Leo/Privacy

Privacy Notice.

What we collect, why we collect it, who we share it with, and the rights you hold over it. In plain English, with the legal terms where they need to be.

Last updated · 2026-05-16 · Data controller · Leo Mind & Body
§ 01

Why this page exists.

Leo handles health data. Some of it is Protected Health Information (PHI) under HIPAA; some of it is personal data under GDPR; some of it is personal information under CCPA. Different rules in different places, all aimed at the same thing — your data should belong to you.

This page is the honest statement of what we collect, why we collect it, who we share it with, and the rights you hold over it. The technical implementation that backs these claims lives at /security; the HIPAA-specific obligations live at /legal/hipaa.

§ 02

Our data promise.

Four commitments. These are the ones we mean to be measured against.

01 · We never sell your data
Not to advertisers, not to data brokers, not to insurance companies. No exceptions. There is no version of Leo where your health data becomes someone else's product.
02 · Your data stays yours
Per-user encryption means the unwrapped key for your Protected Health Information only ever exists on your device, in the iOS Keychain, which is protected by the device's Secure Enclave. Cloud KMS wraps every key server-side; we cannot read your PHI without the unwrapped key.
03 · Complete transparency
You can request a full export of everything we hold on you (PDF, JSON, or CSV) any time. The in-app audit log records every access to your PHI — yours and anyone you've shared with.
04 · Healthcare-grade security
AES-256-GCM at rest, P-256 ECDH with HKDF-SHA-256 for sharing, certificate pinning on every connection, biometric lock with a five-minute session timeout. The algorithms are named on /security.
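
How the sharing primitives named above fit together, as an added example in Python (not Leo's code): the owner's per-user content key is wrapped for one recipient with a pairwise key derived by P-256 ECDH and HKDF-SHA-256, and the wrap itself is AES-256-GCM. The per-user content-key model, the envelope layout and the `leo-phi-share-v1` label are assumptions, not details taken from this page. Requires the `cryptography` package.

```python
"""
Pairwise key sharing: P-256 ECDH -> HKDF-SHA-256 -> AES-256-GCM key wrap.

Added example, not Leo's code. Assumptions (not stated on the page): one
32-byte content key per user encrypts that user's PHI; to share with a
caregiver the owner derives a pairwise wrapping key and AES-GCM-wraps the
content key for that caregiver. The server stores only public keys and
envelopes, so it never holds an unwrapped key.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

CURVE = ec.SECP256R1()          # P-256
INFO = b"leo-phi-share-v1"      # assumed domain-separation label


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA-256, written out so the extract/expand steps are visible."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                     # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def pub_bytes(key: ec.EllipticCurvePublicKey) -> bytes:
    """Uncompressed X9.62 point encoding (65 bytes for P-256)."""
    return key.public_bytes(serialization.Encoding.X962,
                            serialization.PublicFormat.UncompressedPoint)


def load_pub(raw: bytes) -> ec.EllipticCurvePublicKey:
    return ec.EllipticCurvePublicKey.from_encoded_point(CURVE, raw)


@dataclass(frozen=True)
class Envelope:
    """What the server stores: no secret material, only the wrapped key."""
    sender_pub: bytes
    salt: bytes
    nonce: bytes
    wrapped_key: bytes  # AES-256-GCM ciphertext || 16-byte tag


def wrap_for(content_key: bytes, sender_priv: ec.EllipticCurvePrivateKey,
             recipient_pub_raw: bytes) -> Envelope:
    """Owner side: derive the pairwise KEK from ECDH + HKDF, wrap the content key."""
    shared = sender_priv.exchange(ec.ECDH(), load_pub(recipient_pub_raw))
    salt, nonce = os.urandom(32), os.urandom(12)    # fresh per wrap
    kek = hkdf_sha256(shared, salt, INFO)
    spub = pub_bytes(sender_priv.public_key())
    aad = spub + recipient_pub_raw + salt           # bind the envelope to both parties
    return Envelope(spub, salt, nonce, AESGCM(kek).encrypt(nonce, content_key, aad))


def unwrap(env: Envelope, recipient_priv: ec.EllipticCurvePrivateKey) -> bytes:
    """Recipient side: same ECDH secret from the other direction, then AES-GCM open.
    Raises InvalidTag if the envelope was tampered with or keyed for someone else."""
    shared = recipient_priv.exchange(ec.ECDH(), load_pub(env.sender_pub))
    kek = hkdf_sha256(shared, env.salt, INFO)
    aad = env.sender_pub + pub_bytes(recipient_priv.public_key()) + env.salt
    return AESGCM(kek).decrypt(env.nonce, env.wrapped_key, aad)


def demo() -> dict:
    """Owner shares a PHI key with a caregiver; a third key holder cannot open it."""
    owner, caregiver, outsider = (ec.generate_private_key(CURVE) for _ in range(3))
    content_key = AESGCM.generate_key(bit_length=256)   # the user's per-user PHI key
    env = wrap_for(content_key, owner, pub_bytes(caregiver.public_key()))
    recovered = unwrap(env, caregiver)
    try:
        unwrap(env, outsider)
        outsider_opened = True
    except InvalidTag:
        outsider_opened = False
    return {
        "recipient_recovers_key": recovered == content_key,
        "outsider_opened": outsider_opened,
        "envelope_holds_plaintext_key": content_key in env.wrapped_key,
        "wrapped_len": len(env.wrapped_key),   # 32-byte key + 16-byte GCM tag
    }


if __name__ == "__main__":
    print(demo())
```

HKDF is written out rather than imported so the extract and expand steps are visible. The AEAD's associated data binds the envelope to both parties' public keys and the salt, so a stored envelope cannot be re-addressed to another recipient without failing the tag check, which is also what the outsider in `demo()` hits. The PHI itself would then be encrypted under the recovered content key with AES-256-GCM in the same way.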
§ 03

What we don't do.

The corollary of the promise — these are absolute. None of them happens under any business arrangement, partnership, or future product direction.

We don't sell your personal or health data.

We don't share your data with insurance companies for underwriting, pricing, or eligibility decisions.

We don't serve targeted advertising inside Leo. No ad tech inside the app.

We don't grant third parties access to your PHI without a Business Associate Agreement, your explicit consent, or both.

We don't retain your data after you delete your account beyond the windows described in § 08.

We don't train any third-party model on your individual health data. Period.

§ 04

What we collect & why.

Four categories. Each gets its own purpose, lawful basis, and retention treatment.

Health data
Medications & doses, vital signs, symptoms, mood, sleep, journal entries, lab results, cycle & pregnancy logs, and condition-specific records. Collected only when you log it. Encrypted on your device before it leaves. Used to power Leo's on-device pattern engines and to surface your own record back to you.
Account data
Email address, display name, date of birth (for age verification), and authentication tokens. Used to sign you in, link family members, and recover your account.
Device data
iOS version, device model, app version, and crash diagnostics. Used to keep the app working and to prioritize fixes for the devices our users actually carry.
Usage data
Anonymous, aggregated counts of which features are opened and how often (only when you grant analytics consent in the in-app banner). Used to decide what to build next. Individual sessions are not linked back to identifiable users.
§ 05

Your data rights.

Regardless of where you live, the following four rights apply. The GDPR-specific and CCPA-specific expansions live in § 09 and § 10.

Right to access
Request a copy of everything Leo holds on you. Native export to PDF, JSON, or CSV is built into the app.
Right to delete
Request deletion of your account and PHI. We process and confirm within thirty (30) days.
Right to correct
Most fields are user-editable directly in Leo. Corrections to read-only records can be requested by writing to privacy@leomindbody.com.
Right to know
Request a list of the third-party processors that handle your data and what each one does. § 06 below names them.
§ 06

Third-party processors.

Under GDPR Article 28, we're required to name every processor that handles personal data on our behalf. Here's the full list as of today.

Google Cloud Platform
Underlying infrastructure (Firestore, Cloud Functions, Cloud KMS).
Location: United States · Status: in progress
Firebase / Firebase Auth
Authentication, database, push notifications. Part of Google Cloud's BAA scope.
Location: United States · Status: in progress
Google Analytics
Anonymous web and app analytics. Only when you grant analytics consent in the in-app banner.
Location: United States · Status: no PHI
Stripe
Payment processing for donations and subscriptions. Receives no PHI.
Location: United States · Status: no PHI
Shopify
Ambassador rewards store and product fulfillment. Receives no PHI.
Location: Canada / United States · Status: no PHI
Apple HealthKit
On-device-only health data sync. Data never reaches our servers via HealthKit.
Location: on-device only · Status: n/a
Resend
Transactional email (consent confirmations, parental notices, account-deletion receipts, nurse-link approval requests). Emails carry first names and operational identifiers, never raw lab values or journal text.
Location: United States · Status: DPA in place
§ 07

International data transfers.

Leo is operated from the United States. If you are in the European Economic Area, the United Kingdom, Switzerland, or another country with comprehensive data protection laws, your data is transferred to the U.S. under one of the lawful mechanisms recognized by your jurisdiction.

Standard Contractual Clauses (SCCs)
Where required, the European Commission's Standard Contractual Clauses (2021/914) are in place with our U.S. processors (Google Cloud, Stripe) to govern the transfer of personal data outside the EEA.
Adequacy decisions
Where the destination country benefits from a European Commission adequacy decision, transfers are made on that basis.
Supplementary measures
Per-user encryption, certificate pinning, and the on-device key model described on /security function as supplementary measures: PHI in transit and at rest is encrypted with keys we cannot unwrap without the user's device.
§ 08

Data retention.

We retain data for the periods listed below. Deletion is honored automatically for everything outside the legal-hold windows.

Health data & journal entries
Until you delete it, or until you delete your account

You control retention directly. Delete an entry, it's gone; delete the account, all of it is gone within 30 days.

Account data
Until you delete your account

Retained as long as the account is active. Deleted within 30 days of account deletion.

Audit logs (PHI access)
Minimum 6 years (HIPAA documentation requirement)

HIPAA requires a minimum retention; we currently do not enforce a hard upper bound. An enforced retention policy is on the roadmap (see /legal/hipaa § 11).

Analytics (anonymous & aggregated)
Up to 14 months

Google Analytics default retention. Individual users are not identifiable from analytics data.

Crash diagnostics & device logs
Up to 90 days

Auto-purged at the platform level.

Payment records (Stripe)
Up to 7 years

Required by U.S. and EU financial-records law. Stripe is the processor; we do not see your card details.

§ 09

GDPR rights (EU & UK).

If you're in the EU, EEA, UK, or Switzerland, the General Data Protection Regulation (and the UK's post-Brexit equivalent) grants you the following rights. They apply on top of the universal rights in § 05.

Lawful basis · GDPR Art. 6
We process your data on one of four lawful bases: consent (analytics, marketing communications), contract (delivering the Leo service you signed up for), legal obligation (HIPAA, breach notification, financial records), and legitimate interest (debugging, security, fraud prevention — never marketing).
Art. 15
Right of access.

Request a copy of the personal data we hold on you. Native export to PDF / JSON / CSV is built into Leo.

Art. 16
Right to rectification.

Request corrections to inaccurate personal data we hold.

Art. 17
Right to erasure.

Request deletion of your personal data. Honored within 30 days of confirmation.

Art. 18
Right to restriction.

Request that we limit how we process your data while a question is being resolved.

Art. 20
Right to data portability.

Receive your data in a structured, machine-readable format (JSON / CSV) you can take to another provider.

Art. 21
Right to object.

Object to processing based on legitimate interests or for direct marketing. We don't do direct marketing today; the right still applies if we ever do.

Art. 77
Right to complain.

File a complaint with your national Data Protection Authority. You do not need to contact us first, though we'd rather have the chance to fix it.

To exercise any of these rights, write to privacy@leomindbody.com. We respond within thirty (30) days.

§ 10

CCPA rights (California).

If you are a California resident, the California Consumer Privacy Act (as amended by CPRA in 2023) gives you specific rights over the personal information we collect. Leo does not currently meet CCPA's revenue thresholds for mandatory compliance, but we honor every right below as a matter of standard practice.

01
Right to know.

Request the categories of personal information we collect, the sources we collect from, the business purpose for collection, and the categories of third parties we share with.

02
Right to delete.

Request deletion of your personal information. Honored within 30 days unless we have a legal exemption (e.g., the HIPAA audit-log retention requirement in § 08).

03
Right to correct.

Request corrections to inaccurate personal information we hold (added by CPRA, 2023).

04
Right to opt out of sale / sharing.

Direct us not to sell or share your personal information. We do not sell or share personal information for cross-context behavioral advertising — this right is in place even though we never exercise it.

05
Right to limit use of sensitive personal information.

Restrict our use of sensitive personal information (health data falls into this category) to what is strictly necessary to provide the service (added by CPRA, 2023).

06
Right to non-discrimination.

Exercise your CCPA rights without us charging you more, providing a lower quality of service, or otherwise penalizing you for doing so.

California residents can exercise any of these rights by writing to privacy@leomindbody.com. We will verify your identity (typically by confirming the email associated with your account) and respond within forty-five (45) days as required by Cal. Civ. Code § 1798.130.

No sale or sharing
We do not “sell” or “share” personal information as those terms are defined in Cal. Civ. Code § 1798.140. We have no advertising SDKs, no targeted-ad partners, and no data brokers. The required “Do Not Sell or Share My Personal Information” signage is therefore a confirmation rather than a choice — toggling it changes nothing because there is nothing to opt out of.
Under-16 opt-in
Cal. Civ. Code § 1798.120(c) requires affirmative opt-in before selling or sharing the personal information of any California resident under 16. Because Leo never sells or shares, no opt-in is solicited. If we ever introduce a feature that would constitute sale or sharing, we will re-confirm direct consent from the parent (under 13) or the teen (13–15) before the data in question leaves Leo.
Age-Appropriate Design (alignment)
Leo voluntarily aligns with the spirit of the California Age-Appropriate Design Code Act (AB 2273): high-privacy defaults for under-18 accounts (no targeted advertising at any age tier, mood and journal sharing OFF by default on partner links, parental review queues on minor lab imports), clear age-appropriate notices in the in-app onboarding flow, and explicit no-dark-pattern decisions on opt-out flows (a single tap pauses or deletes — no friction wall).
§ 11

Children's data.

Leo is used by both adults and children. We handle children's data with extra care.

Under 13 · COPPA-aligned flow
Children under 13 cannot create an account on their own. A parent or guardian must create their own account first and generate a six-character code; the child then enters that code at signup, which creates the child account and links it to the parent atomically (server-side). This is the verifiable parental consent mechanism required by the Children's Online Privacy Protection Act (COPPA).
How we verify the parent (VPC method)
Leo classifies its verifiable parental consent method as email-based affirmative consent within an authenticated session — a recognized VPC approach under 16 CFR § 312.5(b)(2)(v) when paired with the operator's “internal use only” restriction. Specifically: the parent must (a) hold a Firebase Authentication session on a verified email address, (b) tap through an in-app consent screen that lists every category Leo collects from the child, and (c) confirm receipt of a direct-notice email (sent by Leo Support at support@leomindbody.com) that recaps what was just consented to and surfaces the parental controls. The parent can revoke at any time by replying to that email, opening the in-app parental dashboard, or contacting privacy@leomindbody.com. We do not use children's information for any purpose other than operating Leo for that child and supplying it to the linked parent and clinical caregivers.
Consent record & how long we keep it
Every consent grant is captured in three places: (1) the parentChildLinks document with the parent and child user IDs and the server timestamp; (2) a consentGrant entry in our HIPAA audit log with the policy version that was current at the time, the verification method, and the message-id of the direct-notice email; (3) the email itself, which is retained by our transactional-email provider for the standard logging window. Parents can view their own consent record on demand inside Leo at Parent → Children → Consent record. Under 16 CFR § 312.8, we retain the consent record for the active life of the child account plus one year after the account is closed or deleted, whichever is later.
HealthKit Clinical Records & minor accounts
Apple's Health Records integration lets a device pull lab results, conditions, medications, and visit summaries from connected provider portals (Labcorp, MyChart, Epic, Cerner). On a shared family iPhone, the iOS picker can expose every connected portal — including a parent's or a sibling's. For under-13 accounts, Leo refuses to invoke the picker until the parent flips an explicit consent flag inside Parent → Children → Health Records. Even once consent is granted, every imported lab report lands in a per-record review queue (Parent → Children → Lab review); caregivers, school nurses, and partners cannot see the report until the parent confirms the source provider and subject name and taps Approve. Parents may also upload labs for a child directly via Parent → Children → Scan a lab — parent-uploaded labs skip the review queue because the parent is both the source and the reviewer.
Minimum-necessary collection
COPPA 16 CFR § 312.7 prohibits the operator from conditioning a child's participation on the disclosure of more personal information than is reasonably necessary. Leo's under-13 signup form collects exactly six fields: email, password, first & last name, date of birth (to enforce the age gate), and the parent code that verifies parental consent. Phone, address, school, medical conditions, and every other field are entirely optional and skippable — both at signup and afterwards. No feature inside Leo is gated behind providing optional information; the in-app onboarding wizard offers a per-step Skip and a top-level “Skip Setup” button. If you spot a field that you feel is required without good reason, please write to privacy@leomindbody.com.
Retention
Children's data is kept only as long as it's reasonably necessary to operate Leo for that child, the standard COPPA retention principle under 16 CFR § 312.10.
Active accounts. Retained for the life of the account. The parent may pause or delete at any time from Parent → Children → ⋯.
Inactive accounts. If neither the child nor the parent signs in for ~18 months, a daily server-side sweep emails every parent on file and stamps the account for deletion 30 days later. Logging in once during that window clears the stamp. If the deadline passes, the next sweep purges the account through the same wipe path as a parental deletion: every health entry, every relationship link, every uploaded file, and the Firebase sign-in itself.
Deleted accounts. Backups are retained for 30 days post-deletion for disaster recovery, then expire. A confirmation email goes to the parent under separate cover.
Consent records. The audit row that records the parental consent grant (the VPC method, the policy version in force, and the direct-notice message id) is retained for the life of the account plus one year post-closure (16 CFR § 312.8).
HIPAA audit logs. Access-to-PHI audit rows are retained for 6 years (HIPAA baseline). Rows older than that are purged weekly except for retention-significant actions (consent grants, deletion records, retention-driven purges).
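The inactive-account sweep described under Retention, written out as a small state machine (an added example, not Leo's server code): active, then stamped after ~18 months of no sign-in, back to active on any sign-in, purged once the 30-day deadline passes. The 548-day threshold, the account fields, the notifier, the purge path and the audit row are constructed stand-ins.

```python
"""
Inactive-account sweep for child accounts, as a state machine:
  active  --(no sign-in for ~18 months)--> stamped (parents emailed, 30-day deadline)
  stamped --(any sign-in)--> active
  stamped --(deadline passed)--> purged

Added example, not Leo's code. The account record, the notifier, the purge
path and the audit row are constructed stand-ins for whatever Leo runs.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

INACTIVITY = timedelta(days=548)   # ~18 months (assumed exact value)
GRACE = timedelta(days=30)         # deletion is stamped 30 days out


@dataclass
class ChildAccount:
    uid: str
    parent_emails: list[str]
    last_sign_in: date                   # latest sign-in by the child or any parent
    delete_after: date | None = None     # the deletion "stamp"; None when not stamped
    data: dict = field(default_factory=lambda: {"entries": 3, "links": 1, "files": 2, "auth": True})
    purged: bool = False


@dataclass
class Sweep:
    """Daily run. Records what it emailed and purged, and writes the
    retention-significant audit rows that survive the 6-year audit purge."""
    emails: list[tuple[str, str]] = field(default_factory=list)   # (uid, parent email)
    purged: list[str] = field(default_factory=list)
    audit: list[tuple[str, str]] = field(default_factory=list)

    def run(self, accounts: list[ChildAccount], today: date) -> None:
        for acct in accounts:
            if acct.purged:
                continue
            if acct.delete_after is None:
                # Not yet stamped: stamp once and email every parent on file once.
                if today - acct.last_sign_in >= INACTIVITY:
                    acct.delete_after = today + GRACE
                    self.emails.extend((acct.uid, e) for e in acct.parent_emails)
            elif today >= acct.delete_after:
                # Deadline passed; ">=" also covers days on which the sweep did not run.
                self.purge(acct)

    def purge(self, acct: ChildAccount) -> None:
        """Same wipe path as a parental deletion: entries, links, files, sign-in."""
        acct.data = {"entries": 0, "links": 0, "files": 0, "auth": False}
        acct.purged = True
        self.purged.append(acct.uid)
        self.audit.append((acct.uid, "retention-purge"))


def record_sign_in(acct: ChildAccount, today: date) -> None:
    """Any sign-in (child or parent) during the window clears the stamp."""
    acct.last_sign_in = today
    acct.delete_after = None


def simulate() -> dict:
    """Constructed scenario: child-a and child-b are 600 days idle, child-c is
    active. A parent of child-b signs in on day 10; nobody touches child-a."""
    start = date(2026, 5, 16)
    a = ChildAccount("child-a", ["p1@example.com", "p2@example.com"], start - timedelta(days=600))
    b = ChildAccount("child-b", ["p3@example.com"], start - timedelta(days=600))
    c = ChildAccount("child-c", ["p4@example.com"], start - timedelta(days=5))
    sweep = Sweep()
    for day in range(45):
        now = start + timedelta(days=day)
        if day == 10:
            record_sign_in(b, now)
        sweep.run([a, b, c], now)
    return {
        "purged": sweep.purged,
        "warning_emails": len(sweep.emails),
        "b_stamp_cleared": b.delete_after is None and not b.purged and b.data["entries"] == 3,
        "c_untouched": c.delete_after is None and not c.purged and c.data["entries"] == 3,
        "a_wiped": a.data == {"entries": 0, "links": 0, "files": 0, "auth": False},
        "audit": sweep.audit,
    }


if __name__ == "__main__":
    print(simulate())
```

The single `elif` is what keeps a stamped account from being emailed again every day, and the `>=` on the deadline is what keeps a missed sweep day from postponing a purge indefinitely. A sign-in resets both the timestamp and the stamp, so a parent who logs in on day 29 is not purged on day 30 and is not immediately re-stamped either.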
School nurses & minor accounts
Leo supports a school-nurse role so a credentialed school health office can administer medications at school. For a student under 13, the nurse must request the link by entering the student's rotating patient code; the request is created in an inactive pendingParentApproval state, an approval email is sent to every parent on file, and the parent must explicitly approve inside Leo (Parent → Children → Nurse requests) before the nurse can see any of the student's data. Until the parent approves, the nurse's app shows the student as “awaiting parental approval” and our server-side rules block every PHI read. Either party may revoke nurse access at any time from inside the app.
Ages 13 – 17
Teens 13 and older may create their own Leo account. Parents may still link to a teen account through the standard parent-child linking flow if the teen consents.
No marketing to children
We do not target advertising or marketing communications at children of any age. There is no ad tech inside Leo at any age tier.
Parental data rights
For accounts of children under 13, the parent has four in-app rights, each surfaced inside Parent → Children → ⋯ on the child's detail screen, and each also exercisable by email reply to the direct-notice message:
Review all data — receive a complete JSON archive of everything Leo stores under the child account (16 CFR § 312.6(a)(1)(i)).
Pause data collection — refuse further collection without deleting the account; historical data is preserved (16 CFR § 312.6(a)(1)(iii)).
Delete this account — wipe every health entry, every relationship link, every uploaded file, and the Firebase sign-in itself (16 CFR § 312.6(a)(1)(ii)).
Consent record — view the consent grant timestamp, the policy version at grant time, and the audit-log entry.
The parent will also receive an updated direct notice (per 16 CFR § 312.4(c)) whenever the categories of information collected materially change — for example, when the child enables Apple Health or imports records from an outside provider. Written requests can go to privacy@leomindbody.com.
§ 12

Changes to this notice.

We update this notice when the underlying facts change — when a new processor is added, when a retention period changes, when a new right becomes available, or when a regulator publishes guidance that affects how we describe what we do.

Significant changes are announced in two ways: (a) the “last updated” date at the top of this page changes, and (b) for material changes, we email account holders before the change takes effect. Continued use of Leo after a change constitutes acknowledgment of the updated notice; if a change is not acceptable to you, you may delete your account under § 05.

§ 13

How to contact us.

For any privacy question, complaint, or to exercise a right under §§ 05, 09, 10, or 11, write to privacy@leomindbody.com.

For HIPAA-specific questions or to exercise rights under HIPAA, the dedicated contact is on /legal/hipaa. For terms-of-service or contractual questions, the dedicated contact is on /legal/terms.