Qyra.

Legal

Privacy Policy

Effective date: May 28, 2026

This Privacy Policy describes how Star Island Holdings LLC (“Qyra,” “we,” “our,” or “us”) collects, uses, discloses, and otherwise processes your personal information when you use the Qyra mobile application, the qyra.health website, and other interactions you may have with us (collectively, the “Services”), and explains your rights and choices regarding that information.

This Policy forms part of our Terms of Service. Capitalized terms not defined in this Policy have the meanings given in the Terms.

Children. If you reside in the United States and are under 13 years of age, you should not use the Services. If you reside in the European Economic Area (EEA), Switzerland, or the United Kingdom, you must be at least 16 to use the Services without parental consent. If we become aware that we have collected personal information from a child below the applicable threshold, we will delete it and the associated account.

1. Information We Collect

1.1 Information you provide directly

  • Account & profile. Name, email address, date of birth, sex/gender, height, weight, goal weight, and activity level — used to compute your personalized macro and calorie targets.
  • Authentication identifiers. When you sign in with Apple, Google, Microsoft, or email/password, the corresponding identity provider returns a stable user identifier (and, where you grant it, your email). We never store your password ourselves; authentication is handled by Supabase Auth.
  • Health & nutrition data. Foods, drinks, supplements, and compounds you log (via photo, barcode, voice, or manual entry); calorie and macronutrient values; meals; weigh-ins; fasting sessions; workouts and exercise logs; goal progress; and any progress photos you choose to capture. Some of this data is sensitive personal information under applicable law.
  • User-generated content. Group messages, group memberships, challenge participation, Versus competitions, and other content you post or share with other users through the Groups and Versus features.
  • Photos and audio. Food photos you submit for AI analysis, product photos captured during barcode scans, and voice recordings you submit for voice food logging. Photos and audio are transmitted to our processing pipeline only when you initiate the action; we do not background-record.
  • Communications. Any information you provide when you contact us (e.g., support, feedback, account requests).

1.2 Information collected automatically

  • Device & usage data. Device model, OS version, app version, anonymous installation identifier, locale, and aggregated usage events (e.g., feature usage counts, error events). We use this to keep the app working and to debug crashes — not to build profiles for advertising.
  • Apple HealthKit. With your explicit permission (granted via the system HealthKit consent sheet), Qyra reads steps, active energy burned, and body mass from Apple Health, and writes meals you log (calories, macros, water), weigh-ins, and completed workouts back to Apple Health. HealthKit data is governed by Apple’s privacy framework and is never used for advertising and never transferred to third parties for marketing.
  • Location data. If you use location-dependent features, such as nearby restaurant discovery or outdoor workout tracking, Qyra may process your precise location while that feature is active. We use location only to provide the requested feature and do not sell it or use it for advertising.
  • Subscription status. We verify your active subscription via Apple StoreKit. We do not see or store your payment instrument; Apple is the merchant of record.
  • Push notification tokens. If you grant notification permission, we store the APNs token associated with your device so we can send reminders, group activity notifications, and milestone alerts.

1.3 Information from third parties

  • Identity providers. When you sign in with Apple, Google, or Microsoft, we receive the stable user identifier they issue and, where you grant it, your name and email.
  • Open Food Facts. When you scan a barcode, we query the public Open Food Facts database to retrieve product details (name, image, nutrition).
  • Anthropic Claude (food, voice, and coaching AI). Food photo recognition, voice-to-food parsing, exercise estimates, and AI coaching are powered by Anthropic’s Claude API, routed through our Supabase Edge Functions so your AI provider account is not linked and our API credentials are not exposed. See Section 4 for details.

1.4 What we do not collect

  • We do not run third-party advertising networks. We use limited product analytics to measure site and app reliability and feature usage.
  • We do not sell, rent, or share your personal information with advertisers, data brokers, or marketing partners.
  • We do not collect location in the background outside location-dependent features.
  • We do not access your camera or microphone outside the explicit logging flows.

2. How We Use Your Information

  • Provide the Services. Calculate macro goals, log meals and workouts, surface progress, deliver AI insights, sync with Apple Health, and authenticate your account.
  • Maintain and improve quality. Diagnose crashes, monitor service reliability, and improve features. Aggregated, de-identified metrics may be used for product analytics.
  • Communicate with you. Respond to support requests, send transactional notifications (e.g., subscription receipts, security alerts), and announce material changes to the Services.
  • Protect the Services and users. Detect abuse, prevent fraud, enforce our Terms, and respond to security incidents.
  • Legal compliance. Comply with applicable law, respond to lawful requests, and exercise or defend legal claims.

3. Legal Bases (EEA / UK / Switzerland)

If you are in the EEA, UK, or Switzerland, we process your personal information under one or more of the following lawful bases:

  • Performance of a contract— to provide the Services you signed up for.
  • Consent— for sensitive health data, HealthKit access, push notifications, and any marketing communications. You can withdraw consent at any time.
  • Legitimate interests— to debug crashes, secure the Services, prevent abuse, and improve product quality, balanced against your rights.
  • Legal obligation— to comply with applicable law and lawful requests.

4. AI Processing

Qyra uses Anthropic’s Claude API to power food photo recognition, barcode-image analysis, voice-to-food parsing, exercise estimates, and the AI nutrition coach. Requests are routed through our backend (Supabase Edge Functions), so your Anthropic account is not linked and our API credentials are not exposed.

  • What is sent. Only the feature-relevant image, transcript, message, workout description, or nutrition context needed to answer your request. AI coaching requests may include recent logged nutrition, workout, weight, and goal context so the response can be personalized.
  • How long it’s retained. AI-provider processing is governed by Anthropic’s API terms and data-processing commitments. Qyra does not use your food photos, transcripts, or coaching conversations to train Qyra-owned models, and we do not retain raw image bytes server-side after the response is returned.
  • What we store. The structured result — food names, calorie and macro values, your accept/reject decision — is stored against your account so you can review, edit, and re-log meals.
  • Accuracy. AI outputs are estimates, not medical or professional advice. Always double-check important values before relying on them.

5. How We Disclose Information

We do not sell your personal information. We disclose information only as follows:

  • Service providers (sub-processors). Supabase (database, auth, edge functions, file storage) hosts your account and logs. Anthropic (Claude API) processes AI requests. Apple (APNs) delivers push notifications. Vercel hosts qyra.health and provides limited site analytics. Cloudflare provides DNS and CDN. Convex hosts the lightweight website-tracking endpoint currently used on qyra.health. Each provider is contractually bound to confidentiality and security obligations.
  • Apple HealthKit. HealthKit authorization and reads happen on your device. HealthKit values you choose to use in Qyra, such as steps, active energy, body mass, workouts, meals, and water, may be stored in your Qyra account to provide sync, progress, coaching, and social features. We do not use HealthKit data for advertising.
  • Other Qyra users. Content you choose to share in Groups, Versus, or other social features is visible to the participants of that surface.
  • Legal & safety. We may disclose information to comply with law, respond to lawful requests, enforce our Terms, or protect rights, property, or safety.
  • Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction, subject to this Policy.

6. Your Choices & Rights

In-app controls

  • Apple Health. Manage read/write permissions in iOS Settings → Privacy & Security → Health → Qyra.
  • Notifications. Toggle in iOS Settings → Notifications → Qyra, or inside the app.
  • Delete data. Profile → Settings → Delete Account removes your account and associated data within 30 days.
  • Sign out / sign back in. Refreshes the secure session token used to access AI features.

Statutory rights

Depending on where you live, you may have the right to:

  • access a copy of the personal information we hold about you,
  • correct inaccurate information,
  • delete information (subject to legal exceptions),
  • port information in a portable format,
  • object to or restrict certain processing (e.g., legitimate-interest-based analytics),
  • withdraw consent for sensitive-data processing at any time,
  • opt out of any processing that constitutes a “sale” or “sharing” for cross-context behavioral advertising — though Qyra does not engage in either,
  • file a complaint with your local data-protection authority.

To exercise any of these rights, email hello@qyra.health. We’ll verify your identity using information already associated with your account, then respond within the timeframe required by applicable law (typically 30 to 45 days). We will not discriminate against you for exercising any right.

7. California Residents (CCPA / CPRA)

In addition to the rights listed above, California residents may request the specific pieces of personal information we have collected, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we have shared it — for the 12 months preceding your request.

Sale and sharing. Qyra does not sell personal information, and does not share personal information for cross-context behavioral advertising. We do not use or disclose sensitive personal information (including health data) for purposes other than providing the Services you requested.

Submit requests via hello@qyra.health. An authorized agent may submit on your behalf with proof of authorization.

8. Washington Residents (My Health My Data Act)

For Washington residents, “consumer health data” as defined under the MHMDA includes information that identifies your physical or mental health (e.g., dietary habits, body measurements, fitness activity). We collect this data only with your consent at the point of entry, use it solely to provide the Services described in this Policy, and do not sell it. You may exercise your MHMDA rights by emailing hello@qyra.health.

9. International Transfers

Qyra is operated from the United States, and our service providers are located in the United States and other countries. By using the Services, you understand that your information may be transferred to and processed in the United States or other jurisdictions whose data-protection laws may differ from those in your country of residence. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

10. Data Retention

We retain your account and the data you log for as long as your account is active. When you delete your account, we delete or de-identify your personal information within 30 days, except where we are required to retain it for legal, tax, or fraud-prevention purposes. De-identified, aggregated data may be retained indefinitely.

11. Security

We use reasonable technical, organizational, and administrative safeguards designed to protect your information — including TLS in transit, encryption at rest on our infrastructure providers, row-level security in the database, and least-privilege access for staff. No system is perfectly secure; if you suspect a vulnerability or compromise, please email hello@qyra.health.

12. Changes to this Policy

We will update the “Effective date” above when this Policy changes. Material changes will be highlighted via in-app notice or email. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.

13. Contact Us

Questions, requests, or complaints can be sent to:

Star Island Holdings LLC
Privacy contact: hello@qyra.health
Security disclosures: hello@qyra.health
General support: hello@qyra.health
Website: qyra.health
Mailing address: available on request via hello@qyra.health.

© 2026 Qyra. All rights reserved.

Blog·Rate My Routine·Support·Privacy·Terms·Press·Instagram·X