Gradual
Privacy Policy
Last updated: February 26, 2025
1. Overview
Gradual ("the App") is built with a privacy-first approach. Your health data is stored securely on your device and synced via Apple's iCloud service using CloudKit. Your data is never stored on Lawton Labs servers. Certain features involve third-party services as described below.
2. Data We Collect
The App collects and stores the following data locally on your device:
- Profile information — Your name and preferences entered during onboarding.
- Health metrics — Data from Apple HealthKit (steps, heart rate, HRV, sleep, VO2max, and other metrics) with your explicit permission.
- Activity data — Workout and activity information from Strava.
- Lab results — Biomarker values extracted from lab reports you import.
- Supplement protocols — Supplements, dosages, and adherence logs you create.
- Mood check-ins — Daily mood and stress ratings you record.
All of the above is encrypted on-device and synced securely via Apple iCloud (CloudKit). Your data is stored in your personal iCloud account and is never stored on Lawton Labs servers.
3. Data Shared with Third Parties
OpenAI (Lab Report Processing)
When you use the lab import feature and choose AI parsing, your lab report PDF is sent to OpenAI's API for AI-powered biomarker extraction. This means:
- Your lab report PDF — which may include your name, biomarker values, reference ranges, lab name, and test dates — is transmitted to OpenAI's servers for processing.
- OpenAI processes this data according to the OpenAI API Terms of Use and Privacy Policy.
- Under OpenAI's API data usage policy, data sent via the API is not used to train OpenAI's models.
- The data is transmitted over an encrypted HTTPS connection.
- No device identifiers or personal information beyond the report content are transmitted.
- If the AI parser fails, the App falls back to a fully local regex-based parser that does not transmit any data.
You can avoid sharing lab data with OpenAI by not using the PDF lab import feature. The "Paste Results" option uses an on-device parser that does not transmit any data.
4. Apple HealthKit Data
Health data accessed through Apple HealthKit is handled according to Apple's HealthKit guidelines:
- Data is only accessed after you grant explicit permission.
- HealthKit data is read-only — the App does not write data to HealthKit.
- HealthKit data is synced via your personal iCloud account using Apple's CloudKit. This data is stored in your private iCloud container and is never stored on Lawton Labs servers or transmitted to third parties.
- HealthKit data is never used for advertising or marketing purposes.
5. Strava Integration
When you connect your Strava account:
- Authentication uses OAuth 2.0 with PKCE — the App never sees or stores your Strava password.
- Only activity data (type, duration, distance, heart rate) is retrieved from Strava's API.
- Retrieved activity data is cached locally on your device.
- You can disconnect Strava at any time from the Profile screen.
6. Data Storage and Security
- Sensitive data (API keys, tokens, health data) is stored using expo-secure-store, which uses the iOS Keychain for encrypted storage.
- Health metrics stored in SQLite are encrypted with application-layer AES-256-GCM. The encryption key is stored in the iOS Keychain.
- Your data syncs to your personal iCloud account via Apple's CloudKit. This data is stored in a private CloudKit container accessible only to you. No health data is stored on servers operated by Lawton Labs.
- Data export is available in JSON format from the Profile screen.
7. Data Retention and Deletion
- All data is stored on your device and synced to your personal iCloud account. Data persists until you delete it.
- You can delete all data at any time using the "Delete All Data" option on the Profile screen. This removes data from your device and iCloud.
- Uninstalling the App removes all locally stored data. Data in your iCloud account may persist until deleted via the App or iCloud settings.
- Data sent to OpenAI for lab parsing is processed transiently and is not retained by OpenAI for model training purposes, per OpenAI's API data usage policies.
8. Children's Privacy
The App is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13.
9. Analytics and Error Tracking
The App uses the following services for analytics and error tracking:
- Amplitude — Anonymous usage analytics to help us understand how features are used and improve the App. No health data or personally identifiable information is sent to Amplitude.
- Sentry — Crash and error reporting to help us identify and fix bugs. Error reports may include device type, OS version, and stack traces, but do not include your health data.
Neither service receives your health data, biomarkers, or personally identifiable health information.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App. Continued use of the App after changes constitutes acceptance of the updated policy.
11. Your Rights
You have the right to:
- Access all your data stored in the App.
- Export your data in a portable format (JSON).
- Delete all your data at any time.
- Disconnect any third-party service at any time.
- Choose not to use features that involve third-party data processing (lab import).