Last updated: 2026-05-16
Health Data Notice
This is a focused notice about how Gila handles your health data. It is a "bolt-on" to the main Privacy Policy — most of the rules and your rights are the same, but health data triggers stricter requirements under several laws and we want to be clear about them in one place.
If a sentence here ever conflicts with the main Privacy Policy, this Health Data Notice controls for the specific topic of health data.
1. Why this notice exists
Health data is "special category" data under most modern privacy laws. That means it is held to a higher standard:
- EU and EEA users — Article 9 of the GDPR. Processing health data is prohibited unless one of ten specific conditions applies. We rely on Article 9(2)(a), your explicit consent.
- UK users — UK GDPR Article 9 plus Data Protection Act 2018 Schedule 1. Same explicit-consent path.
- Swiss users — Article 5(c) of the revised Federal Act on Data Protection (revFADP). Health data is "sensitive personal data" and triggers heightened obligations.
- Turkish users — Article 6 of the Law on the Protection of Personal Data (KVKK, Law No. 6698). Health data is "special category personal data" (özel nitelikli kişisel veri). The default rule is that we must obtain your explicit consent (açık rıza) for every distinct processing purpose, because we are not a healthcare professional or institution acting under Turkish health law.
- Brazilian users — Article 11 of LGPD (Law 13.709/2018). Same family: sensitive data, explicit consent, plus a parallel set of conditions.
- Washington State users (USA) — the My Health My Data Act (RCW 19.373), which classifies calorie data, weight data, food intake, mood, medication, and similar fields as "consumer health data." It provides a private right of action to sue if we fail to comply. We obtain separate explicit consent and never sell or share this data.
Because we operate globally, we apply the most-protective rule by default. The explicit-consent gate appears for every user regardless of where they live (decision-log entry #6).
2. What health data Gila collects
Here is the full list. We try to be precise rather than vague.
2.1 Body measurements
- Body weight (weight_kg) — manually logged and/or synced from Apple Health / Health Connect.
- Body measurements — chest, waist, hips, arms, legs (optional, only if you log them).
- Starting weight and goal weight captured during onboarding.
2.2 Medication (GLP-1 specific)
- Medication name (Wegovy, Ozempic, Mounjaro, Zepbound, Saxenda, Rybelsus, etc.).
- Dose in milligrams.
- Injection cadence (weekly, monthly, etc.) and the date and time of each shot.
- Injection zone (anatomical site you used: abdomen left/right, thigh, upper arm, etc.).
- Pain level at the injection site (0–10 self-report).
- Free-text notes you choose to attach to a shot.
This combination — medication + dose + cadence + injection zone — is essentially a prescription record. We treat it as the most sensitive single category of data we hold.
2.3 Side-effects
- Self-described side-effect description.
- Severity rating.
- Date and time.
- Free-text notes.
2.4 Mood and mental-state
- Mood label and emoji picked from a palette.
- Mood category (e.g., low energy, anxious, motivated, content).
- Free-text description of how you are feeling and why.
- Date and time.
Mental-state data falls within GDPR Recital 35's definition of health data, so the same rules apply.
2.5 Food intake
- Meal sessions — the calories, protein, carbs, fat, fiber, sugar, sodium of each meal you log, plus meal type (breakfast, lunch, dinner, snack) and date.
- Favourite foods — saved meals with their serving-level macros.
- Food search history — the text queries you typed when searching food databases.
- Meal photos when you use the AI food vision feature. The photo itself may incidentally show your face or surroundings.
- Nutrition goals — your target calories, macros, water intake, and pace.
Calorie tracking, weight tracking, and food intake are explicitly named as "consumer health data" under Washington's MHMDA. We treat them as such for all users.
2.6 Apple Health and Android Health Connect sync (optional)
When you turn it on, we read the following from your phone's health store and write a daily aggregate to our database:
- Steps, active minutes, calories in / out.
- Sleep duration and quality where available.
- Heart rate summary metrics.
- Exercise minutes and workout types.
- Weight records.
We never write data back to Apple Health or Health Connect without your explicit opt-in. The OS-level permission prompt happens separately from our in-app consent.
2.7 Journal entries (free text)
Free-text reflections are stored as you write them. They are technically text fields, but they often contain health-related content (mood, symptoms, dietary thoughts, body-image content). We treat the entire journal as health-sensitive even though our database does not enforce that classification at the column level.
2.8 Profile photos and habit-evidence photos
Photos you upload may reveal physical attributes (body shape, skin appearance, visible medical devices). They are stored encrypted, accessed through signed short-lived URLs, and removed when you delete an entry or your account.
2.9 AI-derived inferences
This covers outputs we generate about you from your data using AI — for example, your weekly coaching narrative, activity-goal recommendations, habit suggestions tailored to your stated medication, and the persona type assigned during onboarding. These are inferences, and we treat them as health data for the same reasons your inputs are health data.
3. Washington MHMDA disclosure — "consumer health data"
For users in or related to Washington State (USA), we make the following explicit disclosures under RCW 19.373:
- Yes, Gila collects and processes consumer health data as defined by MHMDA. That includes your weight, body measurements, food intake (calories and macros), mood entries, medication data, side-effect data, and Apple Health / Health Connect sync data.
- We obtain your explicit consent during onboarding through the in-app Legal Consent Gate. The consent receipt is stored in our consent_log table with the policy version, the date, your jurisdiction, and the consent categories you accepted.
- We do NOT sell consumer health data. Ever. There is no carve-out, no exception, no "anonymized sale" workaround.
- We do NOT share consumer health data with third parties for those third parties' own purposes. The processors listed in section 6 act only on our instructions, on your data, for our service. They are not allowed to use your data to advertise to you, build profiles of you, or sell it onward.
- You can withdraw your consent at any time in-app (Settings → Privacy → Health Data Consent) or by submitting a request at gila.coach/dsar. Withdrawal does not affect processing that already happened.
- You can ask us to delete your consumer health data at any time through the same channels. Deletion is described in section 8 below.
- You have a private right of action under MHMDA. If we fail to comply with our obligations to you under that law, you can sue us directly under the Washington Consumer Protection Act (RCW 19.86). We hope you never need to — write to dpo@gila.coach first and we will try to fix it.
4. How we use your health data
We use it only for the purposes you would expect from a behavior-change companion app:
4.1 Show you your own data
We display your weight trend, your mood patterns, your medication adherence, your food logs, and your habit history. This is the core service you signed up for.
4.2 Generate personalized insights
We compute trends, streaks, percentages, and contextual cues based on your data. Some of this happens on your device; some happens server-side after you accepted the corresponding consent.
4.3 Power AI features (only if you opted in)
When you have explicitly enabled AI features, your health data is included in the contextual snapshot sent to our AI providers for the specific feature you triggered. See section 5 for the detailed breakdown.
4.4 Sync with Apple Health / Health Connect
If you have enabled the sync, we read selected fields from your phone's health store on a periodic basis. You can disable this at any time in iOS Settings, Android Settings, or in-app Settings.
4.5 Compute aggregates for server-side features
We compute daily summary aggregates (health_daily_summaries) that downstream features — your weekly narrative, the habit-signal pipeline, your activity-goal recommendation — read from. Computing the aggregate does not change the legal basis: it is still your health data, still under your explicit consent.
4.6 What we never do with your health data
- Never sell it to anyone.
- Never share it with advertisers or for targeted advertising.
- Never use it to train third-party AI models — our contracts with Google Gemini and Perplexity prohibit this and we verify the no-training flag on every API call.
- Never use it to derive a score that gates your access to features, content, or any other benefit. AI in Gila shows you suggestions you can accept, edit, or ignore — it never makes "automated decisions" in the Article 22 GDPR sense (see section 9 below).
- Never combine it with data from data brokers, social media platforms, or any third-party identity graph.
5. AI processing of your health data
If you turned on the AI-features consent, your health data is processed by external AI providers. We are explicit about which features, which providers, and which fields per feature.
5.1 Feature-by-feature breakdown
| Feature | What it does | AI provider | Health data sent per request |
|---|---|---|---|
| Food vision | Identifies the meal in your photo and estimates calories and macros | Google Gemini (multimodal, primary). Anthropic Claude and OpenAI are available as opt-in A/B paths — off by default in production. Perplexity is used as a research fallback for ambiguous foods (no PII in queries) | The meal photo (Tier 1), your current nutrition goals for context, your recent meal history (optional context for portion calibration) |
| Activity-goal recommendation | Suggests exercise or movement targets | Google Gemini | Your recent step count, exercise minutes, weight trajectory |
| Nutrition-goal calibration | Generates personalised calorie + macro targets | Google Gemini | Recent weight trend, goal, baseline, GLP-1 medication context, dietary preferences |
| Habit suggestions | Suggests new habits matched to your stated goals and recent activity | Google Gemini | Your onboarding profile (medication, journey stage, goals), recent mood, recent habit completion patterns |
| Habit Lab (playground) | An interactive AI playground for refining your own habit ideas | Anthropic Claude (Haiku / Sonnet / Opus, primary for the playground experience) + Google Gemini (2.5 Flash + 3 Flash Preview as secondary models) | The habit ideas + context you provide for refinement; recent habit + mood data for personalisation |
| Onboarding "AI moment" | Personalises the onboarding output based on what you told us | Google Gemini | Your onboarding answers (medication, goals, motivation, persona) — no PII identifiers (no name, no email) |
| Weekly coaching narrative | Generates a short progress story for the past week | Google Gemini | The week's weight logs, mood entries, medication adherence summary, meal-session summary, habit completion summary |
| Health analysis | AI-assisted analysis of your aggregated weight, mood, medication adherence | Google Gemini | Aggregated weight + mood + medication adherence (no journal text unless you enabled it) |
| Weekly briefing | Optional push-notification narrative summarising your week | Google Gemini | Last 7 days summary metrics |
| Journal embeddings | Vector embeddings for semantic search and "find similar entries" | Google Gemini (embedding-001) | Sanitised text segments (no direct PII identifiers); embeddings stored within Supabase, not transferred to a third party for retention |
| Community-submission safety review | AI safety + quality review of habit / stack content other users submit to the public library | Google Gemini | Submitted habit / stack text + metadata (not your personal health data) |
| Habit-signal agent (server-side cron) | Ranks suggested habits + grounds them with source citations | Google Gemini + Perplexity sonar-pro (grounding on anonymised topics) | Curated activity snapshot — no free-text journal content unless you explicitly enabled "include journal in AI" |
We also use Anthropic Claude (Sonnet) internally for our QA evaluation pipeline (eval-score). This is not user-facing in production; it scores anonymised test pairs to validate AI quality before changes ship.
5.2 Contractual no-training commitments from our AI providers
- Google Gemini — covered by the Google Generative AI API terms of service. Customer data submitted to the API is not used to train Google's models. We set the no-training flag on every request and verify it in the response metadata.
- Anthropic Claude — covered by the Anthropic Commercial Terms. Customer data submitted via the API is not used to train Anthropic's models. Anthropic is certified under the EU-US Data Privacy Framework.
- OpenAI — covered by the OpenAI Business Terms. Customer data submitted via the API is not used to train OpenAI's models by default. OpenAI is used only as an opt-in A/B path in food vision and is off by default.
- Perplexity — covered by the Perplexity API terms. Customer data submitted via the API is not used to train Perplexity's models. We send only anonymised topical queries (e.g., a food name, a habit topic). Your personal data is not sent to Perplexity at all.
If any provider changes its terms to reverse the no-training default, we will re-evaluate this notice and ask you to re-consent before the change takes effect. Your WA MHMDA explicit consent and your GDPR Article 9(2)(a) explicit consent are provider-agnostic — a single AI-features consent toggle covers all four providers, so the same consent base applies whether AI processing is routed through Gemini, Claude, OpenAI, or Perplexity.
5.3 EU AI Act Article 50 transparency
Under the EU AI Act (Regulation 2024/1689) Article 50, you have the right to be told when you are interacting with an AI system. Every AI-generated surface in Gila is labelled "AI-generated" with the provider name in the in-app information panel. There is no covert AI behavior in the product.
5.4 Article 22 GDPR — no "solely automated" decisions
GDPR Article 22 protects you from being "subject to a decision based solely on automated processing… which produces legal effects concerning [you] or similarly significantly affects [you]." We analyzed every AI feature in Gila against this rule. None of them qualify:
- A food calorie estimate informs your logging; you decide whether to accept or edit it. No legal effect.
- A habit suggestion is a recommendation, not an obligation. No legal effect.
- A weekly narrative is an informational story. No legal effect.
- No Gila AI feature gates access to a service, denies a right, imposes a contract, or sends you to a different tier based on a score.
Full analysis is in our internal Data Protection Impact Assessment (available on request from dpo@gila.coach). If we ever ship a feature where AI does make a meaningful automated decision about you, we will add Article 22 safeguards (a right to human review, a right to express your view, a right to contest) and ask you to re-consent.
6. Who we share your health data with
The short version: nobody outside our processor list, and never for their own purposes.
The longer version: we use a small set of vendors ("processors" under GDPR) to actually run the service. They act on our written instructions, only on the data we hand them, only for the purposes we set.
6.1 The processors that touch health data
| Processor | Country | What they touch | Safeguard |
|---|---|---|---|
| Supabase | USA (Ohio, us-east-2) | Stores all of your account data, encrypted at rest (AES-256), with row-level security so only you can read your rows | SCC Module 2 + Supabase DPA |
| Google (Firebase + Gemini) | USA | Firebase handles push-notification tokens (no health data in the payload). Gemini processes the AI requests in section 5.1 with the no-training flag set (primary AI provider for 13 features) | EU-US Data Privacy Framework + SCC fallback + Google DPA |
| Anthropic (Claude) | USA | Processes AI requests for the Habit Lab (user-facing), the QA evaluation pipeline (not user-facing), and the food-vision A/B opt-in path (off by default). Anthropic Commercial Terms set the no-training default | EU-US Data Privacy Framework + SCC fallback + Anthropic Commercial Terms / DPA |
| OpenAI | USA | Processes AI requests for the food-vision A/B opt-in path only (off by default in production) | SCC + OpenAI Business Terms / DPA |
| Perplexity | USA | Receives anonymized topical queries for habit-signal grounding and food-vision research fallback — no personal data, no health values | SCC + Perplexity DPA |
| Apple HealthKit (on iOS) | On-device | Reads your selected health metrics on your device when you grant the OS permission and uploads the daily aggregate to us | Apple's HealthKit framework — health data stays on-device unless you grant the read scope |
| Health Connect (on Android) | On-device | Same model as Apple HealthKit on the Android side | Google's Health Connect framework |
| FatSecret | USA | Receives anonymous food-name queries (no user identifier) when we need to hydrate nutrition values not already in our internal knowledge base | OAuth-based DPA |
We do not send health data to:
- Sentry (error tracking) — per our engineering guidelines, no Tier-1 health data is included in error events. If a leak is discovered, we treat it as a privacy incident under our 72-hour notification commitment.
- PostHog (analytics) — only event names and screen names, never values like weight or calorie counts. Same incident-treatment commitment applies.
- Resend (email) — health data does not appear in email subjects or bodies.
- Beehiiv (newsletter) — only your email and first name.
- Cloudflare Turnstile — only the bot challenge token.
- RevenueCat (when subscriptions launch) — only subscription state.
6.2 Cross-border transfers
Because our processors are in the US (and edge points globally), your health data is transferred outside your country of residence. We use the following legal mechanisms:
- EU/EEA, UK, Switzerland → US — Standard Contractual Clauses (SCC Module 2 Controller → Processor) with supplementary measures (TLS 1.3 in transit, AES-256 at rest, row-level security, vendor commitments). For DPF-certified vendors (Google, Anthropic, etc.) the EU-US Data Privacy Framework is the primary basis, with SCC as fallback. OpenAI is engaged only via the food-vision A/B opt-in path (off by default in production) and is covered by the same SCC framework.
- Türkiye → US — under KVKK Article 9, the US is not on the Board's list of "adequate countries." We rely on your explicit consent for the cross-border transfer, given through the in-app Legal Consent Gate.
- Brazil → US — LGPD Article 33 specific consent.
- Canada → US — PIPEDA accountability transfer (we remain liable).
- Australia → US — APP 8 cross-border disclosure.
Full detail on each corridor and the supplementary measures we apply is in our internal Transfer Impact Assessment (available on request from dpo@gila.coach).
7. Your rights specific to health data
The standard DSAR rights apply — see DSAR Instructions for the full mechanics. A few specific call-outs:
7.1 Withdraw your health-data consent
You can withdraw your Article 9(2)(a) explicit consent at any time. Visit our self-service rights form or email dpo@gila.coach to withdraw any consent. We action withdrawal as soon as the verified request lands and typically complete it within 24 hours. Withdrawing:
- Disables every feature that depends on health-data processing (most of the app).
- Triggers deletion of the health data you specify in the withdrawal flow (you choose: "delete all", "delete specific categories", or "keep but stop processing").
- Does not invalidate the lawful processing that happened before withdrawal.
- Is logged in consent_log so you and we can see the history.
7.2 Withdraw your AI-features consent (independent of health-data consent)
You can keep health-data journaling on while turning AI features off. Visit our self-service rights form or email dpo@gila.coach to withdraw AI-features consent. When AI features are off:
- We stop sending your health context to Google Gemini and Perplexity.
- The AI surfaces (food vision, weekly narrative, habit suggestions, etc.) become unavailable in the app.
- Your underlying logged data stays as you left it.
7.3 Export your health data
A full export, including all health categories and any AI-derived inferences we have stored about you, is available at gila.coach/dsar. We deliver as structured JSON with a plain-English summary.
7.4 Restrict specific processing
You can ask us to keep your data but stop using it for a specific purpose — for example, "stop including my journal entries in the weekly narrative but keep them stored." Visit our self-service rights form or email dpo@gila.coach and tell us what to restrict.
7.5 Object to AI-derived inferences
If we generated an inference about you that you disagree with (for example, a persona-type assignment from onboarding that does not feel right), you can ask us to delete or correct it. Inferences are first-class fields in our data export.
8. How long we keep your health data, and what happens when you delete
8.1 While your account is active
Health data is retained indefinitely while your account is active. You can edit, delete, or annotate any individual entry at any time.
8.2 When you delete your account
- Primary database — all health-data tables (weight logs, medication shots, side-effects, mood entries, meal sessions, food search history, nutrition goals, habit logs, habit evidence, journal entries, AI-derived inferences, health daily summaries) are purged within 24 hours of the verified deletion request.
- Storage bucket — your profile photo, progress photos, and habit-evidence photos are purged in the same window via Phase 4c cleanup triggers.
- Apple HealthKit / Health Connect — these stores are on your device. Deleting your Gila account does not delete data from your phone's health store. To clear that, use the iOS Settings → Health → Browse → [data type] → Edit, or Android Settings → Apps → Health Connect.
- Backups — encrypted backup snapshots from before the deletion roll off within 30 days under our normal rotation. During this window, restoring from a backup would not re-create your account (the deletion flag would re-fire), but the raw backup bytes still exist.
- Logs and audit records — consent receipts (consent_log) are retained as audit evidence with your user_id set to NULL so they can no longer identify you. This is required for accountability under GDPR Article 5(2) and KVKK Article 12.
We send you a deletion confirmation email when production deletion completes, with a summary of what was deleted and what (if anything) was retained for legal reasons.
8.3 Per-entry deletion
Without deleting your whole account, you can delete any individual entry from the relevant in-app screen. Per-entry deletion follows the same 24-hour primary / 30-day backup window.
9. Mental-health and vulnerability note
Many people who use Gila are dealing with chronic illness, history of disordered eating, body-image vulnerability, or mental-health treatment. We designed several aspects of this notice and the product itself around that:
- AI outputs avoid weight-shaming framing. Our system prompts explicitly tell the model to be supportive and never to comment on appearance.
- Milestone celebrations are opt-in, with separate toggles in Settings.
- Push-notification copy is intentionally non-revealing (e.g., "Time for a check-in" rather than "Time for your Wegovy shot") so a notification on a locked phone does not disclose medication content to anyone glancing at the screen.
- Mood and journal entries are stored only on our servers under your account; they are never used in marketing emails, social proof, or aggregated public content.
If you are in mental-health crisis, Gila is not the right tool. Please contact a real human:
- In the EU/EEA and Türkiye, call 112 for any emergency.
- In the UK, call 999 (emergency) or 111 (NHS).
- In the US, call or text 988 (Suicide and Crisis Lifeline) or 911 (emergency).
- In Türkiye, the Ministry of Health helpline is 184.
- In Spain, the suicide-prevention hotline is 024.
- In other countries, please use your local equivalent.
10. Talking to us about health data
For health-data-specific questions or concerns:
- Email: dpo@gila.coach — a real human reads every message at this address.
- DSAR form: gila.coach/dsar for any of the rights described in section 7.
- Postal: the address on file with the Turkish tax authority, supplied on request.
- EU and UK representatives: to be appointed before EU/UK paid launch — see Privacy Policy for the published name and address (decision-log entry #3 tracks the procurement).
10.1 Supervisory authorities you can complain to
If we cannot resolve your concern directly, you can lodge a complaint with the data protection authority in your country. See DSAR Instructions section 7 for the directory.
For Washington State residents specifically, you can complain to the Washington State Attorney General and you have a private right of action under MHMDA + Washington CPA.
11. Changes to this notice
We will update this notice when we add new health-data features, change AI providers, change processors that touch health data, or to reflect new law.
For material changes (anything that changes what health data we collect, who we send it to, what purposes we use it for, or your rights over it):
- We will give you at least 30 days' notice before the new version takes effect.
- We will show an in-app banner (LegalChangeBanner) and email your account address.
- For changes that introduce a new processing purpose or a new processor for your health data, we will ask you to re-consent before that specific processing begins.
For non-material changes (typo fixes, link updates, clearer wording), we will simply bump the version and date at the top.
12. Useful internal references
For transparency, here are the internal documents this notice is consistent with. They are not public but are produced on request to supervisory authorities at dpo@gila.coach:
- Record of Processing Activities — the Article 30 GDPR record listing every processing activity, including the seven health-data activities and the legal bases per activity.
- Data Protection Impact Assessment — the Article 35 DPIA covering health-data + AI processing, with a 17-risk register and the planned mitigations.
- Transfer Impact Assessment — the Schrems II compliance assessment for every US-resident processor.
- Data Inventory — the field-by-field catalog of every personal data point Gila collects.
- Decision Log — the locked product and legal decisions that shape this notice.
This document is the master English source. Translations into Spanish and Turkish are kept in sync with this version. If a translation diverges from this English source, the English version controls, except where local law requires otherwise.
Last reviewed: 2026-05-16.