Privacy Policy — Myelina Health
Last updated: July 11, 2026
Myelina Health is a wellness companion for people living with multiple sclerosis. We exist in two forms, and they handle data differently. This policy explains both honestly, in plain language.
- Part A — The iOS / Apple Watch app. Works entirely on your device. No account, no servers, your health data does not leave your phone.
- Part B — The web service at myelina.health. You create an account. Your check-ins, reflections, medications, AI coach conversations, wearable imports, and related data are stored in a secure cloud database so the site can show them back to you.
In both cases: we do not sell your personal data, and we never share it with data brokers or advertising networks.
Part A — The iOS / Apple Watch app (on-device)
The shipped iOS app contains no server endpoints of ours. It works entirely on your device.
- No account. No login, no email required, nothing to sign up for.
- Apple Health, read-only. With your permission, the app reads heart rate variability, resting and current heart rate, sleep, active energy, and stand time — and, only if you separately enable it, cycle data. It never writes to Apple Health.
- Stored on your device. Health data is used to compute your energy estimate on your device and stored in an encrypted on-device database. It is not transmitted to us.
- No analytics SDKs, no ad trackers. Any engagement information the app records stays on your device.
- Optional — weather. Uses your approximate location to fetch local weather. Not stored by us.
- Optional — Oura Ring. If you connect one, your Oura access token is stored in the iOS Keychain on your device.
- Sharing is user-initiated. Wellness Reports and caregiver notes go only where you send them. We do not receive a copy.
- Your control. Change categories in iOS Settings → Privacy & Security → Health → Myelina Health. Delete the app to delete its data.
Part B — The web service (myelina.health)
The web service is different: it uses an account, and the data you enter is stored in a cloud database so we can show it back to you, compute forecasts, and enable optional features like AI insights and sharing with a clinician or buddy.
Account & identifiers
- Authentication is provided by Supabase Auth (email + password, or Google sign-in).
- We store your email address, a user ID, and the profile fields you provide: first name, MS type, years since diagnosis, energy goals, device list, and notification-time preferences.
- If you subscribe, we also store your Stripe customer ID and subscription status.
- We do not add IP-address or device-fingerprint columns to our own tables. Supabase Auth may retain sign-in metadata (such as IP and user-agent) inside its managed auth logs; that is controlled by Supabase, not by us.
Health and personal data we store
When you use the web service, the following categories are stored in our database:
- Daily check-ins: energy level, sleep quality, stress level, brain fog, body symptoms, tags, and any free-text notes you write.
- Evening reflections: overall energy, prediction accuracy, and evening tags.
- Energy predictions generated for you (six time-block forecasts, recommendations, crash-risk score, confidence).
- Medications you log: name, dosage, frequency, time-of-day, and notes.
- Goals and achievements you set or unlock.
- Weekly plans generated for you.
- AI Coach conversations: your messages and the assistant's replies.
- Cached AI Insights: the periodic pattern summary computed from your data.
- Wearable connections and imports: OAuth tokens for connected providers (Fitbit / Garmin / Apple exports); imported daily steps, average heart rate, sleep hours, calories, active minutes, and the raw payload.
- Buddy and social features: buddy pairings, invites, and messages you send.
- Clinician–patient links (if you connect a clinician): the clinician's email, clinic name, status, and any note.
- Subscriptions and billing metadata: Stripe subscription ID, product/price, status, period dates.
- Product events: lightweight funnel events (page path, event name, session ID, referrer host, UTM parameters, device string) to understand how the product is used.
- MCP tool-call logs (if you connect an AI agent via our MCP integration): which tool was called, when, whether it succeeded, and its arguments.
Row-Level Security
Every user-facing table in our database has Row-Level Security enabled. In plain terms: database rules stop one user's data from being returned to another user's session. RLS is a safeguard, not a guarantee — see the medical / security disclaimer below.
Subprocessors — who processes your data on our behalf
We use the following third-party services to run the web product. Each receives only what is necessary for its role.
- Supabase (Lovable Cloud). Our database, authentication, and serverless functions. Stores all of the data listed above.
- Lovable AI Gateway (ai.gateway.lovable.dev), routing to Google Gemini models. Powers AI Coach, AI Insights, Weekly Plan, Priority Pulse, Crash Risk detection, and Energy Prediction. Yes — your health data is sent to this AI gateway when you use those features. Specifically: your recent daily check-ins (energy, sleep, stress, brain fog, body symptoms, tags, notes), evening reflections, and profile fields (first name, MS type, years since diagnosis), plus the question you type for AI Coach. It is sent so the model can generate an answer for you; we do not use it to train models.
- Stripe. Payments and subscription management. Receives your email, our user ID, and the price/product you select. Card details are handled by Stripe directly and never touch our servers.
- Emailit (api.emailit.com). Delivers transactional and authentication emails (magic links, verification, receipts, reminders, buddy notifications). Receives your email address, your first name, and the variables used in the template.
- Wearable providers (Fitbit, Garmin, or Apple export files) — inbound only. If you connect one, we hold an OAuth token so we can read your activity data. We do not push data back to them.
- Google Search Console — SEO ranking data at the site level. Does not receive user data.
We do not currently use PostHog, Segment, Mixpanel, Sentry, Google Analytics, or advertising pixels on the web service.
Analytics & cookies
Analytics on myelina.health are first-party only. When you browse the site we may log lightweight product events — page path, event name, a session ID, the referring domain, UTM parameters from marketing links, and a device string (for example "desktop / Chrome"). If you are signed in, these events are keyed to your user ID.
A cookie banner asks for consent to optional analytics before any of that is recorded. We use strictly necessary cookies for sign-in and session handling; anything beyond that is opt-in.
Hosting
Our database and serverless functions run on Supabase, hosted on Amazon Web Services in the us-east-1 region (United States). If you use the web service from outside the US, your data is transferred to and stored in the United States.
Part C — Your rights & choices
Delete your account
You can delete your account from Settings. When you do, our delete-account function purges the following from our database:
- Your profile, daily check-ins, evening reflections, medications, goals, achievements, weekly plans, energy predictions, cached AI insights, and AI Coach conversations.
- Your wearable connections, wearable imports, and OAuth state.
- Your push-notification subscriptions.
- Your buddy pairs, buddy invites, buddy messages, and any clinician–patient links you are part of.
- Your subscription record, referral code, invite codes, and product-event history.
- Your MCP tool-call logs and revoked-client entries.
- Your authentication record with Supabase Auth.
A small amount of information is intentionally retained after deletion, for specific and narrow reasons:
- Email deliverability records (delivery logs, bounces, unsubscribe tokens, suppression list) — keyed to your email address. Kept so we honor unsubscribe requests and do not re-mail addresses that have bounced or opted out.
- Newsletter opt-out records — kept so we can prove you asked not to be contacted.
- Sales / partnership CRM records (only if you contacted us as a clinician or partner via a lead form) — kept for our business records.
Access, export, correction
You can view and edit your profile and logged data inside the app. You can export your check-ins and related data as CSV from the Insights page. To request a copy of everything we hold, or to ask us to correct something, email us at the address below.
GDPR / CCPA
If you are in the EU/UK or California, you have the right to access, correct, delete, and port your personal data, and to object to certain processing. Email us to exercise any of these rights. We do not sell personal data and we do not share it for cross-context behavioural advertising.
Retention
Your health data on the web service persists until you delete your account. We do not currently apply a global auto-expiry to check-ins, reflections, medications, or wearable imports. Cached AI Insight summaries are recomputed roughly every 24 hours as your data changes. Some invite links, OAuth state, and buddy invites carry their own short expiration times.
Part D — Medical disclaimer
Myelina Health is a wellness and informational tool. It is not a medical device. It does not diagnose, treat, cure, or prevent any disease, and its estimates and AI-generated suggestions are not medical advice. Always consult a qualified healthcare professional about your care.
Part E — Children
Myelina Health is intended for adults. It is not directed to children under 13, and we do not knowingly collect data from anyone under 13. If you believe a child has created an account, contact us and we will delete it.
Changes to this policy
We may update this policy as the product evolves. Material changes will show an updated "Last updated" date at the top.
Contact
Privacy questions or requests: hello@aikeepsitreal.com
Need help with the app? Visit Support.