Privacy Policy
Last updated 27 April 2026. This policy describes how Glean processes personal data.
This policy supplements our Terms of Service. Capitalised terms used here align with those terms unless defined below.
1. Data controller
The data controller for personal data processed through this service is Glean, operated as a sole trader established in the United Kingdom ("we", "us"). For privacy enquiries or to exercise the rights described below, contact hello@glean.fit.
2. What we collect
Account and profile: identifiers and profile details you provide (for example email address, name from OAuth providers where you use social login), and preferences such as units and training settings stored in your account.
Entries and content: structured data you save (activities, meals, body measurements, and related fields) and optional notes. Images you upload for extraction are processed to produce those entries.
Technical data: server and security logs (e.g. IP address, user agent, timestamps) for operating the service, abuse prevention, and diagnostics — typically at a coarse level and retained only as long as needed for those purposes.
Billing (if you subscribe): our payment processor receives payment details; we store identifiers needed to manage your subscription (for example customer and subscription ids).
3. Why we use data and legal bases (EEA / UK)
We rely on the following UK GDPR / GDPR legal bases, matched to purpose:
- Performance of a contract (Art. 6(1)(b)) — to authenticate you, store the entries you save, run AI-assisted extraction you initiate, and provide paid features you subscribe to.
- Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse and fraud, apply rate limits, keep diagnostic logs, and make service-quality improvements. You can object at any time using the contact above.
- Legal obligation (Art. 6(1)(c)) — to keep records required by tax, accounting, or other applicable law (for example invoices for paid subscriptions).
- Consent (Art. 6(1)(a)) — for any non-essential cookies or marketing communications where required; see our Cookie notice. You can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. AI processing (OpenAI) and automated decisions
Images and text you submit for extraction are sent to OpenAI (or another model provider we configure) via our hosting environment. The provider processes inputs to return structured suggestions; we store the resulting entries and associated metadata you confirm. Only upload images you have the right to share with our AI sub-processor for processing. See the provider's documentation for their terms and data handling practices.
Extracted fields are suggestions that you review before saving. We do not use automated decision-making that produces legal or similarly significant effects about you within the meaning of Art. 22 UK GDPR / GDPR.
We configure our AI providers to opt out of model training on customer data. Your inputs and outputs are not used to train third-party AI models.
5. Sub-processors (DPA summary)
We use the following sub-processors to deliver the service. They are contractually required to protect data and process it only on our instructions, subject to their public terms and certifications.
| Provider | Role | Typical region |
|---|---|---|
| Vercel | Application hosting, edge network | Global (configurable) |
| Turso (libSQL) | Primary application database | Per your database region |
| Vercel Blob | Temporary storage of uploaded entry images | Per blob store region |
| OpenAI | Vision and text extraction | United States / per OpenAI policy |
| Resend | Transactional and product email delivery | Per Resend infrastructure |
| Stripe | Payments and billing (when you subscribe) | Per Stripe entity / region |
| Upstash (Redis) | Rate limiting and abuse prevention (minimal technical metadata) | Per Upstash region configuration |
We will update this table if sub-processors change materially.
6. Retention
Account and entry data are kept while your account is active and for a short period afterwards if needed for backups, legal obligations, or dispute resolution — then deleted or anonymised in line with our deletion flows.
Entry images stored in Vercel Blob are automatically deleted after 7 days by a scheduled (cron) cleanup job in the product. Derived structured data you saved from an extraction remains in your log after the raw image is removed. URLs pointing at expired blobs will no longer load.
7. International transfers
Some sub-processors are established outside the UK / EEA — principally in the United States (for example OpenAI) and other regions depending on provider configuration (Vercel, Turso, Vercel Blob, Resend, Stripe, Upstash). Where personal data is transferred outside the UK / EEA we rely on appropriate safeguards — typically the UK International Data Transfer Addendum and the EU Standard Contractual Clauses — together with supplementary measures where needed. You may request further detail via hello@glean.fit.
8. Security
We operate the service over TLS, store passwords using modern hash functions provided by our authentication library (Better Auth), and encrypt data at rest through our hosting and database providers. The app offers optional two-factor authentication (TOTP) and lets you review active sessions from your settings. We apply rate limits, input validation, and upload hardening to reduce abuse. No system is perfectly secure; please report suspected issues to hello@glean.fit.
9. Cookies and similar technologies
We use cookies and similar technologies as described in our Cookie notice — including essential authentication cookies.
10. Your rights
Subject to applicable law, you have the following rights in relation to your personal data:
- Access — obtain confirmation of processing and a copy of your data.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — have your data deleted where grounds apply.
- Restriction — limit processing in specific circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests, including profiling.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Complaint to a supervisory authority — UK users may complain to the Information Commissioner's Office (ico.org.uk); EEA users may contact their local data protection authority.
To exercise any right, contact hello@glean.fit. You can also delete your account from Settings (Security): that removes your account and associated data, subject to legal retention needs.
11. Children
The service is not directed at children under the age at which they can give their own consent to information-society services in their jurisdiction (13 in the United Kingdom under the Data Protection Act 2018; between 13 and 16 across EEA member states depending on local law). Do not register if you do not meet the minimum age in your country.
12. Changes
We may update this policy and will revise the "Last updated" date at the top. Material changes will be communicated as required by law — for example by in-app notice or email — before they take effect.