Privacy Policy
1. Who we are
Supp is operated by Aperture Analytics Limited, a private limited company registered in Ireland (company number TBD, registered address TBD). For privacy questions, email privacy@supp.guru.
2. What data we collect
We collect identification data (email, name), authentication data (password hash, optional Google OAuth ID, session cookies), special- category health data (your supplement regimen, dosages, mood, sleep and energy scores, and any health conditions you record), payment references (Stripe customer and subscription IDs — we never see card numbers), preferences (notification settings), and technical metadata (IP-hashed audit records, push-notification endpoints, timezone).
See section 11 for the full inventory by sensitivity tier (HEALTH, PII, PAY, PREF, TECH).
3. Why we process it
We rely on three lawful bases:
- Article 6(1)(b) — performance of contract — for your account, billing, and notifications.
- Article 6(1)(a) + Article 9(2)(a) — explicit consent — for special-category health data (supplements, mood, sleep, energy, conditions). You give this consent at signup via a non-prechecked checkbox. Because consent is the lawful basis for processing your health data, withdrawal means we must close your account — there is no read-only or "lite" mode that operates without consent.
- Article 6(1)(f) — legitimate interests — for security logging, fraud prevention, and error monitoring.
4. Who we share your data with
We use a small number of third-party processors to operate Supp. The full list with contractual safeguards is at /sub-processors.
We may, with your separate explicit consent obtained at the time, share anonymised or pseudonymised data with research partners, supplement brands, or analytics providers for the purpose of supplement market research and product improvement. We will never share data that identifies you personally without asking you first. You can withdraw any such consent at any time. As of v1, we do not perform any such sharing.
5. International transfers
Your data is hosted in the European Union: Neon Postgres in Frankfurt (Germany) and Google Cloud in Belgium. Some processors are US-based: Stripe (payments), Resend (transactional email), Railway (application hosting). Transfers to those processors are made under the European Commission's Standard Contractual Clauses (SCCs).
6. How long we keep it
While your account is active: as long as the account exists. After 23 months without a login, we email you a 30-day warning and then purge your account if you don't log in. After deletion (yours or ours), we retain an anonymised tombstone (random email, no other personal data) for the establishment, exercise, or defence of legal claims (Art. 17(3)(e)). Backups: up to 90 days (Neon point-in-time recovery plus offsite encrypted dumps).
7. Your rights
Under the GDPR you can request access, rectification, erasure, restriction, portability, or withdrawal of consent. The fastest way is the self-service panel at /account/data; for anything else email privacy@supp.guru. We respond within 30 days (Art. 12(3)).
8. Automated decision-making
Supp does not perform automated decision-making within the meaning of Article 22.
9. Cookies
We use only first-party functional cookies (NextAuth session, CSRF). Our analytics is self-hosted Umami in cookieless mode. See /cookies.
10. UK users
For UK residents, the UK General Data Protection Regulation applies in addition to EU GDPR. Our Article 27 UK Representative is: TBD (to be appointed via Prighter or EDPO before the first paying UK user signs up).
11. Right to lodge a complaint
You have the right to complain to the Irish Data Protection Commission (DPC) at dataprotection.ie, or to the supervisory authority in your country of residence.
12. Do Not Sell My Personal Information
Aperture Analytics Limited does not sell your personal information.
13. Changes to this policy
Material changes are versioned (this is v1). When we change the policy, existing users see a blocking modal at next login asking them to read and accept the new version.