MyClover Privacy Policy

Information You Provide to Us

When you use MyClover, you may choose to provide:

• Account Information: Email address, name (optional), date of birth (to verify age eligibility)
• Lifestyle Tracking Data:
  • Daily habits (diet entries, exercise activities, sleep patterns)
  • Wellness observations (how you feel, energy levels, discomfort notes)
  • Goals and reminders you set
  • Photos of meals or other lifestyle documentation you choose to upload
• Manually Entered Health Information:
  • Lab results or health metrics you manually enter or upload (e.g., weight, lab PDFs)
  • Notes about your wellness journey
• User Preferences: App settings, notification preferences, display preferences

Data from Third-Party Integrations

With your explicit consent, we may access data from third-party health and fitness platforms you choose to connect:

• Fitbit Data: When you connect your Fitbit account, we may access activity data (steps, active minutes, calories burned), sleep data (duration, quality), heart rate data, and weight data as made available through Fitbit's API
• Other Integrations: [Future integrations will be listed here as they are added]

See Section 3: Third-Party Health Data Integrations for detailed information about how we use and protect data from connected services.

Information We Collect Automatically

• Usage Data: How you interact with the App (features used, time spent, navigation patterns)
• Device Information: Device type, operating system, app version, unique device identifiers
• Performance Data: Crash reports, error logs (anonymized)

Information We Do NOT Collect

• We do not directly connect to healthcare providers, hospitals, labs, or electronic health record (EHR) systems
• We do not receive data automatically from medical devices or healthcare institutions
• We do not collect data from children under 13 years of age
• We do not require you to provide any health information - all tracking is voluntary

How Fitbit Integration Works

MyClover offers an optional integration with Fitbit to help you track your activity and wellness data alongside your manually entered information. When you connect your Fitbit account:

1. You Grant Permission: You authorize MyClover to access specific data from your Fitbit account through Fitbit's secure OAuth authorization process
2. We Request Limited Data: We only request access to activity, sleep, heart rate, and weight data - we do not request access to other Fitbit data categories
3. Fitbit Shares Data: Fitbit Inc. shares the authorized data with MyClover through their API
4. We Display Your Data: We display your Fitbit data in the MyClover app alongside your manually entered tracking information

What Fitbit Data We Access

When you connect your Fitbit account, we may access:

• Activity Data: Steps, distance, calories burned, active minutes, exercise sessions
• Sleep Data: Sleep duration, sleep stages, sleep quality scores
• Heart Rate Data: Resting heart rate, heart rate zones during activity
• Weight Data: Weight measurements logged in Fitbit
• Profile Information: Basic profile data necessary to sync your account (user ID, timezone)

Important: All Fitbit data access requires your explicit consent during the connection process. You can revoke this consent at any time.

How We Use Fitbit Data

We use Fitbit data ONLY for the following purposes:

• Display to You: Show your Fitbit activity and wellness data in the MyClover app
• Pattern Recognition: Include Fitbit data in behavioral pattern analysis (e.g., "You felt more energetic on days with higher step counts") - these insights are shown only to you
• Progress Tracking: Visualize your activity trends over time alongside your manually tracked data
• Goal Support: Help you monitor progress toward your personal wellness goals

What We Do NOT Do With Fitbit Data:

• We do NOT share your Fitbit data with any external parties, advertisers, or analytics services
• We do NOT include identifiable Fitbit data in aggregated research or analytics without your separate, explicit consent
• We do NOT use Fitbit data to target advertisements
• We do NOT sell or rent your Fitbit data
• We do NOT use Fitbit data for account migration, service duplication, or reverse-engineering of Fitbit's platform
• We do NOT use Fitbit data to provide medical diagnosis, treatment, or medical advice

Fitbit Data Storage and Retention

• Secure Storage: Fitbit data is stored with the same security measures as all other health data in MyClover (encryption in transit and at rest)
• Retention Period: We retain synced Fitbit data for as long as your Fitbit connection is active and your MyClover account remains active
• Disconnection: When you disconnect your Fitbit account, we stop syncing new data immediately. You can choose to keep or delete previously synced Fitbit data from MyClover
• Account Deletion: When you delete your MyClover account, all Fitbit data is deleted within 30 days (see Section 5: Data Storage and Security for full retention policy)

Your Control Over Fitbit Data

You have complete control over your Fitbit integration:

• Connect or Disconnect: You can connect or disconnect your Fitbit account at any time through MyClover Settings → Health Connections
• Revoke Access: You can revoke MyClover's access to your Fitbit data through your Fitbit account settings at fitbit.com
• Delete Synced Data: You can delete previously synced Fitbit data from MyClover through the app settings
• Control Sharing Scope: Fitbit's authorization process allows you to see exactly what data MyClover requests before you approve

Fitbit's Privacy Policy

Your Fitbit account and data are subject to Fitbit's Privacy Policy, available at https://www.fitbit.com/legal/privacy-policy. We are not responsible for Fitbit's data practices. Please review Fitbit's policies to understand how they collect, use, and share your data.

Data Accuracy and Reliability

We display Fitbit data as provided by Fitbit's API. We do not verify, validate, or guarantee the accuracy of Fitbit data. If you notice inaccurate data, please check your Fitbit device and account settings. MyClover is not responsible for errors or inaccuracies in data provided by Fitbit.

Compliance with Fitbit Platform Terms

MyClover's use of Fitbit data complies with the Fitbit Platform Developer Terms of Service. We respect Fitbit user privacy and data protection requirements, including:

• Obtaining informed consent before accessing Fitbit data
• Using Fitbit data only for the purposes disclosed to you
• Protecting Fitbit data with appropriate security measures
• Honoring your deletion requests for Fitbit data immediately
• Not using Fitbit data for advertising, marketing to third parties, or unauthorized purposes

European Users and Fitbit Data

For users in the European Economic Area (EEA) and UK:

• Legal Basis: We process Fitbit data based on your explicit consent (GDPR Article 6(1)(a) and Article 9(2)(a) for health data)
• Data Controller: Both MyClover and Fitbit act as independent data controllers for your data
• Your Rights: You have the right to withdraw consent, access your data, request deletion, and exercise other GDPR rights (see Section 6: Your Privacy Rights)
• Data Transfers: Fitbit data may be transferred internationally in accordance with Section 10: International Data Transfers

Questions About Fitbit Integration

If you have questions about how we use Fitbit data, contact us at privacy@myclover.app.

What We DO NOT Do With Your Data

• We do not interpret your data to provide medical meaning, diagnosis, or treatment recommendations
• We do not claim your data shows disease improvement or medical outcomes
• We do not share your identifiable health information with third-party analytics, advertising, or marketing services
• We do not sell your personal information
• We do not use your health data to target ads
• We do not include data from third-party integrations (such as Fitbit data) in aggregated, de-identified research or analytics without your separate, explicit consent

Important Note on Third-Party Integration Data

Data from third-party integrations (such as Fitbit) is treated with additional restrictions:

• NOT Included in Research: Third-party integration data (including Fitbit data) is NOT included in aggregated, de-identified data used for service improvement or research purposes unless you provide separate, explicit consent for such use
• Display Only by Default: By default, third-party integration data is used only to display information back to you in the MyClover app and to generate personal pattern insights shown only to you
• Separate Consent Required: If we seek to use third-party integration data for any purpose beyond displaying it to you, we will ask for your separate, informed consent and clearly explain the intended use

Where We Store Your Data

Your data is stored on secure servers in [specify region, e.g., "the United States" or "EU data centers"]. We use industry-standard security measures including:

• Encryption in transit (TLS/SSL)
• Encryption at rest
• Access controls and authentication
• Regular security audits
• Secure backup systems

Data Retention

• Active Accounts: We retain your data as long as your account is active and necessary to provide our services. We periodically review stored data to ensure we only retain information necessary for the purposes described in this policy.
• Inactive Accounts: If you don't use the App for 12 consecutive months, we may delete your account and associated data after notifying you
• Account Deletion: When you delete your account, we delete your personal data within 30 days, except where we're required to retain it for legal purposes
• Backups: Deleted data may remain in encrypted backups for up to 90 days before permanent deletion
• Retention Reviews: We conduct regular reviews of data retention practices to minimize data storage in accordance with GDPR storage limitation principles

Analytics and Performance Monitoring

App Analytics: We use our own first-party analytics systems to understand app usage patterns and feature adoption. These analytics are processed internally and do NOT send identifiable health information to external platforms.

Third-Party Analytics Tools (if any are implemented):

• [Specify analytics platform(s) if used, e.g., "Google Analytics for Firebase"]
• We configure these tools to exclude all health tracking data
• Only non-sensitive usage data is sent (e.g., screen views, button clicks, session duration)
• We do NOT send: symptoms, habits, wellness observations, lab results, or any personal health information

Performance and Crash Monitoring: We may use third-party crash reporting tools [specify if used, e.g., "Sentry" or "Firebase Crashlytics"] to identify and fix technical issues. This data:

• Is fully anonymized and contains no health information
• Includes only technical data (device type, OS version, error logs)
• Does not include your tracking data or personal content
• Is used solely for bug detection and app stability improvement

Current Tools in Use: [List specific tools when implemented, e.g., "None currently" or "Firebase Crashlytics for crash reporting only"]

All Users

• Access: Request a copy of your data
• Correction: Update or correct your information
• Deletion: Delete your account and data at any time
• Export: Download your data in a portable format
• Control: Manage notification preferences and data sharing settings
• Disconnect Third-Party Integrations: You can disconnect Fitbit or other connected services at any time through MyClover Settings → Health Connections. This stops new data syncing immediately. You can also delete previously synced data.
• Revoke Third-Party Access: You can revoke MyClover's access to your Fitbit data directly through your Fitbit account settings at fitbit.com

Additional Rights (GDPR - EU/EEA Users)

• Right to Object: Object to certain processing activities
• Right to Restrict: Request restriction of processing
• Right to Portability: Receive your data in a structured, machine-readable format
• Right to Withdraw Consent: Withdraw consent for processing at any time
• Right to Lodge a Complaint: File a complaint with your data protection authority

Additional Rights (CCPA/CPRA - California Users)

• Right to Know: Know what personal information we collect, use, and disclose
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out: Opt out of the "sale" or "sharing" of your information (Note: We do not sell or share your information)
• Right to Correct: Request correction of inaccurate information
• Right to Limit Use of Sensitive Personal Information: Limit the use and disclosure of your sensitive personal information (including health-related data) to purposes necessary to provide the services you requested
• Right to Non-Discrimination: Not be discriminated against for exercising your rights

We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties.

Limited Sharing

We may share your information only in these circumstances:

1. Service Providers: With trusted vendors who help us operate the App (e.g., cloud hosting, customer support) under strict confidentiality agreements that prohibit them from using your data for any other purpose. Current service providers include:
   • Supabase: Database and authentication services
   • Fitbit Inc.: Third-party health data integration (only when you connect your Fitbit account) - Fitbit acts as an independent data controller and data source, not a processor for MyClover
   • [Other service providers as added]
2. With Your Consent: When you explicitly authorize us to share information
3. Aggregated/Anonymous Data: We may share aggregated, de-identified statistics that cannot identify you (e.g., "70% of users track exercise daily"). This does NOT include data from third-party integrations (such as Fitbit) unless you provide separate consent.
4. Legal Requirements: When required by law, court order, or to protect our legal rights, safety, or the safety of others
5. Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred (you'll be notified with an opportunity to delete your account)

We Will Never Share

• Your identifiable health tracking data with advertisers
• Your symptoms, habits, or wellness data with third-party analytics platforms
• Your personal information for marketing purposes without explicit consent
• Your Fitbit data or other third-party integration data with any external parties (beyond the original data source)

Third-Party Data Sources

When you connect third-party services like Fitbit, those companies act as independent data controllers and share data directly with you through MyClover. We do not control or modify this data; we simply display it to you. Your relationship with these third parties is governed by their respective privacy policies and terms of service.

Safeguards for International Transfers

For EU/EEA Users: We comply with GDPR requirements for international data transfers through:

• Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses with service providers that process data outside the EU/EEA
• Adequacy Decisions: Where possible, we transfer data to countries with adequacy decisions from the European Commission
• Additional Safeguards: We implement supplementary technical and organizational measures including:
  • End-to-end encryption for data in transit
  • Encryption at rest for stored data
  • Strict access controls limiting who can access your data
  • Regular security assessments of data processing partners
  • Contractual commitments from processors to handle data in accordance with GDPR

Transfer Documentation: You may request copies of the safeguards we use for international transfers by contacting dpo@myclover.app.

For UK Users: We comply with UK GDPR and use International Data Transfer Agreements (IDTAs) or UK Addendums to SCCs as appropriate.

In-App Controls

• Account Settings: Update your profile information, email, and preferences
• Data Management: View, export, or delete your tracking data
• Pattern Management: Review, confirm, or delete discovered patterns
• Notification Settings: Control what notifications you receive

Communications Preferences

• Email: Unsubscribe from marketing emails via the link in any email
• Push Notifications: Disable via your device settings or in-app preferences
• Essential Communications: Some service-related communications cannot be opted out of while your account is active

Account Deletion

You can delete your account at any time:

1. Go to Settings > Account > Delete Account
2. Confirm deletion
3. Your data will be permanently deleted within 30 days

Alternatively, email us at kate@myclover.app to request account deletion.

Who Controls Your Data

EU Representative

[If applicable for companies outside the EU/EEA serving EU users, specify EU representative details]