@psilvis
Last active February 22, 2026 22:55
Chroma App - Privacy Policy

Privacy Policy

Last updated: February 22, 2025

  1. Overview

Chroma ("the App") is built with a privacy-first approach. The majority of your health data is stored locally on your device using encrypted storage and is never transmitted to our servers. However, certain features involve third-party services as described below.

  2. Data We Collect

The App collects and stores the following data locally on your device:

  • Profile information — Your name and preferences entered during onboarding.
  • Health metrics — Data from Apple HealthKit (steps, heart rate, HRV, sleep, VO2max, and other metrics) with your explicit permission.
  • Activity data — Workout and activity information from Strava.
  • Lab results — Biomarker values extracted from lab reports you import.
  • Supplement protocols — Supplements, dosages, and adherence logs you create.
  • Mood check-ins — Daily mood ratings you record.

All of the above is stored on your device only: health metrics live in a local SQLite database encrypted with AES-256-GCM, and the encryption key, together with other secrets, is held in the iOS Keychain through expo-secure-store (see Data Storage and Security). We do not operate backend servers that store your health data.

  3. Data Shared with Third Parties

OpenAI (Lab Report Processing)

When you use the lab import feature and choose AI parsing, your lab report PDF is sent to OpenAI's API for AI-powered biomarker extraction. This means:

  • Your lab report PDF — which may include your name, biomarker values, reference ranges, lab name, and test dates — is transmitted to OpenAI's servers for processing.
  • OpenAI processes this data according to the OpenAI API Terms of Use and Privacy Policy.
  • Under OpenAI's API data usage policy, data sent via the API is not used to train OpenAI's models.
  • The report is transmitted to OpenAI over an HTTPS (TLS-encrypted) connection.
  • No device identifiers or personal information beyond the report content are transmitted.
  • If the AI parser fails, the App falls back to a fully local regex-based parser that does not transmit any data.

You can avoid sharing lab data with OpenAI by not choosing AI parsing in the PDF lab import feature. The "Paste Results" option uses an on-device parser that does not transmit any data.

  4. Apple HealthKit Data

Health data accessed through Apple HealthKit is handled according to Apple's HealthKit guidelines:

  • Data is only accessed after you grant explicit permission.
  • HealthKit data is read only — the App does not write data to HealthKit.
  • HealthKit data is stored locally and is never transmitted to external servers or third parties.
  • HealthKit data is never used for advertising or marketing purposes.

  5. Strava Integration

When you connect your Strava account:

  • Authentication uses OAuth 2.0 with PKCE. You sign in on Strava's own pages, so the App never sees or stores your Strava password; it receives only OAuth tokens, which it keeps in expo-secure-store (see Data Storage and Security).
  • Only activity data (type, duration, distance, heart rate) is retrieved from Strava's API.
  • Retrieved activity data is cached locally on your device.
  • You can disconnect Strava at any time from the Profile screen.

  6. Data Storage and Security
  • Secrets (API keys, OAuth tokens, and the database encryption key) are stored using expo-secure-store, which on iOS keeps each item in the iOS Keychain.
  • Health metrics are stored in a local SQLite database and encrypted at the application layer with AES-256-GCM. The encryption key is stored in the iOS Keychain, never in the database file.
  • No health data is stored on remote servers operated by Lawton Labs.
  • Data export is available in JSON format from the Profile screen.

  7. Data Retention and Deletion
  • All data is stored on your device and persists until you delete it.
  • You can delete all data at any time using the "Delete All Data" option on the Profile screen.
  • Uninstalling the App removes the locally stored database and files. Items written to the iOS Keychain through expo-secure-store (the database encryption key and tokens) are managed by iOS and may persist after uninstall, so use "Delete All Data" before uninstalling if you want them cleared as well.
  • Data sent to OpenAI for lab parsing is not used to train OpenAI's models, per OpenAI's API data usage policies. Any retention on OpenAI's side is governed by OpenAI's API terms rather than by the App.

  8. Children's Privacy

The App is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13.

  9. Analytics and Tracking

The App does not include any analytics SDKs, advertising trackers, or crash reporting services. No usage data is collected or transmitted.

  10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App. Continued use of the App after changes constitutes acceptance of the updated policy.

  11. Your Rights

You have the right to:

  • Access all your data stored in the App.
  • Export your data in a portable format (JSON).
  • Delete all your data at any time.
  • Disconnect any third-party service at any time.
  • Choose not to use features that involve third-party data processing (AI parsing of imported lab reports).

  12. Contact

For questions about this Privacy Policy or your data, please contact us at lawtonlabsapps@gmail.com.
