Privacy Policy | Apex OS

1. Introduction

Welcome to Apex OS ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal and health information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our wellness application and related services (collectively, the "Service").

Apex OS is a wellness application that provides evidence-based health protocols personalized by AI. We take your privacy seriously and handle your health data with medical-grade security standards.

Our Privacy Commitment

We never sell your personal data. Your health information is encrypted at rest and in transit. We use zero-retention AI processing where possible to minimize data exposure.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our Service.

2. Information We Collect

2.1 Personal Information

When you create an account, we collect:

Email address — Used for authentication and communication
Password — Stored as a secure hash (we never store plain-text passwords)
Wellness goals — Your selected primary wellness focus
Timezone — Used for proper timing of nudges and recommendations
Notification preferences — Your communication preferences

2.2 Health & Biometric Data

With your explicit consent, we collect health data from connected wearable devices through Apple HealthKit (iOS) or Google Health Connect (Android):

Sleep metrics — Duration, stages, quality scores
Heart Rate Variability (HRV) — Daily and overnight measurements
Resting Heart Rate (RHR) — Daily measurements
Step count and activity — Daily movement data
Recovery scores — Calculated from your biometric data

Important: Health data is only collected when you explicitly connect a wearable device and grant permission. You can disconnect at any time from Settings.

2.3 Calendar Data

If you enable calendar integration, we access your Google Calendar to read free/busy blocks only. We do not access or store:

Event titles or descriptions
Attendee information
Event locations
Any event content

This data is used solely to optimize the timing of wellness nudges around your busy periods.

2.4 AI Interaction Data

When you use our AI wellness coach, we collect:

Chat messages — Your questions and our AI responses
Protocol recommendations — AI-generated suggestions
Audit logs — Records of AI interactions for quality and safety

2.5 Usage & Analytics Data

We collect anonymized usage data to improve our Service:

App usage patterns and feature engagement
Protocol completion rates
Error logs and performance metrics
Device type and operating system version

3. How We Use Your Information

We use your information to:

Personalize wellness protocols — Tailor recommendations based on your health data and goals
Provide AI-powered insights — Generate personalized nudges and recommendations
Calculate recovery scores — Analyze your biometric data to optimize protocol timing
Send notifications — Deliver timely wellness reminders (with your consent)
Improve our Service — Analyze usage patterns to enhance features
Communicate with you — Send service updates and respond to inquiries
Ensure security — Detect and prevent fraud or abuse

We never use your health data for advertising, marketing, or any purpose other than providing and improving your wellness experience.

4. Legal Bases for Processing (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

Consent — For processing health data, sending marketing communications, and optional features like calendar integration
Contract Performance — To provide the Service you requested when you created an account
Legitimate Interests — To improve our Service, ensure security, and prevent fraud (where these interests do not override your rights)
Legal Obligation — To comply with applicable laws and regulations

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

5. Third-Party Sharing

We work with trusted service providers to operate our Service. Below is a complete list of third parties who may receive your data:

Provider	Purpose	Data Shared	Retention
Firebase	Authentication, real-time database	Email, auth tokens, app data	Account lifetime
Supabase	Primary database	All app data (encrypted)	Account lifetime
Google Vertex AI	AI recommendations	Anonymized health context	Session only
OpenAI	Text embeddings	Anonymized protocol text	Zero retention*
Pinecone	Vector search	Text embeddings only	Account lifetime
RevenueCat	Subscription management	Email, subscription status	Account lifetime
Mixpanel	Product analytics	Anonymized usage events	12 months

*OpenAI is configured with zero data retention for HIPAA compliance.

We Never Sell Your Data

Apex OS does not sell, rent, or trade your personal information to third parties for their marketing purposes. We only share data as described above to provide our Service.

6. International Data Transfers

Your data may be transferred to and processed in the United States, where our service providers maintain their infrastructure. We ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) — We use EU-approved contractual terms with our processors
EU-US Data Privacy Framework — We work with providers who are certified under this framework where applicable
Encryption — All data is encrypted in transit and at rest

7. Your Rights

7.1 GDPR Rights (EU/UK Users)

If you are in the EEA or UK, you have the right to:

Access — Request a copy of your personal data
Rectification — Correct inaccurate personal data
Erasure — Request deletion of your personal data ("right to be forgotten")
Portability — Receive your data in a structured, machine-readable format
Restriction — Request limited processing of your data
Objection — Object to processing based on legitimate interests
Withdraw Consent — Withdraw consent at any time

7.2 CCPA Rights (California Residents)

If you are a California resident, you have the right to:

Know — Request disclosure of personal information collected
Delete — Request deletion of your personal information
Opt-Out — Opt out of the sale of personal information (note: we do not sell your data)
Non-Discrimination — Not be discriminated against for exercising your rights

7.3 How to Exercise Your Rights

You can exercise your rights in the following ways:

In-App: Settings → Privacy Dashboard → Request Data Export
In-App: Settings → Account → Delete Account
Email: Contact us at privacy@apexosapp.com

We will respond to your request within 30 days. We may need to verify your identity before processing your request.

8. Health Data & HIPAA Considerations

Important Disclaimer

Apex OS is a wellness application, not a medical device or healthcare provider. We are not a "covered entity" under HIPAA. However, we voluntarily apply HIPAA-grade security standards to protect your health information.

We protect your health data with the following measures:

Encryption at Rest — All health data is encrypted using AES-256 encryption
Encryption in Transit — All communications use TLS 1.3
Zero-Retention AI — OpenAI is configured with zero data retention
Access Controls — Strict role-based access to production systems
Audit Logging — All data access is logged and monitored
Business Associate Agreements — We maintain BAAs with applicable vendors

9. Data Retention

We retain your data for the following periods:

Data Type	Retention Period
Account information	Until account deletion
Health metrics (sleep, HRV, etc.)	2 years rolling
Protocol logs	Until account deletion
AI chat history	90 days
Analytics data	12 months
Audit logs	7 years (legal requirement)

When you delete your account, we will delete or anonymize your data within 30 days, except where we are required to retain it for legal purposes.

10. Security

We implement industry-standard security measures to protect your data:

Encryption — AES-256 at rest, TLS 1.3 in transit
Authentication — Secure password hashing, optional biometric login
Infrastructure — Cloud providers with SOC 2 Type II certification
Access Control — Principle of least privilege for all systems
Monitoring — 24/7 security monitoring and incident response
Testing — Regular security assessments and penetration testing

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. If you discover a security vulnerability, please report it to privacy@apexosapp.com.

11. Children's Privacy

Apex OS is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@apexosapp.com.

If we discover that we have collected personal information from a child under 16, we will delete that information promptly.

12. Cookies & Tracking

Our mobile application does not use cookies. However, we use the following tracking technologies:

Firebase Analytics — App usage and crash reporting
Mixpanel — Product analytics and feature usage

You can opt out of analytics tracking in the app's Privacy Dashboard settings.

Our website (apexosapp.com) uses essential cookies for functionality and may use analytics cookies with your consent.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

Posting the new Privacy Policy on this page
Updating the "Last updated" date
Sending an email notification for significant changes
Displaying an in-app notification

We encourage you to review this Privacy Policy periodically for any changes.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Privacy Inquiries

Email: privacy@apexosapp.com

We aim to respond to all inquiries within 30 days.

If you are in the EU and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.