flourish

Legal

How we handle your information

Flourish Daily Ltd
Effective Date: July 2, 2026

Introduction

Flourish ("we," "our," or "us") is a personalized AI fitness and wellness guide designed to help you achieve your long-term goals. This Privacy Policy explains how Flourish Daily Ltd, a company registered in the United Kingdom (Company No. 16541416), collects, uses, shares, and protects your information when you use our mobile application and services (the "Services").

For the purposes of the UK General Data Protection Regulation (UK GDPR), Flourish Daily Ltd is the Data Controller of your personal information.

Flourish is a wellness product, not a medical or healthcare provider. We are not a "covered entity" or "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA), and the Services do not provide medical advice, diagnosis, or treatment. Your information is instead protected under the laws described in this policy.

Company Information: Flourish Daily Ltd

15 Penzance Pl, London, W11 4PG, UK

Email: privacy@flourishdaily.io

U.S. residents: Please also see our Consumer Health Data Privacy Notice, which describes how we handle "consumer health data" under laws such as the Washington My Health My Data Act and Nevada's SB 370, and our U.S. State Privacy Rights section below.

1. Information We Collect

1.1 Information You Provide

Account Information:

  • Name
  • Phone number
  • Email address
  • Timezone
  • Identity from Sign in with Apple or Google Sign-In, if you use them.

Fitness and Wellness Data (Only with your explicit consent):

We do not collect this data unless you explicitly connect a third-party service (like Apple Health, Health Connect, or Strava) or manually input it.

  • Activity Data: Steps, distance, flights climbed, active and total calories, speed, pace, cadence, and activity by type (running, walking, cycling, swimming).
  • Workout Details: Activity types and durations, heart rate, heart-rate variability (HRV), VO₂ max, breathing rate, blood oxygen (SpO₂), and route and location points where a workout is recorded with GPS.
  • Sleep Data: Sleep stages, start/end times, sleep score/efficiency, and related metrics such as resting heart rate and skin temperature.
  • Body & Recovery Metrics: Stress, recovery and readiness scores where provided by a connected device.
  • Nutrition: Calories and macronutrients where you log them or a connected service provides them.
  • Mindfulness: Meditation sessions and mindfulness minutes.
  • Self-Reported Notes: Wellness reflections and subjective feedback you provide.

Voice Conversations:

  • Real-time voice input during calls with your AI guide (audio is streamed for processing, not stored as a recording).
  • Transcripts and summaries of your conversations.

Insights Entries (Note taking):

  • Text entries.
  • Photos you upload.
  • Voice Memos: Audio recordings you explicitly create and upload to your journal.

Goals & Plans:

  • Your fitness and wellness goals.
  • Daily and weekly objectives.
  • Plan drafts and progress tracking.

1.2 Automatically Collected Information

Usage Data:

  • Features you use.
  • Session duration and frequency.
  • In-app navigation patterns and product-analytics events.

Device Information:

  • Device type and model.
  • Operating system version.
  • Unique device identifiers.
  • Push notification tokens.

Diagnostics & Performance Data:

  • Crash reports and error logs, which may include diagnostic details and, in some cases, a screenshot of the screen at the time of an error.
  • API response times and backend performance metrics.

Advertising Identifiers:

With your permission (via Apple's App Tracking Transparency prompt on iOS, or the equivalent on Android), we use your device advertising identifier (IDFA / Android Advertising ID) for install and marketing attribution, so we can see which campaigns bring people to Flourish. We do not use your health, fitness, voice, or journal data for advertising (see Section 3).

1.3 Information from Third Parties & Connected Services

Health & Fitness Sources (Only if you explicitly connect them):

We use Spike, a health-data aggregation service, to securely connect the sources you choose and deliver their data to Flourish in a standardized form. Depending on what you connect, this can include:

  • Apple Health (HealthKit) and Android Health Connect.
  • Samsung Health.
  • Wearables and platforms such as Strava, Garmin, WHOOP, Oura, Fitbit, Polar, Withings, Eight Sleep, Peloton, Suunto and COROS.

Calendar (With your permission):

  • Google Calendar: Read and write calendar events to help you plan and schedule activities.

Google Health Connect Disclosure:

The use of information received from Health Connect will adhere to the Google Health Connect Permissions Policy, including the Limited Use requirements. Health Connect data is used only to provide and personalize the Services and is never used for advertising or sold.

1.4 Cookies and Tracking Technologies

We and our service providers may use cookies, mobile device identifiers (such as IDFA or Android Advertising ID), and local storage to operate the app, remember your settings (like authentication tokens), and analyze usage. You can control these through your device settings and the App Tracking Transparency prompt.

2. How We Use Your Information

2.1 Primary Purposes

To Provide Our Service:

  • Power AI-driven fitness and wellness conversations.
  • Analyze your voice input to generate helpful responses.
  • Track your metrics and progress toward goals.
  • Send reminders and motivational notifications by push, SMS, WhatsApp, or email.

To Improve Our Service:

  • Enhance AI response accuracy.
  • Identify and fix bugs.
  • Understand feature usage to prioritize improvements.

2.2 AI and Machine Learning

Real-Time AI Processing:

  • Your conversations are processed by AI models to generate personalized guidance.
  • Voice input is transcribed in real-time.

AI Training:

Your data is NOT used to train foundational AI models. We do not permit our AI providers to use your personal fitness or conversation data to train their models, and we do not use it to train models of our own.

2.3 Communications

  • Service Communications: Account updates, support responses, and coaching messages you have asked for.
  • Marketing (Optional): Tips and newsletters. You can opt-out anytime by using the unsubscribe link in our emails or contacting privacy@flourishdaily.io.

3. How We Share Your Information

We do NOT sell your personal information. We do NOT use your health, fitness, voice, or journal data for advertising, and we do not share it with advertising networks or data brokers for their own purposes.

We share data with the service providers below, who act as our processors. They may only use the data to provide their service to us, under contract, and not for their own purposes. We share only what each provider needs.

3.1 AI & Voice Providers

IMPORTANT DISCLOSURE:

Your personal data, including fitness information, conversation content, and transcripts, is shared with the following AI providers to power Flourish's features. We obtain your consent before enabling these AI features.

OpenAI, Anthropic & Google (Conversational AI)

  • Receive: Conversation content, transcripts, fitness context, and goals.
  • Purpose: Power the AI guide that responds to your questions (large language models).
  • Location: United States.
  • Training: Your data is NOT used to train their models.

Deepgram, ElevenLabs & OpenAI (Speech Recognition)

  • Receive: Real-time voice streams during calls and uploaded Voice Memos.
  • Purpose: Transcribe your speech into text for AI processing.
  • Retention: Live call audio is processed in real-time and is not retained as a stored recording by us or these providers.
  • Location: United States.

ElevenLabs, Google & OpenAI (Voice Synthesis)

  • Receive: Text responses generated by our AI.
  • Purpose: Convert AI responses into natural-sounding speech.
  • Location: United States.

Mem0, Honcho & Hindsight (AI Memory)

  • Receive: Conversation history and user context.
  • Purpose: Maintain continuity so the AI remembers your goals, preferences, and past context.
  • Location: United States.

LiveKit (Real-Time Voice Infrastructure)

  • Receives: Real-time audio streams during calls, as transport.
  • Purpose: Carries the live voice connection between you and your AI guide.
  • Location: United States.

E2B (Secure AI Compute)

  • Receives: Your profile, goals, recent activity, recent conversation history, and journal entries.
  • Purpose: Provides an isolated, secure cloud sandbox where our AI agent runs computations on your data to generate advanced insights and plans.
  • Location: United States.

3.2 Health Data Aggregation

  • Spike: Connects the health and fitness sources you choose (Apple Health, Health Connect, Samsung Health, and wearables such as Strava, Garmin, WHOOP, Oura and Fitbit) and delivers their data to Flourish in a standardized form.

3.3 Infrastructure, Analytics & Diagnostics

  • Supabase (USA): Database hosting, authentication, and secure file storage.
  • PostHog (EU): Product analytics, session replay, and in-app surveys, to understand how the app is used and improve it.
  • Sentry (EU): Crash and error diagnostics.
  • Logfire (USA): Backend performance monitoring.
  • AppsFlyer (USA): Install and marketing attribution, using your device advertising identifier with your consent. AppsFlyer does not receive your health, fitness, voice, or journal data.

3.4 Messaging & Notifications

  • Twilio (USA): SMS and WhatsApp messaging (including coaching messages you receive).
  • WhatsApp / Meta: Delivery of messages if you connect WhatsApp; your WhatsApp number is used to link your account.
  • Brevo (EU): Transactional email and email preferences.
  • Expo, Apple & Firebase Cloud Messaging: Push and incoming-call notifications (device push tokens). Firebase is used for message delivery and sign-in only; Firebase Analytics is disabled.

3.5 Integrations (With Your Permission)

You can manage the following integrations directly within App Settings:

  • Google Calendar: Sync and schedule events.
  • Strava: Import fitness activities (via Spike or Pipedream).
  • Apple Health / Health Connect & wearables: Import fitness, sleep, and mindfulness data (via Spike).
  • Pipedream (USA): A connection broker that securely brokers the OAuth link for legacy Strava connections.
  • Location: Permission for location-based features.

3.6 Subscriptions & Payments

When you purchase a premium subscription, the transaction is processed directly by Apple (App Store) or Google (Play Store) under their respective terms and privacy policies. Flourish does not collect, see, or store any payment card details, bank information, or billing addresses.

To manage premium feature entitlements, we use Adapty (USA) as our subscription management partner. Adapty receives your Flourish user identifier and the app-store-issued subscription status and transaction identifiers (e.g. product ID, expiry date, renewal status). We use this data solely to determine whether your account has an active subscription and to unlock premium features. We do not use it for advertising.

3.7 Product & Support

  • Canny (USA): Our feature-request board. If you use it, we pass your name, email, and avatar so you can post and track requests.

3.8 Legal Disclosures

We may share information when required by law, such as in response to subpoenas or court orders, or to protect our rights and safety.

3.9 Business Transfers

If Flourish Daily Ltd is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before this occurs.

4. Data Retention & Deletion

We keep your data only as long as necessary to provide the Services.

Data TypeRetention PeriodReason
User Data (Account, Fitness, Notes, Transcripts, Voice Memos, AI Memory)Until account deletion + up to 30 daysBackup recovery buffer
Usage AnalyticsAs long as reasonably necessary for product improvementProduct improvement
Crash & Diagnostic Reports90 daysBug fixing

Deleting Your Account:

You can request deletion of your account and associated data in App Settings or by emailing privacy@flourishdaily.io. When you delete your account, we remove your data from our systems and instruct our processors (including our AI memory provider) to delete the data they hold for you. We process deletion requests within 30 days.

5. Your Rights and Choices

5.1 For All Users

To exercise your rights to Access, Correct, or Delete your data, use App Settings or contact us at privacy@flourishdaily.io.

5.2 For UK and EU/EEA Residents (UK GDPR / GDPR)

Since we are based in the UK, you have specific rights under the UK GDPR.

Legal Basis for Processing:

  • Explicit Consent: We rely on your explicit consent to process "Special Category Data" (which includes your health, fitness, biometric, and physiological data synced from connected services, and your voice data) and for voice processing. You may withdraw this consent at any time by disconnecting these services in App Settings or contacting us.
  • Contract Performance: Managing your account and delivering the service.
  • Legitimate Interests: Security, fraud prevention, and service improvement.

Your Rights:

  • Right to Access: Request a copy of your data.
  • Right to Rectification: Correct inaccurate data.
  • Right to Erasure: Delete your data ("right to be forgotten").
  • Right to Restrict Processing: Limit how we use your data.
  • Right to Data Portability: Receive data in a structured format.
  • Right to Withdraw Consent: Disconnect connected services in App Settings or delete your account to withdraw consent for health-data processing.

Supervisory Authority:

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for information rights.
Website: ico.org.uk

5.3 For U.S. Residents (State Privacy Rights)

Depending on your state, you may have some or all of the following rights. To exercise them, use App Settings or email privacy@flourishdaily.io; we will respond within the time required by your state's law (typically 45 days) and you may appeal a decision.

  • Know / Access: Request details about the personal information we hold about you.
  • Delete: Request deletion of your personal information.
  • Correct: Correct inaccurate personal information.
  • Portability: Receive a copy of your data.
  • Opt out: Of any "sale" or "sharing" of personal information and of targeted advertising. We do not sell or share your personal information in the way those terms are defined by state privacy laws.
  • Limit sensitive data: Health and fitness data is "sensitive personal information." You can limit its use by disconnecting sources in App Settings, and we only process it with your consent.
  • Non-discrimination: We will not discriminate against you for exercising these rights.

Opt-out preference signals. Where required, we honor recognized universal opt-out signals such as Global Privacy Control (GPC).

California. We collect the categories of personal information described in Section 1, including "sensitive personal information" (health/fitness data and precise location). We use it for the purposes in Section 2 and do not sell or share it. You have the right to limit the use of sensitive personal information as described above.

Washington, Nevada & other consumer-health-data states. If you are a resident of a state with a consumer health data law, please see our separate Consumer Health Data Privacy Notice for how we collect, use, and share consumer health data, and how to exercise your rights (including withdrawing consent).

6. Data Security

We use industry-standard measures to protect your information:

  • Encryption: Data is encrypted in transit (TLS) and at rest by our hosting and storage providers.
  • Access Control: Role-based access controls limit who can access data.
  • Signed integrations: Inbound data from providers is verified with signed webhooks.

Note: No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If a data breach affects your health information, we will notify you and the relevant authorities as required by applicable law (including the U.S. FTC Health Breach Notification Rule and UK GDPR).

7. AI-Specific Disclosures

7.1 AI Usage in Fitness and Wellness Guidance

  • Nature of AI: Flourish uses AI to generate personalized suggestions based on your fitness data and goals.
  • Not Medical Advice: The AI is a wellness guide, not a doctor. Recommendations are for informational purposes only. Always consult a healthcare professional before starting a new fitness regime.
  • Accuracy: AI may occasionally produce incorrect information ("hallucinations"). Please verify critical information.

7.2 Voice & Biometric Data

  • Live Calls (No Recording): We do not record the audio of live conversations with your AI guide. Your voice is streamed in real-time to our transcription providers to generate text for the AI, and the audio is not retained as a stored recording. We keep the text transcript of the conversation.
  • Voice Memos (Insights): If you record and upload a Voice Memo (journal entry), that audio file is stored securely so you can play it back later. You can delete these Voice Memos at any time.
  • No voiceprints: We use your voice only to provide the Services (transcription and AI responses). We do not create voiceprints, use your voice to identify you, clone your voice, or sell or use voice data for advertising. If we ever introduce voice-based identification, we will obtain your consent first.

7.3 AI Memory System

We use AI memory services (Mem0, Honcho, and Hindsight) to help the AI remember your context (e.g., "User injured their knee last week").

Control: To view specific data stored in the AI memory or to request a full context reset, please contact us at privacy@flourishdaily.io. Deleting your account also deletes your AI memory.

8. International Data Transfers

For UK/EU Users:

Many of our third-party service providers (such as our AI providers, Supabase, LiveKit, and E2B) are located in the United States. Some providers (such as PostHog, Sentry, and Brevo) process data in the EU.

To comply with UK and EU data protection laws, we protect data transferred outside the UK/EEA through:

  • The UK-US Data Bridge: Where applicable, we rely on the UK Extension to the EU-US Data Privacy Framework.
  • Standard Contractual Clauses (SCCs) / UK IDTA: For providers not covered by the Data Bridge, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

By using Flourish, you acknowledge this transfer.

9. Children's Privacy

Flourish is intended for users 18 years and older. We do not knowingly collect information from anyone under 18. If we discover we have collected such data, we will delete it immediately.

10. Changes to This Policy

We may update this policy to reflect changes in our practices. Material changes will be communicated via email or in-app notifications. Continued use of Flourish constitutes acceptance of the updated policy.

11. Contact Us

For questions, data requests, or concerns, please contact us:

Flourish Daily Ltd

Email: privacy@flourishdaily.io

Address: 15 Penzance Pl, London, W11 4PG, United Kingdom