Back to Supp'Buddy

Privacy policy

Last updated: June 23, 2026

Summary: We collect the minimum we need to run Supp'Buddy. Medications, diagnoses, lab results, pregnancy status, and medical conditions are not saved as profile fields or reusable Buddy memory. If you type medical context into chat, it may remain in the chat transcript and can be used for continuity in that conversation. That context is blocked from saved long-term facts. We never sell your data. We never run ads. We don't share data with third parties for marketing.

1. Who we are

Supp'Buddy is an AI supplement coach that helps you scan labels, build and refine your Supp' Stack, schedule reminders, and get Buddy check-ins around your goals. The service is operated by the Supp'Buddy team. For privacy questions, reach us at contact@supp-buddy.com.

2. What we collect

Account information. When you sign up, we collect your email address. If you use Google Sign-In, your name and profile picture as provided by Google. Authentication is processed by our authentication provider.

Basic profile. During onboarding you provide your age, gender, weight, country, and goals. This is used to personalize your experience.

Supplement data. Products you add, your Supp' Stack, routines, schedules, reminder preferences, dietary preferences, coach check-ins, and any supplement label images you scan. This powers your dashboard and recommendations.

Chat conversations. Messages you exchange with Buddy are saved in your conversation history so the chat can continue naturally. When you continue a conversation, recent messages may be loaded back into Buddy's context. If you type medical context into chat, it may remain in that transcript. Anything Buddy needs to remember outside the chat transcript is distilled into stack and preference facts (e.g. "takes Magnesium Glycinate for sleep support") and a short conversation summary. The distilled record passes a sanitization gate before being saved. It cannot contain diagnoses, medication names, lab results, pregnancy status, or clinical symptom descriptions.

Usage data. Basic analytics such as which features you use, session duration, and error logs to help us improve the app. We do not build cross-user behavioral profiles.

3. What we don't save as profile or reusable memory

Some categories of data that are common in health-adjacent apps are deliberately not saved as profile fields, reusable Buddy memory, or long-term facts:

Our database has explicit constraints that reject diagnosis names, medication names, lab results, pregnancy status, and clinical context from saved Buddy memory. This protects reusable memory and long-term facts; it does not rewrite your raw chat transcript.

4. AI and third-party services

Supp'Buddy uses large language models to power the chat assistant, supplement analysis, and label scanning. When you interact with Buddy, the relevant context (your message, recent chat history, your supplement stack, and basic profile fields needed for the query) is sent to a third-party AI provider's API for processing. If you include medical context in chat, that context may be included in the request so Buddy can answer the conversation you started. AI providers are not allowed to use your prompts, medical context, or Buddy's responses to train their models.

Our AI Provider Standards

We may use different AI providers over time, and may change providers as the technology and pricing evolve. Rather than tie your privacy to any single vendor's name, we commit to a fixed set of standards that every AI provider we route your data to must meet. These standards are our binding commitment to you. Any provider we use, now or later, meets all of them:

  1. No training on your data. The provider contractually does not use your prompts, medical context, or Buddy's responses to train its models.
  2. Bounded retention. Your prompts and responses are retained no longer than 60 days (for service delivery and abuse monitoring), then deleted. Many of our providers retain for less, or not at all.
  3. Recognized security certification. The provider holds an independent, audited security certification such as SOC 2 Type II or ISO/IEC 27001.
  4. Lawful international transfer. For users in the EU, UK, and EEA, the provider processes your data under a valid GDPR transfer mechanism: an adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses.
  5. No undefendable jurisdiction. If you are in the EU, UK, or EEA, your data is never processed in a jurisdiction without one of the transfer mechanisms above. In practice this means your data is never sent to AI infrastructure that cannot lawfully receive it.

Because our commitment is to these standards rather than to a particular company, we can adopt a better or cheaper model that meets them without reducing your protections. When we change providers, your rights under this policy do not change.

Current AI providers

This list is informational and is updated as our providers change. Your protections are defined by the Standards above, which do not change when a provider is swapped.

We may additionally route requests for some users to a secondary provider that meets the Standards above, depending on subscription tier and region. We do not route data belonging to EU, UK, or EEA users to any provider that does not meet Standard 4 and Standard 5.

We also use Supabase for authentication, database, and backend services. Your data is stored in Supabase-managed infrastructure with row-level security policies that prevent users from accessing each other's data.

5. AI is not medical advice

Buddy is an AI assistant, not a doctor, pharmacist, or nutritionist. Buddy's recommendations are general guidance based on the supplement and profile information you provide. They are not a substitute for advice from a qualified healthcare professional.

You are responsible for your own health decisions. By using Supp'Buddy, you acknowledge these limitations.

6. How we use your information

7. Data retention

8. Data storage and security

Your data is stored using Supabase's cloud infrastructure with row-level security policies ensuring you can only access your own data. Authentication tokens are stored using platform-secure storage (Secure Store on mobile devices, encrypted local storage on web). We use HTTPS for all data transmission.

The sanitization gate that protects your chat-derived memory runs at three layers: the AI rewriter, an application-layer regex check, and a database-level constraint. If one layer fails, the next catches it.

9. Data sharing

We do not sell your personal data. We share data only in these limited circumstances:

10. Your rights

Depending on where you live, you may have rights under data protection law. You can:

If you are in the European Union, you also have the right to lodge a complaint with your national supervisory authority. In Sweden, that is IMY.

To exercise any of these rights, email contact@supp-buddy.com.

11. International data transfers

Supp'Buddy is operated from Sweden. Some service providers process data in the United States or other regions. For users in the EU, UK, and EEA, every such transfer is covered by a valid GDPR transfer mechanism: an adequacy decision, the EU-US Data Privacy Framework, or Standard Contractual Clauses. We do not transfer EU, UK, or EEA personal data to any jurisdiction lacking one of these mechanisms.

12. Children's privacy

Supp'Buddy is not intended for users under 18. We do not knowingly collect information from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.

13. Cookies and local storage

The web version of Supp'Buddy uses local storage to maintain your session and cache data for performance. The mobile app uses on-device SQLite to store allergies and other local-only data. We do not use tracking cookies, advertising cookies, or third-party retargeting.

14. Changes to this policy

We may update this Privacy Policy from time to time. If a change materially affects how we handle your data, we will notify you through the app or by email and ask you to accept the new version before continuing. Continued use of Supp'Buddy after non-material changes constitutes acceptance of the updated policy.


Questions? Contact us at contact@supp-buddy.com.