Rhada Privacy Policy
Version 1.1.0 · Effective 25 May 2026 · Last reviewed 27 May 2026
This Privacy Policy explains how DIAN Holdings Limited ("DIAN", "we", "us", "our"), a company incorporated in New Zealand, collects, uses, shares and protects your personal information when you use the Rhada mobile application, the website at rhada.app, and any related services (together, the "Service").
We are the controller (or its equivalent term in your jurisdiction, such as "business" under the California Consumer Privacy Act or "data fiduciary" under India's Digital Personal Data Protection Act 2023) of personal information processed through the Service.
If you have any questions about this Policy or wish to exercise a right described in it, contact us at support@rhada.app. We treat that mailbox as our privacy contact and will route privacy and data-protection requests internally to the appropriate team.
Rhada is not a healthcare provider, a medical device, or a HIPAA Covered Entity. It is a nutrition and lifestyle coaching app for healthy adults. See §10 for what that means in practice. For full medical-safety language, see our Terms of Use §10.
Table of contents
- Quick summary
- Who we are and how to contact us
- Scope
- What personal information we collect, and why
- How we share personal information
- International data transfers
- How long we keep personal information
- Your rights
- Security
- Our health-data and HIPAA posture
- Third-party services
- Children
- Automated decision-making and AI
- Research and aggregated data
- Cookies and similar technologies
- Changes to this Policy
- Disputes about this Policy
Jurisdictional schedules — A New Zealand · B Australia · C EEA / UK · D United States (CCPA + state laws + Washington MHMDA + Nevada SB 370 + Connecticut CTDPA consumer-health-data provisions) · E Canada · F Brazil · G India · H Singapore · I Thailand · J Japan · K South Korea · L Hong Kong · M Indonesia · N Philippines · O Other.
A separate Consumer Health Data Notice covers Washington, Nevada and Connecticut sector-specific health-data laws in detail; it supplements Schedule D.
1. Quick summary
We have written this Policy in plain language because regulators require it and because we believe you deserve it. The full text below is the binding version, but here is the gist:
- Rhada is a nutrition and lifestyle coaching app. It works because you give it information about your body, your food, and your habits. That information is sensitive, and we treat it as such.
- We use that information to provide your weekly coaching plan, daily food logging, training programme, check-ins and progress tracking. We do not sell it. We do not use it for behavioural advertising. We do not share it with data brokers.
- Some features rely on third-party AI services (Anthropic's Claude for coaching, Google's Gemini for food-photo and label vision). Your messages and photos are sent to those services under contract. Neither provider may use your data to train their general-purpose models.
- We never receive your payment card details. Subscriptions are billed by Apple or Google.
- Rhada is not a medical device. It does not diagnose, treat, cure or prevent any medical condition. Always consult a qualified healthcare professional for medical questions.
- You are at least 16 years old if you use Rhada. The Service is not designed for or directed at children.
- You can export or delete your data at any time from the app's Settings, or by emailing support@rhada.app.
2. Who we are and how to contact us
In short. DIAN Holdings Limited (NZ company), trading as Rhada. Reach us at support@rhada.app for anything — including legal, privacy, data-protection and rights requests; aliases (legal@, privacy@, info@, hello@) all route to the same mailbox.
| Field | Detail |
|---|---|
| Legal entity | DIAN Holdings Limited |
| Country of incorporation | New Zealand |
| Trading name | Rhada |
| App | Rhada (iOS App Store, Google Play Store) |
| Website | https://rhada.app |
| Privacy contact (all jurisdictions) | support@rhada.app |
| Postal contact | available on request via support@rhada.app |
Where local law requires a representative — for example, an EU GDPR Article 27 Representative, a UK GDPR Article 27 Representative, an LGPD representative in Brazil, an APPI representative in Japan, or a DPDPA Data Protection Officer in India — that representative's contact details will be published here when the Service is offered to residents of that jurisdiction. Until those appointments are published, you can reach us at support@rhada.app and we will route your request appropriately.
3. Scope
In short. This Policy covers the Rhada mobile app and the rhada.app website. It does not cover Apple, Google, your device OS, or other third-party services you reach through Rhada.
This Policy applies to:
- The Rhada mobile application on iOS and Android.
- The marketing website at https://rhada.app.
- Customer support communications initiated through support@rhada.app.
This Policy does not apply to third-party services you access through Rhada (for example, Apple's App Store, Google Play, or your device's operating system). Those services have their own privacy policies, which we link to in §11.
4. What personal information we collect, and why
In short. What you give us (profile, body data, food logs, coach messages), plus what your device and our sub-processors generate when you use the app (push tokens, crash reports, subscription events). No location. No advertising IDs. No cross-app tracking. We don't sell, we don't share for ads, we don't enrich from data brokers.
The information we collect depends on the features you use. Each row below describes a category of personal data, what we collect inside that category, why we collect it, and our lawful basis for processing under the GDPR / UK GDPR (which we treat as our global baseline because it is the most stringent framework we are subject to).
4.1 Account and identity
| Data | Source | Why |
|---|---|---|
| Email address | You, or your Apple / Google federated-sign-in identity provider | Authentication, account recovery, transactional messages |
| Display name (first name) | You (onboarding step 1) | Personalising the app and coach |
| Date of birth or age | You (onboarding) | Eligibility (16+), calorie/macro calculations, age-appropriate coaching |
| Federated authentication identifiers | Apple, Google | Sign-in without a password |
| Authentication tokens | Supabase Auth (GoTrue) | Keeping you signed in |
Lawful bases: performance of a contract (we cannot run an account without these), and legitimate interests in fraud prevention. Retention: for the life of your account; deleted within 30 days of account deletion (see §8).
4.2 Body composition and health information ("special category" data)
This is the data you give Rhada so it can do its job. Under EU/UK law it is "special category" data under Article 9 GDPR. Under California, Colorado and most other US state privacy laws it is "sensitive personal information". Under New Zealand law it is "health information" under the Health Information Privacy Code 2020. Under Indian law it is "sensitive personal data" under the DPDPA implementing rules. We treat it as such everywhere.
| Data | Source | Why |
|---|---|---|
| Starting weight, current weight, target weight, weight log history | You | Plan generation, progress tracking |
| Height | You | Energy-expenditure estimates |
| Body fat % (optional) | You | Plan refinement |
| Sex assigned at birth and/or current gender identity | You | Energy-expenditure formulas, cycle features (where relevant) |
| Menstrual / cycle data (where relevant) | You | Cycle-aware coaching |
| Activity, sleep, workouts, active calories, heart rate, HRV, resting heart rate, weight | Apple HealthKit (iOS) or Android Health Connect (Android), only with your permission | Automatic check-ins; coach context (NEAT, recovery, stress signals) |
| Subjective wellness — mood, energy, hunger, stress, sleep quality | You (daily pulse, weekly check-in) | Adaptive coaching loop |
| Free-text check-in narratives | You | Coaching context |
Lawful basis (EU/UK): Article 9(2)(a) — your explicit consent, obtained at onboarding and re-obtained on material changes. You can withdraw consent at any time in Settings.
Special handling:
- Apple Health and Android Health Connect data is read on-device under operating-system permission prompts. We pull only the metrics described above. We do not write back to Apple Health or Health Connect except when you explicitly log a workout.
- Health data is stored in Supabase under row-level-security policies that restrict access to your own user ID.
- Health data is never used for advertising or shared with advertising networks or data brokers (we don't have any).
4.3 Diet and food logging
| Data | Source | Why |
|---|---|---|
| Foods you log (name, portion, time, macros, calories) | You, OpenFoodFacts (barcodes), AI vision | Daily logging, plan adherence |
| Meal photos | Your camera or photo library | Food-vision analysis (Google Gemini) |
| Nutrition-label photos | Your camera | Label vision (Google Gemini) |
| Voice notes (transient) | Your microphone | On-device or OS-level speech-to-text on coach and check-in screens |
| Saved foods and favourites | You | Faster logging |
| Meal plans, recipes | Generated by Anthropic Claude using your profile | Daily meals |
| Likes, dislikes, allergies, dietary restrictions | You (onboarding + settings) | Plan personalisation |
Lawful basis: performance of a contract; explicit consent for any data that constitutes special-category information (most diet data is not, but allergies are).
Retention: Food logs are retained for the life of your account so you can see history. You can delete individual logs at any time.
4.4 Coaching and conversation
| Data | Source | Why |
|---|---|---|
| Your messages to the coach | You | The coach replies, and the conversation history makes future replies useful |
| Coach replies (AI-generated) | Anthropic Claude via our claude-proxy edge function | The coaching feature itself |
| Plan-update suggestions | Anthropic Claude | Adaptive weekly coaching |
Lawful basis: performance of a contract; explicit consent where conversations include special-category data (they often do — that's the point).
How AI is used (transparency notice under EU AI Act and the broader principle of fair processing):
- We send your messages, recent check-in data, recent food and weight history, and a system prompt encoding our coaching philosophy to Anthropic Claude (model: claude-sonnet-4-6).
- We send meal photos and nutrition-label photos to Google Gemini (model: gemini-2.5-flash).
- Both providers operate under contracts (their respective API terms and Data Processing Addenda) that prohibit them from using your data to train their general-purpose models.
- AI outputs are constrained by our system prompt and validated by structural parsers before being shown to you, but AI-generated content can still be wrong. The coach is a coach, not a clinician.
4.5 Subscription and billing
| Data | Source | Why |
|---|---|---|
| Subscription status, entitlement, store transaction identifier | Apple App Store, Google Play (relayed via RevenueCat) | Granting access to paid features |
| Trial start and end dates | RevenueCat | Trial-period management |
| Cancellation and renewal events | RevenueCat webhook | Keeping your access state correct |
We never receive your payment card number, CVV, billing address, bank account or other payment-method details. All payment processing is performed by Apple's or Google's billing system. Those companies are independent controllers of that data and you should consult their privacy policies for how they handle it (see §11).
Lawful basis: performance of a contract.
4.6 Notifications and engagement
| Data | Source | Why |
|---|---|---|
| Expo push token | Your device, via Expo's push service | Delivering push notifications |
| Notification preferences (which categories, quiet hours, timezone) | You (Settings) | Sending notifications you've actually asked for, at appropriate times |
| Notification events (sent, delivered, opened) | Our system + Expo | Debugging deliverability and respecting do-not-disturb periods |
Lawful basis: consent (you can disable notifications at the OS level or in Settings at any time).
4.7 Diagnostics and security telemetry
| Data | Source | Why |
|---|---|---|
| Crash reports, errors, stack traces, anonymised device model, app version, OS version | Sentry SDK in the app | Fixing bugs and stopping crashes |
| Server-side error logs, request IDs | Supabase Edge Functions | Operating the Service |
| Authentication audit events (sign-in, sign-out, failed attempts) | Supabase Auth | Account security |
We have configured Sentry to strip personally identifying information from crash payloads. Sentry data is not used for advertising or commercial purposes; it is used solely to operate the Service.
Lawful basis: legitimate interests in running, securing and improving the Service.
4.8 Device and technical data
| Data | Source | Why |
|---|---|---|
| Device platform (iOS / Android), OS version, app version, locale, timezone | Your device | Bug triage, locale-aware formatting, scheduling |
| IP address (transiently — for the duration of a request) | Your network | Routing, abuse prevention |
We do not maintain long-term IP-address logs. We do not correlate IP addresses with profile records for analytics or advertising.
4.9 Information we do not collect
We want to be specific about this because the absence of data collection is part of the product:
- Precise device location. We do not request the "Always" or "When in Use" location permission and we do not collect GPS coordinates.
- Contacts, calendar, address book. We do not request access.
- Advertising identifiers (IDFA / GAID). We do not collect them and we do not run advertising networks in the app.
- Cross-site tracking. We do not use Apple's App Tracking Transparency identifier; we display no ATT prompt because there is nothing to track.
- Behavioural-advertising profiles. We do not build them.
- Data broker enrichment. We do not buy data about you from third parties.
5. How we share personal information
In short. Only with sub-processors who help us run the Service (Anthropic, Google Gemini, Apple, Supabase, RevenueCat, Expo, Resend, Sentry, OpenFoodFacts — see register); with independent companies you choose to use (Apple App Store, Google Play, HealthKit, Health Connect); and when legally compelled. We never sell or "share" for advertising.
We share personal information only with:
5.1 Sub-processors (companies that process data on our behalf)
A complete, current list with regions, purpose, and links to each provider's privacy and DPA terms is maintained in our Subprocessors register. As of the effective date of this Policy, our sub-processors are:
| Provider | Purpose | Region |
|---|---|---|
| Supabase Inc. (and its underlying cloud providers AWS / GCP) | Primary database, authentication, edge functions, storage | Region selected at project creation; users notified of any region migration |
| Anthropic, PBC | AI coaching and meal-plan generation (Claude API) | USA |
| Google LLC | AI food-vision and label-vision (Gemini API); federated sign-in (Google Identity) | USA |
| Apple Inc. | Sign in with Apple; APNs push delivery | USA |
| RevenueCat, Inc. | Subscription state management and webhook relay | USA |
| Expo (650 Industries, Inc.) | Push token registration via Expo Push Service | USA |
| Resend, Inc. | Transactional email delivery | USA / EU (region pinned) |
| Functional Software, Inc. d/b/a Sentry | Crash and error reporting | USA / EU |
| OpenFoodFacts | Public barcode lookup (we send a barcode string; no user identifier is attached) | EU (France) |
Each sub-processor is engaged under a written contract that includes data-protection terms appropriate to the categories of data shared, including Standard Contractual Clauses (or equivalent) for international transfers where required.
5.2 Independent third parties (controllers in their own right)
When you choose to interact with these services through Rhada, you share data with them directly. They are independent controllers; we are not responsible for their handling of your data.
- Apple App Store and Google Play — for subscription billing.
- Apple HealthKit and Android Health Connect — operating-system-level health stores. Rhada reads data with your permission; Apple and Google govern the stores themselves.
5.3 Legal compliance
We will disclose personal information when required by a valid legal process — a court order, subpoena, search warrant, or other lawful demand — and only to the extent required. We push back on overbroad demands and we will notify you of any government request affecting your data unless legally prohibited from doing so.
5.4 Business transfers
If DIAN Holdings is involved in a merger, acquisition, financing or sale of assets, personal information may be transferred to the acquiring party. We will give you advance notice and a meaningful opportunity to delete your data before any such transfer takes effect.
5.5 We do not sell or "share" personal information
We do not sell personal information for money. We do not "share" personal information for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act, the Colorado Privacy Act, the Virginia Consumer Data Protection Act, or any other US state privacy statute. The same applies in every other jurisdiction we operate in.
6. International data transfers
In short. Rhada is run from New Zealand; most of our sub-processors are in the United States. We use Standard Contractual Clauses (or the equivalent in your jurisdiction) wherever the law requires a transfer safeguard.
DIAN Holdings is established in New Zealand. New Zealand has been recognised by the European Commission as providing an adequate level of data protection (Adequacy Decision 2013/65/EU, reaffirmed under the GDPR). However, our sub-processors are predominantly based in the United States.
Where personal information is transferred from a jurisdiction with cross-border-transfer restrictions to a jurisdiction without recognised adequacy:
- EEA → US: we rely on Standard Contractual Clauses (SCCs) (Implementing Decision (EU) 2021/914) with each US sub-processor, supplemented by the EU–US Data Privacy Framework certification where the sub-processor is certified.
- UK → US: we rely on the UK International Data Transfer Addendum to the EU SCCs, or the UK Extension to the EU–US Data Privacy Framework.
- Switzerland → US: we rely on the Swiss–US Data Privacy Framework or SCCs.
- NZ → other countries: under section 22 / Information Privacy Principle 12 of the Privacy Act 2020, we contractually require sub-processors to provide comparable safeguards.
- Australia → other countries: under APP 8, we take reasonable steps to ensure overseas recipients comply with the Australian Privacy Principles.
- India → other countries: subject to rules notified under section 16 of the DPDPA 2023, we will not transfer personal data to any country or territory the Central Government has notified as restricted, and we will obtain consent where the rules require it.
- Other jurisdictions: we apply the comparable safeguards required by the local cross-border-transfer rules (Brazil LGPD, Singapore PDPA, Thailand PDPA, South Korea PIPA, Japan APPI, Hong Kong PDPO, Indonesia PDP Law, Philippines DPA, Canada PIPEDA, etc.).
Where we rely on Standard Contractual Clauses or equivalent, you may request a copy by emailing support@rhada.app.
7. How long we keep personal information
In short. Most active data lives for the life of your account + 30 days after deletion. Financial records (subscriptions) we keep for 7 years to meet tax-record law. Crash reports age out at 90 days. Backups roll over every 35 days.
We keep personal information only as long as we need it for the purposes set out in this Policy or as required by law.
| Category | Retention |
|---|---|
| Account profile (email, name, age) | Life of account + 30 days |
| Body composition and health data | Life of account + 30 days |
| Food logs, weight logs, check-ins | Life of account + 30 days |
| Coach conversations | Life of account + 30 days |
| Meal and workout plans | Life of account + 30 days |
| Photos (meal, label) | We do not retain raw photos by default beyond the analysis call; thumbnail / metadata retained with the food log |
| Voice audio | Not retained beyond the transcription pass — only the transcript is stored |
| Subscription event history | 7 years (financial-record obligation in NZ and most jurisdictions we operate in) |
| Authentication audit logs | 13 months |
| Sentry crash and error reports | 90 days |
| Email backups (Supabase / Resend operational backups) | 35 days rolling, then deleted |
When you delete your account (see §8), we delete personal information on the schedule above. Backup copies are purged within 35 days of account deletion. Where deletion would conflict with a legal obligation (for example, tax records of paid subscriptions), we retain only the minimum required, segregate it from the active dataset, and delete it as soon as the obligation expires.
8. Your rights
In short. You can access, correct, delete, export, restrict, object and withdraw consent at any time — from Settings → Account in the app, or by emailing support@rhada.app. Your specific rights (and our response time) depend on your jurisdiction — see the schedules below.
The specific rights available to you depend on where you live. Below is the global baseline; the jurisdictional schedules at the end of this Policy describe additional or differently-named rights in your jurisdiction.
You have the right to:
- Access the personal information we hold about you and obtain a copy.
- Correct information that is inaccurate or incomplete.
- Delete your account and the personal information we hold about you.
- Export your personal information in a portable, machine-readable format.
- Restrict or object to certain processing.
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Our coaching plans are generated with AI assistance but are designed for educational and motivational purposes and do not produce legally significant effects. You can always contact us at support@rhada.app for human review of any automated output.
- Lodge a complaint with a supervisory authority (see the jurisdictional schedules for contact details).
How to exercise these rights:
- From the app: Settings → Account → Export my data / Delete my account.
- By email: send a request to support@rhada.app from the email address associated with your account, or include sufficient information to verify your identity.
We respond within the time limits required by your local law — generally one month under the GDPR and UK GDPR (and around 30 days under most other regimes), 45 days under the CCPA (extendable once by a further 45 days when reasonably necessary), and 20 working days under the New Zealand Privacy Act 2020.
We will not charge you for exercising a right unless the request is manifestly unfounded or excessive, in which case we will tell you in advance.
If we refuse or are unable to action your request, we will explain why and tell you how to escalate.
9. Security
In short. TLS in transit, provider-managed encryption at rest, per-user row-level-security in the database, secrets out of the client app, least-privilege access, annual sub-processor review, written incident-response plan. No system is perfect — report concerns to support@rhada.app.
We protect personal information using a layered set of technical and organisational measures, including:
- Encryption in transit: TLS 1.2+ for all client-to-server traffic and all sub-processor traffic.
- Encryption at rest: provider-managed (Supabase / AWS / GCP-class) encryption for the primary database and storage.
- Row-level security (RLS) in our database: each table containing user data enforces a per-user policy so that one user cannot read another user's rows.
- API-key isolation: keys for Anthropic, Google, RevenueCat and other providers live in Supabase Function secrets. The client app never sees them.
- Least-privilege access: production access is limited to engineers who need it for a specific operational task, with audit logging.
- Authentication: email + password (with breach-resistant password rules), or federated sign-in via Apple or Google. Authentication tokens are stored in OS-backed secure storage (iOS Keychain / Android Keystore).
- Sub-processor due diligence: we contract only with providers that publish current security certifications (SOC 2 Type II, ISO/IEC 27001, or equivalent) and we review them annually.
- Backup and recovery: backups are encrypted, region-pinned, retained on a 35-day rolling window, and tested.
- Incident response: we maintain a written response plan. If a personal-data breach occurs, we notify the relevant supervisory authority within the time required by your local law — 72 hours of becoming aware of it under the GDPR and UK GDPR, and as soon as practicable in jurisdictions without a fixed window (NZ, AU and others) — and we notify affected users without undue delay where the breach is likely to put them at risk.
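The row-level-security bullet above (and the same point in §4.2) is easiest to understand from a concrete policy. The following is an added illustration, not Rhada's actual schema or migrations: the table name `weight_logs`, its columns, and the policy names are assumptions. It shows the Supabase/Postgres pattern of enabling RLS on a per-user table, writing default-deny policies keyed on `auth.uid()`, and checking that the policies are in place.

```sql
-- Added example, not the Service's own schema. Table and column names are assumed.
-- A per-user table: every row carries the owning user's id.
create table if not exists weight_logs (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  logged_at  timestamptz not null default now(),
  weight_kg  numeric(5, 2) not null
);

-- With RLS enabled and no policies, the table is deny-by-default for API roles.
-- FORCE makes the table owner subject to the policies too.
alter table weight_logs enable row level security;
alter table weight_logs force row level security;

-- auth.uid() is the Supabase helper that returns the caller's user id from the JWT.
-- Reads: only rows whose user_id matches the caller.
create policy "weight_logs: select own rows" on weight_logs
  for select using (auth.uid() = user_id);

-- Writes: a caller may only insert rows stamped with their own user_id.
create policy "weight_logs: insert own rows" on weight_logs
  for insert with check (auth.uid() = user_id);

-- Updates must match the caller both before (USING) and after (WITH CHECK) the change,
-- so a row cannot be "given away" by rewriting user_id.
create policy "weight_logs: update own rows" on weight_logs
  for update using (auth.uid() = user_id) with check (auth.uid() = user_id);

create policy "weight_logs: delete own rows" on weight_logs
  for delete using (auth.uid() = user_id);

-- Verification query: confirm RLS is on and all four policies exist.
select c.relname, c.relrowsecurity, c.relforcerowsecurity
from pg_class c join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relname = 'weight_logs';

select policyname, cmd, qual, with_check
from pg_policies
where schemaname = 'public' and tablename = 'weight_logs';
```

The caveat a practitioner should pair with this: RLS only constrains roles that are subject to it. The Supabase `service_role` key bypasses RLS entirely, which is why the policy's "API-key isolation" point matters — that key belongs in server-side Edge Function secrets, never in the mobile client. A useful review check is that the client bundle contains only the anon key and that every user-data table reports `relrowsecurity = true` in the first verification query above.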
No system is perfectly secure. If you become aware of a vulnerability or a possible incident, please report it to support@rhada.app.
10. Our health-data and HIPAA posture
In short. Rhada is a coaching app, not a healthcare provider. We are not a HIPAA "Covered Entity" and we are not subject to HIPAA — but we treat your health data with the same care a HIPAA Covered Entity would, because (a) most US state and EEA laws require us to, and (b) it's the right thing to do.
What HIPAA is. The US Health Insurance Portability and Accountability Act regulates "Protected Health Information" (PHI) handled by "Covered Entities" — healthcare providers, health plans, healthcare clearinghouses — and their "Business Associates". A nutrition-coaching app run by a non-healthcare company is generally not a Covered Entity and the information it holds is not PHI as HIPAA defines it.
What this means for you. HIPAA does not apply to Rhada because:
- We do not provide medical diagnosis or treatment.
- We do not bill insurance, Medicare or Medicaid for any service.
- We do not employ or contract physicians, nurses or other licensed clinicians.
- We do not maintain medical records on behalf of a healthcare provider.
Where your health data still gets HIPAA-level protection anyway, because of state or international law:
- United States — Washington (My Health My Data Act, effective March 2024) — covers "consumer health data" regardless of HIPAA status. We treat all WA users' health data as protected by MHMDA. See our Consumer Health Data Notice and Schedule D.3 below.
- United States — Nevada (SB 370, effective March 2024) — similar to MHMDA; covers Nevada residents' consumer health data. See Consumer Health Data Notice and Schedule D.4.
- United States — Connecticut (CTDPA consumer-health-data amendments, effective October 2023) — adds explicit authorisation requirements for processing consumer health data. See Schedule D.5.
- California (CCPA/CPRA "sensitive personal information") — health information falls within SPI; treated under our restrictions in Schedule D.1.
- EEA / UK (Article 9 GDPR "special category data") — processed only with explicit consent.
- New Zealand (Health Information Privacy Code 2020) — applies to health information held by any agency, not just healthcare providers. See Schedule A.
- Australia (Privacy Act 1988 "sensitive information") — applies to all health information, not just clinician-held records.
If you are looking for telemedicine, prescribed-medication oversight, or clinically-supervised weight management, Rhada is not the right product for you. Apps that offer those services (and the medical records that go with them) are HIPAA Covered Entities. We are not. See our Terms of Use §10 for the full health-and-safety disclaimer.
11. Third-party services
In short. When you sign in with Apple or Google, or grant Apple Health / Google Health Connect permissions, you're also dealing directly with those companies under their terms — not ours. Their privacy policies are linked below.
When you use Rhada you also interact with services controlled by other companies. Their privacy policies, not ours, govern how they handle your data:
- Apple — https://www.apple.com/legal/privacy/
- Google — https://policies.google.com/privacy
- Anthropic (Claude API) — https://www.anthropic.com/legal/privacy
- Supabase — https://supabase.com/privacy
- RevenueCat — https://www.revenuecat.com/privacy
- Expo — https://expo.dev/privacy
- Resend — https://resend.com/legal/privacy-policy
- Sentry — https://sentry.io/privacy/
- OpenFoodFacts — https://world.openfoodfacts.org/privacy
(URLs were correct at the effective date of this Policy. If a link no longer resolves, search the provider's website for "privacy".)
12. Children
In short. You must be 16 or older to use Rhada. We don't knowingly accept anyone under 16. If a parent or guardian believes their child has signed up, email support@rhada.app and we'll close the account and delete the data.
Rhada is not directed at children under 16 and we do not knowingly collect personal information from anyone under 16. If you believe a child under 16 has provided personal information to us, contact support@rhada.app and we will delete the data and close the associated account.
Some jurisdictions set a different threshold for parental-consent-free use of online services (for example, 13 in the United States under COPPA and in some EU member states; 18 in some jurisdictions for sensitive-data processing). Because Rhada processes special-category health information and offers calorie and body-composition guidance, we set our floor at 16 globally. If you are between 16 and the age of majority in your jurisdiction, we encourage you to discuss your use of Rhada with a parent or guardian.
13. Automated decision-making and AI
In short. Rhada uses AI to write meal plans, workouts, coach replies and to read meal/label photos. AI outputs are decision support, not autonomous decisions — they don't affect your access to credit, insurance, employment, housing or any other legally significant outcome. AI can be wrong; treat its output as a starting point, not gospel. Email support@rhada.app for human review of any AI-generated output you want a person to look at.
Rhada uses AI to:
- Generate weekly meal plans based on your profile, body response, and preferences (Anthropic Claude).
- Generate workout plans (Anthropic Claude).
- Provide coach replies and check-in feedback (Anthropic Claude).
- Estimate macros from meal photos and read nutrition labels (Google Gemini).
These uses are decision support, not autonomous decisions. They are not used to determine eligibility for any service, employment, credit, insurance, housing, or any other matter with legal or similarly significant effects. You can always contact us at support@rhada.app to request human review of any AI-generated output.
In line with the transparency obligations the EU AI Act (Article 50) places on deployers of AI systems that interact with people or generate content:
- We disclose that Rhada uses AI (this section and §4.4).
- AI-generated content is labelled as such in-app wherever practicable.
- We do not use AI for prohibited practices under Article 5 of the EU AI Act (social scoring, emotion recognition in workplaces / educational institutions, biometric categorisation, predictive policing, etc.).
- We do not use AI for high-risk purposes as defined in Annex III of the EU AI Act.
14. Research and aggregated data
In short. We do not currently run research studies on your data, and we do not sell or share aggregated statistics. If that ever changes, we'll re-prompt for opt-in consent before including your data.
We may compute aggregated, de-identified statistics — for example, "the median time users spend logging a meal" or "the average number of check-ins per week" — to operate, improve and report on the Service. By "de-identified" we mean information that has been processed so that a specific individual cannot reasonably be re-identified from it, alone or in combination with other information we reasonably have access to.
We do not today:
- Conduct clinical or observational research using your identified personal information.
- Publish papers or external reports that contain your identifiable data.
- Sell or license aggregated datasets to third parties.
If we decide to run a research study (for example, evaluating coaching efficacy with an external research partner), we will: (1) update this Policy, (2) re-prompt for explicit opt-in consent at next sign-in, and (3) describe the study scope and the research partner in the in-app consent prompt. Your default state is opt-out: you don't have to do anything to stay out of research.
15. Cookies and similar technologies
In short. The app uses no cookies. The marketing site uses only strictly-necessary cookies, plus anything you consent to in the cookie banner.
In the mobile app: we do not use cookies. We do not use third-party SDKs for advertising, audience measurement or social tracking. The only tracking-adjacent technology we use is OS-level secure storage for your authentication token (which you would expect, and which never leaves your device).
On the marketing website (rhada.app): see our separate Cookie Policy. The marketing site uses cookies only where strictly necessary or where you have consented through a cookie banner.
16. Changes to this Policy
In short. Material changes trigger a re-prompt for acceptance and an email. Patch changes (typos, link refreshes) don't.
We will update this Policy when our practices, our sub-processors or applicable law change. The canonical version is the file in our public source repository; every change is recorded in CHANGELOG.md with a version number and a date.
For material changes (a new category of personal data, a new sub-processor that materially changes the data flow, a change in lawful basis, a change in retention), we will:
- Bump the major or minor version of this Policy.
- Notify you in the app on next sign-in and require renewed acceptance before continuing.
- Email you at the email address associated with your account where the change requires it.
For non-material changes (typos, clarifications, link updates), we publish a patch version and update the "Last reviewed" date at the top of this document.
17. Disputes about this Policy
In short. Email us first at support@rhada.app — most complaints resolve within days. If we can't resolve it, you can escalate to the supervisory authority for your jurisdiction (see schedules below).
If you believe we have not complied with this Policy or with applicable data-protection law, please contact us first at support@rhada.app. We aim to resolve every complaint internally. If you are not satisfied, you may escalate to the relevant supervisory authority in your jurisdiction — see the jurisdictional schedules below for contact details.
Jurisdictional Schedules
The schedules below describe additional, jurisdiction-specific rights and disclosures. They supplement the global baseline above; they do not replace it. Where a schedule grants you a broader right than the baseline, the broader right applies.
Schedule A — New Zealand (Privacy Act 2020 and Health Information Privacy Code 2020)
DIAN Holdings Limited is an "agency" under the Privacy Act 2020. Our processing of health information is also subject to the Health Information Privacy Code 2020 (HIPC).
Your rights under the Privacy Act 2020 / HIPC:
- Right of access (IPP 6 / Rule 6 HIPC) — request the personal or health information we hold about you.
- Right of correction (IPP 7 / Rule 7 HIPC) — request correction of inaccurate information, or have a statement of correction attached.
- Right to complain to the Office of the Privacy Commissioner — https://www.privacy.org.nz/ — if you are dissatisfied with our handling.
We will respond within 20 working days.
We comply with all 13 Information Privacy Principles and, for health information, the 12 Rules of the HIPC.
Schedule B — Australia (Privacy Act 1988 and Australian Privacy Principles)
DIAN Holdings carries on business in Australia for the purposes of the Privacy Act 1988 (Cth) when we offer the Service to Australian residents and process personal information about them.
Your rights under the Australian Privacy Principles:
- APP 6 — Use and disclosure of personal information.
- APP 12 — Access to your personal information.
- APP 13 — Correction of your personal information.
Sensitive information (which includes health information) is collected only with your consent and used only for the primary purpose for which it was collected.
You may complain to the Office of the Australian Information Commissioner (OAIC) — https://www.oaic.gov.au/ — if you are unhappy with our handling.
Schedule C — European Economic Area (GDPR) and United Kingdom (UK GDPR / DPA 2018)
For users in the EEA, the controller of your personal data is DIAN Holdings Limited, a company incorporated in New Zealand and offering services to data subjects in the EEA within the meaning of Article 3(2) GDPR.
For users in the UK, the controller of your personal data is DIAN Holdings Limited under the UK GDPR as incorporated by section 3 of the Data Protection Act 2018.
Your rights under Articles 12–22 GDPR (and the equivalent UK GDPR provisions):
- Right of access (Art. 15).
- Right to rectification (Art. 16).
- Right to erasure (Art. 17, the "right to be forgotten").
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20).
- Right to object (Art. 21) — including to processing based on legitimate interests.
- Rights related to automated decision-making (Art. 22) — see §13.
- Right to lodge a complaint with a supervisory authority (Art. 77).
Supervisory authority:
- For UK users: the Information Commissioner's Office (ICO) — https://ico.org.uk/.
- For EEA users: your local data protection authority. A list is maintained at https://edpb.europa.eu/about-edpb/board/members_en.
EU and UK Representatives: we will appoint and publish the contact details of an EU GDPR Article 27 Representative and a UK GDPR Article 27 Representative before we actively offer the Service to residents of those jurisdictions, if required by the relevant supervisory authority on the basis of our processing volume and risk.
Cross-border transfers from the EEA / UK to the US rely on Standard Contractual Clauses or the EU–US / UK Extension Data Privacy Framework, supplemented by transfer-impact assessments.
Special category data (Article 9 GDPR / DPA 2018 §10) is processed on the basis of your explicit consent under Article 9(2)(a).
Schedule D — United States
This schedule covers California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Indiana (IndianaCDPA), Tennessee (TIPA), Texas (TDPSA), Oregon (OCPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHPA), Kentucky (KCDPA), Maryland (MODPA), Minnesota (MCDPA), and Rhode Island (RIDTPPA), among others.
D.1 California — CCPA / CPRA
Categories of personal information collected, sold or shared:
| Category | Collected? | Sold or "shared" for cross-context behavioural advertising? |
|---|---|---|
| Identifiers (email, account ID) | Yes | No |
| Customer records | Yes | No |
| Commercial information (subscription state) | Yes | No |
| Internet or other electronic network activity | Limited (diagnostics) | No |
| Geolocation data | No | No |
| Biometric information | No | No |
| Sensory data (voice → on-device transcription) | Yes (transient) | No |
| Inferences | Yes (coaching plan derivations) | No |
| Sensitive personal information (health, precise geolocation, racial/ethnic origin, religious beliefs, mail content, genetic data, biometrics for ID, sex life or sexual orientation) | Health information only | No |
We do not sell or share personal information as those terms are defined in the CCPA/CPRA. There is no "Do Not Sell or Share My Personal Information" link to render because there is no sale or share to opt out of; if California regulations require us to publish a link anyway, it is reachable at https://rhada.app/legal/do-not-sell-or-share.
Your CCPA/CPRA rights (and the parallel rights under the other state laws listed in §D):
- Right to know what personal information we collect and how we use it.
- Right to access and portability.
- Right to delete.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (not applicable — we do neither).
- Right to limit the use of sensitive personal information to the purposes set out in §7027(m) of the CPRA regulations.
- Right to non-discrimination for exercising these rights.
Authorised agents: you may use an authorised agent to make a request, subject to verification.
Universal opt-out signals (Global Privacy Control, etc.): we honour GPC even though we do not sell or share, because the signal is also read as a general privacy preference.
Complaint route: California Attorney General, https://oag.ca.gov/privacy.
D.2 Other US state laws
Where you are a resident of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, Rhode Island or any other US state with a comprehensive consumer privacy statute, you have substantively similar rights to those described in §D.1, subject to that statute's particular scope, exceptions and thresholds. Email support@rhada.app to exercise them. We process such requests using the verification standards your state law requires and respond within the statutory window.
Appeal: if we deny a rights request, you may appeal by replying to our denial; we will give you a final response within the statutory appeal window.
D.3 Washington — My Health My Data Act (MHMDA)
The Washington My Health My Data Act (effective 31 March 2024) regulates the processing of "consumer health data" of Washington residents regardless of whether the processor is a HIPAA Covered Entity. Rhada is not a Covered Entity (see §10), but most of the personal information we process about WA residents falls within MHMDA's definition of "consumer health data".
Your MHMDA rights:
- Right to confirm whether we collect, share or sell your consumer health data.
- Right to access your consumer health data, including a list of all third parties with whom we have shared it.
- Right to deletion of your consumer health data and to require us to notify our processors to do the same.
- Right to withdraw consent to collection or sharing.
- No sale without separate authorisation — we do not sell consumer health data, so we never need to ask you for a sale authorisation.
- Non-discrimination for exercising MHMDA rights.
Full details, including the categories of consumer health data we collect and the third parties we share with, are in our separate Consumer Health Data Notice. The Notice is also available at the URL designated by MHMDA §1.04: https://rhada.app/legal/consumer-health-data.
Complaint route: Washington State Attorney General — https://www.atg.wa.gov/file-complaint.
D.4 Nevada — SB 370 Consumer Health Data Privacy
Nevada SB 370 (effective 31 March 2024) is substantively similar to MHMDA and grants Nevada residents comparable rights over consumer health data. Our handling is described in the same Consumer Health Data Notice.
Complaint route: Nevada Attorney General Bureau of Consumer Protection — https://ag.nv.gov/.
D.5 Connecticut — CTDPA consumer-health-data amendments
Connecticut Public Act No. 23-56 (effective 1 October 2023) amended the Connecticut Data Privacy Act to add specific protections for "consumer health data":
- We obtain opt-in consent before processing your consumer health data.
- We do not sell your consumer health data without your separate opt-in consent. We do not sell consumer health data at all.
- We do not provide an employee or contractor access to consumer health data without confidentiality obligations.
- We maintain a secure environment for the processing of consumer health data.
These commitments operate in addition to the standard CTDPA rights described in §D.2.
Complaint route: Connecticut Attorney General — https://portal.ct.gov/AG.
Schedule E — Canada (PIPEDA and provincial laws)
For Canadian users, our processing is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial statutes (Quebec Law 25, BC PIPA, Alberta PIPA) where applicable.
Your rights mirror the global baseline (§8). You may complain to the Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca/.
For Quebec residents, our processing also complies with the Act respecting the protection of personal information in the private sector ("Law 25"), including the obligation to publish information about cross-border transfers (see §6 above) and a contact for Quebec-specific requests (use support@rhada.app).
Schedule F — Brazil (LGPD — Lei Geral de Proteção de Dados)
For Brazilian users, DIAN Holdings is the controller under the LGPD. Our lawful bases mirror the GDPR. Your rights under Articles 17–22 LGPD include access, correction, deletion, portability, anonymisation, and information about sharing.
You may complain to the Autoridade Nacional de Proteção de Dados (ANPD) — https://www.gov.br/anpd/.
A Brazilian representative will be appointed and published if and when our processing volume requires it under the LGPD.
Schedule G — India (DPDPA 2023)
For users in India, our processing is subject to the Digital Personal Data Protection Act 2023 ("DPDPA"). DIAN Holdings is the Data Fiduciary.
Your DPDPA rights:
- Right to information about processing (s.11).
- Right to access and correction (s.12).
- Right to erasure (s.12).
- Right to grievance redressal (s.13).
- Right to nominate another person to exercise rights in case of death or incapacity (s.14).
We have a designated point of contact for DPDPA grievances at support@rhada.app. A Data Protection Officer will be appointed and published if and when our designation as a "Significant Data Fiduciary" requires it.
Complaints may be made to the Data Protection Board of India when operational.
For children under 18 in India, processing requires verifiable parental consent. Because Rhada's global floor is 16+, users in India who are between 16 and 18 are accommodated under §12; we apply parental-consent requirements where DPDPA implementing rules require them for users under 18.
Schedule H — Singapore (PDPA)
For users in Singapore, our processing is subject to the Personal Data Protection Act 2012. Your PDPA rights include access, correction, withdrawal of consent, and a complaint route to the Personal Data Protection Commission (PDPC) — https://www.pdpc.gov.sg/.
We comply with the Do Not Call Registry for any marketing messaging by SMS, voice or fax (we do none of these).
Schedule I — Thailand (PDPA)
For users in Thailand, our processing is subject to the Personal Data Protection Act B.E. 2562 (2019). Your rights mirror the global baseline; the supervisory authority is the Office of the Personal Data Protection Committee (PDPC) — https://www.pdpc.or.th/. Special-category data is processed under explicit consent.
Schedule J — Japan (APPI)
For users in Japan, our processing is subject to the Act on the Protection of Personal Information. We are a "Personal Information Handling Business Operator" (PIHBO). Your rights include disclosure, correction and cessation of use. Cross-border transfers to non-adequate countries require your consent or equivalent safeguards (we obtain consent at sign-up). The supervisory authority is the Personal Information Protection Commission (PPC) — https://www.ppc.go.jp/en/.
Schedule K — South Korea (PIPA)
For users in South Korea, our processing is subject to the Personal Information Protection Act. Special-category data (sensitive information, including health) requires separate consent, which we obtain at onboarding. Cross-border transfers require separate, explicit consent unless an exception applies. Your rights include access, correction, suspension, and deletion. The supervisory authority is the Personal Information Protection Commission (PIPC) — https://www.pipc.go.kr/eng/.
Schedule L — Hong Kong (PDPO)
For users in Hong Kong, our processing is subject to the Personal Data (Privacy) Ordinance (Cap. 486). Your rights include access and correction (Data Protection Principle 6). The supervisory authority is the Privacy Commissioner for Personal Data (PCPD) — https://www.pcpd.org.hk/.
Schedule M — Indonesia (UU PDP 2022)
For users in Indonesia, our processing is subject to Undang-Undang Pelindungan Data Pribadi (Law No. 27 of 2022). Your rights mirror the global baseline, including the right to obtain information about processing, access, correction, deletion and to object to automated decision-making.
Schedule N — Philippines (Data Privacy Act of 2012)
For users in the Philippines, our processing is subject to Republic Act No. 10173, the Data Privacy Act of 2012. Your rights are those enumerated in section 16 of the Act. The supervisory authority is the National Privacy Commission (NPC) — https://www.privacy.gov.ph/.
Schedule O — Other jurisdictions
We aim to comply with the data-protection law of every jurisdiction from which we knowingly accept users, including but not limited to: South Africa (POPIA), UAE (UAE Federal Decree-Law No. 45 of 2021), Saudi Arabia (PDPL), Israel (Privacy Protection Law 5741-1981), Mexico (LFPDPPP), Argentina (Ley 25.326), and the People's Republic of China (PIPL — to the extent we are subject to it).
If you are resident in a jurisdiction not specifically addressed above and you have a privacy concern that this Policy does not appear to cover, contact us at support@rhada.app and we will respond under the framework of your local law.
End of Privacy Policy v1.0.0.