Privacy Policy

Principled is published by Parallel Works, LLC (Middletown, Maryland, USA). For any privacy request — access, correction, or deletion — contact privacy@parallelworks.ventures.

Principled requires an account to use the app. We use email one-time passcodes (OTP): you enter your email, we send a 6-digit code, you enter it. We do not use passwords, and we do not use social or third-party login.

• What we collect: your email address.
• Why: it is your identity across the phone app and the web app, and it is how your data syncs, backs up, and powers competitions you join. The account is the core of how the app works — sync, backup, competitions, and web access are all tied to it.
• Authentication is provided by Supabase (see §7).

With your permission, Principled reads health and fitness data from Apple Health (HealthKit) on iOS and Health Connect on Android, and writes the workouts you log back to those stores.

Categories we read (only the ones you choose to track or compete on — we request each permission at the moment you add that metric, not all upfront):

• Steps
• Active energy burned
• Exercise minutes
• Body mass (weight)
• Body fat percentage
• Resting heart rate
• VO₂ max
• Heart rate (to summarize logged workouts)
• Sleep analysis (duration)

Categories we write (workouts you log in the app):

• Workouts (exercise sessions)
• Heart rate samples for those workouts
• Active energy for those workouts

How we use it: to display your training history, light up your daily metric tiles, score competitions you opt into, and power the weight-loss trend and calorie-target features. We never use HealthKit or Health Connect data for advertising, marketing, or use-based data mining, and we never sell it or share it with data brokers. We do not use it to determine employment or insurance eligibility, and we never share it socially without your action.

Health data stays on your device and in your own cloud rows (see §6–§7). You can revoke health access at any time in Apple Health / Health Connect settings; the app keeps working without it.

When you log a meal, you may type it, snap or pick a photo, scan a barcode, or speak it. To estimate macros, the meal text or photo is sent to a third-party AI provider for processing (see §5). Barcode scans are looked up against public food databases. Camera, photo-library, microphone, and speech access are used only for meal logging and only when you start one.

Principled uses AI to estimate the macros of a meal from your description or photo, and to summarize data. To do this, the relevant meal text or photo (and, where used, health context) is sent to a third-party AI provider for processing, through our own secure server proxy.

• Provider: requests are routed via OpenRouter to Anthropic Claude Haiku (text) and Google Gemini Flash (photo). Our proxy sends a data_collection: "deny" instruction on every request, which directs the provider not to retain or train on your content.
• Consent: the app asks for your explicit permission before any meal or health data is sent to the AI provider, and tells you it is an estimate.
• What is NOT sent: your email/identity is not sent to the AI provider with the content; requests are authenticated server-side.
• Estimates are not medical advice. See the in-app disclaimer (§11).

Competitions are opt-in. If you create or join one, the following becomes visible to the other participants in that competition only:

• A display name you type (you choose it; it need not be your real name).
• Your score on the chosen metric (e.g., percent weight lost), and any stakes or competition title text you enter.

Competitions are joined by a 6-character pairing code you share with people you choose. You can leave a competition. We do not make competition data public or searchable. (You are responsible for the display name and text you enter — see our content rules in the app and §9.)

Your data syncs to Supabase (Postgres database and authentication), operated on our behalf as our cloud provider.

• Every row is protected by row-level security keyed to your account — you can only ever read or write your own data; other users cannot see it.
• Data is encrypted in transit (HTTPS/TLS) between your device and the cloud, and encrypted at rest by the cloud provider.
• The free web app lets you view your own data in a browser by signing in with the same email OTP. The web app is read-only and can only access your own rows.

• No advertising. No ads SDKs. No ad identifiers.
• No sale of your data, ever (no "sale" or "sharing" under CCPA/CPRA).
• No tracking across other companies' apps or websites.
• No use of health data for marketing, profiling, or data mining.
• We do not put personal information into analytics.

• Account and synced data: kept while your account is active. When you delete your account (§10), your account and all associated synced rows are deleted.
• AI request logs: we keep minimal, de-identified usage/cost metering (token counts and cost — no meal content) to operate the service.
• Inactivity: accounts inactive for an extended period may be deleted after notice.

You can delete your account and all associated data two ways:

1. 1In the app: Settings → Delete account. This permanently deletes your Supabase account and all of your synced rows (weights, workouts, meals, fasting windows, goals, competitions data, and stack entries). This cannot be undone.
2. 2On the web, if you've uninstalled the app: principled.parallelworks.ventures/delete-account lets you request deletion of your account and data by signing in with your email.

Deleting your account does not remove data you previously wrote to Apple Health or Health Connect — manage that in those apps directly.

Macro and calorie figures, trend weights, and any AI-generated output are estimates for general informational and fitness purposes only. They are not medical advice and are not a substitute for a qualified professional. Consult a healthcare professional before making medical, dietary, or training decisions. Do not use Principled to diagnose or treat any condition.

Principled is not directed to children under 13 and we do not knowingly collect data from anyone under 13. If you believe a child under 13 has created an account, contact privacy@parallelworks.ventures and we will delete it.

• Access, correction, deletion, portability: the app already gives you full visibility and export of your own data, and one-tap deletion (§10). For any additional request, email privacy@parallelworks.ventures.
• Legal bases (GDPR): performance of our agreement with you (providing the app), and your consent for health-data access and AI processing — which you can withdraw at any time.
• California (CCPA/CPRA): we do not sell or share your personal information, and we do not use sensitive personal information for purposes beyond providing the service. You have rights to know, delete, and correct.
• No automated decisions that produce legal or similarly significant effects are made about you.

Our AI providers and cloud infrastructure are US-based. If you use Principled from outside the US, your data is processed in the US under appropriate safeguards.

We will update this policy as the app evolves and post the new version here with a new "Last updated" date. Material changes will be surfaced in the app.