Privacy Policy

Effective Date: February 1, 2026

1. Introduction

GATOR ("Company," "we," "us," or "our") respects Your privacy and is committed to protecting Your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard Your information when You use our health data aggregation platform (the "Service").

This Privacy Policy applies to all users of the Service and complies with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA) where applicable.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, and profile picture from Google OAuth
  • Health Data: Lab results, biomarkers, and medical test data You upload (e.g., from Function Health, LabCorp)
  • Integration Credentials: Encrypted credentials for third-party health services (Garmin, Eight Sleep, Oura)

2.2 Information Collected Automatically

  • Daily Metrics: Steps, heart rate, HRV, sleep data synced from connected devices
  • Usage Data: How You interact with the Service, features used, and timestamps
  • Device Information: Browser type, operating system, and IP address

2.3 Sensitive Health Information

We collect and process sensitive health information, including lab results, biomarkers, vital signs, and sleep data. This data is considered "special category data" under GDPR and requires explicit consent, which You provide when accepting these Terms.

3. How We Use Your Information

We use Your information to:

  • Provide, maintain, and improve the Service
  • Display Your health data and generate personalized insights
  • Sync data from connected third-party health platforms
  • Generate AI-powered health analysis and recommendations
  • Communicate with You about the Service
  • Ensure security and prevent fraud
  • Comply with legal obligations

4. Legal Basis for Processing (GDPR)

Under GDPR, we process Your data based on:

  • Consent: You explicitly consent to processing of health data when creating an account
  • Contract: Processing is necessary to provide the Service You requested
  • Legal Obligation: Processing required by law (e.g., tax records, legal requests)
  • Legitimate Interests: Improving and securing the Service (where not overridden by Your rights)

5. Data Sharing and Disclosure

We do not sell Your personal data. We may share Your information with:

  • Service Providers: Supabase (database hosting), Anthropic (AI processing), Vercel (hosting)
  • Third-Party Integrations: Only with Your explicit authorization (Garmin, Eight Sleep, Oura, Google Drive)
  • Legal Requirements: When required by law, court order, or government request
  • Business Transfers: In connection with a merger, acquisition, or sale of assets

AI Processing: Your health data may be sent to Anthropic's Claude API to generate insights. This data is processed according to Anthropic's data processing agreement and is not used to train AI models.

6. Data Security

We implement industry-standard security measures:

  • AES-256-GCM encryption for stored credentials and sensitive data
  • TLS 1.3 encryption for all data in transit
  • Row Level Security (RLS) ensuring users can only access their own data
  • Regular security audits and vulnerability assessments
  • Secure OAuth 2.0 authentication via Google

While we strive to protect Your data, no method of transmission over the Internet is 100% secure. You are responsible for maintaining the security of Your account credentials.

7. Data Retention

We retain Your data as follows:

  • Account Data: Retained while Your account is active
  • Health Data: Retained until You delete it or Your account
  • Consent Records: Retained for 7 years for legal compliance
  • Backup Data: Deleted within 30 days of account deletion

Upon account deletion, we anonymize or delete Your personal data within 30 days, except where retention is required by law.

8. Your Rights (GDPR)

Under GDPR, You have the right to:

  • Access: Request a copy of Your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of Your data ("right to be forgotten")
  • Restriction: Request limitation of processing
  • Portability: Receive Your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time

To exercise these rights, visit the Privacy section in Your account settings or contact us at privacy@gator-health.com. We will respond within 30 days.

9. Your Rights (CCPA)

California residents have additional rights:

  • Right to Know: What personal information we collect and how it's used
  • Right to Delete: Request deletion of Your personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we do not sell data)
  • Right to Non-Discrimination: Equal service regardless of exercising rights

To exercise CCPA rights, contact us at privacy@gator-health.com or use the in-app privacy controls.

10. Cookies and Tracking

We use essential cookies for:

  • Authentication and session management
  • Security and fraud prevention
  • Remembering Your preferences

We do not use advertising or tracking cookies. You can manage cookie preferences in Your browser settings.

11. International Data Transfers

Your data may be transferred to and processed in the United States, where our servers and service providers are located. We ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, to protect Your data during international transfers.

12. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify You of material changes by posting the updated policy on the Service and updating the "Effective Date." For significant changes affecting how we process health data, we will request renewed consent.

14. Contact Us

If You have questions about this Privacy Policy or wish to exercise Your data rights, contact us:

Data Protection Officer
Email: privacy@gator-health.com
Address: Austin, TX, USA

For EU residents, You have the right to lodge a complaint with Your local data protection authority if You believe Your rights have been violated.

By using GATOR, You acknowledge that You have read and understood this Privacy Policy and consent to the collection and processing of Your data as described herein.