Privacy Policy

Last Updated: January 27, 2026

Judy's mission is to help people achieve sustainable wellness through AI-powered personalized guidance and behavior change. This Privacy Policy explains what information we collect through our mobile application and services, how we use it, and what choices you have about it.

By creating an account and using Judy, you confirm that you understand and agree to this Privacy Policy. If you do not agree, you must refrain from using the app. When we process data that requires your explicit consent, such as certain health data or optional features, you will be asked to provide that consent separately, and you may withdraw it at any time.

1. What Information We Collect

The information we collect depends on how you interact with Judy, the features you use, and the choices you make. We collect information you provide directly, information collected automatically, and information from third-party sources.

a. Information You Provide During Registration
Data Categories: Name, email address, and onboarding information including your primary wellness objective, current weight, height, target weight, desired program duration, date of birth, biological sex, and activity level.

b. Information You Provide While Using Judy
Data Categories: Profile updates, modifications to your weight or activity levels, and any information you voluntarily share through conversations with our AI coach, including details about nutrition intake, physical activities, wellness objectives, challenges, and health-related goals.

AI Coach Interactions: Because Judy provides an AI-powered conversational coach, the messages you exchange with the AI may contain health-related information, dietary preferences, emotional states, and other personal details. We use this information to provide personalized guidance and improve your experience.

c. Information We Collect Automatically
Data Categories:

• Technical Data: Device type, operating system, app version, anonymized IP address, session frequency, usage duration, and interaction patterns
• Log Data: Information that your device automatically sends when you use Judy, including browser type and settings, date and time of use
• Geolocation Data: General geographic location (such as city, state, and country) inferred from your IP address
• Usage Data: Your activity within the app, such as features accessed, time spent on different screens, and navigation patterns
• Crash Data: Information about app performance and crashes to help us improve stability

d. Cookies and Tracking Technologies
Data Categories: Essential session data to maintain your login status and ensure core functionality, plus optional analytics data to understand usage patterns and enhance services.

Google Tag Manager: We use Google Tag Manager to collect anonymous information about how you use our website and app. This includes page views, session duration, navigation patterns, feature interactions, conversion events, and user engagement metrics. Google Tag Manager enables us to efficiently manage tracking tools and may include analytics, marketing, and other measurement services. This information helps us understand user behavior, optimize our services, assess marketing effectiveness, and improve your experience.

You can control certain tracking preferences in your device's privacy settings or browser settings.

e. Information for Future Features (Requiring Separate Consent)
Voice Inputs: When available, you may have the option to interact with the AI coach using voice. Voice data processing (which may contain health-related information) will require your explicit consent and may be withdrawn at any time.

Images: You may choose to upload images, such as meal or activity photographs, to enhance personalization and receive more specific guidance from the AI coach. These will only be processed with your explicit consent and managed in compliance with applicable data protection laws.

f. Information from Third-Party Integrations
Data Categories:

• Information shared with AI service providers (such as Google Gemini and Anthropic) to power our AI coach and generate personalized responses
• Data stored on Google Cloud infrastructure
• Information from fitness trackers or health apps you choose to connect with Judy

We have Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) in place with these providers to ensure robust data protection and GDPR compliance.

When you are asked to provide information, you may decline or use device controls to prevent certain types of data collection. In some cases, if you choose not to provide information that is necessary, some features may not be available or fully functional.

2. How We Use Your Information

We use your personal information, including health-related data, to deliver personalized wellness services, improve our offerings, and communicate with you. Here's how we use the information we collect:

Service Delivery and AI Coach Personalization — To provide personalized guidance through our AI coach, create tailored recommendations, customized meal plans, activity suggestions, and motivational support based on your goals and progress.

Product Improvement and Development — To improve our AI models, enhance recommendation accuracy, develop new features, and conduct user research. We use aggregated, anonymized, or pseudonymized data to analyze trends and understand what users value most.

Communication — To send notifications, reminders, and updates relevant to your goals and activities; inform you of significant app changes or policy updates; respond to your inquiries and provide customer support.

Security and Fraud Prevention — To maintain service security and integrity, detect and prevent fraud, address unauthorized access, protect your account through system monitoring, access controls, and encryption measures.

Business Operations — To operate our business, including billing, accounting, improving internal operations, securing systems, and meeting legal obligations.

Legal Compliance — To comply with applicable laws, regulations, or legal requests, such as responding to authorities or retaining records for tax, audit, or dispute resolution purposes.

Marketing — To communicate about new features, offers, promotions, and information about our services. You can opt out of marketing communications at any time.

We combine data we collect from different sources for these purposes to give you a more seamless, consistent, and personalized experience.

3. How and When We Share Your Information

We respect your personal data's confidentiality and share it with third parties only under strictly defined circumstances. We use contractual and technical measures to ensure any third party accessing your information adheres to rigorous privacy and security standards.

a. AI Service Providers (Data Processors)
We engage trusted third-party AI service providers to power Judy's conversational coach and personalized recommendations. These entities process your personal data exclusively on our behalf and under our instructions:

Google Gemini APIs: We utilize Google's Gemini AI services to generate personalized responses and insights from our AI coach. Your conversations and data shared with the AI are processed through these APIs in accordance with Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs).

Anthropic APIs: We may use Anthropic's AI services to enhance our AI coach capabilities. All data processing adheres to strict privacy and security standards.

Cloud Infrastructure (Google Cloud): Your data is hosted and managed using Google's secure cloud infrastructure. Google is contractually obligated to implement robust security measures and comply with applicable laws.

We do not disclose granular details of our underlying technical systems to safeguard our platform's integrity and security. All service providers are contractually required to maintain the same high data protection standards outlined in this Privacy Policy.

b. Other Service Providers
We share information with vendors working on our behalf for purposes such as:

• Payment processing and fraud prevention
• Customer service support
• Analytics and app performance monitoring
• Marketing and advertising services

c. Legal and Regulatory Disclosures
We may disclose your personal data if legally required or if we reasonably believe doing so is necessary to: comply with legal obligations, legal processes, or regulatory requests; enforce our Terms of Service or other agreements; protect the rights, property, or safety of Judy, our users, or the public.

d. Business Transfers
In the event of a merger, acquisition, asset sale, or similar corporate transaction, your personal data may be transferred to the acquiring or successor entity. We will notify you of any material changes to this Privacy Policy or data handling practices and provide options to exercise your rights where applicable.

e. Advertising and Analytics Partners
Third-party analytics and advertising companies may collect information through our website and app, including device identifiers, IP addresses, and usage data, as described in our use of Google Tag Manager. These third parties may combine this data across multiple sites to improve analytics and advertising.

f. With Your Consent
We may share your information with other third parties when you explicitly direct us to do so, such as when you connect Judy with other health or fitness apps. Such sharing is governed by those third parties' privacy policies.

4. Data Protection and Storage

We take your personal data security very seriously. We apply industry-standard safeguards and best practices to protect your information from unauthorized access, loss, misuse, alteration, or disclosure.

Where Your Data Is Stored: Your personal data is stored in Firebase Database and Google Cloud infrastructure. These services operate in regions designed to comply with GDPR and other relevant data protection regulations.

Security Measures We Implement:

• Encryption: Data is encrypted both in transit (using TLS/SSL) and at rest to prevent unauthorized interception or access.
• Access Controls: Strict authentication protocols ensure only authorized personnel can access your data, and solely on a need-to-know basis for legitimate business purposes.
• Regular Security Audits: We continuously monitor our systems and conduct periodic security audits to identify vulnerabilities and maintain robust security posture.
• Incident Response: In the event of a data breach, we will follow a documented incident response plan to mitigate harm and notify you and relevant authorities as required by law, typically within 72 hours of discovery.
• AI-Specific Protections: We implement additional safeguards for data processed by our AI systems, including input validation, output filtering, and monitoring for potential data leakage or unauthorized disclosures.

5. How Long We Keep Your Information

We retain your personal information only as long as necessary to provide our services, fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

• Active accounts: Data is retained while your account is active and you continue using our services
• Closed accounts: After account deletion, most personal data is deleted or anonymized within 30-90 days, except where retention is required by law
• Legal obligations: Some data may be retained longer to comply with tax, accounting, audit, or legal requirements (typically 3-7 years)
• Anonymized data: We may retain anonymized or aggregated data indefinitely for analytics and research purposes, as this data cannot identify you

You can request deletion of your data at any time by contacting us at contact@WithJudy.com. After verification, we will delete or anonymize your information unless legal requirements mandate retention.

6. Your Rights and Choices

We provide you with meaningful control over your information. Many of these controls are built directly into your Judy account settings.

• Edit your profile information at any time through your account settings
• Update your health goals and preferences to adjust your AI coach's personalization
• Review your conversation history with the AI coach
• Connect or disconnect third-party apps and services
• Close your account and delete your data
• Request a copy of the personal data we hold about you
• Correct inaccurate information directly in your profile settings
• Object to processing for certain purposes, including marketing
• Withdraw consent at any time where processing is consent-based
• Opt out of targeted advertising via device settings

Judy will never discriminate against you for exercising any of these rights. You will not receive different pricing, service quality, or features based on exercising your privacy rights.

How to exercise your rights: Email contact@WithJudy.com using the email address associated with your Judy account.

7. International Data Transfers

The information we collect may be stored and processed in your country or region, or in any other country where we or our service providers operate. Currently, we primarily use data centers in the United States.

We take steps to protect your information as described in this Privacy Policy wherever the data is located. When we transfer data internationally, we use legal mechanisms to help ensure your rights and protections, including Standard Contractual Clauses (SCCs), Data Processing Agreements (DPAs), and ensuring adequate security measures are in place.

8. State-Specific Disclosures (U.S.)

Residents of certain U.S. states have additional privacy rights under state laws including California's CCPA/CPRA, Virginia's CDPA, Colorado's CPA, Connecticut's CTDPA, Utah's UCPA, and similar laws. These rights include the right to know what information we collect, the right to deletion, the right to correction, the right to opt out of sale or sharing, and the right to limit use of sensitive personal information.

We will respond to verifiable requests within 45 days of receipt. To exercise your rights, email contact@WithJudy.com.

9. Residents of the EEA, UK, and Switzerland

If the processing of your information is subject to European Economic Area (EEA), United Kingdom (UK), or Swiss data protection law, you have specific rights under GDPR including the right to access, rectification, erasure, restriction, data portability, and the right to object to processing. You also have the right to lodge a complaint with your local supervisory authority.

We rely on consent, contract performance, legitimate interests, and legal obligation as legal bases for processing your personal data. For questions, contact us at contact@WithJudy.com.

10. Children's Privacy

Judy is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without valid parental consent, we will delete that information promptly. If you believe we have collected information from a child, please contact us immediately at contact@WithJudy.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time as our services evolve, laws change, or new regulations emerge. When we make material changes, we will notify you by posting the updated policy with a new "Last Updated" date, sending you an email notification, or displaying an in-app notification.

Your continued use of Judy after the updated Privacy Policy takes effect constitutes acceptance of the changes. If you do not agree with the revised Privacy Policy, you must discontinue using our services.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: contact@WithJudy.com

We aim to respond to all inquiries within 30 days or as required by applicable law.

By using Judy, you acknowledge that you have read, understood, and agreed to this Privacy Policy.