Privacy Policy
Last updated June 15, 2026
This Privacy Policy for Selen Coaching LLC, a company affiliated with Alkalytic Ltd ("Company," "we," "us," or "our"), describes how and why we access, collect, store, use, and/or share ("process") your personal information when you use the Alkaterranean web application, native iOS application, APIs, and related services (the "Services").
Alkaterranean is a wellness coaching product, not a medical device. We do not diagnose, treat, cure, or prevent any disease.
1. What Information Do We Collect?
Information You Provide
- Account information: email address, display name, and password (hashed; we never store plaintext passwords).
- Profile & wellness preferences: primary health goal, dietary restrictions, food allergies, cuisine preferences, cooking skill level, and how often you eat out.
- Body metrics (optional): current weight and height. You may skip these during onboarding and can remove them at any time in Settings.
- Food diary entries: meal type (breakfast, lunch, dinner, snack), text descriptions of what you ate, and the date and time you logged each entry.
- Meal photos and captures: images you choose to upload for meal logging or photo nutrition analysis, plus related capture metadata such as the linked diary entry and analysis status.
- AI coaching conversations: messages you send to the AI coach and the responses you receive.
- Voice notes and transcripts: audio, transcripts, or imported text that you choose to submit for meal capture or coaching context.
- Wellness check-ins: optional daily symptom tags you report (e.g., energetic, bloated, poor sleep). Used to help the AI coach identify patterns between your meals and how you feel.
- Weight history (optional): weight entries you log over time, used to track trends and provide coaching context.
- Apple Health and wearable context (optional): only the categories you explicitly authorize, such as weight, activity, workout, sleep, or similar wellness samples. You can decline or disconnect these permissions.
- Goals: daily meal targets, weekly streak goals, and daily water intake goals.
- Billing and entitlement identifiers: subscription status, plan, app-store transaction identifiers, and provider customer IDs needed to manage access.
Information Collected Automatically
- Usage data: pages visited, features used, and session duration (collected via analytics tools such as PostHog when configured). Our product-analytics tools do not record session replays of your activity; our error-monitoring tool may capture a masked replay around an error (see "Error data" below).
- Device & browser data: browser type, operating system, app version, and screen resolution.
- Error data: crash reports and performance metrics sent to our error monitoring service (Sentry) to maintain service reliability. This may include session replays that reconstruct how a page rendered around an error, with on-screen text and form inputs masked.
Information We Do Not Collect
- We do not collect GPS location data.
- We do not access your contacts.
- We do not access your camera, photo library, microphone, or Apple Health data unless you choose to grant permission or submit content.
- We do not use Apple Health, wearable, meal, symptom, or body-metric data for advertising, unrelated targeting, or sale.
- We do not store payment card numbers (see Section 5).
2. How Do We Use Your Information?
- Provide the Services: deliver AI coaching, food diary tracking, progress dashboards, streak calculations, and weekly summaries.
- Personalize your experience: tailor AI coaching responses to your dietary preferences, allergies, goals, and logged meals.
- AI memory: the AI coach extracts observations from your conversations (e.g., "prefers Greek salads," "has a nut allergy") to improve future coaching responses. These observations are stored in your account and are never shared with other users.
- Photo, voice, and import analysis: analyze user-submitted photos, transcripts, and imported text to support diary logging, nutrition estimates, and coaching context.
- Apple Health and wearable context: incorporate optional user-authorized health samples into reviews and coaching when you connect those sources.
- Safety monitoring: detect eating disorder patterns, self-harm language, or medical emergency disclosures in coaching conversations so we can surface crisis resources.
- Service improvement: analyze aggregated, de-identified usage patterns to improve features and fix bugs.
- Coaching emails: send personalized daily coaching emails (referencing your recent meals and wellness data) and weekly progress summaries. These are part of the coaching service and can be toggled off individually in Settings.
- Service emails: send transactional emails (account verification, password resets, billing notifications, trial reminders). These cannot be disabled as they are essential to your account.
3. AI Processing & Data Minimization
Our AI coaching feature sends the minimum context necessary to generate a relevant response:
- Your current message and relevant recent conversation history.
- Your dietary preferences, restrictions, and allergies (for safety and personalization).
- Today's logged meals with AI analysis, and user-submitted meal photos when photo analysis is requested.
- Voice transcripts, imported text, or optional Apple Health/wearable summaries when they are relevant to the request.
- Top-ranked observations from your AI memory (up to 10).
AI processing is handled by third-party inference providers and routing infrastructure (currently Anthropic, OpenAI, Google, and Vercel AI Gateway). Google is used only as an automatic failover, reached when our primary providers are unavailable. We configure these providers under data-processing terms intended to prevent your submitted content from being used to train provider models.
When you use an AI feature — chatting with your coach, photo or label analysis, or voice and transcript capture — you authorize us to transmit the relevant content and context described above to these third-party AI providers, including Anthropic, OpenAI, and Google, so they can generate the response you requested. You can avoid this processing by not using those features.
Photo nutrition, transcript, and coaching outputs are estimates. You should review and correct diary entries before relying on them.
Every AI response includes a disclaimer that it is AI-generated wellness coaching, not medical advice.
4. Who Do We Share Your Information With?
We do not sell your personal information. We share data only with the following service providers, under contractual data protection obligations:
| Provider | Purpose | Data Accessed |
|---|---|---|
| Supabase | Database & authentication | All account and diary data |
| Vercel (hosting, edge & analytics) | Application hosting, server rendering, request routing, and cookieless usage & performance analytics (Web Analytics, Speed Insights) | All request data in transit (account, diary, chat, photo upload, and session data passing through the app), plus aggregate, cookieless page-view and Web Vitals metrics |
| Anthropic / OpenAI / Google / Vercel AI Gateway | AI coaching, photo analysis, and AI routing | Relevant conversation, diary, photo, transcript, and context data (see Section 3) |
| LangSmith (LangChain) | AI tracing & diagnostics | Anonymized AI-pipeline diagnostics (performance and timing metadata, with raw message content removed and identifiers truncated): a small sampled fraction of successful interactions, plus diagnostics from failed interactions, used to monitor and debug the coaching pipeline |
| Stripe | Web payment processing | Billing data (see Section 5) |
| Apple / Adapty | iOS in-app purchases, subscription status, and entitlement sync | App-store transaction IDs, provider profile IDs, subscription status |
| Sentry | Error monitoring | Error traces, anonymized user IDs, and session replays (on-screen text and form inputs masked) |
| PostHog | Product analytics | Feature usage events (when configured). No session replays. |
| Resend | Email delivery | Email address, display name (for coaching and service emails) |
| Linq | Phone coaching channel delivery (iMessage, RCS, SMS) | Messages you send and coach replies over iMessage, RCS, or SMS |
| Telegram | Telegram coaching channel delivery | Messages you send and coach replies over Telegram |
Each of these providers is contractually required to protect your information, to use it only to provide services to us (or as required by law), and to provide the same or an equivalent level of data protection as described in this Privacy Policy. We do not authorize them to sell your personal information or use it for cross-app advertising.
We may also disclose your information if required by law, court order, or to protect the safety of our users.
5. Payment Data
Web payments are handled by Stripe. iOS in-app purchases and subscription entitlement sync are handled by Apple and Adapty. We do not store credit card numbers, bank account details, or other payment instrument data on our servers. We retain only the provider identifiers needed to manage your subscription status, such as a Stripe customer ID, Apple transaction identifiers, or an Adapty profile ID. You can review Stripe's privacy policy at stripe.com/privacy. Apple in-app purchase data is also governed by Apple's privacy policy and App Store terms.
6. Data Security
We implement multiple layers of security to protect your data, following industry best practices including the OWASP Top 10 security framework:
Encryption & Access Control
- All data in transit is encrypted using HTTPS with TLS 1.2+ and HTTP Strict Transport Security (HSTS).
- All data at rest is encrypted by our database provider (Supabase/AWS, AES-256).
- Row-level security (RLS) is enforced on every database table — your queries can only return your own data. This is enforced at the database level, not just the application level.
- Passwords are hashed using bcrypt; we never store or see your plaintext password.
Application Security
- Content Security Policy (CSP) headers restrict which scripts, styles, and connections the app can make, protecting against cross-site scripting (XSS) attacks.
- All user inputs are validated and sanitized before processing. Email content is HTML-escaped to prevent injection attacks.
- Rate limiting is applied to AI coaching interactions, meal scoring, and data export endpoints to prevent abuse.
- Webhook signatures are cryptographically verified for all payment processing callbacks.
- Cron job authentication uses timing-safe comparison to prevent timing attacks.
AI-Specific Protections
- User messages are sanitized before being sent to AI models to prevent prompt injection attacks.
- AI responses are validated and filtered through a content safety pipeline before being shown to you.
- AI inference providers and routing infrastructure are configured under data-processing terms intended to prevent submitted content from being used to train provider models.
- Every AI-generated response is clearly labeled as AI-generated and includes a wellness coaching disclaimer.
7. Data Retention & Deletion
We retain your personal information for as long as your account is active. When you delete your account:
- All profile data, food diary entries, uploaded meal photos, voice captures, AI conversations, observations, goals, optional health-source data, and weight history are permanently deleted.
- Stripe, Apple, and Adapty billing records are retained by those providers according to their data retention policies and legal obligations.
- Anonymized, aggregated analytics data may be retained for service improvement.
While your account is active, we keep different data for different periods:
- Your diary and coaching profile (meal entries, goals, observations, weight history, and optional health-source context) are kept for as long as your account is active, so your coach can learn from your history.
- Uploaded meal photos and voice recordings are automatically deleted about 30 days after upload. The meal entries and coaching insights derived from them remain in your diary.
- Internal AI quality and debugging logs have most message content — including the action details we extract, such as a meal you logged — removed within 30 days, and are fully deleted within 120 days. For turns we flag for quality review, a copy is kept for that review until the log is deleted, within 120 days. Usage and cost metrics are kept up to 90 days.
- Messaging-channel transport records (the raw iMessage, RCS, SMS, and Telegram delivery payloads) are deleted within 30 days. The conversation itself becomes part of your coaching history (see above) and is kept for the life of your account, then permanently deleted when you delete your account.
- Diagnostic traces sent to our monitoring providers are anonymized and retained only briefly for reliability debugging.
You can delete your account at any time from Settings in the web or iOS app. Deletion is permanent and cannot be undone. For Apple Sign-In accounts, we also attempt to revoke the Apple authorization token as part of account deletion when the required Apple credential is available.
8. Cookies & Tracking
We use cookies for:
- Essential cookies: authentication session management (required for the app to function).
- Analytics cookies: product usage tracking via PostHog (when configured). You can opt out of analytics cookies.
We do not use advertising cookies, do not sell data to advertising networks, and do not track you across other companies' apps or websites for advertising. For full detail, see our Cookie Policy.
9. Children's Privacy
Alkaterranean is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If we learn that we have collected data from a user under 18, we will promptly delete their account and all associated data.
10. Your Privacy Rights
All Users
- Access: view all data we hold about you (available in Settings and via data export request).
- Correction: update your profile, preferences, and diary entries at any time.
- Deletion: delete your account and all associated data from Settings.
- Connected-source controls: disconnect optional Apple Health or wearable sources through the app and revoke the underlying permission in your device settings.
- Email preferences: control which coaching emails you receive. You can independently toggle daily coaching emails and weekly summary emails in Settings. Transactional emails (account verification, billing) cannot be disabled.
California Residents (CCPA/CPRA)
Under CPRA, your dietary preferences, allergies, and body metrics may be classified as sensitive personal information. You have the right to:
- Know what personal information we collect and how it is used.
- Request deletion of your personal information.
- Opt out of the sale or sharing of your personal information (we do not sell your data).
- Limit the use of your sensitive personal information to what is necessary for the Services.
- Non-discrimination for exercising your privacy rights.
Washington Residents
Under the Washington My Health My Data Act, your dietary and wellness data is classified as consumer health data. You provide this data voluntarily to receive personalized coaching; we use it solely to deliver the Services you request and do not sell it. You may delete your data at any time by deleting your account.
Turkey Residents (KVKK)
Under Turkey's Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu, Law No. 6698), your health and dietary information is special-category personal data. You provide it voluntarily to receive personalized coaching; we use it solely to deliver the Services and do not sell it. As described in Section 13, delivering the Services involves transferring your data abroad (primarily to the United States). You may withdraw and delete your data at any time by deleting your account.
Under Law No. 6698 you have the right to:
- Learn whether your personal data is processed, and request information about how it is used.
- Know the purpose of processing and whether your data is used accordingly.
- Know the third parties to whom your data is transferred, in Turkey or abroad.
- Request correction of incomplete or inaccurate data, and erasure of your data.
- Object to outcomes produced solely by automated analysis, and seek compensation for damage.
To exercise any of these rights, contact us at privacy@selencoaching.com.
11. Do Not Track
Some browsers transmit a Do Not Track (DNT) signal. There is no uniform standard for responding to DNT signals. We do not currently respond to DNT signals, but we minimize tracking by default and do not use advertising trackers.
12. FTC Health Breach Notification
As a non-HIPAA consumer wellness app, if we experience a data breach involving your health-related information, we will notify you and the Federal Trade Commission within 60 days, as required by the FTC Health Breach Notification Rule.
13. International Users & Data Transfers
Alkaterranean is operated from the United States and the United Kingdom. Our hosting and database infrastructure (including Vercel and Supabase) processes and stores your data primarily in the United States. Our AI inference and routing providers may also process your submitted content in the United States or other countries where they operate.
If you access the Services from the European Union, the United Kingdom, Turkey, or another region with data-protection laws, your personal information will be transferred to, processed in, and stored in the United States and other countries whose data-protection rules may differ from those in your own country. By using the Services, you consent to this transfer.
Where required, we rely on appropriate safeguards for international transfers (such as Standard Contractual Clauses) and handle your data in line with GDPR and UK GDPR principles. Transfers of personal data from Turkey are subject to the cross-border requirements of Article 9 of Law No. 6698 (KVKK). To ask about international transfers or exercise your rights, contact us at privacy@selencoaching.com.
14. Messaging Coaching Channels (iMessage, RCS, SMS & Telegram)
Alka-Terranean® offers optional coaching over phone messaging — iMessage, RCS, or SMS (powered by Linq) — and Telegram. When you use these channels, the messages you send and the AI coach's replies are processed in the same way as web-app coaching conversations described in Sections 2 and 3 above.
Wellness coaching only. These channels deliver wellness coaching, not medical advice. Alka-Terranean® is a wellness service and is NOT a HIPAA covered entity. (Where state consumer health-data laws apply — such as the Washington My Health My Data Act described above — we handle your wellness data in accordance with those laws.)
Do not send clinical health information. We do not ask for, and you should not send, clinical or medical records, laboratory results, diagnoses, imaging reports, or other protected health information (PHI) through these channels. If you share such information voluntarily, our AI coach will acknowledge it but will not interpret your records or lab values or make medical decisions; it may still offer wellness-safe, condition-aware suggestions, and will direct you to a qualified healthcare provider for anything that requires clinical interpretation.
Messages sent through any phone messaging channel (iMessage, RCS, or SMS) or Telegram are subject to the respective platform's or carrier's own terms and privacy policies in addition to this Policy. You may disconnect a messaging channel at any time in your account Settings.
15. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice in the app before the changes take effect. The "Last updated" date at the top reflects the most recent revision.
16. Contact Us
If you have questions about this Privacy Policy or your data, contact us:
- Email: privacy@selencoaching.com
- Selen Coaching LLC / Alkalytic Ltd