Privacy Policy

1. Who We Are

Responsible party / Data controller: FNC Labs (Pty) Ltd, a private company registered in the Republic of South Africa under CIPC registration number 2026/345752/07, with its registered office at 47 Barbarossa Rd, Sonstraal, Durbanville, 7550, South Africa.

Sole director: Florian Heinrich.

POPIA Information Officer: Florian Heinrich (head of the responsible party, in accordance with POPIA s55). The Information Officer can be reached at support@glpwise.com.

All user-facing correspondence — privacy queries, data-subject access requests, support and any other contact — is handled at the single mailbox support@glpwise.com. The app does not operate separate privacy@ or legal@ mailboxes.

2. Information We Collect

We try to keep the data we hold to the minimum needed to make the app useful. Concretely:

2.1 Account information. Username, email address (optional, used for password recovery), display name. Passwords are hashed with bcrypt and we never see or store the plaintext. If you sign in with Google or Apple, we receive your email, name and the provider's stable user ID instead of a password.

2.2 Health tracking data. Everything you log in the app: weight entries, GLP-1 injection events, dose amounts, side-effect notes, body measurements, food entries, water intake, exercise records and personal goals. This is stored locally first on your device. When you are signed in, an encrypted-in-transit copy is also synced to your account on our server so that you can use multiple devices and recover your data if you lose your phone. Progress photos are an exception: they live only on your device and are never uploaded.

2.3 Subscription information. Your current subscription tier (Free or Pro), the renewal or expiry date, and whether you are inside a free trial. We do not see, store or process card numbers, bank details or any other payment instrument. All purchases are handled by Apple App Store, Google Play Billing and our subscription processor RevenueCat.

2.4 AI feature data. When you use a Pro AI feature, the relevant input is sent to our AI provider (OpenAI) for one inference call:

• AI food photo analysis: a single meal photo is forwarded to OpenAI for nutritional estimation. We do not write the photo to disk or to our database, and OpenAI does not retain it for training under their published API data-usage policy.
• AI food search: the food name you typed plus your country (for retailer-aware results) is forwarded to OpenAI on a cache miss. The query result is cached on our servers, keyed on (query text, country), so the same query does not re-hit OpenAI later.
• AI meal suggestions: a short text payload describing your recent food log is forwarded to OpenAI to generate suggestions.

None of these AI flows include your email, name, device identifier or other directly identifying information.

2.5 Session data. A server-issued session cookie keeps you logged in. The cookie carries no personal data of its own — it is a random opaque identifier looked up server-side.

2.6 Server-side logs. Our backend writes short technical logs of each request (HTTP method, path, response code, response time). These logs are run through an automated redactor that scrubs email addresses and any request-body content before they hit log retention. We do not collect advertising IDs, device fingerprints or analytics events.

2.7 Crash reports. If the app crashes unexpectedly, a crash report is sent to our processor Sentry so we can fix the bug. A crash report contains: the exception type and message, an anonymised stack trace, the OS name and version, the app version, and the device model (e.g. "iPhone 15"). Before the report leaves your device we strip out: any logged-in user identifier, IP address, request bodies, cookies and authentication headers. We do not attach your name, email or health entries to crash reports. Crash reporting only runs in the published builds we ship to the App Store and Google Play, and only when our crash-reporting key is configured for that build — if the key is missing the crash reporter is silently disabled.

2.8 Google Health Connect (Android only, opt-in). On Android we offer an optional integration with Google Health Connect, the on-device health data store built into Android 14+ (or installable from the Play Store on Android 13). The integration is off by default and only activates after you turn it on under Profile → Google Health Connect and grant the permissions in the Health Connect permission sheet. While enabled, GLP Wise reads four record types from Health Connect — Weight, Hydration, Exercise sessions and Active calories burned (the active-calories reading is only used to enrich the calorie figure shown on a matched exercise session) — and writes back three record types when you log them in GLP Wise — Weight, Hydration and Exercise sessions — so that other apps you have authorised in Health Connect (e.g. a smart scale, a running app) stay in sync with your GLP Wise log. We do not write Active calories back to Health Connect; the matching write permission is therefore not requested. Health Connect data is exchanged directly between GLP Wise and the Health Connect app on your own device — it does not travel through our servers, our processors, OpenAI, Sentry or RevenueCat, and we keep no separate copy of your Health Connect dataset on our infrastructure beyond the normal cloud sync of the GLP Wise entries you create. You can revoke any granted permission at any time from Settings → Apps → Health Connect → App permissions → GLP Wise, or simply switch the toggle off in GLP Wise — switching off stops further reads and writes immediately. Health Connect is not available on iOS or on the web; on those platforms the integration is hidden.

3. How We Collect Information

• Directly from you: account details you enter, every health entry, photos you choose to take, your subscription choice, your country setting.
• Automatically from the app or device: the session cookie, request logs (described above), and the on-device AsyncStorage schema version that lets the app migrate its local database safely. The schema version is never transmitted to our server.
• From third parties: Google or Apple (your email, name and stable user ID) only if you choose to sign in with them; RevenueCat (your subscription tier and renewal date) when a purchase or renewal happens.

4. Why We Use Your Information (purposes)

• Account information → create your account, sign you in, recover your account, support correspondence.
• Health tracking data → show you your own progress, generate your weekly summary, render charts, run side-effect pattern correlation, and (for Pro users) generate your Doctor Report PDF.
• Subscription information → gate Pro features, show your renewal date, restore purchases.
• AI feature data → answer the specific AI request you made (a food estimate, a search result, a meal suggestion).
• Session data → keep you logged in across requests.
• Server-side logs → diagnose errors, monitor uptime, prevent abuse.

We do not sell, rent or share your personal data with any party for advertising, profiling or marketing. We do not use your health data to train AI models.

5. Legal Basis for Processing

Under POPIA (s11) and GDPR (Art. 6 / Art. 9 for special-category data) we rely on the following grounds:

• Health data → your explicit consent, given in the in-app POPIA notice on first launch and renewable by uninstalling or by deleting your account.
• Account & subscription data → performance of a contract with you (we cannot give you the service without these).
• AI request payloads → your explicit consent, given each time you choose to use a Pro AI feature.
• Session cookies and request logs → our legitimate interest in keeping the service secure, available and free of abuse, balanced against your privacy by aggressive log redaction and short retention.

6. Third Parties We Share Data With

We use a small number of carefully chosen processors. For each one we link to their own privacy policy.

• OpenAI — AI inference for food photo analysis, food search and meal suggestions. Receives only the specific input for one call. Contractually prohibited from training on API traffic. openai.com/policies/privacy-policy.
• RevenueCat — subscription management and receipt validation. Receives your app user ID and the receipts issued by Apple / Google. Never sees your health data. revenuecat.com/privacy.
• Apple App Store / Google Play Billing — payment processing. They receive payment data directly from you; we never see card details. Apple privacy · Google privacy.
• Google Sign-In / Apple Sign-In — only if you choose social sign-in. We receive your email, name and the provider's stable user ID. Google privacy · Apple privacy.
• Cloud database hosting — our PostgreSQL database and application server are hosted by Replit on infrastructure typically located in the United States. replit.com/site/privacy.
• Sentry — crash reporting only. Receives the scrubbed crash report described in section 2.7 (exception, stack trace, OS version, app version, device model) and never receives your name, email or health entries. Sentry acts as our service-provider for diagnosing app failures and is contractually prohibited from using the data for any other purpose. sentry.io/privacy.

7. Cross-Border Data Transfers

You are most likely a South African user, and POPIA section 72 applies. Some of the processors above are located outside South Africa — primarily in the United States (OpenAI, RevenueCat, Replit hosting) and the European Union (Apple). When your data leaves South Africa it is transferred on the following bases:

• Your explicit consent at first launch (the in-app POPIA notice) and at the moment of using any AI feature.
• Each recipient is bound by a privacy framework that POPIA recognises as offering an adequate level of protection (linked above).

If you are a GDPR user, the equivalent Article 49(1)(a) consent basis applies for the same transfers.

8. Data Storage & Security

In transit: all client-to-server and server-to-third-party traffic uses HTTPS (TLS 1.2 or higher). Session cookies are issued with the Secure and HttpOnly flags in production.

At rest: our PostgreSQL database is encrypted at rest by the hosting provider. Account passwords are hashed with bcrypt. Local on-device data is held in the platform's encrypted application sandbox (iOS Keychain-protected app container, Android internal app storage).

Access controls: server-side access to the production database is restricted to authenticated administrators. Each API request is checked against a per-route auth middleware and rate limiter. We never log request bodies; an automated redactor scrubs email addresses and JSON payloads from error logs.

Honest limit: no system is perfectly secure. If a breach affects your personal information we will notify you and the South African Information Regulator without undue delay, as required by POPIA section 22.

9. Your Rights

Under POPIA and (where applicable) GDPR you have the right to:

• Access the personal information we hold about you.
• Correct information that is inaccurate or out of date — you can edit your profile and entries directly in the app.
• Delete your account and all associated server-side data. Use Profile → Settings → Delete Account in the app, or email us at support@glpwise.com.
• Export a copy of your data (Pro users can do this in-app via Data Export; free users can request an export by email).
• Withdraw consent for any processing based on consent. Withdrawing consent for health-data sync means switching to local-only mode by signing out, or by deleting your account.
• Lodge a complaint. In South Africa, the supervisory authority is the Information Regulator: inforegulator.org.za, complaints address POPIAComplaints@inforegulator.org.za. EU/UK users can complain to their local data protection authority.

10. Data Retention

• Local health data and progress photos: kept on your device until you delete the entry, sign out, or uninstall the app.
• Synced health data on our server: kept for as long as your account exists. Removed on account deletion (cascade delete — usually within seconds, in any case within 30 days).
• Account data: kept until you delete your account.
• Subscription records: kept while the subscription is active and for up to 7 years after cancellation, as required by South African tax record-keeping law.
• Food search cache: retained for up to 90 days, then pruned.
• AI usage counters: only the monthly count per user is kept, pruned on a rolling 12-month window.
• Session cookies: expire after 30 days of inactivity.
• Server logs: rotated after 14 days.

11. Children's Privacy

GLP Wise is intended exclusively for adults aged 18 and over. GLP-1 medications are prescription drugs intended for adult patients, and the app's safety, dosing and side-effect content is written for an adult audience. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, please email support@glpwise.com and we will delete the account.

12. Changes to This Policy

We may update this policy as the app evolves or as the law changes. The "Effective date" at the top of this page reflects the most recent version. If a change materially affects how we use your data we will notify you in-app on next launch and, where you have a verified email, by email.

13. Contact Us

All correspondence is handled at the single mailbox: support@glpwise.com.

Postal address (same as the registered office in section 1): FNC Labs (Pty) Ltd 47 Barbarossa Rd Sonstraal Durbanville, 7550 South Africa