Terms of Use, Medical Disclaimer, and Privacy Notice
1. What MyMetabolism Is (and Isn't)
- Educational only. Not medical advice. MyMetabolism provides education and self-tracking tools for metabolic health (e.g., GKI logging, nutrition logging and AI vision assist, recipes, habit "quests," chat/diary). MyMetabolism does not diagnose, treat, or replace your clinician.
- No emergency or crisis care. If you feel unwell or in danger, call your local emergency number (e.g., 911 in the US) or contact your clinician immediately.
- Adults only. You must be 18+ to use MyMetabolism.
- Current status: v1 is not HIPAA-compliant (no Business Associate Agreements). Do not submit information you consider PHI unless you accept the risks described here.
- Regulatory status: MyMetabolism is not a regulated medical device. If our features ever require regulation (e.g., FDA/TGA/CE), we will seek appropriate authorization before release.
2. Key Definitions
- Personal Data: Any information that identifies or can reasonably identify an individual.
- Health Data / Sensitive Data: Data revealing health information (e.g., glucose/ketone readings, diary notes about symptoms).
- Processing: Any operation performed on personal data (collection, storage, analysis, sharing, deletion).
- Controller: MyMetabolism, determining purposes/means of processing.
3. Data We Collect (and Why)
| Category | Examples | Purpose | Legal Basis (GDPR) |
|---|---|---|---|
| Account | Name (optional), email, password hash, age-gate result, SSO identifiers | Account creation, auth, security | Contract (Art. 6(1)(b)); Legitimate interests for security (Art. 6(1)(f)) |
| Profile | Height, weight, gender, timezone, unit preferences, device ownership flag | Personalization of UI, calculations | Consent (Art. 6(1)(a)) |
| Health/Wellness Inputs | GKI (glucose/ketones), nutrition logs, diary/chat text, quest progress, pillar ratings | Education features, progress tracking, in-app insights | Explicit consent for health data (Art. 9(2)(a)) |
| Product Telemetry | Feature usage, session activity, error logs, performance metrics | Reliability, safety messaging, improve UX | Consent (non-essential analytics) or Legitimate interests for strictly necessary telemetry |
| Communications | Support emails, feedback, product updates (opt-in) | Respond to you; service updates | Consent (marketing), Contract/Legitimate interests (service comms) |
| Device/Browser Data | IP (truncated or salted where feasible), device type, OS, locale | Security, fraud prevention, localization | Legitimate interests (security, fraud) |
Data minimization: We only collect what we need to provide the service. You can skip optional fields.
4. How We Use AI (and Limits)
- AI helps generate educational responses, diary reflections, food analysis, and recipe ideas.
- AI may be inaccurate or incomplete. Review carefully and consult your clinician before acting.
- We apply rate limits to some AI features and save your inputs/outputs to support your history and our safety/quality monitoring.
5. Third-Party Processors (Who Helps Us Run MyMetabolism)
We use reputable vendors under data-processing agreements. Current list (updated when vendors change):
| Processor | Role | Data Types | Region/Transfer |
|---|---|---|---|
| Firebase | Auth, database, storage, RLS | Account, profile, health logs, quests, diary | Hosted region selected by MyMetabolism; SCCs if transferred cross-border |
| OpenAI | AI inference (vision/text) | Food images (compressed), meal text, diary excerpts, prompts | US/EU data centers (per provider). SCCs for cross-border transfers |
| Resend | Transactional email (password reset, crisis alert routing) | Email address, minimal content | US/EU; SCCs if needed |
| (Optional) Analytics (e.g., PostHog/GA) | Non-essential product analytics | Usage/telemetry (de-identified where possible) | Disabled by default; opt-in only |
We do not sell personal data. We only share with processors to operate the app, with your consent where required.
6. Your Choices & Controls
- Consent management: Toggle non-essential analytics/marketing at any time in Settings → Privacy.
- Data access & export: Request a copy of your data (CSV/JSON) via help@mymetabolism.com.
- Correction: Edit your profile/entries or email us to correct inaccuracies.
- Deletion: Delete entries in-app where enabled and/or request full account deletion at help@mymetabolism.com.
- Portability (GDPR): We'll provide structured, commonly used formats for data you provided.
- Objection/Restriction (GDPR): You may object to certain processing or request temporary restriction.
- Withdraw consent: You can withdraw at any time; this won't affect prior lawful processing.
7. International Transfers
If your data moves outside your country (e.g., to the US), we use appropriate safeguards, such as Standard Contractual Clauses (SCCs) and vendor commitments.
8. Security Measures
- Encryption: TLS in transit; AES-256 at rest (via our infrastructure providers).
- Access controls: Role-based access; database Row Level Security by user ID; admin bypass restricted.
- Audit logs: Admin actions and critical system events are logged.
- Vulnerability management: Periodic reviews, patches, dependency management.
- Privacy by design: Only necessary data collected; retention minimized; testing environment uses synthetic data.
- User responsibilities: Keep your credentials confidential; report suspected compromise at help@mymetabolism.com.
9. Data Retention
- Active account: We retain data to provide the service.
- Inactive or deleted account: We delete or de-identify within 7 days after confirmed deletion, except where retention is required by law, dispute resolution, or fraud prevention.
- Telemetry/logs: Short, purpose-limited retention (e.g., 30–90 days) unless needed for security.
10. Breach Notification
- US (FTC Health Breach Notification Rule): We will notify affected users and, if required, the FTC and media without unreasonable delay and within required timeframes.
- EU (GDPR): We notify the supervisory authority within 72 hours of becoming aware of a notifiable breach and affected users without undue delay when required.
- Australia (NDB scheme): We notify the OAIC and affected individuals as soon as practicable where likely to cause serious harm.
11. Region-Specific Disclosures
11.1 United States
- HIPAA: MyMetabolism is not a HIPAA business associate in v1.5 and does not provide covered-entity services.
- State privacy laws (e.g., CCPA/CPRA, VCDPA, CPA): Depending on applicability, you may have the right to know/access, correct, delete, and opt-out of certain sharing. We do not sell personal data. To exercise rights, contact help@mymetabolism.com.
11.2 EU/EEA/UK (GDPR/UK-GDPR)
- Controller: NuOnc, Co., 29 Colborne Rd, Brighton, MA, 02135.
- EU Representative/DPO: We currently do not meet thresholds requiring a DPO; we will update this notice if that changes.
- Legal bases: As listed in Section 3 (Contract; Consent, including explicit consent for health data; and Legitimate interests).
- Your rights: Access, rectification, erasure, restriction, portability, objection, and complaint to your local supervisory authority. Contact: help@mymetabolism.com.
- Children: Not intended for users under 18.
11.3 Australia (Privacy Act 1988 & Australian Privacy Principles)
- APP compliance: We collect, use, and disclose personal and health information with consent and for the purposes described.
- Access/correction: Contact help@mymetabolism.com.
- Security: We implement safeguards aligned with ADHA guidance; cross-border transfers use appropriate protections.
- Medical devices: MyMetabolism is not a TGA-regulated medical device. If scope changes, we will comply with TGA/ARTG requirements before release.
12. Medical Disclaimer (Detailed)
- No medical advice: All content (including AI outputs, charts, target lines, recipes, diary reflections) is informational only.
- No clinical interpretation: We do not interpret labs clinically, prescribe diets/supplements, or manage treatment.
- Consult your clinician: Especially before changing diet, fasting, exercise, or supplement routines during cancer care.
- Measurements: If readings appear extreme or you have symptoms, re-test and contact your clinician.
Inline safety copy we may display near riskier features:
Educational only. Not medical advice. Re-test if results look unusual and contact your clinician if you feel unwell.
13. User Conduct
You agree not to:
- Use MyMetabolism to seek or provide medical advice or emergency support;
- Upload unlawful/abusive content or infringe others' rights;
- Attempt to bypass security, scrape, or reverse engineer protected portions of the service.
We may suspend or terminate accounts that violate these terms.
14. Intellectual Property & License
- Content, code, brand (including "MyMetabolism" and "Mito"), and designs are protected.
- We grant a limited, revocable, non-transferable license to use the app for personal, non-commercial, educational purposes.
- Do not copy, modify, or redistribute our IP without permission.
15. Changes to This Policy
We may update this document for legal, security, or product reasons. The Effective Date will change. Material changes will be communicated in-app or by email. Continued use after updates means you accept the revised terms.
16. Contact Us
- Support & Privacy Requests: help@mymetabolism.com
- Security/Breach Reports: help@mymetabolism.com
- Postal Address: NuOnc, Co., 29 Colborne Rd, Brighton, MA, 02135
- EU/UK Privacy Contact: help@mymetabolism.com
- Australia Privacy Contact: help@mymetabolism.com
17. Acceptance
By creating an account, installing, or using MyMetabolism, you confirm you are 18+ and you accept these Terms of Use, Medical Disclaimer, and Privacy Notice, including our processing of your personal and health data as described (and, where required, you grant explicit consent for health data processing).