Privacy Policy
Last updated: April 2026
1. Who We Are
Gila ("we", "us", "our") is a behavioral companion app for people on GLP-1 medications. We are the data controller for the personal data collected through our mobile application and website (gila.coach).
For any questions about this policy or your data, contact us at support@gila.coach.
2. Data We Collect
Account Data
When you create an account, we collect your name, email address, and authentication credentials (via Google Sign-In, Apple Sign-In, or email/password). During pilot signup, we also collect your medication status, journey stage, and device platform.
Health & Wellness Data
You choose what to share. When you use Gila, you may provide:
- Body weight and measurements
- Mood and well-being scores
- Medication doses, schedules, and side effects
- Food intake (via text search, barcode scanning, or photo recognition)
- Habits, goals, and behavioral patterns
- Journal entries and personal notes
- Progress photos
This data is sensitive. We treat all health and wellness data with the highest level of care and never use it for advertising purposes.
Device & Health Platform Data
With your explicit permission, Gila can sync data from Apple Health (iOS) or Health Connect (Android), including steps, exercise minutes, sleep duration, and heart rate. This sync is optional and can be disabled at any time in your device settings.
Usage & Technical Data
We collect anonymized usage analytics (screen views, feature interactions) to improve the app experience. We also collect technical data such as device type, operating system version, and push notification tokens to deliver our services.
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we process your data based on:
- Your consent (Article 6(1)(a) and Article 9(2)(a)) — for processing health and wellness data, syncing health platform data, and sending marketing communications. You can withdraw consent at any time.
- Contract performance (Article 6(1)(b)) — to provide the Gila service you signed up for, including account management and core app features.
- Legitimate interest (Article 6(1)(f)) — for anonymized analytics, security monitoring, and service improvement, where our interest does not override your rights.
4. How We Use Your Data
- Personalized insights — generating your journal narrative, progress trends, and behavioral patterns
- AI-powered features — habit suggestions, food recognition, coaching, and report generation
- Progress tracking — weight trends, medication adherence, habit streaks, and health summaries
- Communications — transactional emails (welcome, account), and with your consent, personalized updates and tips
- Service improvement — understanding how features are used to make Gila better (using anonymized, aggregated data)
- Security — protecting against fraud, abuse, and unauthorized access
5. AI Processing
Gila uses artificial intelligence to provide personalized habit suggestions, food recognition, behavioral insights, and health report narratives. Here is how your data is handled in AI features:
- Relevant context from your profile and recent activity is sent to our AI providers to generate personalized responses
- We use Google Gemini as our primary AI provider. Data sent to Gemini is processed under their data processing terms and is not used to train their models
- We use Perplexity for research grounding to provide evidence-based habit suggestions with cited sources
- AI-generated content is informational only and is not medical advice
- We minimize the data sent to AI providers to only what is necessary for the specific feature
6. Who We Share Data With
We never sell your personal data. We never share your health data with advertisers.
We use the following third-party service providers (data processors) to operate Gila:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | All account and app data |
| Firebase (Google) | Push notifications, authentication | Device tokens, auth credentials |
| Google Gemini | AI features (habits, food vision, reports) | Contextual profile and activity data |
| Perplexity | Research grounding for habit suggestions | Anonymized topic queries |
| FatSecret | Nutrition database lookups | Food search queries (no personal data) |
| Resend | Transactional and marketing email | Email address, name |
| Vercel | Website hosting | Standard web request data |
| Google Analytics | Website analytics | Anonymized page views and interactions |
| PostHog | Product analytics | Anonymized app usage events |
| Cloudflare | Bot protection (Turnstile) | Browser interaction signals |
All processors are bound by data processing agreements. We only share the minimum data necessary for each service to function.
7. Data Storage & Security
Your data is stored on Supabase infrastructure (powered by AWS). We implement the following security measures:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security (RLS) ensuring you can only access your own data
- Secure authentication via OAuth 2.0 (Google, Apple) or hashed passwords
- Regular security reviews of our codebase and infrastructure
- Minimal access principles — our team accesses personal data only when necessary for support or debugging
8. Data Retention
We retain your data for as long as your account is active. When you delete your account:
- Your personal data, health data, journal entries, and photos are deleted from our primary databases
- Automated backups containing your data are purged within 30 days
- Anonymized, aggregated data (which cannot identify you) may be retained for service improvement
- Data required for legal obligations (such as transaction records) is retained for the legally mandated period
9. Your Rights
Under the GDPR and applicable data protection laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Data portability — receive your data in a structured, machine-readable format
- Restriction — request that we limit how we process your data
- Objection — object to processing based on legitimate interest
- Withdraw consent — withdraw previously given consent at any time, without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at support@gila.coach. We will respond within 30 days as required by law.
10. Deleting Your Account
You can delete your account at any time through:
- The account settings in the Gila app
- Our self-service page at gila.coach/delete-account
- Emailing support@gila.coach
Account deletion is permanent. All personal data, health records, journal entries, and photos will be removed as described in the Data Retention section above.
11. Children's Privacy
Gila is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it promptly.
12. Cookies & Tracking
Our website (gila.coach) uses:
- Essential cookies — required for the website to function (authentication, preferences)
- Google Analytics — anonymized website usage data to understand how visitors interact with our content
We do not use advertising cookies or tracking pixels. We do not participate in ad networks or retargeting.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes — especially those affecting how we handle health data — we will notify you via email or in-app notification at least 30 days before the changes take effect.
14. Contact Us
If you have questions, concerns, or requests about your privacy or this policy, contact us at:
Email: support@gila.coach
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority (in Spain: Agencia Española de Protección de Datos — aepd.es).