Effective date: 2026-05-01
Last updated: 2026-05-01
This Privacy Policy describes how SELO ("we", "our", or "us") collects, uses, and shares information when you use the SELO mobile application (the "App") and related services (collectively, the "Service").
By installing or using the App, you agree to this Privacy Policy. If you do not agree, please do not use the App.
1. Who we are
SELO is operated by Ibrahim Al Houti, an individual sole proprietor based in Kuwait, doing business as SELO Technology ("we", "our", or "us"). For privacy questions or to exercise your rights, contact:
Email: privacy@selotechnology.com
Mailing address: Available on request
2. Information we collect
2.1 Information you provide directly
- Account information — email address and password when you create an optional cloud account.
- Profile information — first name, family name, age, sex, height, current weight, target weight, target timeline, training goals, and self-reported activity level.
- Body composition data — DEXA, InBody, or other scan results you enter manually or import via OCR or AI vision extraction (body fat %, lean mass, fat mass, visceral fat, BMR, RSMI, BMD Z-score, and related fields).
- Health logs — meals (food name, calories, protein/carbs/fats), workouts (type, duration, calories burned), water intake, weight check-ins, fasting sessions, and progress photos.
- Subscription data — your SELO Premium status (active / trial / inactive) and subscription expiry, validated server-side from Apple's StoreKit signed receipts.
2.2 Information collected automatically
- Device data — device model, OS version, app version, and locale, used solely to render the App correctly and to attach to crash reports.
- Usage telemetry — anonymized event counts (sign-up completed, paywall viewed, AI feature used) tied to your Supabase user ID. No personal content is included in these events.
- Crash reports — when the App crashes, we collect a stack trace, device model, OS version, and app state via Sentry. Crash reports do not include your personal data, training logs, or photos. You can opt out by leaving SENTRY_DSN empty (we'll provide instructions on request).
2.3 Information from third-party services with your permission
- Apple Health (HealthKit) — when you grant access, the App reads steps, active calories, exercise minutes, weight, and sleep samples from Apple Health. The App may write completed workouts and weight check-ins back to Apple Health if you grant write permission. HealthKit data never leaves your device unless you have an active SELO cloud account, in which case the synced subset (e.g. weight check-ins) reaches our servers.
- Apple App Store — when you subscribe to SELO Premium, Apple shares an opaque transaction identifier and signed receipt with us. We do not see your name, billing address, or payment method.
- USDA Food Data Central — if you provide a USDA API key, food searches you initiate are sent to USDA. SELO does not log these searches.
- Camera — when you scan a food barcode or import a body-composition scan image, the camera feed stays on-device. Scan images are sent to our AI vision service (Anthropic Claude) only when local OCR cannot extract the fields.
3. How we use information
We use your information to:
- Provide the Service — render your dashboard, generate plans and reports, sync across devices, and validate your subscription.
- Personalize AI outputs — when you request an AI training plan or transformation report, your profile, latest scan, and recent training history are sent to Anthropic's Claude API to generate the response. Anthropic does not retain or train on your data per their API terms.
- Improve and secure the Service — diagnose crashes (via Sentry), detect abuse, and enforce rate limits.
- Communicate with you — send transactional notifications (account verification, password reset, subscription receipts). We do not send marketing emails without your consent.
We do not sell your data, run third-party advertising, or share your data with data brokers.
4. Legal bases (for users in the EEA / UK)
We process your data on the following legal bases under the GDPR:
- Contract — to provide the Service you signed up for.
- Consent — for HealthKit access, camera access, and push notifications. You can revoke consent at any time in iOS Settings.
- Legitimate interest — for crash reporting, abuse prevention, and Service improvement.
- Legal obligation — to comply with tax, accounting, and law-enforcement requests where required.
5. AI services and your data
When you use SELO Premium AI features (training plans, transformation reports, scan extraction):
- Your relevant data (profile, latest scan, recent workouts) is sent server-side to Anthropic Claude via our Supabase Edge Functions.
- Anthropic processes this data to generate the response. Per Anthropic's API terms, inputs and outputs are not used to train Anthropic's models and are retained only as required for trust and safety review (typically 30 days).
- We log only the metadata of the call (timestamp, surface, token count, cost) — not the raw input content — in our ai_call_log table. This is used to enforce rate limits and audit costs.
- Generated outputs (plans, reports) are stored on our servers (Supabase Postgres) tied to your account so you can review them later.
If you are not subscribed to SELO Premium, no AI features run and no data is sent to Anthropic.
6. Data sharing and recipients
We share your data only with:
- Supabase — our cloud backend (database, authentication, file storage, Edge Functions). Hosted on AWS Tokyo. Subject to Supabase's Data Processing Agreement.
- Anthropic — for AI feature requests, as described above.
- Apple — App Store, StoreKit, Apple Push Notifications, HealthKit (on-device only).
- Sentry — anonymized crash reports.
- Service providers strictly for the technical operation of the Service (e.g. our email-delivery provider for password resets).
We do not transfer your data to advertising networks, social platforms, or analytics SDKs that aggregate user data across apps.
7. Data retention
- Account data — retained while your account is active.
- Account deletion — when you delete your account from Profile › Account, we mark your account for deletion immediately and purge all data after a 30-day grace period, in compliance with Apple Guideline 5.1.1(v). You can sign in within 30 days to recover.
- Free-tier users without an account — local SwiftData stays on your device. We do not have a copy.
- Free-tier users with an account — data older than 7 days is auto-purged from your device but retained on our servers; if you upgrade to Premium, your full history is restored. If you do not upgrade and do not log in within 12 months, we may delete your inactive account on 30 days' notice.
- Crash reports — retained 30 days then automatically deleted.
- AI call log — retained 90 days then aggregated and the personal-id reference is removed.
8. Your rights
Subject to applicable law (including GDPR and CCPA), you have the right to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and associated data (Profile › Account › Delete)
- Export your data in a portable format (request via privacy@selotechnology.com)
- Object to specific processing activities
- Withdraw consent for HealthKit, camera, or notifications via iOS Settings
- Lodge a complaint with your local data-protection authority
To exercise any right, email privacy@selotechnology.com with your account email. We respond within 30 days.
9. Children's privacy
SELO is not intended for users under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with information, contact privacy@selotechnology.com and we will delete the account.
10. International data transfers
Your data is hosted in AWS Tokyo (Asia-Pacific). If you are in the EEA / UK, your data is transferred outside your region for processing. We rely on Standard Contractual Clauses for these transfers.
11. Security
We use industry-standard security:
- TLS 1.2+ for all data in transit
- Encryption at rest on the database
- Per-user Row-Level Security on every database table (your data is isolated cryptographically)
- Server-side validation of every Apple StoreKit receipt (no client trust)
- Service-role keys held only server-side; client uses a publishable key with no privileged access
- Rate limiting on every public endpoint (per-IP and per-user)
- Schema validation on every input
No system is 100% secure. We will notify affected users within 72 hours of becoming aware of a breach involving personal data, in compliance with applicable law.
12. Changes to this policy
We may update this Privacy Policy. When we do:
- We update the "Last updated" date at the top
- For material changes, we notify you via the App or by email (at least 14 days before the change takes effect)
- Continued use after the effective date constitutes acceptance
13. Contact
Questions? Concerns?
Email: privacy@selotechnology.com
For App Store-related inquiries, please contact us at the email above before submitting an App Store review.