1. Introduction and Overview
Metea ("we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal health data. This Privacy Policy explains how we handle information when you use the Metea mobile application (the "App").
Key Privacy Principle:
Your health data stays with you. All personal health information is stored on your iPhone and in your personal iCloud account (end-to-end encrypted by Apple). We do not collect, process, store, or have access to your personal health data on our servers. Only you can access your data.
2. Data Controller
The data controller responsible for this App is the developer of Metea. For any inquiries, please contact us through the App Store.
Contact: Via the App Store "App Support" link on the Metea app page
3. Data Storage and Processing Location
3.1 Local Storage on Your Device
All health data accessed from Apple HealthKit is stored exclusively on your iPhone in a secure, encrypted local database (Realm) within an App Group container. This includes but is not limited to:
- Heart rate and heart rate variability (HRV) data
- Sleep analysis data
- Activity and workout data
- Stress indicators derived from HRV
- Your Personal Health Twin profile (AI-generated insights about your health patterns)
- Any other HealthKit data types you authorize
This data is processed locally on your device using Apple's Core ML framework for on-device machine learning. We have no technical ability to access this data. The database is protected by iOS's built-in encryption and can only be accessed when your device is unlocked.
3.2 iCloud Storage
Your data is stored in your personal iCloud account, which provides secure cloud backup and synchronization. This storage:
- Uses Apple's end-to-end encrypted iCloud infrastructure
- Is governed by Apple's Privacy Policy and your agreement with Apple
- Remains under your control through your Apple ID settings
- Does not grant us any access to your data—only you can access it
- Enables seamless syncing across your Apple devices
- Provides automatic backup to prevent data loss
3.3 No Server-Side Processing of Personal Health Data
We do not operate servers that store or process your personal health data. All AI analysis and insights are generated on your device using Apple's Core ML framework or are processed anonymously as described in Section 4. Your Personal Health Twin—the AI model that learns your individual health patterns—exists only on your device and is never transmitted to our servers.
4. AI Analysis and Anonymization
4.1 On-Device AI Processing
The primary AI analysis in Metea occurs entirely on your device using Apple's Core ML framework. Our machine learning models are embedded within the App and process your health data locally without any data transmission to external servers. This includes:
- Personal Health Twin: An AI model that learns your individual health patterns. This model is created and stored exclusively on your device and is never transmitted anywhere.
- Stress & HRV Analysis: Real-time analysis of heart rate variability to detect stress patterns
- Sleep Quality Assessment: Analysis of sleep data to provide insights
- Trend Detection: Pattern recognition across your health metrics over time
4.2 Privacy-Safe AI Prompts
When generating personalized insights, our AI system uses privacy-safe prompts that contain only aggregated metrics and derived patterns. Raw HealthKit samples are never transmitted. For example, instead of sending your individual heart rate readings, the system might use aggregated information like "average resting heart rate: 65 BPM, typical range: 58-72 BPM."
4.3 Anonymous Data Aggregation (Optional)
If you opt in to anonymous data sharing in the App settings, aggregated and fully anonymized data may be used to improve our algorithms. Our anonymization process includes:
- User ID Hashing: Your identifier is cryptographically hashed and cannot be reversed
- Location Generalization: GPS coordinates are rounded to a 5 km grid, making precise location identification impossible
- Timestamp Removal: Specific times are removed; only general patterns (e.g., "morning," "evening") may be retained
- PII Stripping: All personally identifiable information is removed before any data leaves your device
- No Re-identification: The anonymized data cannot be linked back to you or your device
- Immediate Processing: Anonymized data is processed in real time and not stored persistently
4.4 Granular Sharing Controls
You have full control over what data, if any, is shared anonymously:
- Master Toggle: Disable all anonymous data sharing with a single setting
- Per-Metric Controls: Choose individually whether to share stress data, sleep data, activity data, etc.
- Location Sharing: Separate control for whether generalized location data is included
Under GDPR Article 4(1), anonymized data that cannot identify an individual is not considered personal data. Our anonymization process is designed to meet this standard, ensuring that shared data qualifies as truly anonymous.
5. Apple HealthKit Integration
Metea integrates with Apple HealthKit to access your health and fitness data. In accordance with Apple's HealthKit guidelines:
- We request only the specific data types necessary for the App's functionality
- You have granular control over which data types to share with the App
- You can revoke access at any time through iOS Settings → Privacy → Health → Metea
- HealthKit data is never used for advertising or marketing purposes
- HealthKit data is never sold to third parties
- HealthKit data is never shared with third parties for their own purposes
6. Information We May Collect
While we do not collect your health data, we may collect limited information for App functionality:
6.1 Account Information (If Applicable)
If the App offers account creation, we may collect your email address, display name (optional), and authentication credentials. This information is stored securely and used solely for account management.
6.2 Technical Data
We may collect anonymized technical data for App improvement:
- Device type and iOS version (anonymized)
- App version
- Crash reports (anonymized, via Apple's crash reporting)
- General usage statistics (anonymized)
6.3 Support Communications
If you contact our support team, we may retain your communication to provide assistance and improve our services.
7. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process data based on the following legal grounds:
- Consent (Art. 6(1)(a) GDPR): For accessing HealthKit data and optional features
- Contract Performance (Art. 6(1)(b) GDPR): To provide the App's core functionality
- Legitimate Interests (Art. 6(1)(f) GDPR): For App security, fraud prevention, and service improvement
For health data specifically, we rely on your explicit consent as required by Art. 9(2)(a) GDPR. This consent is obtained through iOS's HealthKit permission dialogs and can be withdrawn at any time.
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of Access (Art. 15): Request information about data we process
- Right to Rectification (Art. 16): Correct inaccurate data
- Right to Erasure (Art. 17): Request deletion of your data ("Right to be Forgotten")
- Right to Restrict Processing (Art. 18): Limit how we use your data
- Right to Data Portability (Art. 20): Receive your data in a portable format
- Right to Object (Art. 21): Object to certain types of processing
- Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time
Since your health data is stored on your device and in your personal iCloud account, you have complete control over it. You can delete all App data by uninstalling the App or clearing App data in iOS Settings. iCloud data can be managed through your Apple ID settings.
To exercise any of these rights regarding data we may hold, please contact us through the App Store using the "App Support" link on the Metea app page.
9. Data Security
We implement appropriate technical and organizational measures to ensure data security:
- All local data is protected by iOS's built-in encryption
- Data at rest is encrypted using Apple's Data Protection
- Any network communications use TLS 1.3 encryption
- We follow Apple's security best practices for iOS development
- Regular security audits and code reviews
10. Data Retention
Health Data: Stored on your device and in your iCloud account until you delete it or uninstall the App. We have no control over this data and cannot delete it remotely. You can manage your iCloud storage through your Apple ID settings.
Account Data: Retained until you delete your account or request deletion.
Technical/Analytics Data: Anonymized data is retained for up to 24 months for service improvement purposes.
11. International Data Transfers
Your health data is stored locally on your device and in your iCloud account. We do not transfer your data internationally. Apple may transfer iCloud data according to their privacy policy and data processing agreements.
For any limited data we process (account data, support communications), if transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
12. Children's Privacy
The App is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us immediately.
13. Third-Party Services
The App may use the following third-party services:
- Apple HealthKit: For health data access (governed by Apple's Privacy Policy)
- Apple iCloud: For secure data storage and synchronization (governed by Apple's Privacy Policy)
- Apple App Store: For app distribution and in-app purchases
We do not share your health data with any third parties for advertising, marketing, or any other purposes.
14. Changes to This Privacy Policy
We may update this Privacy Policy periodically. We will notify you of any material changes through the App or via email (if provided). The "Last updated" date at the top indicates when the policy was last revised. Continued use of the App after changes constitutes acceptance of the revised policy.
15. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. You can find your local data protection authority through the European Data Protection Board at edpb.europa.eu.
16. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us through the App Store:
App Support: Use the "App Support" link on the Metea App Store page
Report a Problem: Use the "Report a Problem" feature in the App Store
Privacy Summary
What We DO
- Store health data on your iPhone & iCloud
- Use Apple's end-to-end encryption
- Process AI insights on-device via Core ML
- Keep your Personal Health Twin local-only
- Give you granular control over data sharing
- Anonymize any optionally shared data
- Comply with GDPR and Apple guidelines
What We DON'T Do
- Store your health data on our servers
- Transmit raw HealthKit samples
- Sell or share identifiable data
- Use data for advertising or marketing
- Track you across apps or websites
- Access your data without your permission
- Share your Personal Health Twin externally