at any time.
Contract — Processing your account information and preferences is necessary to provide the service you signed up for.
Legitimate interest — We collect basic usage analytics to improve the product and fix issues.
Where your data is stored
Your account data and aggregated health metrics are stored in a Supabase-hosted database (EU — Ireland). The application is hosted on Vercel (EU — Dublin, with global edge CDN). AI analysis is processed by Anthropic's Claude API (US). We do not store raw health exports on our servers.
These services may process data outside your home country. For transfers from the EEA or UK, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers from other jurisdictions, we ensure that appropriate safeguards are in place as required by local law.
By using My Revelation, you acknowledge that your data may be transferred to and processed in the United States and other countries where our service providers operate.
Security
All data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted to authorised team members using multi-factor authentication. We use Supabase's row-level security to isolate user data — one user cannot access another's records. Health data processing happens client-side where possible, reducing the amount of sensitive data that ever reaches our servers. We review our security practices regularly and will update them as the product scales.
Data sharing
We do not sell, rent, or trade your personal data. We share data only with the service providers necessary to operate the app (hosting, authentication, AI analysis), and only to the extent required. We will disclose data if required by law.
Sub-processors
We use the following third-party services to operate My Revelation. Each processes data under a Data Processing Agreement and only to the extent necessary to provide their service.
| Service | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (AWS — Ireland) |
| Vercel | Application hosting | EU (Dublin/Edge) |
| Anthropic | AI analysis (Claude API) | US |
| OAuth sign-in | US | |
| SendGrid (Twilio) | Transactional email and OTP delivery | US |
| Drip | Marketing email | US |
| Resend | Contact form email | US |
| Oura | Wearable data sync (if connected) | US/EU |
| WHOOP | Wearable data sync (if connected) | US |
| Fitbit (Google) | Wearable data sync (if connected) | US |
We will update this list if we add new sub-processors. If a change materially affects how your data is processed, we will notify you in advance.
Data retention
We retain your data for as long as your account is active. If you delete your account, we will delete all associated personal data and health metrics within 30 days.
Anonymised and aggregate data
We may create anonymised, aggregate datasets from user data to improve the product — for example, understanding which types of insights are most useful across different activity profiles. This data is stripped of all identifying information using irreversible aggregation (no individual user can be re-identified from it). We will never create aggregate datasets from your health data without first obtaining your consent during onboarding. You can withdraw this consent at any time without affecting your access to the service.
Breach notification
If we become aware of a data breach that affects your personal data, we will notify the relevant supervisory authority within 72 hours where required by law. If the breach poses a high risk to your rights, we will notify you directly without undue delay via the email address associated with your account. We will tell you what happened, what data was affected, and what we're doing about it.
Your rights
Everyone
Regardless of where you live, you can:
Access — Request a copy of what we hold.
Delete — Delete your account in the app, or email us. We will remove all associated personal data within 30 days.
Withdraw consent — Disconnect your data sources or delete your account at any time.
European Economic Area and United Kingdom (GDPR)
If you're in the EEA or UK, you also have the right to:
Rectification — Ask us to correct inaccurate data.
Portability — Request your data in a machine-readable format.
Restrict processing — Ask us to limit how we use your data.
Object — Object to processing based on legitimate interest.
Complain — Lodge a complaint with your local supervisory authority. In the UK, that's the ICO (ico.org.uk). In Denmark, that's Datatilsynet (datatilsynet.dk).
California (CCPA/CPRA)
If you're a California resident, you have additional rights under the California Consumer Privacy Act and its amendments:
Right to know — You can request the categories and specific pieces of personal information we've collected about you, the sources, the business purpose, and the categories of third parties we've shared it with.
Right to delete — You can request deletion of your personal information, subject to certain exceptions.
Right to opt out of sale or sharing — We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. There is nothing to opt out of, but we state it here because the law requires us to.
No discrimination — We will not treat you differently for exercising your CCPA rights.
Under CCPA, health data is classified as “sensitive personal information.” We only process it with your explicit consent, and only to provide the service you signed up for.
Other jurisdictions
If your local data protection laws grant you rights beyond what's listed above, we will honour them. This includes rights under Brazil's LGPD, Canada's PIPEDA, South Africa's POPIA, Australia's Privacy Act, and other applicable frameworks. Contact us at privacy@myrevelation.io and we will respond within the timeframe required by your local law.
To exercise any of these rights, email privacy@myrevelation.io.
Cookies
We use essential cookies only:
Authentication cookies — Supabase sets cookies (prefixed sb-) to maintain your login state. An access token refreshes automatically in the background. Your session persists until you sign out.
We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individual users. If we introduce any non-essential cookies in future, we will ask for your consent first.
Children
My Revelation is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. In the United States, this is consistent with the Children's Online Privacy Protection Act (COPPA), which applies to children under 13 — our threshold is higher. If you believe a child has provided us with personal data, contact us at privacy@myrevelation.io and we will delete it promptly.
Not a medical service
My Revelation is a wellness product, not a medical device or healthcare service. The insights we generate are based on consumer wearable data and should not be used to diagnose, treat, or prevent any medical condition. Always consult a qualified healthcare professional before making changes to your health routine based on our output.
My Revelation is not subject to HIPAA (the US Health Insurance Portability and Accountability Act) because we are not a healthcare provider, health plan, or healthcare clearinghouse. We handle your health data with care, but under data protection law — not healthcare regulation.
Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you via the app or by email. The “last updated” date at the top of this page reflects the most recent revision.
Contact
If you have any questions about this privacy policy or how we handle your data, contact us at privacy@myrevelation.io.