Privacy Policy

Last updated: 5 June 2026

Cardiometabolic ("we", "us") provides a personal, preventive cardiometabolic monitoring platform. This policy explains what data we process, why, how we protect it, and the choices you have. We process health data only with your explicit consent and only to provide the service to you.

1. Data we process

  • Account data: an identifier, email, and timezone.
  • Connected-device health data retrieved from providers you link (e.g. Withings, Garmin): body weight and composition, height, and — where available — heart rate, HRV, sleep, stress, activity and related wellness metrics.
  • Provider access tokens (OAuth), stored encrypted.
  • Technical data: minimal logs (timestamps, request IDs) for reliability and security. We do not log token values or raw health payloads in plaintext.

2. How we collect it

You connect a provider via its official OAuth flow and grant access. We then retrieve your measurements through the provider's API and via webhook notifications when new readings are available. We never see your provider password.

3. How we use it

  • Display your measurements and body composition.
  • Compute trends and aggregates (daily, multi-day, long-term).
  • Generate advisory, non-diagnostic insights to support preventive awareness and questions for your clinician.

We do not sell your data or use it for advertising.

4. Legal basis

We process health data on the basis of your explicit consent, given when you connect a provider. You may withdraw consent at any time (see "Your rights").

5. Storage & security

  • Provider tokens are encrypted at rest (AES-256-GCM).
  • All traffic uses HTTPS.
  • Raw provider data is stored immutably for auditability; derived metrics are reproducible from it.
  • Access to sensitive endpoints is authenticated.

6. Sharing & third parties

We share data only with the infrastructure providers needed to run the service (e.g. hosting and database), and with the device providers you have connected. We do not sell data or share it with advertisers. We may disclose data if required by law.

7. Data retention

We keep your data while your account is active. If you disconnect a provider or delete your account, we delete or anonymize the associated data within a reasonable period, except where retention is legally required.

8. Your rights

Depending on your jurisdiction (including the EU/EEA under GDPR), you may have the right to access, correct, export, or delete your data, and to withdraw consent. You can:

  • Disconnect a provider to stop further data collection.
  • Revoke our access from your provider account (e.g. in your Withings or Garmin account settings).
  • Request access, export, or deletion by contacting us at privacy@cardiometabolic.ai.

9. AI & medical disclaimer

Insights are produced with AI assistance and are advisory and non-diagnostic. Cardiometabolic does not diagnose disease, provide medical advice, or replace a healthcare professional. Always consult a qualified clinician about your health, and seek urgent care for any emergency.

10. Cookies

We use only essential cookies needed to operate the app. We do not use advertising or third-party tracking cookies.

11. International transfers

Your data may be processed in countries other than your own. Where required, we use appropriate safeguards for such transfers.

12. Children

The service is not directed to children under 16, and we do not knowingly collect their data.

13. Changes

We may update this policy. Material changes will be reflected by the "Last updated" date above.

14. Contact

Questions or requests: privacy@cardiometabolic.ai.