Privacy Policy

Last updated: May 5, 2026

Lyph ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share information when you use the Lyph mobile application ("App") and related services.

By using Lyph, you agree to the practices described in this policy. If you do not agree, please do not use the App.

1. Information We Collect

Account Information: When you create an account, we collect your email address, display name, and authentication credentials. If you sign in with Apple, we receive the information you authorize Apple to share (typically name and email).

User-Generated Data: Lyph allows you to log and track various aspects of your daily life. This includes:

• Workout and exercise data (type, duration, notes)
• Nutrition data (meals, calories, macronutrients)
• Mood and emotional check-in data
• Habit tracking data (streaks, completions)
• Goals and milestones
• Focus session data (Pomodoro timer usage)
• Guided reflection entries
• Daily scores and achievement data

Apple Health (HealthKit) Data: If you choose to connect Apple Health, Lyph may read health data categories you explicitly authorize, such as step count, active energy burned, and workout data. HealthKit data is used solely to display information within the App and to contribute to your daily score. We do not sell, share, or use HealthKit data for advertising, marketing, or data-mining purposes. HealthKit data is not shared with any third party, including our AI coaching provider.

Device and Usage Information: We collect basic device information (device type, OS version, app version) and anonymous crash diagnostics via Sentry to improve app stability. We do not collect your IP address for tracking purposes.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the App and its features
• Display your personal dashboard, daily score, insights, and progress
• Power AI coaching features (see Section 4)
• Generate weekly reviews and monthly recaps
• Send notifications you have opted into (reminders, nudges, habit alerts)
• Respond to support requests and bug reports
• Detect and prevent abuse or unauthorized use

We do not sell your personal data. We do not use your data for advertising. We do not build profiles for third-party marketing.

3. Data Storage and Security

Your data is stored in Supabase, a managed PostgreSQL database service, using row-level security (RLS) to ensure that your data is completely isolated from other users. All data is encrypted in transit (TLS) and at rest.

Authentication is handled through Supabase Auth with support for email/password and Apple Sign In. Passwords are never stored in plaintext.

Some data is cached locally on your device using AsyncStorage for offline access. This data remains on your device and is cleared when you sign out or delete your account.

While we implement commercially reasonable security measures, no system is 100% secure. We cannot guarantee absolute security of your data.

4. AI Coaching and Third-Party AI Services

Lyph's AI coach uses OpenAI's API (GPT-4o-mini) to provide personalized insights and recommendations based on your tracked data. When you interact with the AI coach:

• Relevant context from your tracked data (workouts, nutrition, mood, habits, goals) is sent to OpenAI's API to generate responses
• HealthKit data is not sent to OpenAI
• OpenAI does not use data submitted via their API to train their models (per their API data usage policy)
• OpenAI may retain API inputs/outputs for up to 30 days for abuse monitoring, after which they are deleted
• We do not send your email, password, or account credentials to OpenAI
• AI coaching is subject to usage limits (currently 50 coach messages and 20 insight calls per day)

AI-generated content is for informational and motivational purposes only and is not a substitute for professional medical, psychological, or fitness advice.

For more information, see OpenAI's API Data Usage Policy.

5. Third-Party Services

We use the following third-party services to operate the App:

• Supabase: Database hosting, authentication, and backend services (Privacy Policy)
• OpenAI: AI coaching and insight generation (API Data Policy)
• Sentry: Crash diagnostics and error reporting (Privacy Policy)
• Apple Sign In: Optional authentication provider
• Expo / EAS: App build and update distribution

Each third-party service has its own privacy policy. We encourage you to review them.

6. Data Sharing

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

• With third-party services listed above, as necessary to operate the App
• If required by law, regulation, legal process, or enforceable governmental request
• To protect the rights, property, or safety of Lyph, our users, or the public
• In connection with a merger, acquisition, or sale of assets (you will be notified)

7. Your Rights and Choices

Access: You can view all your data within the App at any time through the dashboard, history, and analytics screens.

Deletion: You can delete your account and all associated data at any time from the You tab in the App. Account deletion is permanent and immediate. Once deleted, your data cannot be recovered.

Apple Health: You can revoke Lyph's access to HealthKit at any time through your device's Settings > Privacy & Security > Health.

Notifications: You can manage or disable all notifications through your device settings or the App's settings screen.

Canadian Residents (PIPEDA): Canadian residents have the right to access, correct, and request deletion of their personal information. We process data in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). To exercise your rights, contact us at the email below.

California Residents (CCPA): California residents have the right to know what personal information we collect, request deletion of personal information, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at the email below.

European Residents (GDPR): If you are located in the European Economic Area, you have the right to access, correct, delete, or port your personal data, and to object to or restrict certain processing. Our legal basis for processing is your consent (which you can withdraw at any time) and our legitimate interest in providing the service. Contact us to exercise these rights.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account, all associated data is permanently deleted immediately. We do not retain backups of deleted user accounts beyond standard database backup windows (up to 7 days), after which all data is purged.

9. Children's Privacy

Lyph is not intended for children under the age of 13 (or 16 in jurisdictions where applicable). We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information. If you believe a child under 13 has provided us with personal data, please contact us immediately.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App or on our website, with an updated "Last updated" date. Your continued use of the App after changes constitutes acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy or your data, contact us at:

Email: support@lyph.app