Legal

Privacy Policy

Effective date: May 6, 2026

Verum ("we", "our", "us") operates the Verum mobile application. This policy describes what information we collect, how we use it, and your choices regarding your data.

1. Information We Collect

Category	Data	Source
Account	Email address	You provide it at sign-up (magic link)
Body composition	DEXA scan results (fat mass, lean mass, bone density, weight)	BodySpec, via OAuth with your consent
Wearable data	Sleep (duration, efficiency, stages); recovery (HRV, resting HR, recovery score); strain (daily strain, average HR); workouts (sport, duration, kJ, HR zones); body measurements (height, weight, max HR baseline)	Whoop, via OAuth with your consent
Apple Health	Activity, sleep, heart rate, workout data	Apple HealthKit, with your on-device permission
Nutrition	Meal descriptions, food photos, parsed nutritional data	You provide this in the app
Device	Push notification token	Collected when you enable notifications

We do not collect precise location, contacts, browsing history, or financial information.

2. How We Use Your Information

Personalized insights — We send your health and nutrition data to an AI language model (Anthropic Claude) to generate plain-language insights about trends in your body composition, sleep, recovery, and nutrition.
No model training — We do not use your data to train AI models. Inputs sent to our AI provider are processed only to generate your personal insights and are subject to that provider's contractual no-training terms.
Account management — Your email address is used to authenticate you via magic link and to deliver essential account communications.
Push notifications — We send notifications about new insights and daily check-ins if you opt in.
Product improvement — We may use anonymized, aggregated data to improve insight quality and app features.

3. Third-Party Services

We share data with the following services only as necessary to operate Verum:

Service	Purpose	Data shared
Whoop	Health data sync	OAuth tokens; we read your data from their API
BodySpec	DEXA scan sync	OAuth tokens; we read your scan data from their API
Anthropic (Claude API)	AI insight generation	Health metrics (including Whoop recovery, sleep, strain, workouts), nutrition logs, and body-composition data, sent as prompts to generate your personal insights. Anthropic's commercial API does not use prompts or responses to train its models.
Resend	Email delivery	Your email address (for magic link authentication)
Expo	Push notifications	Device push token and notification content

We do not sell, rent, or share your personal information with advertisers or data brokers.

4. Apple HealthKit

Data read from Apple HealthKit is used solely to provide personalized health insights within the app. We do not use HealthKit data for advertising or share it with third parties other than the AI processing service described above, which uses it only to generate your personal insights. HealthKit data is not stored in iCloud.

5. Data Storage and Security

Your data is stored in a PostgreSQL database hosted on secured infrastructure. OAuth tokens from connected services are encrypted at rest using AES-GCM. All network communication uses TLS encryption.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account from within the app (Settings → Delete account), we immediately and permanently remove your user record and all directly associated personal data — including logs, scans, lab reports, peptide protocols, insights, connected-service tokens, and push notification tokens — from our primary database. Encrypted database backups are retained for 30 days and overwritten on rolling rotation; any residual copies in those backups are purged as part of that rotation and are never restored to production.

Two narrow exceptions apply:

Anonymized research contributions. If you opted to contribute protocol outcomes to Verum's research corpus, the aggregated, de-identified contribution (bucketed dose, duration, goal category, outcome deltas, anonymous author alias) is retained because it no longer identifies you and is used in published community research.
Records required by law. Where retention of specific records is mandated by applicable law, we retain only those records for the minimum period required.

Deleting your Verum account does not delete data that Apple stores inside the Apple Health app on your device, nor data held by Whoop or BodySpec in their own systems. You control those independently: revoke HealthKit access in iOS Settings → Privacy & Security → Health → Verum, and revoke Whoop / BodySpec access through those providers' account pages.

7. Your Rights

You may, at any time:

Access your data through the app
Disconnect Whoop or BodySpec via Settings
Revoke Apple HealthKit access through your device Settings
Delete your account and all associated personal data directly from within the app via Settings → Delete account. Deletion is immediate and irreversible. If you cannot access the app, you may also email us at the address below and we will complete the deletion on your behalf.

If you are located in the EU/EEA, California, or another jurisdiction with applicable data protection laws, you may also have the right to data portability, correction, restriction of processing, and to lodge a complaint with a supervisory authority.

8. Children's Privacy

Verum is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or through the app. The "Effective date" at the top indicates when the policy was last revised.

10. Contact Us

Verum

Email: privacy@verum.life