Skip to content
Being Optimal
Trust CenterPrivacyTermsPlans

Legal / Privacy Policy

Privacy Policy

Version 1.0.0-draft · Effective 2026-07-13 · Operator [PENDING: LEGAL_ENTITY_NAME]

Operator draft — not legal advice; counsel review required before relying on this text.

At a glance

  • We process pregnancy and health data you provide (LMP/EDD, DOB, ethnicity where collected, weight, labs, symptoms, meals) to run the planner — under an explicit consent posture for special-category data.
  • The AI assistant may send health-related context to AI Model Providers and stores conversations in our database.
  • Data is processed primarily in the United States with global edge delivery; see regional annexes (GDPR / UK / CCPA / APAC).
  • Help Center search runs in your browser and does not leave your device — that promise does not apply to the AI assistant or cloud sync.
  • We do not use third-party ads, session replay, or marketing analytics pixels. First-party catalog analytics is consent-gated. Our Hosting Provider may process limited page-view telemetry when platform analytics is enabled.
  • Account deletion and export have honest caveats (forum anonymization, some table lag, partial export). Contact [email protected] for help.

The full terms below control.

Contents

  1. 1. Who we are
  2. 2. Scope
  3. 3. Special-category health data (read this first)
  4. 3.1 What we mean
  5. 3.2 Legal basis posture (EEA/UK and similar)
  6. 3.3 Your control
  7. 4. Personal Data we collect (inventory)
  8. 4.1 Data you provide
  9. 4.2 Data collected automatically
  10. 4.3 Data from providers
  11. 4.4 Data we do
  12. 4.5 Children’s data
  13. 5. How we use Personal Data (purposes)
  14. 6. Legal bases (summary table)
  15. 7. AI assistant data flows (important)
  16. 7.1 What happens when you chat
  17. 7.2 International transfer
  18. 7.3 Retention of AI data
  19. 7.4 Not the same as Help search
  20. 7.5 Automated outputs
  21. 8. Location / reverse geocoding
  22. 8.1 Accurate claim: we do not
  23. 8.2 Transmission disclosure
  24. 8.3 Edge geo signals
  25. 9. Sharing and sub-processors
  26. 9.1 Role-based processors
  27. 9.2 Community SSO scope
  28. 9.3 Other disclosures
  29. 9.4 What we do
  30. 9.5 Nutrient Data Source
  31. 10. International transfers
  32. 10.1 US-skewed infrastructure
  33. 10.2 Safeguards
  34. 10.3 Your responsibility
  35. 11. Retention
  36. 12. Your rights
  37. 12.1 Account deletion mechanism (current product reality)
  38. 12.2 In-product export — environment-scoped and partial
  39. 13. Deletion and erasure caveats (honesty section)
  40. 13.1 Community forum — anonymized, not fully deleted
  41. 13.2 Orphan application tables (possible lag)
  42. 13.3 External systems we do not fully purge today
  43. 13.4 Custom ingredients
  44. 13.5 Deprovision process
  45. 13.6 Legal holds and exceptions
  46. 14. Security
  47. 15. Children
  48. 16. Cookies and similar technologies
  49. 17. Automated decision-making
  50. 18. Third-party links and partners
  51. 19. Changes to this Policy
  52. 20. Contact
  53. Regional annexes
  54. Annex A — EEA / EU (GDPR)
  55. A.1 Controller
  56. A.2 Special category data
  57. A.3 Transfers
  58. A.4 Rights
  59. A.5 Art. 22
  60. A.6 Data Protection Officer
  61. Annex B — United Kingdom
  62. B.1 Law
  63. B.2 Special category / transfers / rights
  64. Annex C — United States (CCPA/CPRA and state laws)
  65. C.1 Categories collected
  66. C.2 Sources and purposes
  67. C.3 “Sale” / “Share”
  68. C.4 Sensitive personal information
  69. C.5 Rights
  70. C.6 HIPAA note
  71. C.7 Children
  72. Annex D — APAC (Singapore PDPA, Australia Privacy Act/APPs, Hong Kong PDPO, and similar)
  73. D.1 Contact
  74. D.2 Notification and consent
  75. D.3 Cross-border transfer
  76. D.4 Access and correction
  77. D.5 Australia APP note
  78. D.6 Singapore PDPA note
  79. D.7 Hong Kong PDPO note
  80. 21. Related documents
  81. 22. Document control

1. Who we are

[PENDING: LEGAL_ENTITY_NAME] (Being Optimal, we, us, our), trading as Being Optimal, Site Nutrition (product surfaces may say “Site Nutrition”), provides a pregnancy-nutrition consumer application and related websites.

Item Detail
Controller [PENDING: LEGAL_ENTITY_NAME]
Registered address [PENDING: REGISTERED_ADDRESS]
Incorporation [PENDING: INCORPORATION_JURISDICTION]
Privacy contact [email protected]
DPO / privacy lead [PENDING: DPO_CONTACT]
EU representative [PENDING: EU_REP]
UK representative [PENDING: UK_REP]
APAC privacy contact [email protected]
Website https://beingoptimal.org

For how to exercise rights, see Section 12 and Data Subject Request Procedure. Master definitions: Definitions.


2. Scope

This Privacy Policy applies to Personal Data we process when you:

  • Visit beingoptimal.org and related first-party sites (help, assets, community entry points)
  • Create an account and use the nutrition planner / dashboard
  • Use the AI assistant, Learning Center, quizzes, notifications, or sharing features
  • Participate in the community forum (where enabled)
  • Contact support or privacy channels
  • Click partner/affiliate outbound links we instrument

It does not govern third-party websites you visit after leaving our Services (except our disclosure of click measurement). Community software is operated with a Community Platform Provider; additional forum privacy notices may apply on https://community.beingoptimal.org.


3. Special-category health data (read this first)

3.1 What we mean

Being Optimal is a pregnancy-nutrition product. In ordinary use we process data that is special category under GDPR Article 9 and similar laws (Special Category Health Data), including:

Data Examples
Pregnancy timing Last menstrual period (LMP), estimated due date (EDD), gestational context derived from those anchors
Demographics related to health targets Date of birth (DOB), ethnicity (where you choose to provide it for target personalization)
Body measures Weight and related body stats you enter
Clinical-ish self-reports Blood-marker / lab values you type in; symptoms you journal
Nutrition behavior Meal logs, combos, templates, custom ingredients used to infer nutrient intake

Day Scores, nutrient flags, optimizer suggestions, and AI replies are generated from this data and may themselves reveal health-related information.

3.2 Legal basis posture (EEA/UK and similar)

For Special Category Health Data, our primary posture is explicit consent (GDPR Art. 9(2)(a) / UK equivalent), obtained through account terms/privacy acceptance and your voluntary provision of health data and use of health features.

Implementation caveat: As of this draft, a separate first-run AI consent gate dedicated solely to Art. 9 AI processing may not yet be shipped. We recommend product follow-on for explicit AI consent. Until then, we rely on Privacy/Terms acceptance plus voluntary use of AI and health features. Counsel should confirm adequacy for launch markets.

Other non-special Personal Data may rely on contract (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), legal obligation (Art. 6(1)(c)), or consent (Art. 6(1)(a)) as described in Section 6.

3.3 Your control

You choose what health fields to enter. Some features work poorly without timing/profile data. You may request deletion or restriction as described in Section 12, subject to caveats in Section 13.


4. Personal Data we collect (inventory)

4.1 Data you provide

Category Examples Notes
Identity & contact Name, email Via Authentication Provider
Account profile Display preferences, locale/theme
Pregnancy / health profile LMP, EDD, DOB, ethnicity, weight Special category
Labs & symptoms User-entered blood markers, journal symptoms Special category; not a medical record system of your clinic
Nutrition logs Meals, quantities, combos, templates, custom ingredients Special category when used for intake inference
AI conversations Messages you send; assistant replies Persisted; may include health context
AI preferences Settings for assistant behavior
Quiz / Knowledge Score Progress and answers Educational
Community UGC Posts, uploads, profile on forum
Support communications Emails you send us
Billing identity (when live) Email, subscription status Card data at Billing Provider, not stored by us

4.2 Data collected automatically

Category Examples Notes
Technical IP address, user agent, device/browser type Used for security, rate limits, approximate geo at edge
Auth/session Session tokens, device sessions Authentication Provider
Product logs API errors, entitlement checks, security events Operational
Push subscription Endpoint URL, keys If you enable Web Push
Outbound clicks brand_id, url, surface, partner flag Pseudonymous — no user_id; IP transient only
First-party catalog analytics Catalog choice events Consent-gated when enabled
Approximate location labels Country / region See Section 5.4 (coordinates transmitted, not stored)

4.3 Data from providers

Source Examples
Authentication Provider Account id, email, profile fields, session lifecycle webhooks (via Webhook Transport)
Billing Provider (when live) Subscription state, invoices metadata
Community Platform Provider Forum user id linkage, moderation signals
AI Model Providers Model outputs returned to us (we do not receive advertising profiles from them)

4.4 Data we do not intentionally collect

  • Full payment card PANs/CVVs (handled by Billing Provider)
  • Precise GPS storage (see Section 5.4)
  • Third-party advertising profiles
  • Background continuous device location tracking

4.5 Children’s data

Services are not directed to children under 18. Age is self-attested; we do not operate a hard age-verification gate. See Section 15.


5. How we use Personal Data (purposes)

Purpose Examples Categories
Provide the Services Auth, sync meals, compute scores/targets, environments Identity, health, meals, technical
Personalize nutrition context Gestational timing, targets, flags Health profile
AI assistant Generate replies; optional propose-only writes Conversations, health context snippets
Safety Red-flag redirects, abuse detection, rate limits Messages, technical, rate-limit rows
Notifications Transactional email; optional push Contact, push keys, notification prefs/logs
Community SSO identity, host discussions Identity, UGC
Improve product Consent-gated catalog analytics; aggregated stats Pseudonymous / aggregate
Partner measurement Outbound click events Pseudonymous click rows
Security & fraud Session integrity, anomaly detection Technical, auth
Legal compliance Tax, accounting (when billing live), lawful requests As required
Communications Terms updates, support Contact

We do not sell Personal Data for money. See US annex regarding “share” for cross-context behavioral advertising (we do not engage in that practice with third-party ad networks).


6. Legal bases (summary table)

Processing Primary basis (EEA/UK-style)
Account + core planner contract Art. 6(1)(b) contract
Special Category Health Data in planner Art. 9(2)(a) explicit consent (+ Art. 6 consent/contract as applicable)
AI with health context Explicit consent posture (Art. 9) + contract/legitimate interests for non-special metadata; see §3.2 caveat
Security, fraud, rate limits Art. 6(1)(f) legitimate interests
Transactional email Art. 6(1)(b) / (f)
Optional push Consent (browser + product)
Consent-gated analytics Consent
Pseudonymous outbound clicks Legitimate interests (measurement, abuse prevention)
Legal obligations Art. 6(1)(c)
Aggregated / de-identified research stats Legitimate interests; not Personal Data when truly anonymous

Legitimate interests include securing the service, preventing abuse, understanding feature performance in aggregate, and measuring partner links without building ad profiles. You may object where applicable (Section 12).


7. AI assistant data flows (important)

7.1 What happens when you chat

When you use the AI assistant:

  1. Your message and relevant health/context snippets from your environment may be assembled server-side.
  2. That prompt content is sent to one or more AI Model Providers to generate a response.
  3. Conversation content is persisted in our application database (conversation and message tables — full bodies, not merely run metadata).
  4. Separate AI run metadata records may store operational fields without full prompt/response bodies.
  5. Safety pre-checks may inspect content for red-flag patterns before or after generation.

7.2 International transfer

AI Model Providers process data primarily in the United States (and potentially other regions they operate). Using the assistant means international transfer of conversation and health context to those providers under their data processing terms.

7.3 Retention of AI data

Store Retention posture
Our conversation/message tables While account active unless deleted; external Model Provider copies per provider DPA
AI run metadata Operational retention while account active / as needed for security and debugging
AI Model Provider copies Per provider DPA/retention; we do not currently call provider-side deletion APIs when you erase your account

7.4 Not the same as Help search

Marketing or UI statements that “your questions never leave your device” apply only to browser-based Help Center search (client-side Pagefind over help content). They do not apply to:

  • The AI assistant
  • Cloud-synced planner data
  • Server-side analytics or geo reverse-lookup

7.5 Automated outputs

Scores, flags, optimizer suggestions, lab comparisons, Knowledge Scores, and AI text are automated or semi-automated informational outputs — not medical decisions. Details: Automated Decisions & AI Transparency.


8. Location / reverse geocoding

8.1 Accurate claim: we do not store GPS coordinates

When you use a feature that resolves approximate place (for example, country/region for localization), your device may supply latitude/longitude to our application briefly.

8.2 Transmission disclosure

Raw coordinates may be transmitted to our Reverse-Geocoding Provider to convert lat/lng into place labels. We then:

  • Persist country/region (or similar coarse labels) as needed for the feature
  • Do not store the raw GPS coordinates in our application database as a retained location history

The Reverse-Geocoding Provider receives coordinates for the lookup request under its terms.

8.3 Edge geo signals

Our CDN / Edge Network Provider and Hosting Provider may see IP-derived geo signals as part of normal HTTP delivery. That is separate from optional device GPS reverse-lookup.


9. Sharing and sub-processors

9.1 Role-based processors

We use infrastructure and service providers under contracts. Bodies of legal docs use role labels. Named vendors appear in the Sub-processor List.

Role Purpose (summary) Typical data
Authentication Provider Sign-in, sessions, identity Email, name, session tokens
Webhook Transport Deliver auth lifecycle webhooks Webhook payloads, user events
Database Provider Primary app data with access controls Health profile, meals, AI conversations, prefs
Hosting Provider Web application hosting HTTP requests, cookies
CDN / Edge Network Provider DNS, CDN, edge security/gateway IP, headers, geo signals
Cloud Infrastructure Provider Privileged backend compute, object storage Backend-processed data, forum uploads
Email Delivery Provider Transactional email Recipient email, message content
AI Model Providers Generative assistant Conversation content, health context snippets
Community Platform Provider Forum + SSO Identity, posts, uploads
Reverse-Geocoding Provider Lat/lng → place labels Raw coordinates transient
Billing Provider Subscriptions when live Billing email, subscription status (no card PAN with us)
Email Design Provider Operator-side email templates Template assets (not consumer health DBs)

9.2 Community SSO scope

Forum single sign-on sends identity fields needed to create or link a community profile. Pregnancy timing fields (LMP/GA/trimester) are not shared via SSO under current product configuration.

9.3 Other disclosures

We may disclose Personal Data:

  • To professional advisors under confidentiality
  • In connection with a merger, acquisition, or asset sale (with notice where required)
  • To comply with law, lawful process, or mandatory government requests (see Law Enforcement Guidelines)
  • To protect rights, safety, and security of users, public, or Being Optimal
  • With your direction (for example, share links you create)

9.4 What we do not share for ads

We do not integrate third-party ad networks, sell personal information to data brokers, or run third-party session-replay or marketing analytics pixels on the consumer app. Our Hosting Provider may collect limited page-view / performance telemetry (platform web analytics) separate from consent-gated first-party catalog analytics — see the Sub-processor List.

9.5 Nutrient Data Source

Public nutrient composition data (Nutrient Data Source) is a data source, not a Personal Data sub-processor.


10. International transfers

10.1 US-skewed infrastructure

Primary application processing and storage regions: Primarily United States; global edge delivery (primarily United States; global edge delivery).

10.2 Safeguards

Where we transfer Personal Data from the EEA/UK/Switzerland or other regions requiring safeguards, we rely on appropriate mechanisms such as:

  • Standard Contractual Clauses (SCCs) or UK IDTA/Addendum with providers
  • Provider certifications or frameworks where valid
  • Technical measures (TLS in transit; encryption at rest as provided by vendors)
  • Least-privilege application access patterns (see Security Overview)

Details vary by sub-processor; see DPAs referenced via the Sub-processor List.

10.3 Your responsibility

If you enter another person’s health data, you must have a lawful basis and any required consents.


11. Retention

Data class Retention
Account & planner data Active account lifetime; deletion on account close subject to Privacy Policy caveats
AI conversations While account active unless deleted; external Model Provider copies per provider DPA
First-party analytics As needed for product improvement (first-party, pseudonymous)
Outbound click rows As needed for partner reporting and abuse prevention
Auth logs / security logs Provider and operational defaults; security need
Email provider logs Per Email Delivery Provider retention
Billing records (when live) [PENDING: BILLING_RECORD_RETENTION]
Legal holds Legal hold suspends deletion where required by law
Backups Rolling backup windows; residual copies expire with backup cycle

Deletion is not always instantaneous or complete across every system — see Section 13.


12. Your rights

Depending on your location, you may have rights to:

Right Description
Access Confirm processing and obtain a copy
Correction Fix inaccurate data
Deletion / erasure Request deletion (subject to exceptions and §13 caveats)
Portability Receive data in a structured format (see §12.2 export limits)
Restriction Limit processing in certain cases
Objection Object to legitimate-interests processing
Withdraw consent Where processing is consent-based (including special category)
Appeal / complain Lodge a complaint with a supervisory authority
US consumer rights Know, delete, correct, opt-out of sale/share, limit sensitive use — as applicable

How to exercise: email [email protected] (or use in-product export where available). Procedure: Data Subject Request Procedure. We may need to verify your identity.

12.1 Account deletion mechanism (current product reality)

There may be no separate in-app “delete everything” button beyond Authentication Provider account deletion controls. Closing your account via the Authentication Provider typically triggers lifecycle webhooks that run our deprovisioning job. Contact [email protected] if you need assistance.

12.2 In-product export — environment-scoped and partial

The self-serve export feature is:

  • Environment-scoped (exports the selected planning environment, not necessarily every account object), and
  • Partial relative to a full “download all personal data” expectation.

Current export generally does not include:

  • AI conversation / message bodies
  • AI preferences (as applicable)
  • Quiz / Knowledge Score data
  • Notifications, push subscriptions, notification logs
  • Shares
  • AI run metadata (ai_runs)
  • Inactive custom ingredients

For broader portability, contact [email protected]. We will fulfill applicable legal rights even where self-serve export is incomplete.


13. Deletion and erasure caveats (honesty section)

We automate deprovisioning on account deletion, but the following limitations currently apply. We state them so this Policy matches the product. Engineering remediation is tracked separately; wording will be upgraded when fixes ship.

13.1 Community forum — anonymized, not fully deleted

Forum posts and uploads are typically anonymized (display name/email cleared) rather than hard-deleted. Content may remain visible in anonymized form. Staff accounts are handled differently. Anonymization is best-effort and may fail silently in edge cases.

13.2 Orphan application tables (possible lag)

Some rows may not yet cascade automatically on deprovision, including notification and quiz/rate-limit related tables (for example: push subscriptions, notification log/preferences, quiz progress, AI rate-limit hits). [Fix planned.] Contact [email protected] for assistance purging stragglers.

13.3 External systems we do not fully purge today

System Caveat
AI Model Providers Copies may remain per provider DPA; we do not currently call provider deletion APIs
Email Delivery Provider logs Retain per provider retention
Cloud object storage for forum uploads May not be purged on every path
CDN/hosting logs Short-lived operational logs

13.4 Custom ingredients

Custom ingredients may be soft-deactivated and later removed with environment cleanup rather than instant hard delete.

13.5 Deprovision process

Deprovisioning is automated but not guaranteed fully atomic/transactional across all stores. We do not yet issue certified deletion receipts. [Fix planned] for stronger orchestration and certificates.

13.6 Legal holds and exceptions

We may retain data when required by law, dispute, security investigation, or Legal hold suspends deletion where required by law.


14. Security

We implement administrative, technical, and organizational measures appropriate to risk, including:

  • Encryption in transit (TLS)
  • Encryption at rest as provided by Database Provider and cloud storage
  • Authentication via Authentication Provider
  • Application data access patterns designed around user-scoped authorization (row-level security with user JWT; no service-role keys in the public web application tier — privileged operations run on isolated backend infrastructure)
  • Least-privilege operational access

No method of transmission or storage is 100% secure. Details and non-overclaim posture: Security & Compliance Overview. Report vulnerabilities: Vulnerability Disclosure Policy · [email protected].


15. Children

The Services are for users 18+. They are not directed to children under 18. We do not knowingly collect Personal Data from children under 18. Age is self-attested; we do not currently verify age with identity documents at sign-up. If you believe a child under 18 provided data, contact [email protected] and we will take appropriate steps.


16. Cookies and similar technologies

We use essential authentication cookies, functional storage, optional push, and pseudonymous outbound click beacons. We do not currently deploy non-essential third-party advertising cookies. Full detail: Cookie Policy.

Help Center browser search runs on-device; that is a search implementation detail, not a cookie, and is not an AI privacy promise.


17. Automated decision-making

We use automated processing to generate informational scores, flags, optimizer suggestions, lab comparisons, Knowledge Scores, and AI replies. These are not intended to produce legal or similarly significant medical decisions about you without human involvement (you and your clinician decide care). See Automated Decisions. You may contact [email protected] to contest or seek explanation of significant automated outputs where law provides that right.


18. Third-party links and partners

Outbound partner links may record pseudonymous click events (Section 4.2). Partner sites have their own privacy policies. Advertising disclosures: Advertising & Affiliate Disclosure.


19. Changes to this Policy

We may update this Privacy Policy. Material changes (especially new AI purposes, new special-category uses, or new tracking) will be noticed by reasonable means and may require re-acceptance. The “Effective” date and suite version will update.

Version: 1.0.0-draft · Effective: 2026-07-13


20. Contact

Topic Contact
Privacy requests [email protected]
DPO / privacy lead [PENDING: DPO_CONTACT]
Legal [email protected]
Support [email protected]
Security [email protected]
EU rep [PENDING: EU_REP]
UK rep [PENDING: UK_REP]
APAC [email protected]

Postal: [PENDING: REGISTERED_ADDRESS]


Regional annexes

These annexes apply when you are in the relevant region. If they conflict with the main body on a region-specific mandatory point, the annex controls for that point.


Annex A — EEA / EU (GDPR) [ON]

A.1 Controller

[PENDING: LEGAL_ENTITY_NAME] is controller for Personal Data processed in connection with the Services. EU representative: [PENDING: EU_REP] (if required and appointed).

A.2 Special category data

Processing of health-related data relies on Art. 9(2)(a) explicit consent, together with an Art. 6 basis for the overall processing. You may withdraw consent without affecting prior lawful processing, but we may be unable to provide health features thereafter.

A.3 Transfers

Transfers outside the EEA use appropriate safeguards (Section 10), including SCCs with sub-processors where applicable.

A.4 Rights

You have GDPR rights of access, rectification, erasure, restriction, portability, objection, and consent withdrawal. You may lodge a complaint with your local supervisory authority. Identity verification may be required.

A.5 Art. 22

Informational scores and AI guidance are not intended as solely automated decisions producing legal or similarly significant effects. If you believe a particular output has such effect, contact [email protected].

A.6 Data Protection Officer

[PENDING: DPO_CONTACT]


Annex B — United Kingdom [ON]

B.1 Law

UK GDPR and Data Protection Act 2018 apply to UK users as applicable. UK representative: [PENDING: UK_REP] (if required).

B.2 Special category / transfers / rights

Substantively parallel to Annex A, with UK transfer tools (IDTA/Addendum) where used. Complaints may be directed to the UK Information Commissioner’s Office (ICO) and to [email protected].


Annex C — United States (CCPA/CPRA and state laws) [ON]

C.1 Categories collected

We collect identifiers; customer records information; protected health-adjacent information you submit (not necessarily HIPAA covered — Being Optimal is generally not a HIPAA covered entity or business associate for this B2C consumer app); internet/technical data; geolocation labels (coarse); inference-like scores generated from your logs; and sensory-adjacent content only if you upload media to community features.

C.2 Sources and purposes

See Sections 4–5. Purposes include providing the Services, security, analytics (first-party, consent-gated), and partner click measurement.

C.3 “Sale” / “Share”

We do not sell Personal Information for monetary consideration. We do not share Personal Information for cross-context behavioral advertising with third-party ad networks. Pseudonymous outbound click logs are first-party measurement, not a third-party ad auction.

If you believe an opt-out still applies under a broad state definition, contact [email protected] or use any published preference signal process we enable. We will honor Global Privacy Control where legally required for covered selling/sharing once such activity exists; under current practices, there is no adtech sale/share to opt out of.

C.4 Sensitive personal information

Pregnancy and health information you provide is treated as sensitive. We use it to provide the Services you request, not for unexpected secondary ad profiling. You may request limitation of sensitive PI use to what is necessary to perform the Services by contacting [email protected].

C.5 Rights

California and certain other states provide rights to know, delete, correct, portability, and non-discrimination for exercising rights. Submit requests to [email protected]. Authorized agents may submit with proof as required by law. We will respond within statutory timelines.

C.6 HIPAA note

Unless we expressly enter a BAA for a future covered offering, this consumer app is not designed as a HIPAA electronic health record. Do not assume HIPAA applies.

C.7 Children

We do not knowingly sell or share personal information of consumers under 16. Services are 18+.


Annex D — APAC (Singapore PDPA, Australia Privacy Act/APPs, Hong Kong PDPO, and similar) [ON]

D.1 Contact

[email protected] (defaults to privacy channel).

D.2 Notification and consent

We notify you of purposes via this Policy and product UI. Where local law requires consent for health data or cross-border transfer, your account acceptance and voluntary use of features constitute consent to the extent permitted; we may implement additional just-in-time consents.

D.3 Cross-border transfer

Personal Data may be transferred to and processed in the United States and other countries where our sub-processors operate. We take reasonable steps to ensure recipients protect Personal Data consistently with this Policy and applicable law.

D.4 Access and correction

You may request access and correction via [email protected]. We respond within timeframes required by local law (for example, PDPA access timelines).

D.5 Australia APP note

We handle personal information in accordance with the Australian Privacy Principles as applicable to our activities. Overseas disclosures are described in this Policy. Complaints: contact us first; you may also contact the OAIC.

D.6 Singapore PDPA note

Deemed consent and contractual necessity may apply to account processing; health data is collected for the purpose of providing nutrition planning features you request. Withdrawal of consent may mean we cannot continue those features.

D.7 Hong Kong PDPO note

Data is used for purposes stated herein. You may request access/correction under PDPO via [email protected].


21. Related documents

Document Link
Terms of Service Terms Of Service
Cookie Policy Cookie Policy
Acceptable Use Acceptable Use Policy
Electronic Communications Electronic Communications
Medical Disclaimer Medical Disclaimer
Sub-processor List Sub Processor List
DSAR Procedure Data Subject Request Procedure
Automated Decisions Automated Decisions
Security Overview Security And Compliance
Preflight accuracy decisions (operators) PREFLIGHT DECISIONS

22. Document control

Field Value
Suite version 1.0.0-draft
Effective date 2026-07-13
Session legal-suite-20260713
Status Operator draft — counsel review required
Regional annexes EEA ON · UK ON · US ON · APAC ON

Content hash: 21a208518b45… · Built 2026-07-15

← Back to Legal hub

© 2026 Being Optimal · Planning context, not medical advice.

Legal hub · Terms · Privacy · Cookies · Medical disclaimer · Contact