
Privacy Policy

Last updated: March 11, 2026

Your health data is yours. Elaya processes your data solely to provide the Service. We do not sell personal data, share it with advertisers, or use it for any purpose beyond what is described in this Policy. Blood test documents are processed using AI with PII anonymization. All data is encrypted at rest and in transit.

1. Overview & Data Controller

This Privacy Policy explains how Elaya Health Inc. ("Elaya," "we," "us," or "our") collects, uses, stores, and protects your personal data when you use the Elaya website, mobile application, and related services (collectively, the "Service"). It applies to all users worldwide, with additional protections for users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with specific privacy requirements.

Data Controller: Elaya Health Inc. is the data controller responsible for your personal data. Contact details are provided in Section 14.

Special Category Data: Blood test results and health information are classified as special category (sensitive) personal data under GDPR Article 9. We process this data only with your explicit consent, which you provide when you upload blood test documents or enter health information into the Service.

2. Data We Collect

2.1 Information You Provide Directly

| Category | Data Points |
| --- | --- |
| Account | Email address, password (hashed), account creation date. |
| Health Quiz | Gender, age, height, weight, primary health goals (e.g., weight loss, energy), dietary preferences and restrictions, food allergies and intolerances, exercise habits, and lifestyle factors. |
| Blood Test Documents | PDF files of laboratory reports you choose to upload. We extract biomarker names, values, units, and reference ranges from these documents. |
| Biomarker Data | Parsed values from blood tests, including (but not limited to) CBC, metabolic panel, lipid panel, thyroid markers, vitamins, minerals, and hormones. |
| Health Plans | Meal plans, workout plans, supplement recommendations, and AI-generated insights generated by the Service. |
| Progress Data | Weekly check-in responses, body weight logs, adherence records, energy scores, and other self-reported progress metrics. |
| Chat History | Messages you send to the AI health assistant and responses received. |
| Payment Info | Subscription plan selection, billing country, and transaction records. Full card numbers are never stored by Elaya — payment processing is handled by Solidgate. |

2.2 Information Collected Automatically

  • IP address and approximate geographic location (country/city level).
  • Device type, operating system, and browser.
  • Pages viewed, features used, and navigation patterns within the Service.
  • Session timestamps, referral sources, and interaction events (e.g., button clicks).
  • Error logs and diagnostic information to improve the Service.

2.3 Information We Do NOT Collect

  • Full credit or debit card numbers (handled exclusively by Solidgate).
  • Government-issued identification numbers.
  • Medical records from healthcare providers.
  • Social Security Numbers or national identification numbers.
  • Data from children under 18.

3. How We Use Your Data

We use your data for the following purposes:

Service Delivery: To provide personalized meal plans, workout recommendations, supplement suggestions, and AI-powered health insights based on your quiz responses and blood test data.

AI Processing: Blood test documents and biomarker data are processed by AI (powered by Anthropic Claude API) to extract nutritionally relevant information. Before transmission to the AI, documents are processed to remove or anonymize personally identifiable information (PII) such as name, address, and date of birth.

Account Management: To create and manage your account, authenticate your identity, and communicate with you about your account.

Subscription & Billing: To process subscription payments, manage billing cycles, send invoices and receipts, and handle refund requests.

Service Improvement: To analyze usage patterns, identify bugs, improve the accuracy of AI recommendations, and develop new features. Aggregate and anonymized data may be used for research purposes.

Communications: To send transactional emails (account creation, password reset, subscription confirmations), product updates, and — with your consent — marketing communications about new features.

Legal & Safety: To comply with legal obligations, enforce our Terms of Service, prevent fraud, and protect the safety of our users and the public.

We do not sell, rent, or share your personal data with advertisers or data brokers. We do not use your health data for advertising targeting.

5. Third-Party Sub-processors

Elaya uses the following third-party service providers to operate the Service. All sub-processors are bound by data processing agreements (DPAs) that require them to protect your data in accordance with applicable privacy law.

Anthropic (Claude API): AI Processing
📍 United States

Powers the AI analysis of quiz data and (anonymized) blood test information to generate personalized wellness plans and respond to health assistant queries.

Data handling: Anthropic processes data as a data processor under a DPA. Blood test documents are anonymized prior to transmission — personally identifiable information (name, date of birth, address, patient ID) is stripped before being sent to the API. Anthropic does not use your data to train its models under our enterprise agreement.

Supabase: Database & Storage
📍 European Union (primary)

Hosts the Elaya database, including user accounts, quiz responses, biomarker data, health plans, progress logs, and uploaded blood test documents.

Data handling: Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Row-Level Security (RLS) policies ensure each user can only access their own data. Supabase operates within SOC 2 Type II certified infrastructure.

Solidgate: Payment Processing
📍 European Union

Processes subscription payments, manages billing, and handles card transactions. Elaya never receives or stores full card numbers.

Data handling: Solidgate is PCI DSS 4.0 certified. Payment data is handled exclusively within Solidgate's systems. We receive only transaction status, masked card details, and subscription metadata.

PostHog: Product Analytics
📍 European Union (EU Cloud)

Collects anonymized usage analytics to help us understand how users interact with the Service, identify friction points, and improve the product.

Data handling: Analytics are collected only after you accept the cookie consent banner. IP addresses are anonymized. No health data or blood test content is sent to PostHog. You can opt out at any time via the cookie preferences in Settings.

Vercel: Application Hosting & CDN
📍 United States / Global CDN

Hosts the Elaya web application and serves content globally via CDN.

Data handling: Vercel processes request logs (IP address, URL, response codes) for infrastructure security and performance monitoring. Logs are retained for a limited period.


6. International Data Transfers

Your data is primarily stored in the European Union (Supabase EU region). However, some sub-processors, including Anthropic (AI processing) and Vercel (hosting), operate in the United States.

For transfers of personal data from the EEA to the United States or other non-adequate countries, we rely on:

  • Standard Contractual Clauses (SCCs) — the EU Commission-approved contractual safeguards incorporated into our DPAs with all US-based sub-processors.
  • Data minimization — blood test documents are anonymized before being sent to the Anthropic API, reducing the amount of personal data transferred internationally.

You may request a copy of the relevant transfer mechanisms by contacting us at privacy@elaya.app.

7. Data Retention

| Data Type | Retention Period |
| --- | --- |
| Account & profile data | While your account is active + 90 days after account deletion. |
| Blood test PDFs | While your account is active + 90 days after deletion. You may delete uploaded documents at any time from your account. |
| Biomarker data | While your account is active + 90 days after deletion. |
| Health plans & progress | While your account is active + 90 days after deletion. |
| Chat history | While your account is active + 90 days after deletion. |
| Payment records | 7 years for tax and legal compliance purposes (financial records obligation). |
| Analytics data | Anonymized analytics data retained for up to 24 months for product improvement. |
| Backup data | Encrypted backups may persist for up to 30 additional days after the primary deletion. |

When you request account deletion, your personal data is permanently deleted from our active systems within 30 days of the request. You can initiate deletion from Settings → Account → Delete My Data or by contacting us.

8. Security

We implement technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. Our security measures include:

  • 🔒 Encryption at rest: All data stored in Supabase is encrypted using AES-256.
  • 🔐 Encryption in transit: All communications between your device and our servers use TLS 1.3.
  • 🛡️ Row-Level Security (RLS): Database policies ensure each user can only read and write their own data.
  • 🔑 Password hashing: Passwords are hashed using bcrypt and never stored in plain text.
  • 📄 PDF anonymization: Blood test documents have PII removed before AI processing.
  • 💳 PCI DSS compliance: Payment data is handled by Solidgate (PCI DSS 4.0 certified). We never receive full card numbers.
  • 🔍 Access controls: Employee access to production data is restricted by role and requires multi-factor authentication.
  • 📊 Security monitoring: We monitor for anomalous access patterns and potential security incidents.

Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately at security@elaya.app. To report a security vulnerability, please disclose it responsibly to the same address.

9. Your Rights (GDPR / EU Users)

If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights regarding your personal data under GDPR. Many of these rights can be exercised directly in your account settings:

Right of Access
Art. 15 (Settings → Export Data)

Request a copy of all personal data we hold about you. Available in Settings → Privacy → Export My Data, or by contacting us.

Right to Rectification
Art. 16 (Settings → Profile)

Correct inaccurate or incomplete personal data. Most profile data can be updated directly in your account settings.

Right to Erasure ("Right to be Forgotten")
Art. 17 (Settings → Delete My Data)

Request deletion of your personal data. Deletion is completed within 30 days. Note: some data may be retained for legal obligations (e.g., tax records).

Right to Data Portability
Art. 20 (Settings → Export My Data)

Receive your personal data in a structured, machine-readable format (JSON) that you can transfer to another service.

Right to Restrict Processing
Art. 18 (Contact us)

Request that we temporarily restrict processing of your data while a complaint or correction is pending.

Right to Object
Art. 21 (Settings → Cookie Preferences)

Object to processing based on legitimate interests (e.g., analytics). You can opt out of non-essential analytics via cookie settings.

Right to Withdraw Consent
Art. 7(3) (Settings → Privacy)

Withdraw consent for processing at any time without affecting prior lawful processing. Withdrawal of consent for health data processing will prevent AI plan generation.

Right to Lodge a Complaint
Art. 77 (Your national DPA)

Lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or your national DPA in the EU) if you believe your rights have been violated.

To exercise your rights, contact us at privacy@elaya.app. We will respond within 30 days. We may request identity verification before fulfilling your request.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to know what personal information is collected, used, shared, or sold.
  • Right to delete personal information we have collected from you.
  • Right to opt-out of the sale or sharing of personal information. (Elaya does not sell personal information.)
  • Right to non-discrimination for exercising your privacy rights.
  • Right to correct inaccurate personal information.
  • Right to limit the use of sensitive personal information.

In the past 12 months, Elaya has not sold or shared California residents' personal information with third parties for cross-context behavioral advertising. To exercise your California rights, contact privacy@elaya.app.

11. Cookies & Analytics

11.1 Essential Cookies

We use strictly necessary cookies to operate the Service, including authentication session tokens and security cookies. These cannot be disabled as they are essential for the Service to function.

11.2 Analytics Cookies (PostHog)

With your consent, we use PostHog to collect anonymized product analytics. PostHog cookies help us understand how users navigate the app, which features are used, and where users encounter friction. PostHog is configured with:

  • IP anonymization enabled — we never store your full IP address.
  • No cross-site tracking.
  • EU-region data storage (PostHog EU Cloud).
  • Data not shared with advertising networks.

Cookie consent: Analytics tracking is activated only after you accept the cookie consent banner displayed on first visit. You can update your cookie preferences at any time in Settings → Cookie Preferences or by clicking the cookie icon in the app footer.

11.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies will prevent you from using the Service. Disabling analytics cookies will not affect your ability to use the Service but will reduce our ability to improve it.

12. Children's Privacy

The Service is not directed to, and we do not knowingly collect personal data from, individuals under the age of 18. Users must be at least 18 years old to create an account or use the Service, as stated in our Terms of Service.

If we become aware that we have inadvertently collected personal data from a person under 18, we will delete that data as promptly as possible. If you believe a minor has created an account or provided data to us, please contact us immediately at privacy@elaya.app.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page.
  • Send an email notification to your registered email address at least 30 days before material changes take effect.
  • Display a prominent notice within the Service.

For processing of special category health data (blood test results), any material change in how we use that data will require fresh explicit consent from you before the change takes effect.

Your continued use of the Service after a policy update constitutes acceptance of the revised policy, except where re-consent is required.

14. Contact & Data Protection

For any privacy-related questions, requests to exercise your rights, or to report a privacy concern, please contact us:

Elaya Health Inc.

Privacy inquiries: privacy@elaya.app

General support: support@elaya.app

Security issues: security@elaya.app

Website: elaya.app

We aim to respond to all privacy requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority:

  • EU: Your national data protection authority (find yours at edpb.europa.eu).
  • UK: Information Commissioner's Office (ICO) at ico.org.uk.
  • USA (California): California Attorney General at oag.ca.gov/privacy.