GLiPra is a mobile application operated by Leonava, a Texas company ("Company," "we," "us," or "our"). We are the controller of the personal information described in this Privacy Policy.
Registered address: [REGISTERED ADDRESS]
Privacy inquiries and data requests: legal@glipra.com
This Privacy Policy applies to the GLiPra mobile application (iOS and Android), our website at glipra.com, and any related services. It does not apply to third-party services we integrate with (Apple Health, Google Health Connect, Apple App Store, Google Play Store), which have their own privacy policies.
This Policy applies to users in the United States, including residents of California, Washington, Texas, and all other states. GLiPra is not intended for use by children under 13.
We process your personal information based on: performance of a contract (delivering the Service you signed up for); your consent (for sensitive health data — you may withdraw consent at any time); legitimate interests (security, fraud prevention, product analytics); and legal obligation (compliance with applicable law).
| Category | Examples | Sensitive? |
|---|---|---|
| Account information | Name, email address, password | No |
| Health profile | Height, starting weight, activity level, health goals | Yes |
| Medication data | GLP-1 medication type, dosage, injection schedule | Yes |
| Injection logs | Date, time, injection site, dose administered | Yes |
| Weight logs | Date, weight measurement | Yes |
| Symptom logs | Reported symptoms and severity | Yes |
| Meal data | Food items, meal photos, nutritional estimates | Yes |
| Notes | Free-text notes attached to logs | Yes |
| Category | Examples |
|---|---|
| Device information | Device model, OS version, app version |
| Usage data | Screens viewed, features used, crash logs |
| Analytics identifiers | Anonymous device identifier — not your name or email |
| Push notification tokens | Used to send reminders and alerts |
With your permission, we may read weight, step count, and active energy from Apple Health (iOS) or Google Health Connect (Android). We never write inferred data back to these services.
What we do not collect: payment card information (handled by Apple or Google directly), precise GPS location, or social media account data.
AI features: When you use meal-photo analysis, your photo is transmitted to our servers and processed via third-party AI. We do not use your photos to train AI models. Photos are deleted within 24 hours of analysis. AI prompts for coaching and guidance contain only anonymized context — never your name, email, or identifying information.
We do not sell your personal information. We do not share your information for third-party advertising or cross-context behavioral advertising.
We share data only with service providers (subprocessors) under written data processing agreements restricting their use to performing services for us:
| Subprocessor | Role | Health data? |
|---|---|---|
| Supabase | Database, auth, storage, edge functions | Yes — primary store |
| OpenAI | AI meal analysis and coaching (anonymized prompts only) | Anonymized only |
| RevenueCat | Subscription entitlement management | No |
| PostHog | Product analytics (anonymized events) | No |
| Sentry | Crash reporting (anonymized events) | No |
| Resend | Transactional email | No |
| Apple / Google | App distribution, payments, push notifications | Per their policies |
We may also disclose information when required by law, in connection with a business transfer (with advance notice), or with your explicit consent. See our full Subprocessor List for details.
| Category | Retention period |
|---|---|
| Health logs (weight, injections, meals, symptoms) | Duration of account + 30 days after deletion request |
| Meal photos | Deleted within 24 hours of AI analysis |
| Anonymized analytics | Up to 2 years in non-identifiable form |
| Crash logs | 90 days |
When you delete your account, we initiate deletion of your personal information within 30 days, subject to legal hold obligations.
No system is completely secure. In the event of a breach likely to result in high risk to your rights, we will notify you as required by applicable law.
If you are a Washington state resident, the Washington My Health My Data Act (WMHMD Act) applies to your weight measurements, medication data, injection records, symptom reports, and meal data.
We use this consumer health data solely to provide the Service to you. We do not sell consumer health data.
Your rights under the WMHMD Act:
To exercise these rights, email legal@glipra.com with subject "Washington Health Data Rights Request." We will respond within 45 days and may verify your identity before processing.
California residents have the right to: know what personal information we collect and how we use it; delete personal information; correct inaccurate information; opt out of sale or sharing (we do not sell or share for targeted advertising — no action needed); limit use of sensitive personal information (we use health data only to provide the Service); and non-discrimination for exercising these rights.
To submit a verifiable request, email legal@glipra.com. We will respond within 45 days.
Texas residents have the right to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data or use it for targeted advertising.
To exercise these rights, email legal@glipra.com. We will respond within 45 days. If we deny your request, you may appeal by emailing legal@glipra.com with "TDPSA Appeal" in the subject line. If your appeal is denied, you may contact the Texas Attorney General.
GLiPra is not directed to children under 13. We do not knowingly collect personal information from children under 13. Users aged 13–17 must have parental or guardian consent. If you believe your child under 13 has provided us with personal information, contact legal@glipra.com and we will delete it.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by in-app notification, email, or by updating the "Last updated" date. Continued use after the effective date constitutes acceptance.
For privacy inquiries or to exercise any rights described in this Policy:
We aim to respond to all privacy inquiries within 30 days.
Attorney review required before publication. Key areas: (1) Washington WMHMD Act — verify explicit consent flow and authorization mechanism; (2) CCPA/CPRA sensitive personal information handling; (3) COPPA — confirm no under-13 access; (4) AI subprocessor DPAs with OpenAI for health context; (5) Verify Supabase and all subprocessor DPA terms and data residency.