Formulate Privacy Policy

Effective date: 2026-05-11 Last updated: 2026-05-19

This Privacy Policy describes how Formulate ("we," "us," or "the app") collects, uses, stores, and shares information when you use our mobile application. By using Formulate, you agree to the practices described here.

Quick summary (read this first)

We collect what you tell us (profile, goals, supplements you take) and what you scan (when you tap the shutter on a supplement label, the photo is sent to Google's Gemini API so it can read the ingredients — see Section 1.3).
We store this in Supabase (US database servers) under your authenticated account. Photos are not retained by us — only the structured ingredient list extracted from them.
When you talk to the AI Coach, your message is sent to DeepSeek for processing. We don't store that on DeepSeek's side.
We use RevenueCat to manage your subscription if you're a Pro user.
We use PostHog for anonymous crash reports and basic lifecycle telemetry (app open/background events only). No personal data, no scan content, no Coach messages. You can turn it off in Settings → Privacy → Anonymous crash reporting.
We never sell your data. We never run ads.
You can delete everything at any time from Settings → Account → Delete account.

1. Data we collect

1.1 Account data (required)

Email address (for sign-in via one-time code).
Authentication identifiers (user ID assigned by our auth system).

1.2 Profile and health-context data (you provide)

Stats you optionally enter: height, weight, biological sex, year of birth.
Goals (e.g., strength, endurance, sleep, focus).
Dietary restrictions, allergies.
Training context (frequency, type).
Time zone.

This data is used to personalize ingredient recommendations and the AI Coach's responses. You can leave any field blank.

1.3 Supplement and scan data (you create through usage)

Scans you perform: product name, parsed ingredients with doses, barcode (if applicable).
Your supplement stack: products you take regularly, doses, timing.
Daily intake log: each time you log taking something.

Note on scan images: When you tap the shutter on a supplement label, the captured photo is sent over an encrypted connection to Google's Gemini API (generativelanguage.googleapis.com) so the model can read the panel and return the ingredient list. The image leaves your phone — it does not stay local. Once Gemini returns the ingredient data:

Our server stores only the structured ingredient list (names, doses, units) under your account in Supabase.
We do NOT store the photo itself. The photo is never written to our database or any storage we control.
Per Google's published policy for paid Gemini API requests, your image is not used to train Google's models and is retained only for limited operational purposes (abuse monitoring, ~30 days). We do not control Google's policies — review them at https://ai.google.dev/gemini-api/terms.
If you are on the free tier of our app, your scans run on the same Gemini API as Pro scans.

If you don't want Google to process your scan images, don't use the scan feature. The rest of the app (stack, intake log, AI Coach, ingredient library) works without it.

1.4 AI Coach conversations

Messages you send to the AI Coach and the responses generated.
Pinned facts you ask the Coach to remember.

These are stored in our database under your account.

1.5 Subscription data (if you upgrade to Pro)

Subscription status, product purchased, renewal date — managed by RevenueCat (see Section 4).
Apple/Google payment data: we never see your card. Apple or Google handles the actual payment.

1.6 Device and diagnostic data (anonymous, optional)

Formulate uses PostHog (posthog.com) to collect anonymous error reports and basic lifecycle telemetry — app open and background events only, plus crash stack traces if the app crashes. We do NOT send: any personally identifying information, your email, your scans, your stack, your Coach messages, or any health data. PostHog never receives screen recordings, screenshots, or the contents of any field in the app.

This telemetry is on by default and you can disable it entirely at any time in Settings → Privacy → Anonymous crash reporting. PostHog acts solely as our data processor and does not share this data with third parties.

We do NOT collect: contacts, location, microphone, photos library (camera is used only for scanning, with your explicit permission, and we don't retain captured images on our servers — see Section 1.3 for how scan images are handled by Google's Gemini API), advertising identifier, browsing history.

2. How we use your data

To provide the service: store your stack, calculate daily intake totals, decode scans, run the AI Coach.
To personalize: tailor ingredient recommendations and Coach answers to your stated goals.
To bill (if Pro): process your subscription via Apple/Google + RevenueCat.
To improve the app: analyze aggregated, anonymous patterns (e.g., "what % of users have goals set"). We do not look at your individual data for product analytics.

We do NOT use your data to: - Train AI models on your conversations. - Sell or rent to third parties. - Run advertising. - Build profiles for any party other than you.

3. The AI Coach and DeepSeek

When you send a message to the AI Coach, the following happens:

The message, plus context (your goals, your stack, optionally your pinned memory facts), is sent to a server we operate (Supabase Edge Function).
The server forwards the request to DeepSeek (api.deepseek.com), an AI provider, which generates a response.
The response is sent back to your device and saved to your account.

DeepSeek's data handling: Per DeepSeek's published policy, API requests are not used to train their models and are retained only for limited operational purposes. We do not control DeepSeek's policies — review them at https://platform.deepseek.com/.

If you don't want DeepSeek to process your messages, don't use the AI Coach feature. The rest of the app works without it.

4. Service providers we share data with

Provider	Purpose	What they receive
Supabase (Auth + Database, US)	Account auth, all user data storage	Account email, profile, scans, stack, intake log, Coach conversations, Coach memory
RevenueCat (Subscription mgmt, US)	Manage Pro subscription state	User ID, subscription product, store identifiers — no health data
Google Gemini API (Scan interpretation, US)	Read supplement-label photos and return structured ingredient data	The single photo you capture when you tap the scanner shutter. Per Google's terms for the paid Gemini API, your photo is not used to train Google's models and is retained briefly only for abuse monitoring. We never share your account identity with Google.
DeepSeek (AI Coach)	Generate AI Coach responses	The current Coach message + your goals + stack + pinned memory at time of request
PostHog (Anonymous telemetry, US)	Anonymous crash reports + lifecycle events	Anonymous device identifier (random), OS + app version, app open/background events, crash stack traces — no email, no scans, no stack, no Coach messages, no health data. Opt-out in Settings.
Apple App Store / Google Play	Payment processing for Pro	Whatever Apple/Google handle for IAP (we don't see card data)
OpenFoodFacts (food barcode lookup, future)	Resolve barcodes to product info	Barcode number only — no user identifier

We have data processing agreements in place with these providers where required by law (GDPR, etc.).

5. Data retention

Active users: data is retained as long as your account exists.
Account deletion: you can delete your account at any time from Settings → Account → Delete account. All data — profile, scans, intake, Coach conversations, memory, entitlements — is permanently deleted from our database within 30 days. Backups are purged within 90 days.
Inactive accounts: if you don't sign in for 24 months, we may delete your account after notifying you by email.

6. Your rights

You can: - Access: see your data via the in-app settings (most fields are visible) or by emailing the contact below. - Export: request a copy of all your data in JSON format. We respond within 30 days. - Correct: edit your profile fields directly in the app. - Delete: see Section 5. - Withdraw consent: stop using the app. To delete data, see Section 5.

If you're in the EU/EEA/UK, you also have: - The right to lodge a complaint with your local data protection authority. - The right to object to certain processing. - The right to data portability (covered by export above).

If you're in California, you have CCPA rights including: - The right to know what personal information we collect, use, and disclose. - The right to deletion. - The right to opt out of "sale" — note that we do not sell your personal information. - The right to non-discrimination for exercising any CCPA right.

To exercise any of these rights, email the address in Section 9.

7. Children

Formulate is not intended for users under 13 years old (or the equivalent minimum age in your country). We do not knowingly collect data from children under that age. If you believe a child has provided us data, contact us at the address below and we will delete it.

The supplement guidance in Formulate is intended for adults. We do not provide pediatric dosing information.

8. Important limitations (medical disclaimer)

Formulate is not a medical device. The information we provide is educational, based on published research, and does not constitute medical advice. We are not a HIPAA covered entity. The data you store with us is not protected by HIPAA — it's protected by this Privacy Policy and applicable consumer protection law.

If you have a medical condition, are pregnant or nursing, take prescription medications, or have any concern about supplements interacting with your health, consult a healthcare professional. The AI Coach is explicitly instructed to defer medical questions to clinicians.

9. Contact us

For privacy questions, data access requests, or to delete your account:

Email: [email protected]

This address forwards to the founder's personal inbox. Response time is typically 1–2 business days. For privacy or data-deletion requests, mention "PRIVACY" in the subject line so it's not missed.

10. Changes to this policy

If we change this policy materially (e.g., add a new data-sharing partner, change retention periods), we will notify you in the app and by email at least 14 days before the change takes effect. Minor changes (typos, clarifications) take effect immediately and are reflected in the "Last updated" date at the top.