Privacy Policy

1. Information We Collect

1.1 Information You Provide Directly

• Account registration information (name, email address, password, date of birth, biological sex)
• Health data you submit — symptoms, medications, supplements, health goals, medical history, and clinical notes
• Lab results, diagnostic reports, and medical records you upload or enter manually
• Genomic and DNA data, if you connect a compatible genetic testing service or upload raw data files
• Mental health information shared in conversations with Sylvia AI, including mood, stress levels, and psychological history
• Dietary logs, food intake records, and nutrition-related information
• Responses to health assessments, intake questionnaires, and platform surveys
• Communications with our support team

1.2 Data We Collect Automatically

• Wearable and biometric data synced from connected devices — heart rate, HRV, SpO₂, sleep stages, activity levels, skin temperature, and continuous glucose monitor readings
• Platform usage data — features accessed, AI model interactions, session duration, and navigation patterns
• Device identifiers, operating system, browser type, IP address, and approximate geolocation
• Crash reports and diagnostic data for platform stability

1.3 Data From Third Parties

• Apple Health, Google Health Connect, and compatible health data platforms (with your explicit authorization)
• Connected wearable manufacturers including Apple Watch, Garmin, Oura Ring, Whoop, and CGM providers
• Genetic testing partners (with your explicit authorization and consent)

2. How We Use Your Information

We use the information we collect exclusively to:

• Provide, operate, and improve our AI-powered health intelligence Services
• Generate personalized health insights, supplement protocols, and AI model responses
• Enable provider-ready clinical summaries, interaction screening, and decision support tools
• Perform herbal medicine, toxicology, and drug-herb interaction analysis via AskMN v3
• Deliver mental health support and crisis escalation protocols via Sylvia AI
• Perform nutrigenomic analysis and dietary personalization via NutriGen
• Perform genomic variant interpretation and pharmacogenomic profiling via Genlyy
• Maintain platform security, detect fraud, and prevent abuse
• Communicate service-critical updates, security notices, and support responses
• Comply with applicable laws and legal obligations

We do not use your health information for advertising, data brokerage, or any purpose unrelated to providing our Services to you.

3. No Model Training on User Data

Your personal health data, conversations, genomic profiles, and mental health disclosures are never used to train, fine-tune, or improve any Mother Nature AI model without your explicit, separate, opt-in written consent.

Our AI models — AskMN v3, Sylvia 2.1, NutriGen 1.0, and Genlyy 1.3 — are trained exclusively on licensed and publicly available medical literature, botanical databases, clinical guidelines, and research datasets. No inference is performed by routing user conversations to third-party general-purpose AI providers.

If we introduce a voluntary research data contribution program in the future, participation will be strictly opt-in with full disclosure of how your data will be used, and you may withdraw consent at any time.

4. Data Security

We implement layered, industry-leading security controls to protect your health data:

• Encryption at rest: AES-256 encryption for all stored health data and genetic information
• Encryption in transit: TLS 1.3 for all data transmitted between your device and our infrastructure
• HIPAA-conscious architecture: Infrastructure designed with HIPAA technical safeguard requirements including access controls, audit logging, workload isolation, and PHI boundary enforcement
• Zero-trust network architecture: Internal services operate on a least-privilege, zero-trust model with mutual TLS between components
• Role-based access control (RBAC): Access to user data requires explicit role authorization; no employee has unrestricted access to user health records
• Regular penetration testing: Third-party security assessments conducted at minimum annually, with critical findings remediated within defined SLAs
• Vulnerability disclosure program: Responsible disclosure policy in place for external security researchers

While we apply rigorous security controls, no system is perfectly immune to all threats. In the event of a security incident affecting your data, we will notify you as required by applicable law.

5. Special Category Health Data

Certain categories of health data receive enhanced protections under our practices and applicable law:

• Genomic and genetic data: Processed exclusively for the purpose of providing genomic health insights. Never disclosed to insurance companies, employers, or law enforcement without a valid court order. Retained only as long as you maintain an active account, unless you request earlier deletion.
• Mental health data: Conversations with Sylvia AI and any mental health disclosures are processed with the strictest privacy protections. Mental health data is never disclosed to third parties except to comply with mandatory reporting obligations (imminent risk of serious harm) under applicable law.
• Substance use and addiction data: Information related to substance use is subject to 42 CFR Part 2 protections where applicable and is never disclosed without your explicit consent except as required by law.
• Reproductive health data: Information about pregnancy, fertility, reproductive choices, and related health topics is treated as sensitive data and is not disclosed to third parties.

6. How We Share Your Information

We do not sell, rent, or share your personal health data with third parties for marketing, advertising, or commercial purposes. We may share your information only in the following limited circumstances:

• Service providers: Vendors who assist in operating our platform (cloud infrastructure, authentication, analytics) under strict data processing agreements and confidentiality obligations
• Healthcare providers: Only when you explicitly authorize sharing a specific report or summary with a named provider
• Legal compliance: When required by applicable law, court order, or valid government request — we will notify you to the extent legally permissible
• Business transfers: In connection with a merger, acquisition, or sale of assets, with prior notice and data protection obligations maintained for the successor entity
• With your consent: For any other purpose with your explicit, specific, informed consent

7. Data Retention and Deletion

We retain your personal health data for as long as your account is active or as needed to provide our Services. You can delete your account and all associated data at any time through your account settings. Account deletion initiates a 30-day deletion window after which all personal data — including health records, conversation history, genomic data, and wearable sync data — is permanently and irreversibly deleted from our systems.

De-identified, aggregated statistical data (with no re-identification risk) may be retained for platform analytics and system improvement. We may also retain certain information as required by applicable law, such as audit logs for security and compliance purposes, which are retained for the legally required retention period.

Genetic and genomic data is purged from our processing systems immediately upon account deletion and is not stored in offline backups beyond 90 days.

8. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal data ("right to be forgotten")
• Portability: Request your health data in a structured, machine-readable format
• Restriction: Request restriction of processing of your data in certain circumstances
• Objection: Object to processing of your data for specific purposes
• Withdrawal of consent: Withdraw previously given consent at any time

To exercise these rights, contact us via our contact page. We will respond to verified requests within 30 days (or the legally required timeframe in your jurisdiction).

9. California Consumer Privacy Act (CCPA)

California residents have specific rights under the CCPA, including the right to know what personal information we collect and how it is used, the right to delete personal information, and the right to opt out of the sale of personal information. Mother Nature AI does not sell personal information.

To submit a CCPA request, please contact us at our contact page. We will verify your identity before processing any request. California residents may designate an authorized agent to make requests on their behalf.

10. GDPR — European Users

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the General Data Protection Regulation (GDPR). Our lawful bases for processing include: performance of our contract with you, your explicit consent (for sensitive health data), and our legitimate interests in providing and improving our Services.

Data transfers outside the EEA to the United States are conducted under Standard Contractual Clauses (SCCs) as approved by the European Commission. You have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data in accordance with GDPR.

For GDPR inquiries, contact our EU representative through our contact page.

11. Cookies and Tracking Technologies

We use cookies and similar technologies for authentication, session management, security, and platform analytics. We use Mixpanel for aggregated product analytics. You can manage cookie preferences through your browser settings or our consent management tool.

We do not use tracking cookies for behavioral advertising. Analytics data is used solely to understand platform usage patterns and improve our Services.

12. Children's Privacy

Our Services are intended for individuals 18 years of age and older. We do not knowingly collect personal health information from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will delete such information promptly upon verification.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or Services. For material changes, we will provide prominent notice within the platform and via email at least 30 days before the changes take effect. Your continued use of our Services after the effective date of the updated policy constitutes acceptance of the changes.

14. Contact Us