Privacy Policy
Plain English summary: Bariatric AI collects the health and account information you provide to run its post-bariatric support service. We never sell your data or use your health information for advertising. You can delete your account and data at any time by contacting us.
Contents
This Privacy Policy describes how Bariatric AI ("Bariatric AI," "we," "us," or "our") collects, uses, shares, and protects information when you use our website at bariatricai.io, our web application at app.bariatricai.io, our mobile application (iOS and Android), or any other product or service we offer (collectively, the "Services").
By using the Services, you agree to the practices described in this Privacy Policy. If you disagree, please stop using the Services.
1. Information We Collect
1.1 Information you provide directly
- Account data: full name, email address, password (stored as a cryptographic hash — we never store it in plaintext), account role (patient or clinic administrator), and, where applicable, your clinic name.
- Post-bariatric health inputs: surgery type (e.g., gastric sleeve, bypass, band), surgery date, post-operative stage/week, body weight logs, food and nutrition logs (including photos, meal descriptions, and macro estimates), medication schedules and adherence logs, mood and symptom journals, exercise and activity logs, and progress photos you choose to upload.
- AI chat messages: messages and responses exchanged with our specialized AI agents (nutrition, psychology, fitness, and surgery advisory). These messages are stored to power your personalized experience.
- Communications: messages you send us via email, in-app support, or demo-request forms.
- Clinic onboarding data (B2B): clinic name, contact name, website, and other information submitted when a clinic registers for our affiliate or white-label program.
1.2 Information collected automatically
- Device & technical data: IP address, device type and model, operating system version, app version, browser type, and screen resolution.
- Usage data: screens and pages visited, features used, session duration, timestamps of actions, and error/crash reports.
- Cookies and similar technologies: see Section 11.
1.3 Information from third parties
- Payment processors: when you subscribe, our payment processor (LemonSqueezy) handles card details directly. We receive only a confirmation of payment status and a subscription identifier — we never store your card number, CVV, or full billing address.
- Clinic referrals: if a clinic invites you to use the platform, we receive your name and email address from the clinic for the purpose of sending you an invitation.
2. How We Use Information
- To create and manage your account and authenticate your identity.
- To provide the post-bariatric tracking and AI advisory features of the Services.
- To personalize AI-generated responses based on your surgery type, post-op stage, and health history you have shared.
- To display your progress, trends, and health data to you and, where applicable, to your treating clinician through the clinic dashboard.
- To send you transactional notifications (e.g., medication reminders, appointment nudges) if you enable them.
- To process subscription payments and manage your billing.
- To respond to your support requests and communications.
- To improve and develop the Services, including training and evaluating AI models using aggregated and de-identified data.
- To detect, investigate, and prevent fraud, abuse, and security incidents.
- To comply with applicable laws and enforce our Terms of Service.
We do not: sell your personal information to any third party; use your health data for advertising or targeted marketing; share your health information with data brokers or information resellers; or use your health data for any purpose other than providing the Services to you.
3. Health Data — Special Protections
The health-related information you enter into Bariatric AI (including weight, food logs, medications, symptoms, and AI chat messages about your recovery) is sensitive. We apply the following protections specifically to health data:
- Health data is used only to provide and improve the Services for you. It is not used for advertising, behavioral profiling for commercial purposes, or sold to any third party.
- Health data is not shared with employers, insurers, or marketers.
- Health data shared with AI providers for inference is processed under data processing agreements that prohibit those providers from using your data to train their own models without your explicit consent.
- If you explicitly consent, you may choose to share specific data with your treating clinician through our clinic integration. You control this sharing.
- You may request deletion of all your health data at any time (see Section 8).
4. How We Share Information
We share personal information only in the following circumstances:
- With your clinic (if applicable): if you are a patient of a clinic that uses Bariatric AI, your treating clinician may have access to your health logs and AI conversation summaries through the clinic dashboard, as agreed when the clinic set up their account.
- Service providers: we use the following categories of third-party service providers that process data on our behalf under contractual obligations: cloud hosting and database providers (Supabase, Railway, Vercel — all located in the United States), AI inference providers (subject to data processing agreements), payment processors (LemonSqueezy), and customer support tools. These providers may only use your data to perform services for us.
- Legal requirements: we may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect the rights, property, or safety of Bariatric AI, our users, or the public.
- Business transfers: in connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as a business asset. We will notify you via email or in-app notice if this occurs and your information becomes subject to a different privacy policy.
- With your consent: for any other purpose, with your explicit consent.
We do not sell personal information, and we do not share personal information with third parties for their own direct marketing purposes.
5. HIPAA
The Health Insurance Portability and Accountability Act ("HIPAA") applies to "covered entities" (health plans, healthcare clearinghouses, and certain healthcare providers) and their "business associates."
B2C patients (individual accounts): Bariatric AI is a wellness and support tool used directly by individuals. In this context, Bariatric AI is not a HIPAA covered entity and the information you enter is not "protected health information" (PHI) as defined under 45 C.F.R. § 160.103. The Services are not a substitute for professional medical care.
B2B clinics: when a covered entity (clinic or healthcare provider) deploys Bariatric AI for its patients, Bariatric AI may act as a Business Associate. In that case, we enter into a Business Associate Agreement (BAA) with the clinic and handle PHI in compliance with applicable HIPAA Privacy and Security Rules. Please contact hello@bariatricai.io to request a BAA.
In no event do we use Apple's platforms or services to store or transmit PHI in a manner that would make Apple a covered entity or business associate under HIPAA.
6. Data Retention
- Active accounts: we retain your account data and health logs for as long as your account is active or as needed to provide the Services.
- Account deletion: if you delete your account, we will delete or anonymize your personal information within 30 days, except where we are required to retain it for legal, regulatory, or legitimate business reasons (e.g., fraud prevention records, financial transaction records required by law).
- Clinic data: clinic patient data is retained per the terms agreed between the clinic and Bariatric AI, and subject to any applicable BAA.
- Aggregated/de-identified data: anonymized and aggregated data (from which no individual can reasonably be identified) may be retained indefinitely for product improvement and research purposes.
- Communication records: support and email communications are retained for up to 3 years for quality assurance and legal compliance.
7. Security
We implement technical, administrative, and organizational safeguards designed to protect your information, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Passwords stored as cryptographic hashes — we cannot recover your password.
- Role-based access controls limiting employee access to personal data on a need-to-know basis.
- Periodic security reviews and vulnerability assessments.
- Supabase Row Level Security (RLS) policies isolating each user's data.
No method of electronic storage or transmission is 100% secure. In the event of a data breach that affects your personal information, we will notify you and applicable authorities as required by law.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information. To exercise any of these rights, contact us at hello@bariatricai.io.
8.1 General rights (all users)
- Access: request a copy of the personal information we hold about you.
- Correction: request correction of inaccurate information.
- Deletion: request deletion of your account and personal data. You can also initiate this from the account settings screen in the app.
- Data portability: request an export of your data in a machine-readable format.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
8.2 California residents (CCPA/CPRA)
California residents have the right to know what personal information we collect and how we use and share it; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information as defined under the CCPA); and the right not to be discriminated against for exercising these rights. To submit a California privacy request, email hello@bariatricai.io with the subject line "California Privacy Request."
8.3 EEA / UK residents (GDPR / UK GDPR)
Where GDPR or UK GDPR applies, we process personal data on the following legal bases: performance of a contract (to provide the Services); compliance with legal obligations; legitimate interests (fraud prevention, security, product improvement); and, for special-category health data, your explicit consent. You have the right to lodge a complaint with your local supervisory authority.
9. International Data Transfers
Bariatric AI is operated from Argentina. Our primary infrastructure is hosted in the United States (Supabase, Railway, Vercel). If you are located in the European Economic Area, United Kingdom, or another jurisdiction with data transfer restrictions, your personal information is transferred to the United States on the basis of standard contractual clauses or other appropriate safeguards as required by applicable law.
10. Children
The Services are intended for adults (18 years and older) who have undergone or are considering bariatric surgery. We do not knowingly collect personal information from anyone under the age of 18. If you believe a child under 18 has provided us personal information, please contact us immediately at hello@bariatricai.io and we will delete that information.
11. Cookies & Tracking Technologies
Our website and web application use the following categories of cookies and similar technologies:
- Strictly necessary: required for the Services to function (e.g., session authentication tokens). These cannot be disabled.
- Functional: remember your preferences (e.g., language selection). These are enabled by default and can be disabled in your browser settings without affecting core functionality.
- Analytics: help us understand how users interact with the Services in aggregate (e.g., page views, feature usage). We use privacy-respecting analytics tools and do not use Google Analytics or similar services that build advertising profiles.
Our mobile application does not use browser cookies. It stores a session token in secure device storage to keep you logged in.
You can control cookie preferences in your browser settings at any time.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the latest revision. If we make material changes — such as changes to what data we collect, how we use it, or your rights — we will notify you by email to the address associated with your account and/or by a prominent notice within the Services at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
13. Contact Us
For privacy inquiries, data requests, or to report a concern:
Bariatric AI
Buenos Aires, Argentina
Email: hello@bariatricai.io
We will respond to all requests within 30 days (or sooner as required by applicable law).
This Privacy Policy was last reviewed on June 17, 2026.