huuman

Last updated · May 18, 2026

Privacy Policy

This policy explains what personal data huuman collects, why we collect it, who we share it with, and the rights you have over your data under the EU General Data Protection Regulation (GDPR) and equivalent laws. We've written it in plain English; if anything is unclear, please write to privacy@huuman.life.

huuman is an AI coaching app for sleep, nutrition, training, and recovery. Because the service is health-adjacent, we handle information that is sensitive by nature — including data synced from Apple Health, free-text conversations with your coach, and progress photos you choose to share. We take that seriously, collect as little as we can, and never sell your data to anyone.

1. Who we are (Data Controller)

The controller responsible for processing your personal data under Art. 4(7) GDPR is:

Huuman Life GmbH
c/o Yilmaz
Türkenstr. 92
80799 München
Germany

Managing directors: Joshua Cornelius, Mehmet Yilmaz
Commercial register: Amtsgericht München, HRB 311065
VAT identification number (§ 27a UStG): not yet issued
Privacy contact: privacy@huuman.life
General contact: support@huuman.life

We have not appointed a statutory Data Protection Officer because we do not meet the thresholds of § 38 BDSG. The privacy contact above is the responsible point of contact for any question or request relating to your data.

2. The data we collect

We only collect what we need to operate the service. Below is every category, why we have it, and where it comes from.

2.1 Account and identity

  • Email address — either the email tied to your Apple ID or, if you choose "Hide my email," Apple's private relay address. We only need an email to create an account, send transactional messages, and let you recover access.
  • Apple user identifier — the stable per-app identifier Apple gives us when you sign in with Apple. We use it as your account key; it is not your real name.
  • Display name — optional, what your coach calls you.

2.2 Profile and onboarding

  • Demographics — date of birth (used to derive age), biological sex, height, weight.
  • Goals, constraints, and baselines — the answers you give during onboarding (current activity, equipment, injuries, schedule, sleep patterns, nutrition preferences). Used to build your personalized protocol.
  • Preferred language and timezone — to deliver your coach in the right language and time-of-day.
  • Location — only when you explicitly choose to pick a training location nearby (e.g., your gym). Not tracked in the background.

2.3 Health data (special category — Art. 9 GDPR)

When you connect Apple Health, huuman reads the following data types you authorize:

  • Sleep analysis (durations, stages, bedtime, wake time)
  • Activity (steps, active energy, distance, workouts including calories and distance)
  • Heart rate metrics (resting heart rate, HRV)
  • Body composition (body mass, height, body fat percentage)
  • Cardiorespiratory fitness (VO2 max)
  • Mindful sessions
  • Date of birth and biological sex (one-time, for baselines)

We use these only to coach you. We never write to Apple Health, never use Apple Health data for advertising, and never share Apple Health data with any third party except the AI sub-processor listed in §6 (and only when needed to generate a coaching response). HealthKit data is not stored in iCloud by us.

2.4 Conversations and user-generated content

  • Chat messages — everything you say to the coach and everything the coach says back, stored so you have continuity between sessions.
  • Photos you upload — meal photos, progress photos, and any images attached in chat. Stored privately (only you can read them) and analyzed by the AI sub-processor only when needed to respond to your message.
  • Voluntary notes and logs — meals, weights, sessions, and any other data you choose to log.

2.5 Device and diagnostics

  • Push notification token — to send you the notifications you opt into. Stored only while you have the app installed.
  • App version, OS version, device model — for debugging and compatibility checks.
  • Crash reports and performance metrics — collected via Apple's MetricKit when something goes wrong. May include screen names and method-level timings; we never collect identifying content from inside views.
  • Anonymous product analytics — only if you opt in (Profile → Privacy → Analytics). Off by default for new users. Limited to event names, screen names, and aggregated counts; no message content, no health values, no IDFA. Hosted in the EU.

3. Why we process this data (Purposes)

  • Provide the service. Create your account, run onboarding, build your protocol, and deliver coaching conversations grounded in your real data.
  • Personalize coaching. Pre-compute baselines and trends, surface relevant context to the coach so it can react to what actually happened (sleep last night, weight trend, missed sessions).
  • Notifications. Send the briefs, reminders, and coach messages you have opted into. You can disable any category in your device settings.
  • Improve the product. Fix bugs (using crash reports and performance metrics) and, if you opted in, aggregate anonymous usage to understand which features are useful.
  • Security and abuse prevention. Detect credential stuffing and brute-force attempts, and rate-limit AI calls so one bad actor cannot degrade the service for everyone else.
  • Legal compliance. Tax law, accounting, consumer protection, and responding to lawful requests from authorities.

4. Legal basis (GDPR Art. 6 and Art. 9)

We rely on these legal grounds depending on the data and the purpose:

  • Performance of a contract (Art. 6(1)(b)). When you create an account and use huuman, we process your account, profile, conversations, and protocol data to provide the service you signed up for.
  • Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)). For health data, before we read Apple Health you must authorize each data type in the system permission sheet, and before you start coaching you must accept the in-app medical disclaimer. You can withdraw consent at any time (Settings → Apple Health, or by deleting your account).
  • Legitimate interests (Art. 6(1)(f)). Diagnostics, abuse prevention, and product security. We have weighed these interests against your privacy and limited the data to what is strictly necessary.
  • Consent (Art. 6(1)(a)). Anonymous product analytics. Off by default; you opt in in Profile → Privacy.
  • Legal obligation (Art. 6(1)(c)). Tax and accounting retention where law requires.

5. Who we share data with

We never sell your data. We share it only with the sub-processors listed below, each bound by a data processing agreement under Art. 28 GDPR. Where a sub-processor is outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (Module 2) and on each provider's public adequacy or transfer assessments.

Sub-processor | Purpose | Location
Supabase Inc. | Database, authentication, file storage | EU (Frankfurt)
Vercel Inc. | Application hosting, edge network | EU (Frankfurt) with SCCs for any US fallback
Anthropic, PBC | AI coaching model (Claude). Receives the conversation context and relevant data needed to generate the next coach response. | United States (SCCs)
Apple Inc. | Sign in with Apple, HealthKit, push notifications (APNs), App Store, crash reports (MetricKit) | United States and Apple regional infrastructure
PostHog Ltd. | Anonymous product analytics (only if you opt in) | EU (Germany)
Cursor (Anysphere Inc.) | Internal feedback triage. When you submit feedback through the in-app form, the text and your contact email may be relayed to our internal engineering tooling. | United States (SCCs)
Upstash Inc. | Rate-limiting (counters keyed by hashed user ID, no content) | EU (Frankfurt)

We do not use advertising networks, social trackers, or third-party cookies. We do not sell, rent, or trade your data.

6. International data transfers

Some sub-processors are based in the United States (notably Anthropic, Apple, and Cursor). We rely on the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) and on the providers' supplementary safeguards — encryption in transit and at rest, access controls, and zero-retention or short-retention options where available — to ensure an essentially equivalent level of protection for your data.

7. How long we keep your data

  • Account data — for as long as your account exists. If you delete your account, all account, profile, conversation, health, photo, and analytics data is removed within 30 days, except where law requires longer retention (see below).
  • Backups — encrypted database backups retained by Supabase for up to 30 days for disaster recovery, after which deleted data is permanently gone.
  • Crash reports and diagnostic metrics — up to 90 days, then deleted.
  • Legal and tax records — invoices and payment records retained as required by German tax law (typically 10 years, § 147 AO). Health and chat data are never in this category.

8. Your rights

Under GDPR, you have the following rights with respect to your personal data:

  • Access (Art. 15). You can request a copy of your data. The fastest way is Profile → Privacy → Export my data, which generates a JSON bundle plus signed links to your photos. You can also email privacy@huuman.life.
  • Rectification (Art. 16). Correct any inaccurate data directly in the app, or write to us.
  • Erasure (Art. 17). Profile → Privacy → Delete account permanently removes your account and all associated data. There is no way for us to recover it afterwards.
  • Restriction (Art. 18). You can ask us to stop processing your data in specific ways while a dispute is resolved.
  • Portability (Art. 20). The export above gives you a machine-readable JSON copy you can take elsewhere.
  • Objection (Art. 21). You can object to processing based on legitimate interests at any time. We will stop unless we have compelling lawful grounds that override your interests.
  • Withdraw consent (Art. 7(3)). Toggle analytics off in Profile → Privacy, or revoke Apple Health access in iOS Settings → Apple Health. Withdrawal does not affect the lawfulness of processing before withdrawal.
  • Complain to a supervisory authority (Art. 77). You have the right to lodge a complaint with your local data protection authority. In Bavaria (where huuman is based): Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

9. Automated decisions and AI

Your coaching conversations and the protocols we build use AI models. These produce suggestions — what to eat, when to train, when to sleep. They are not legal, medical, or financial decisions and do not produce legal effects on you. You retain full control: you can ignore, modify, or push back on any suggestion, and the coach is designed to adapt when you do. If you ever feel a coaching suggestion is wrong, harmful, or beyond the AI's competence, do not follow it; talk to a qualified human professional and let us know at support@huuman.life.

10. Medical disclaimer

huuman is an AI coach. It is not a doctor, therapist, dietitian, or medical device, and it does not diagnose, treat, cure, or prevent any disease. The coaching content we provide is general wellness information personalized to you, not medical advice. If you have a medical condition, are pregnant, are recovering from an injury, or are taking medication, consult a qualified clinician before changing your training, nutrition, or sleep habits based on coaching from huuman. In emergencies, call your local emergency number (112 in the EU, 911 in the US, 999 in the UK).

11. Children

huuman is not designed for children. You must be at least 16 years old to use the service in the EU/EEA, and at least 13 in jurisdictions that allow it with parental consent. We do not knowingly collect data from anyone below the applicable age. If you believe a child has provided us with personal data, please email privacy@huuman.life and we will delete it.

12. Security

Data is transmitted over TLS 1.2+ and stored encrypted at rest on our infrastructure providers. Authentication is handled by Apple's Sign in with Apple. Internal access to production data is limited to engineers with a need to know, and that access is logged and audited. We do not store payment card details ourselves. No system is 100% secure; if you believe your account has been compromised, write to support@huuman.life immediately.

13. Cookies and tracking

The iOS app does not use cookies. Our website (the waitlist page and these legal pages) sets only a single strictly necessary cookie if you log in to the internal feedback board. We do not run analytics, advertising, or social-network trackers on the website.

14. Changes to this policy

If we make material changes, we will update the "Last updated" date at the top of this page and, if the change is significant, notify you in the app before it takes effect. Continued use of huuman after a change constitutes acceptance of the updated policy.

15. Contact

Privacy questions or requests: privacy@huuman.life
General support: support@huuman.life

For our registered postal address (Impressum), see § 1 above.

© 2026 Huuman Life GmbH
