Arion

Privacy Policy

Last updated: 2026-04-21

Draft notice. This is a plain-English starter Privacy Policy tailored to Arion's current data flows. It is not legal advice. Have a qualified privacy lawyer in your jurisdiction review it before public launch.

The short version

  • We collect what you log (habits, workouts, sleep, meals, mood, water, steps, journal entries).
  • We use it to power your dashboard, your streaks, and (if Pro) the AI coach.
  • We do not sell your data. We do not show ads. There are no tracking cookies.
  • You can export or delete everything at any time from Settings.

1. Who we are

Arion (the "Service") is operated by Arion. The data controller for your personal data is Arion. You can reach us at hello@arion.health.

2. What we collect

Account data: email address, username, password (hashed), avatar (optional), referral code.

Wellness logs: entries you create — habits, habit completions, workouts (with exercises and durations), sleep (bedtime, wake time, quality, mood), meals (with optional calories and macros), mood/journal entries, water glasses, step counts.

Subscription data: tier (free/pro), Pro expiry date, payment status. Card details are processed by our payment provider; we never see them.

Connections: if you connect Strava, Apple Health, Google Health Connect, or Fitbit, we store the connection tokens and the metrics you choose to share.

Technical data: IP address and user-agent at signup (for the audit consent record), basic error logs.

3. Health data — extra protection

The data above includes health data, which is treated as a special category under GDPR/UK GDPR Article 9 and equivalent laws in other regions. We process it only on these legal bases:

  • Your explicit consent, given when you sign up and when you connect a health source.
  • Performance of the contract with you (delivering the app you signed up for).

Apple HealthKit and Google Health Connect data stays on your device unless you explicitly enable a sync. When you do, only the metrics you chose (e.g. step count) are sent to our backend — we never read raw sensor or location data.

We do not share your health data with advertisers, data brokers, insurance companies, or any third party for marketing. We do not use your health data to train AI models. AI coaching prompts are sent to our model provider in real time and not retained for training.

4. How we use it

  • To show you your dashboard, streaks, scores, and history.
  • To power AI coaching responses (Pro feature).
  • To compute leaderboard scores and award medals from your real activity.
  • To send in-app notifications for streaks, friend requests, challenges, and Pro expiry reminders.
  • To provide friends features (only with friends you've explicitly accepted).
  • To detect and prevent abuse, fraud, or technical errors.

5. Who we share it with

Friends you accept: can see your username, avatar, wellness score, tier, and medals — nothing else.

Subprocessors (acting on our documented instructions only):

Provider | Purpose | Region
Lovable Cloud (Supabase) | Hosting, database, file storage, auth | EU/US
Lovable AI Gateway | LLM inference for AI Coach prompts | US
Apple Push / Google FCM | Native push notifications | Global
Stripe / Apple / Google billing | Subscription payments | Global
Strava, Fitbit (when connected) | Optional workout / health source sync | US

We do not sell or rent your data. Ever. The full list of contractual safeguards is in our Data Processing Addendum.

6. Where your data is stored

Data is stored in our hosting provider's data centres. Some processing (e.g. AI coaching) may take place outside your country, including in the United States. When we transfer personal data out of the UK/EEA we rely on Standard Contractual Clauses or equivalent safeguards.

7. How long we keep it

We keep your data for as long as your account exists. When you delete your account we permanently remove your personal data within 30 days, except minimal billing records we are legally required to keep.

8. Your rights

Depending on where you live (GDPR/UK GDPR/CCPA/etc.) you have the right to:

  • Access a copy of your data — use the Export button in Settings.
  • Correct inaccurate data — edit in the app.
  • Delete your data — use the Delete Account button in Settings.
  • Withdraw consent at any time — closing your account withdraws consent for all processing based on it.
  • Object to certain processing or request restriction — email us.
  • Lodge a complaint with your local data protection authority.

9. Security

We use industry-standard measures: encryption in transit (HTTPS) and at rest, row-level security so users can only access their own data, server-side validation for medals and leaderboard scores, password hashing with bcrypt, and leaked-password checks against the Have I Been Pwned database. We are not perfect — no system is — but we take security seriously. If you spot an issue please email security@arion.health.

10. Cookies and tracking

We use a strictly necessary cookie/local-storage entry to keep you signed in and to remember your theme and referral code. We do not use third-party advertising or analytics cookies. There is no cross-site tracking.

11. Children

Arion is not directed at children under 16 (or the digital-consent age in your country, whichever is higher). We do not knowingly collect personal data from children below that age. We ask every new user to confirm their age at signup. If you believe a child has signed up, contact us and we'll delete the account.

12. Changes to this policy

When we change how we handle data we update the "Last updated" date and, for material changes, ask you to re-accept inside the app.

13. Contact

Privacy questions or rights requests: privacy@arion.health.