Privacy Policy
Last Updated: March 2026
Monty Health ("we", "our", "us") is committed to protecting your privacy. This policy describes how we collect, use, store, and protect your personal information when you use our mobile application ("the App") and related services.
1. Data Controller
Monty Health is the data controller responsible for your personal data. For any privacy-related inquiries, contact us at support@monty.health.
2. Data We Collect
We collect the following categories of personal information:
Account Information:
- Email address (via Firebase Authentication or Google Sign-In)
- Display name
- Anonymous user ID (for subscription management)
Health & Wellness Data (self-reported):
- Daily wellness logs (mood, sleep quality, exercise, diet notes)
- Symptoms and severity ratings
- Supplements taken
- Meal descriptions
- Health profile information (conditions, allergies, medications)
Usage Data:
- AI consultation and chat conversation history
- Subscription purchase history (managed by Apple and RevenueCat)
- Device tokens for push notifications (via Apple Push Notification service)
3. Legal Basis for Processing
We process your personal data on the following legal bases:
- Contract performance: Processing necessary to provide the App's core functionality (health logging, AI consultations, data storage).
- Consent: You provide explicit consent when you enter health data, use AI features, or enable push notifications. You may withdraw consent at any time by deleting your data or account.
- Legitimate interest: Maintaining the security and functionality of the App, preventing fraud and abuse.
4. How We Store Your Data
Monty stores your health data locally on your device using an encrypted SQLite database. If you are a Pro subscriber, your data is also backed up to Firebase Cloud Firestore using end-to-end encryption (NaCl secretbox). The encryption key is generated on your device and stored securely in your device keychain. We cannot read your encrypted health data on our servers.
5. Third-Party Services
We use the following third-party services to provide the App:
Firebase (Google): Authentication (including Google Sign-In), encrypted data backup, and cloud functions. Firebase processes your email address, authentication tokens, and encrypted health data. Google's Privacy Policy.
Google Sign-In: If you choose to sign in with Google, Google shares your name, email address, and profile picture with the App. We only use your email and display name. Google's Privacy Policy.
OpenAI: When you use AI features (consultations, chat, insights), your health data summary is sent through our secure Cloud Function to OpenAI's API to generate personalized wellness recommendations. We use the OpenAI API with data retention disabled; your data is not stored by OpenAI for model training. OpenAI's API Data Usage Policy.
RevenueCat: Manages subscription purchases. RevenueCat receives your anonymous user ID and purchase data from Apple. It does not receive your health data. RevenueCat's Privacy Policy.
Apple (In-App Purchases & Push Notifications): Subscription payments are processed by Apple. We do not receive or store your payment information. Push notification delivery is handled via Apple Push Notification service (APNs), which uses device tokens.
6. AI-Powered Features & Automated Decision-Making
When you use AI features:
- Recent health data summaries (up to 90 days) are sent as context to generate personalized recommendations.
- Chat messages you type are sent to process your questions.
- Data is transmitted from your device over encrypted HTTPS to our Firebase Cloud Function, which forwards it to OpenAI's API.
- We do not log or store the content of AI conversations on our servers.
- AI features are entirely optional. You can use the App for logging without ever using AI features.
Automated Decision-Making: The App uses AI to analyze patterns in your self-reported health data and generate wellness suggestions. These AI-generated outputs are informational only and do not constitute medical advice. No automated decisions with legal or similarly significant effects are made about you. You are never obligated to follow AI recommendations.
7. International Data Transfers
Your data may be processed in the United States, where our third-party service providers (Firebase, OpenAI, RevenueCat) are located. If you are accessing the App from outside the United States (including the European Economic Area), you acknowledge that your data will be transferred to and processed in the United States. We rely on the service providers' data protection measures and standard contractual clauses where applicable to safeguard transferred data.
8. Data Sharing
We do not sell, rent, or share your personal health data with any third parties for marketing or advertising purposes. We do not participate in data broker arrangements. Data is only shared with the third-party services listed in Section 5 as necessary to provide the App's functionality.
9. Data Encryption
Health data backed up to the cloud is encrypted using NaCl secretbox encryption before leaving your device. The encryption key is stored in your device's secure keychain and is never transmitted to our servers. We cannot decrypt or read your health data.
10. Data Retention
- Local data: Stored on your device until you delete it or uninstall the App.
- Cloud backups: Retained until you delete your account. Encrypted backups are removed within 30 days of account deletion.
- Authentication data: Your Firebase authentication record is deleted when you delete your account.
- AI conversation data: Not stored on our servers. OpenAI processes requests in real time with zero data retention per our API configuration.
- Subscription data: Managed by Apple and RevenueCat according to their respective retention policies.
11. Data Retention & Deletion
You can permanently delete all local data at any time from Profile > Clear All Data. You can delete your entire account (including all cloud data) from Profile > Delete Account. Once deleted, data cannot be recovered.
12. HIPAA Disclaimer
Monty is not a HIPAA-covered entity. While we take data security seriously and encrypt your health data, Monty is a consumer wellness app, not a healthcare provider or health plan. Do not use Monty to store information that requires HIPAA-level protection.
13. Children's Privacy
Monty is not intended for children under 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete that data promptly.
14. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate personal data.
- Right to erasure: Request deletion of your personal data (available via Profile > Delete Account).
- Right to restrict processing: Request that we limit how we use your data.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interest.
- Right to withdraw consent: Withdraw your consent at any time (this does not affect processing done prior to withdrawal).
For EU/EEA residents: You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully.
For California residents (CCPA): You have the right to know what personal information we collect and how it is used, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell your personal information. To exercise any of these rights, contact us at support@monty.health. We will not discriminate against you for exercising your rights.
To exercise any of these rights, contact us at support@monty.health. We will respond to verified requests within 30 days.
15. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you through the App or by updating the "Last Updated" date. Your continued use of the App after changes are posted constitutes acceptance of the revised policy.
16. Contact
For privacy questions or to exercise your data rights, contact: support@monty.health