Privacy Policy

Effective date: May 18, 2026.

SuppleSense is a service of ELMMLY LLC. This Privacy Policy (the "Policy") describes how ELMMLY LLC ("ELMMLY," "SuppleSense," "we," "us," or "our") processes personal information in connection with the SuppleSense mobile application, the website located at www.supplesense.app, and any related online services that link to this Policy (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, do not use the Services.

1. Controller and scope

ELMMLY LLC is the controller of personal information processed through the Services, except where this Policy states that a third party acts as an independent controller. This Policy applies only to information processed by us and does not apply to information processed by third parties whose products or services you access through the Services. Those third parties act under their own privacy notices.

2. Categories of personal information we process

Account identifiers. Email address and the authentication identifier returned by Sign in with Apple, Sign in with Google, or our magic-link provider. We do not receive or store the password associated with your Apple or Google account.

Log content. Supplements, dosages, schedules, and free-text notes you submit, which may include the names of prescription medications, peptides, or hormones you choose to record.

Self-reported ratings. Subjective values you submit, including mood, energy, focus, sleep, and other measures you choose to track.

Health information from Apple Health and Health Connect. Categories of biometric data you explicitly authorize through your device's health permissions (for example, sleep, heart rate, heart rate variability, body weight, or step count). The Services request access only to categories needed for the features you use, and you may revoke any category from your device settings.

Device and diagnostic data. Application version, device model, operating system version, locale, crash reports, and aggregated event data used for reliability and security. We do not use mobile advertising identifiers.

Transaction data. If you purchase a subscription, Apple, Google, or our subscription-management provider processes the payment and returns to us a subscription status and an opaque transaction identifier. We do not receive payment card numbers or financial account credentials.

Communications. The contents of messages you send to us and any contact details you provide for support or product updates.

Some of the categories above may constitute "sensitive personal information" under applicable law because they relate to health.

3. Purposes of processing

We process personal information to: (a) provide and operate the Services, including rendering your log and computing statistical summaries over your own data; (b) authenticate you and secure your account; (c) deliver subscription benefits and process related transactions through our payment providers; (d) send transactional communications and any product communications to which you subscribe; (e) respond to support requests; (f) detect, prevent, and respond to security incidents, fraud, and abuse; (g) comply with legal obligations and enforce our agreements; and (h) on a de-identified or aggregated basis, evaluate and improve the performance of the Services and the underlying statistical method.

4. Use of language models

Statistical findings are produced by a deterministic algorithm applied to your data. Where the Services present those findings in narrative form, a third-party language model provider may be used to phrase the narration. We transmit to the provider only the minimum context required for that narration. Our agreements with language-model providers contractually prohibit the use of your inputs or outputs to train the provider's models.

5. Limits on use and disclosure

We do not sell personal information and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act, as amended. We do not use information received from Apple Health or Health Connect for advertising or marketing purposes, or disclose it to any third party for advertising or marketing purposes, in accordance with Apple and Google platform requirements. We do not disclose your log content to supplement manufacturers, pharmacies, employers, or insurers for their own marketing purposes.

6. Recipients of personal information

We disclose personal information to the following categories of recipients, each acting as a processor or service provider under a written agreement that limits their use of the information to providing services to us:

cloud infrastructure providers (including Amazon Web Services) for hosting, storage, and supporting infrastructure; identity providers (Apple, Google) and our email-delivery provider for authentication and transactional email; subscription-management and payment-processing providers (including Apple, Google, and RevenueCat); error-monitoring and analytics providers for service reliability; and language-model providers (which may include Anthropic, OpenAI, and Google) for the narration function described in Section 4.

We may also disclose personal information: (a) to comply with applicable law, lawful requests by public authorities, valid legal process, or to respond to a subpoena, court order, or similar legal demand; (b) to enforce our terms or protect the rights, property, or safety of SuppleSense, our users, or others; and (c) in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, in which case the receiving entity will be bound by terms no less protective than this Policy with respect to information transferred.

7. Legal bases for processing (EEA, UK, Switzerland)

Where the General Data Protection Regulation, the UK GDPR, or the Swiss Federal Act on Data Protection applies, we rely on the following legal bases: performance of a contract with you to provide the Services (Article 6(1)(b)); our legitimate interests in operating, securing, and improving the Services, where those interests are not overridden by your rights (Article 6(1)(f)); compliance with our legal obligations (Article 6(1)(c)); and your consent (Article 6(1)(a)) for processing of health-related data and for any optional communications, which consent you may withdraw at any time without affecting the lawfulness of processing carried out before withdrawal. For special categories of data under Article 9, we rely on your explicit consent (Article 9(2)(a)).

8. Health information and HIPAA

The Services are a consumer wellness tool and are not designed for use in a treatment relationship governed by the U.S. Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). SuppleSense is not a covered entity or business associate under HIPAA. You should not submit information to the Services that you intend to be protected health information under HIPAA. The Services are not intended to diagnose, treat, cure, or prevent any disease, and the statistical summaries presented through the Services do not constitute medical advice.

9. Your choices and rights

You may export your log, correct entries, and delete your account from within the Services. You may revoke access to any category of Apple Health or Health Connect data at any time from your device settings; revocation will not affect data previously received.

Subject to applicable law, you may have the right to: request access to the personal information we hold about you; request correction of inaccurate information; request deletion of your information; request restriction of, or objection to, certain processing; request portability of information you provided to us; withdraw consent where processing is based on consent; and lodge a complaint with a supervisory authority. California residents have the additional rights set out in the California Consumer Privacy Act, including the right to opt out of any sale or sharing of personal information (which we do not conduct) and the right not to receive discriminatory treatment for exercising those rights.

To exercise any of these rights, contact us at privacy@supplesense.app. We will verify your request as required by applicable law and will respond within the period required by that law. You may authorize an agent to act on your behalf where permitted by applicable law.

10. Retention

We retain personal information for as long as your account is active and for the period thereafter necessary to comply with legal obligations, resolve disputes, and enforce our agreements. Following deletion of your account, we will delete or de-identify personal information held in production systems within 30 days and in routine backups within 90 days, except where a longer period is required by law. De-identified or aggregated data that can no longer reasonably be associated with you may be retained without limit.

11. International transfers

We process personal information in the United States and in other jurisdictions where our service providers operate. Where required by applicable law, we implement appropriate safeguards for cross-border transfers, including the European Commission's Standard Contractual Clauses and the United Kingdom International Data Transfer Addendum.

12. Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction, including encryption of data in transit and at rest and access controls on production systems. No method of transmission or storage can be guaranteed to be secure, and we cannot warrant the absolute security of information. In the event of a security incident affecting personal information, we will notify affected users and authorities to the extent required by applicable law.

13. Children

The Services are intended for individuals 18 years of age or older. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected personal information from a child under 18 without verified parental consent, we will delete that information.

14. Changes to this Policy

We may update this Policy from time to time. When we do, we will revise the effective date at the top of this Policy. If a change materially affects how we process personal information, we will provide additional notice through the Services or by email prior to the change taking effect. Your continued use of the Services after the effective date of an updated Policy constitutes acknowledgment of the updated Policy.

15. Additional U.S. state disclosures

California. The categories of personal information described in Section 2 correspond to the categories of personal information enumerated in California Civil Code Section 1798.140, including identifiers, customer records, commercial information, internet or other electronic network activity information, geolocation data, and sensory information (where you record free-text notes). We process sensitive personal information only for the purposes set out in Section 3 and we do not use it to infer characteristics about you. Under California's "Shine the Light" law (Civil Code Section 1798.83), we do not disclose personal information to third parties for those third parties' direct-marketing purposes.

Connecticut, Virginia, Colorado, Utah, Texas, Oregon, and other state privacy laws. If you are a resident of a state that grants consumer privacy rights (including Connecticut, Virginia, Colorado, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, and others), you have the rights described in Section 9. We do not sell personal information and we do not process it for targeted advertising as those terms are defined under your state's law. We do not engage in automated decision-making or profiling that produces legal or similarly significant effects. You may appeal a denial of a privacy-rights request by replying to the email through which we communicated our decision; if your appeal is denied, you may contact the attorney general of your state.

Nevada. Nevada residents have the right to direct a covered operator not to sell certain personal information. We do not currently sell personal information of Nevada residents as defined under Nevada law, but you may submit a request to privacy@supplesense.app at any time.

Global Privacy Control. Our marketing website honors the Global Privacy Control (GPC) signal as an opt-out of any sale or sharing of personal information for cross-context behavioral advertising, where required by applicable law. Because we do not engage in those practices, enabling GPC does not change what we collect through the Services, but the signal is respected as a legally valid request.

16. Washington and Nevada Consumer Health Data

This section supplements the Policy and explains how we handle Consumer Health Data of residents of Washington under the My Health My Data Act and of residents of Nevada under the Nevada Consumer Health Data Privacy Law (together, the "Consumer Health Privacy Laws").

What we consider Consumer Health Data. For purposes of the Consumer Health Privacy Laws, Consumer Health Data we collect about you includes: the supplements, dosages, peptides, hormones, and prescription medications you log; the subjective ratings and free-text notes you submit about your physical or mental health; biometric categories you authorize through Apple Health or Health Connect (such as sleep, heart rate, heart-rate variability, body weight, and step count); and any inferences derived from the foregoing about your past, present, or future physical or mental health status.

How we use Consumer Health Data. We use Consumer Health Data solely to provide and improve the Services as described in Section 3, including computing the deterministic statistical findings that the Services surface and generating the plain-language narration of those findings described in Section 4. We do not use Consumer Health Data for advertising or marketing, and we do not sell it.

How we share Consumer Health Data. We share Consumer Health Data only with the categories of service providers described in Section 6 (cloud-infrastructure providers, identity providers, error-monitoring providers, and language-model providers), each of whom is contractually limited to processing the data on our behalf and for our purposes. We may also disclose Consumer Health Data to comply with applicable law or valid legal process, or in connection with a corporate transaction as described in Section 6, in each case to the extent permitted by the Consumer Health Privacy Laws.

Your rights. If you are a Washington or Nevada resident, you have the right to confirm whether we are collecting, sharing, or selling Consumer Health Data about you and to access that data; to withdraw any consent you have provided for our processing of Consumer Health Data; and to have us delete your Consumer Health Data and direct our service providers to do the same. To exercise these rights, email privacy@supplesense.app. We will verify your request and respond within the period required by applicable law. If your request is denied, you may appeal by replying to our response, and, if your appeal is denied, you may file a complaint with the Washington Attorney General or the Nevada Attorney General.

17. Contact

For questions about this Policy or to exercise any right described in Section 9, contact privacy@supplesense.app.