GLP-101 treats the health-related information you enter as sensitive personal data and applies data minimization — we collect only what the features need.
1. Who we are
The data controller is M&M Ventures Ltd, a company incorporated in the Isle of Man (company number 135641C; registered office: Ferndale, Saddle Road, Douglas, Isle of Man IM2 1HG). Because the app is distributed globally, this policy is to be finalised with counsel to cover Isle of Man data-protection law and UK GDPR / EU GDPR where applicable. Contact: hello@glp101.app.
2. Data we collect
Account: email address and/or Sign in with Apple identifier.
Profile: unit system, age range, optional biological sex, height/weight, goal weight, country, language, journey stage, goals.
Health-related (that you choose to enter): medication schedule, doses, symptoms, meals, hydration, fibre/protein, weight and body metrics, notes, and optional progress/meal photos.
Subscription: status/entitlement via Apple (StoreKit).
AI: messages you send to GLP-101 Coach and safety classifications.
Diagnostics (optional, consent-gated): non-identifying usage data used in-app only. At launch this is not shared with any third-party analytics or crash-reporting provider.
3. Why we process it & legal basis
To provide tracking, reminders, summaries and personalization — performance of the contract / your explicit consent for health data (GDPR Art. 9(2)(a)).
To operate subscriptions — contract.
To improve the app / analytics — consent (where required).
To meet legal obligations and maintain security — legitimate interests/legal obligation.
4. Health-related data & explicit consent
Where required, we process health-related data only on your explicit consent, captured separately during onboarding, and which you can withdraw (withdrawing required consent means deleting your account).
5. Processors & sharing
Supabase — authentication, database, storage, functions (hosting region: EU West).
Apple (StoreKit) — subscription management/billing.
Anthropic (Claude) — our AI provider; processes the Coach messages you send. Conversations are not used to train models unless you separately opt in.
Analytics / crash reporting — no third-party analytics or crash-reporting provider is used at launch; we do not share usage or stability data with an external processor. We do not sell your personal data or use it for cross-app tracking.
6. International transfers
Where data is transferred internationally, we use appropriate safeguards (e.g. Standard Contractual Clauses). Details to be finalised with counsel.
7. Retention & deletion
We retain data while your account is active. You can export or delete your data at any time in Settings. Deletion removes identifiable data except where retention is legally required (e.g. certain consent records, retained in anonymised form).
8. Your rights
Depending on your location (including under GDPR/UK GDPR) you may access, rectify, export (portability), erase, restrict or object to processing, and withdraw consent, without affecting prior lawful processing. You may complain to your supervisory authority.
9. Security
Encryption in transit, access controls, Row Level Security scoping data to its owner, private storage buckets, and server-side handling of all API keys.
10. Children
GLP-101 is for adults 18+ and is not directed to children. We do not knowingly collect data from children.
11. Changes & contact
We will notify material changes in-app. Questions/requests: hello@glp101.app.