Privacy Policy

1. No Cloud, No Accounts, No Tracking

Flair is fully offline-first.

• We never require an account, email, or phone number.
• Your journal entries, habits, scores, and AI insights live only on your device.
• We do not have a backend database for your personal data.
• We do not sell, share, or monetize your information.
• The only exception is when you explicitly invoke an AI feature (Level Up, Magic Lens, Eat Now, Document Scanner, Bio Age, or the Blueprint Protocol). Each feature requires your explicit approval via an in-app consent prompt before any data is transmitted. See Section 4.
• A randomly-generated, non-identifiable token is included with AI requests solely for rate-limiting. It is not linked to you, your device, or your health data.

2. Local Encryption & Ownership ("The Sovereign")

If you enable "The Sovereign" in Settings → Data Ownership:

• We generate a 12-word backup phrase that only you control.
• This phrase derives the encryption key that protects your entire journal on disk.
• We never see, store, or back up your phrase or key.
• If you lose your phrase or device, your encrypted data cannot be recovered — even by us.

3. Biometric Lock ("The Vault")

If you enable biometric locking (Face ID / Touch ID / device passcode) in Settings → Privacy & Security:

• Authentication is handled entirely by your device's operating system.
• Flair never accesses or stores your biometric data.

4. Artificial Intelligence & Third-Party API Processing

Flair includes several AI-powered features. Each feature requires your explicit in-app consent before any data leaves your device.

• Level Up sends a structured summary of your day's journal entries, anonymous health profile buckets (age range, sex, BMI category), your stated health objective, and your active wellness protocol targets to our serverless routing layer over HTTPS. No names, exact biometrics, or account identifiers are transmitted.
• Magic Lens sends a compressed copy of your meal photo for nutritional analysis. No metadata, location, or identifying information from the photo is transmitted.
• Eat Now sends your restaurant name, approximate location (street or mall), country, and meal intention alongside your anonymous health profile to generate personalised meal recommendations. No names, exact biometrics, or account identifiers are transmitted.
• Document Scanner processes your health report photo entirely on-device using optical character recognition (OCR). Personal identifiers (names, dates of birth, ID numbers, phone numbers, email addresses, and national IDs) are detected and stripped locally using on-device pattern matching. Before sending, Flair displays the specific items that were detected and removed, and requires your explicit approval to proceed. Only the anonymised, redacted clinical text is sent to our routing layer for biomarker extraction. The original photo is never stored by Flair and never transmitted to any server.
• Blueprint Protocol sends your anonymous health profile and stated health objective to generate a personalised wellness protocol. No names, exact biometrics, or account identifiers are transmitted.
• Bio Age sends your anonymous health profile — age, sex, height, weight, BMI, ethnicity (a sensitive data category under PDPA, transmitted only with your explicit per-session consent) — vital signs (resting heart rate, HRV, blood oxygen), blood markers (HbA1c, cholesterol, body fat, visceral fat), medical conditions, lifestyle factors, and a 30-day journal activity summary to estimate your biological age. All data is anonymised — no names, exact birth dates, or account identifiers are transmitted.
• AI Providers: AI inference is performed via Google's Gemini API, xAI's Grok API, or OpenAI's GPT-4o-mini API, selected automatically by our routing layer based on availability. All providers process data for inference only, under their respective API terms of service. We do not share personally identifiable information with any provider.
• No Persistence: Our routing layer processes data in memory and does not log, store, or retain your data after the request is complete. AI providers process your data under their own API terms. For reference: Google Gemini, xAI Grok, OpenAI GPT-4o-mini.
• No Training: Your data is not used by our routing layer or by any AI provider to train models.
• Anonymous Telemetry: AI requests include a pseudo-anonymous identifier (a rotating hash, not linked to your identity) used for three purposes only: (1) per-provider cost tracking, (2) API latency monitoring, and (3) error rate analysis. No health data, journal content, or personally identifiable information is included in telemetry.
• Sensitive Medical Context: If you optionally provide medical conditions (such as diabetes, kidney or liver conditions, or injuries) or fasting states, this information is transmitted to the AI provider for inference and is not stored by Flair. It is used solely to ensure that generated recommendations do not suggest activities that could be harmful to you. This data is never stored on our servers, never retained after your request is processed, and is treated as sensitive health data under applicable law.
• In-App Consent: Before any AI feature transmits data for the first time, Flair displays a consent prompt disclosing the service, purpose, active AI provider, and data involved. You may approve or reject each feature independently. Your preference is stored locally and can be changed at any time in Settings.

5. Apple Health & Google Health Connect

To power automated tracking:

• Flair requests read-only access to steps, workouts, sleep, heart rate, and GPS routes.
• This data is pulled directly into your local journal and never leaves your device.
• We do not transmit raw health data to any server.
• We do not write to Apple Health or Google Health Connect.
• Workout route data (GPS), if synced, is stored only on your device and is never transmitted to our servers.

With your permission, Flair imports the following data from Apple Health: workouts, sleep sessions, resting heart rate, heart rate variability (HRV), and blood oxygen saturation (SpO2). This data is stored locally on your device and is never transmitted to any server unless you explicitly invoke an AI feature that includes it (such as Bio Age).

6. Location & Environment Data

With your permission, Flair uses your approximate location to request local weather, air quality (AQI), and UV index data from a third-party environment service. Your coordinates are used only to resolve the environmental reading and are not stored by Flair or linked to any identity. You can disable this in Settings.

7. Crash Reports & Anonymous Analytics

To maintain stability, Flair may collect anonymized crash logs (stack traces only). These contain no health data, no journal content, and no personally identifiable information. If specific crash reporting tools are integrated, they will be named here.

8. Your Rights & Data Deletion

You have full control:

• Delete everything at any time via Settings → Reset App.
• Or simply uninstall Flair — your local data disappears with the app.
• Note: Data that originates from Apple Health or Google Health Connect is managed through those platforms and is not deleted by uninstalling Flair.

9. Contact Us

Questions? Reach out at support@flairhealth.app.