Privacy Policy
Effective date: 7 April 2026
This policy explains what personal data Lysa Health collects when you use the Lysa app and website, why we collect it, how we use it, and what rights you have. Please read it carefully before using our services.
Important — Health Data
Lysa handles sensitive health information including medication logs, weight records, and symptom data. We never sell your health data, never use it for advertising, and never share it with insurers or employers. Your health data is used solely to provide the Lysa service to you.
1. Who we are
Lysa Health ("Lysa", "we", "us", "our") is the data controller responsible for your personal data. We operate the Lysa mobile application and the website at lysahealth.app.
If you have any questions about this policy or how we handle your data, please contact us at: privacy@lysahealth.app
2. Data we collect
We collect the following categories of personal data:
2.1 Account data
- Email address (used for account creation and login)
- Authentication tokens (managed by Supabase)
2.2 Profile data
- Starting weight and goal weight (optional)
- Weight unit preference (kg or lbs)
- GLP-1 medication name (e.g., Ozempic, Wegovy, Mounjaro)
- Medication dose and concentration (for compounded medications)
- Preferred injection day of the week
- Account creation date
2.3 Health logs
- Weight logs: weight readings and date/time recorded
- Nutrition logs: meal descriptions, protein (g), calories (kcal), water intake, timestamp
- Injection logs: injection date, dose amount, injection site (abdomen/thigh/upper arm), side (left/right), optional notes
- Symptom logs: symptom name (selected from a list or free-text), severity rating (1–5), date/time
2.4 Photos (Pro subscribers only)
- Meal photos you choose to upload for AI nutritional analysis
- Photos are transmitted securely to our AI provider for analysis and are not stored beyond the duration of the analysis
2.5 Subscription data
- Subscription status (free or paid) — we do not store payment card details; these are handled by Apple or Google
- RevenueCat customer ID linked to your Lysa account
2.6 Technical data
- Device operating system and version (for debugging)
- App version
- Error logs (anonymised where possible)
3. How we use your data
| Purpose | Data used | Legal basis |
|---|---|---|
| Provide and operate the service | All account, profile, and log data | Contract |
| AI meal analysis (Pro) | Meal description, meal photo | Consent / Contract |
| AI symptom guidance (Pro) | Symptom, severity, medication, dose, week of treatment | Consent / Contract |
| Injection site rotation warnings | Recent injection site and side logs | Contract |
| Personalised protein target calculation | Current weight, goal weight | Contract |
| Subscription management | Email, RevenueCat customer ID | Contract |
| Send account-related emails | Email address | Contract / Legitimate interest |
| Improve the service (aggregate, anonymised) | Usage patterns (anonymised) | Legitimate interest |
| Comply with legal obligations | As required by law | Legal obligation |
We do not use your health data for advertising, profiling, or marketing purposes. We do not sell your personal data to any third party.
4. Legal bases for processing (UK GDPR)
Under the UK General Data Protection Regulation (UK GDPR), we rely on the following legal bases:
- Contract (Article 6(1)(b)): Processing necessary to provide the Lysa service you have signed up for — including storing your logs, displaying your progress, and calculating your targets.
- Consent (Article 6(1)(a) and Article 9(2)(a)): For processing special category health data (your weight, symptoms, medication, injection logs) and for AI analysis of meal photos. You may withdraw consent at any time by deleting your account.
- Legitimate interests (Article 6(1)(f)): For improving the reliability and performance of our service using anonymised, aggregated data. We do not override your rights and freedoms.
- Legal obligation (Article 6(1)(c)): When required to comply with applicable law.
Because health data is a special category under UK GDPR (Article 9), we rely on your explicit consent for processing it. You grant this consent when you create an account and begin logging health information.
5. Third parties we share data with
We share data with the following trusted third parties who provide services necessary to operate Lysa. We do not sell data to any party.
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Supabase Inc. | Database, authentication, edge functions | All user data (stored on their servers) | supabase.com/privacy |
| RevenueCat Inc. | Subscription and purchase management | User ID, subscription status, purchase receipts | revenuecat.com/privacy |
| Anthropic PBC | AI meal and symptom analysis (Pro) | Meal descriptions, symptom + medication data (no name or email) | anthropic.com/privacy |
| Apple Inc. | iOS payment processing and App Store distribution | Handled directly by Apple — we receive only subscription status | apple.com/privacy |
| Google LLC | Android payment processing and Play Store distribution | Handled directly by Google — we receive only subscription status | policies.google.com/privacy |
All providers acting as data processors are bound by data processing agreements and appropriate safeguards. Supabase offers EU and UK data residency options. Where data is transferred outside the UK, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).
6. Health data — special protections
Your health information is sensitive. We apply the following protections above and beyond standard data practices:
- Health data is stored encrypted at rest and in transit (TLS 1.2+).
- Health data is never used for advertising, marketing profiling, or sold to any party.
- Health data is never shared with insurers, employers, or government agencies except where required by law.
- Meal photos submitted for AI analysis are processed in memory and not stored by our AI provider beyond the duration of the request.
- AI-generated symptom guidance is based solely on the symptom, severity, and medication data you provide — no identifying information is included in AI requests.
- You can export or delete all your health data at any time (see Section 8).
Lysa is not a medical device. The information provided by the app, including AI-generated guidance, is for informational purposes only and does not constitute medical advice, diagnosis, or treatment.
7. Data retention
| Data type | Retention period |
|---|---|
| Account and profile data | Until you delete your account |
| Health logs (weight, nutrition, injections, symptoms) | Until you delete your account or individual entries |
| Meal photos | Not retained — processed and discarded immediately after AI analysis |
| Subscription records | Up to 7 years (legal/financial obligation) |
| Error logs | Up to 90 days (anonymised) |
| Data after account deletion | Deleted within 30 days, except where legally required to retain |
8. Your rights
Under UK GDPR you have the following rights. To exercise any of them, email us at privacy@lysahealth.app. We will respond within 30 days.
- Access: Request a copy of all personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data. Most data can be corrected directly in the app.
- Erasure: Request deletion of your account and all associated data. You can also delete individual log entries directly in the app.
- Portability: Request your data in a structured, machine-readable format (JSON or CSV).
- Restriction: Ask us to stop processing your data while a dispute is resolved.
- Objection: Object to processing based on legitimate interests. We will stop unless we have compelling grounds.
- Withdraw consent: Withdraw consent for health data processing at any time by deleting your account.
- Complaints: Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
9. Children
The Lysa app is intended for adults aged 18 and over. GLP-1 medications are prescribed to adults and we do not knowingly collect personal data from anyone under 18. If you believe a child has created an account, please contact us at privacy@lysahealth.app and we will delete the account promptly.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice within the app at least 14 days before the change takes effect. The effective date at the top of this page will always reflect the current version. Continued use of Lysa after changes take effect constitutes your acceptance of the revised policy.
11. Contact us
For any privacy questions, data requests, or concerns:
Lysa Health
Email: privacy@lysahealth.app
Response time: within 30 days
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO).