Intercept
Privacy Policy

Last updated: May 2026 (v1.2)

Note: Intercept is operated by an individual based in Brazil. This privacy policy follows Brazilian law (LGPD - Lei Geral de Proteção de Dados), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). The authoritative version of this document is in Portuguese (pt-BR). This English translation is provided for convenience only.

1. Introduction

Intercept ("we", "our" or "app") values the privacy of our users. This Privacy Policy describes how we collect, use, store and protect your personal information when you use our health and wellness application.

By using Intercept, you agree to the collection and use of information in accordance with this policy. This policy complies with applicable data protection regulations including the General Data Protection Regulation (GDPR), the Brazilian General Data Protection Law (LGPD — Lei nº 13.709/2018), and the California Consumer Privacy Act (CCPA).

2. Data We Collect

We collect the following types of data to provide and improve our services:

2.1 Health & Biometric Data

  • Food and nutrition records (manual entry, photo analysis, API lookups)
  • Body weight, body fat percentage, and body measurements
  • Hydration and caffeine intake data
  • Exercise and workout records (including via optional Apple Health, Google Health Connect, Withings, Strava, and Fitbit integrations)
  • Sleep patterns, heart rate, heart rate variability (HRV), resting heart rate, VO2Max and blood pressure (via health platform integrations and Withings)
  • Body composition data from Bluetooth-connected smart scales or Withings (weight, body fat, muscle mass, water percentage)
  • Food craving and impulse interception records (food, quantity, time, pause duration and outcome)
  • Meal and label photos uploaded for AI recognition — processed in real time by Claude Vision and DISCARDED immediately after analysis. No photo is stored on our servers or used to train AI models. Only the analysis result (text/macros) is kept in your nutrition history
  • Eating disorder risk flag (edSafetyFlag), generated from optional onboarding responses. When active, it automatically disables calorie tracking and proactive coaching. This flag is sensitive data and is kept encrypted until account deletion

2.2 Behavioral & Emotional Data (Sensitive)

  • Emotional states during food impulses, selected from 6 fixed categories: stress, boredom, anxiety, sadness, fatigue and loneliness (no free-text field for emotion, reducing PII collection)
  • Impulse intensity levels and outcomes (resisted or yielded)
  • Behavioral trigger patterns (time of day, day of week, emotional context)
  • Success and failure history for impulse interception
  • Daily commitments and post-failure reflections (user-written text in the 4-stage Post-Failure Check-In, including identified pattern, detected triggers and strategies for next time)
  • Coach feedback ratings (thumbs up/down)

This data is classified as sensitive personal data under GDPR Article 9 and LGPD Article 11. We process it only with your explicit consent.

2.3 Usage Data

  • App interactions and feature usage history
  • Preferences and settings
  • Progress statistics and gamification data (streaks, points, levels, achievements)
  • Session duration and engagement patterns

2.4 Weekly AI Coach Memory (Ember)

With your explicit dual-layer consent (local preference "AI_MEMORY" + mandatory X-Ai-Memory-Consent HTTP header on every call), the Ember coach keeps a weekly aggregated memory to make conversations contextual across devices. This summary contains:

  • Aggregated count of weekly wins and slips
  • Dominant emotion (among 6 fixed categories: stress, boredom, anxiety, sadness, fatigue, loneliness)
  • Canonicalized risk period (morning/afternoon/evening/night) — no exact timestamps
  • Auto-generated short narrative, sanitized to remove personal identifiers (PII)

Ember’s memory is stored encrypted on Cloudflare KV (key SHARED_CACHE:ai_memory_v1:{deviceId}) for up to 90 days (automatic TTL). You may revoke consent and erase the memory at any time in Settings > Privacy. After revocation, Ember operates again without historical context.

2.5 Technical Data

  • Device type, model, and operating system version
  • Unique device identifier (used for authentication, stored securely)
  • Error and crash logs (via Sentry, with your consent)
  • App version and platform (iOS/Android)

3. How We Use Your Data

  • Provide personalized app features and AI-powered coaching
  • Generate health insights, behavioral pattern analysis, and recommendations
  • Sync data between devices and maintain your progress history
  • Improve user experience through anonymized analytics (with your consent)
  • Send relevant notifications (with your permission)
  • Perform aggregated and anonymous analysis for service improvement

3-A. Legal Basis for Processing

We process your data under the following legal bases, as required by GDPR Article 6, LGPD Article 7, and CCPA:

  • Contractual necessity (GDPR Art. 6(1)(b) / LGPD Art. 7(V)): Core app functionality — food logging, progress tracking, streak management, data synchronization, and subscription management. This processing is necessary to deliver the Service you have contracted.
  • Explicit consent (GDPR Art. 6(1)(a) + Art. 9(2)(a) / LGPD Art. 11(I)): Health and biometric data, emotional/behavioral data, Apple Health/Google Health Connect integration, Withings/Strava/Fitbit integration, Bluetooth smart scale data, AI coaching personalization, Ember weekly memory (DUAL-layer consent: local preference + X-Ai-Memory-Consent HTTP header), food photo recognition via Claude Vision and analytics/crash reporting (Mixpanel, Sentry). You may withdraw consent at any time via Settings > Privacy.
  • Legitimate interest (GDPR Art. 6(1)(f) / LGPD Art. 7(IX)): Fraud prevention, service security, rate limiting, and essential technical logging. We have conducted a Legitimate Interest Assessment (LIA) confirming these interests do not override your fundamental rights.
  • Legal obligation (GDPR Art. 6(1)(c) / LGPD Art. 7(II)): Retention of financial transaction records as required by tax and consumer protection laws.

Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal. After withdrawal, we will cease processing the relevant data categories, though core app functionality requiring contractual processing will continue.

4. Storage and Security

Your data is stored securely:

  • Sensitive data is encrypted using AES-256
  • Secure communication via HTTPS/TLS 1.3
  • Local storage protected by Keychain (iOS) and Keystore (Android)
  • Encrypted backups on secure servers
  • Certificate pinning to prevent MITM attacks

We keep your data for as long as necessary to provide services or as required by law. You can request deletion at any time.

5. Data Sharing

We do not sell your personal data. We may share data only:

  • With essential service providers (e.g., cloud hosting)
  • When required by law or court order
  • With your explicit consent
  • In aggregated and anonymous form for research

6. Your Rights

Under data protection regulations, you have the following rights:

  • Access: Request a copy of all your data
  • Correction: Correct incorrect or outdated data
  • Deletion: Request deletion of your data
  • Portability: Receive your data in structured format
  • Revocation: Withdraw consent at any time
  • Information: Know who we share your data with
  • Objection: Object to data processing

7. Third-Party Integrations & Data Processors

Intercept integrates with the following third-party services. All integrations (except essential infrastructure) are optional and require your explicit consent:

7.1 Health Platforms

  • Apple Health (HealthKit) — Read/write health, workout, sleep, heart rate, and dietary data. Data stays on-device; processed locally.
  • Google Health Connect — Read/write activity, sleep, and body metrics on Android. Data stays on-device; processed locally.
  • Withings (OAuth 2.0) — Read weight, body fat, lean mass, heart rate, blood pressure and body temperature. OAuth tokens stored in device secure storage; client secret handled server-side only.
  • Strava (OAuth 2.0) — Sync workout activities, distance, elevation, duration. OAuth tokens stored securely; client secret handled server-side only.
  • Fitbit (OAuth 2.0 PKCE) — Sync activities, sleep, steps, weight, heart rate. Tokens stored in device secure storage.
  • Bluetooth Smart Scales (BLE) — Receive weight and body composition data. Connection is local device-to-device only; data is not transmitted to any third party.

7.2 Data Processors

We use the following service providers to operate the Service. Data Processing Agreements (DPAs) are in place with each processor as required by GDPR Article 28 and LGPD Article 39:

Cloudflare, Inc. (USA) — API hosting, CDN, and database (D1/KV). Processes: device ID, synced user data, API requests. Transfer mechanism: EU Standard Contractual Clauses (SCCs, 2021 version).

RevenueCat, Inc. (USA) — Subscription and in-app purchase management. Processes: user ID, product IDs, purchase tokens, entitlement status. Transfer mechanism: EU SCCs + DPA.

Anthropic, PBC (USA) — AI coaching via Claude API (Sonnet and Haiku) and food recognition via Claude Vision; always proxied through our backend, with no direct client-to-Anthropic connection. Processes: anonymized user context for coaching responses and meal/label images for analysis (discarded immediately after the response). Anthropic does not train its models on API data by default. Transfer mechanism: EU SCCs + DPA.

Sentry (Functional Software, Inc., USA) — Error tracking and crash reporting (consent-required). Processes: stack traces, device info, breadcrumbs. No PII logged. Transfer mechanism: EU SCCs. Data residency: configurable.

Mixpanel, Inc. (USA) — Analytics (consent-required). Processes: anonymized event data, feature usage. EU data residency endpoint used (api-eu.mixpanel.com). Transfer mechanism: EU SCCs + EU data hosting.

FatSecret Platform API (Australia) — Food database searches. Processes: search query strings only (no user identifiers). Requests proxied through backend.

Nutritionix API (USA) — Food database searches. Processes: search query strings only (no user identifiers). Requests proxied through backend.

OpenAI / OpenRouter (USA) — Fallback AI provider (used only if the primary provider is unavailable). Processes: same scope as Anthropic, always via backend proxy and never via direct client-to-AI connection. Transfer mechanism: EU SCCs.

Withings SAS (France) — Optional integration via OAuth 2.0 to read weight, body composition and cardiovascular metrics. Processes: health data under your consent. Transfer mechanism: EU-based data controller (no international transfer required for EU users) + SCCs for other jurisdictions.

You can disable any optional integration at any time via Settings > Integrations or Settings > Privacy. Disabling will immediately stop data sharing with that service.

8. Minors

Intercept is not intended for anyone under 18 years of age. We enforce age verification before granting access to the Service. We do not knowingly collect data from minors. If you are a parent/guardian and believe your child has provided us with personal data, please contact us immediately at [email protected]. See also Section 17 (Age Requirements by Jurisdiction) for jurisdiction-specific rules.

9. Changes to This Policy

We may update this policy periodically. We will notify you of significant changes through the app or by email. We recommend reviewing this policy regularly.

10. Contact

To exercise your rights or ask questions about privacy:

Privacy: [email protected]

Data Protection Officer (DPO): [email protected]

11. International Data Transfer

Your data may be processed on servers located outside your country of residence. We ensure such transfers are protected by:

  • European Commission Standard Contractual Clauses
  • Adequacy certifications (where applicable)
  • Appropriate technical and organizational measures in compliance with GDPR and applicable laws

Infrastructure providers and their specific transfer safeguards:

Cloudflare, Inc. (USA) — API hosting and CDN. Transfer: EU SCCs (2021 version) + Cloudflare DPA.

RevenueCat, Inc. (USA) — Subscription management. Transfer: EU SCCs + RevenueCat DPA.

Anthropic, PBC (USA) — AI coaching provider. Transfer: EU SCCs + Anthropic DPA. Data proxied through backend; no direct client-to-Anthropic connection.

Sentry / Functional Software, Inc. (USA) — Error monitoring (consent-required). Transfer: EU SCCs + Sentry DPA.

Mixpanel, Inc. (USA) — Analytics (consent-required). Transfer: EU SCCs + EU data residency (api-eu.mixpanel.com).

FatSecret (Australia) — Food database API. Transfer: Adequacy determination (where applicable) + contractual safeguards.

Nutritionix (USA) — Food database API. Transfer: EU SCCs + contractual safeguards.

Withings SAS (France) — Health integration via OAuth 2.0. Transfer: EU-based data controller (no international transfer for EU/UK users) + SCCs for users outside those countries.

All transfers use the European Commission’s 2021 Standard Contractual Clauses (SCCs) as the primary transfer mechanism, supplemented by technical measures including encryption in transit (TLS 1.3), encryption at rest (AES-256), and access controls. We regularly assess the legal framework in recipient countries and implement supplementary measures where necessary, in accordance with the Schrems II ruling.

12. Data Retention Periods

We retain your data for the following specific periods, in accordance with the data minimization principle (GDPR Art. 5(1)(e) / LGPD Art. 16):

  • Account data: While account is active + 30 days after deletion request
  • Health and behavioral data: Retained for the entire period the account is active. After deletion request, data is permanently removed within 30 days (see deletion steps below).
  • Financial transaction records: As required by applicable tax and consumer protection laws (typically 5 years)
  • Technical and error logs: 90 days
  • Analytics data: 2 years (anonymized after 6 months; raw identifiers deleted after 6 months)

Upon account deletion request:

  1. Immediate logical deletion (data no longer accessible to you or our systems)
  2. Physical deletion from primary databases within 7 days
  3. Physical deletion from backups within 30 days
  4. Anonymized, non-reversible aggregated data may be retained for statistical analysis

12-A. Records of Processing Activities (ROPA)

In compliance with GDPR Article 30 and LGPD Article 37, we maintain detailed Records of Processing Activities (ROPA) documenting all categories of data processing, their purposes, legal bases, retention periods, and security measures. This register is available for inspection by data protection authorities upon request.

13. Automated Decision-Making

The Service uses automated processing, including artificial intelligence and machine learning, in the following ways:

  • AI Coaching (Ember): Personalized motivational messages, behavioral insights and multi-turn dialogue generated by AI (Anthropic Claude Sonnet and Haiku; OpenAI/OpenRouter as fallback). With your explicit dual-layer consent, Ember uses an aggregated weekly memory (see Section 2.4) to contextualize responses. These outputs are informational and motivational only — they do not produce legal effects or similarly significant effects on you. A multi-armed bandit (Thompson sampling) decides which coach style (Direct, Empathetic, Analytic) tends to work best for you; you can lock a manual choice.
  • Food Recognition and Nutritional Analysis: Plate and label recognition via vision AI (Claude Vision), multi-item Plate Scanner and text-description analysis via structured tool-use to estimate calorie and macro content. Photos are DISCARDED immediately after analysis — only the text result is kept. These are approximate estimates, not medical assessments.
  • Crisis Detection: Automated keyword screening (self-harm, suicidal ideation, prolonged fasting, purging) executed BEFORE any AI call. When detected, the request is blocked (HTTP 409), no prompt is sent to the LLM, and the app displays local support resources (CVV in Brazil, NEDA in the US). Only an SHA-256 hash of the input is logged for audit purposes, without storing the original content.
  • Wellbeing Screening (ED Safety Gate): Optional onboarding assessment that may trigger the edSafetyFlag. When active, the app automatically DISABLES calorie tracking, proactive coaching and the use of Ember memory in prompts. You can review and revoke this flag in Settings > Wellbeing.
  • Behavioral Pattern Detection: Local machine learning (MiniNN, running on your device only) analyzes your impulse patterns, trigger correlations, and engagement signals to personalize your experience.
  • Coaching Tier System: Automated content gating based on data sufficiency (e.g., cards are only shown when enough food log entries exist). This ensures relevant, non-misleading content.
  • Engagement Intelligence: Analysis of session patterns and feature usage to optimize the user experience and detect potential churn risk.

Your rights regarding automated processing:

  • You have the right to obtain meaningful information about the logic involved in any automated processing
  • You have the right to request human review of any automated decision that significantly affects you
  • You have the right to express your point of view and contest any automated decision
  • No automated decision in this Service produces legal effects or similarly significant effects — all outputs are informational and motivational

We do not use automated decision-making for profiling that produces legal effects. Engagement and propensity scores are used solely for internal product improvement and are never shared with third parties or used to deny service.

14. Data Breach Notification

In the event of a security breach affecting your personal data, we will notify:

  • You, within 72 hours of identifying the incident
  • Relevant data protection authorities as required by law (GDPR, CCPA, LGPD)
  • Other competent authorities, where applicable

We will take immediate steps to mitigate the effects of the breach and prevent recurrence.

15. CCPA Rights (California Residents)

If you are a California resident, you have the following additional rights under the CCPA and CPRA:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do NOT sell your personal information to third parties. We do NOT share your personal information for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You may limit our use of your sensitive personal information (health, emotional data) to what is necessary to provide the Service.

DO NOT SELL OR SHARE MY PERSONAL INFORMATION

Intercept does not sell or share personal information as defined under the CCPA/CPRA. No opt-out action is required, but you may contact us at [email protected] for confirmation.

To exercise your CCPA rights, contact us at [email protected] or use the in-app data export and deletion features (Settings > Data Management).

16. Cookies, SDKs, and Tracking Technologies

As a mobile application, Intercept does not use browser cookies. However, we use the following tracking technologies:

  • Analytics SDKs (Mixpanel): Collects anonymized event data and feature usage. Requires your opt-in consent. Can be disabled in Settings > Privacy.
  • Error Tracking SDKs (Sentry): Collects crash reports and performance data. Requires your opt-in consent. Can be disabled in Settings > Privacy.
  • Device Identifier: A unique device ID generated on first launch, stored securely in your device’s Keychain (iOS) or Keystore (Android). Used for authentication and data synchronization.
  • AsyncStorage: Local encrypted storage used to persist your app state, preferences, and cached data on your device.
  • Secure Storage (expo-secure-store): Used to store sensitive tokens (OAuth, API keys) with hardware-backed encryption.

You have full control over optional tracking. Essential tracking (device ID, local storage) is required for the Service to function. All optional tracking (analytics, error reporting) can be disabled at any time via Settings > Privacy, and we honor your choice immediately.

17. Age Requirements by Jurisdiction

Intercept is intended for users aged 18 and older. We enforce age verification before allowing access to the Service. The following jurisdiction-specific rules apply:

  • European Union (GDPR Art. 8): Minimum age for data processing consent is 16 years (or lower as set by member states, minimum 13). Intercept sets a stricter requirement of 18+ due to the sensitive nature of health and behavioral data.
  • Brazil (LGPD Art. 14): Processing of children’s data (under 12) requires specific and prominent parental consent. Adolescents (12-17) may consent with parental awareness. Intercept sets a stricter requirement of 18+.
  • United States (COPPA): Children under 13 require verifiable parental consent. Intercept sets a stricter requirement of 18+.
  • California (CCPA/CPRA): Additional protections for consumers under 16. Intercept sets a stricter requirement of 18+.

If we discover that a user under 18 has accessed the Service, we will promptly delete all associated data and terminate access. Parents or guardians who believe their minor has used the Service should contact us immediately at [email protected].

18. Version History

This policy is versioned for transparency. Material changes are communicated through the app and, where required, by email.

  • v1.0 — January 2026: initial publication.
  • v1.1 — March 2026: expansion with CCPA rights, comprehensive processor disclosure, legal basis for processing, automated decision-making, ROPA, and tracking technologies.
  • v1.2 — May 2026: added Section 2.4 (Weekly AI Coach Memory "Ember") with dual-layer consent and 90-day TTL on Cloudflare KV; clarified the ephemeral photo flow for Claude Vision (Plate Scanner and Photo Food); added Withings integration to the health platforms, processors and international transfers lists; added Crisis Detection and Wellbeing Screening (ED Safety Gate) to automated decision-making; refined collected emotions to 6 fixed categories; mentioned 4-stage Post-Failure Check-In; mentioned OpenAI/OpenRouter as fallback AI provider.