Metalyze
Privacy Policy
Last Updated: April 6, 2025
1. Introduction
Welcome to Metalyze ("we," "our," or "us"). We are committed to protecting your privacy and handling your data with transparency and care. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.
Metalyze is a comprehensive health analytics platform that integrates continuous glucose monitoring (CGM) data with fitness metrics, sleep quality, and nutrition information to provide personalized, AI-driven health recommendations.
2. Information We Collect
2.1 Information You Provide
We collect information you provide directly to us, including:
- Account information (name, email, password)
- Profile information (date of birth, sex, height, weight, activity level)
- Health and fitness data you manually enter
- Recipes and nutrition information you create or save
- Communications with us
2.2 Information From Third-Party Services
With your explicit permission, we collect data from connected services, including:
- Continuous glucose monitoring data (Dexcom)
- Fitness and activity data (Garmin, Strava, TrainingPeaks, Intervals.icu)
- Nutrition data (MyFitnessPal, Cronometer)
- Sleep and recovery metrics
We only access the specific data types you authorize, and you can revoke access at any time through your account settings.
2.3 Automatically Collected Information
When you use our platform, we automatically collect:
- Device information (IP address, browser type, operating system)
- Usage data (pages visited, features used, time spent)
- Cookies and similar technologies
3. How We Use Your Information
We use your information for the following purposes:
- Provide, maintain, and improve our services
- Generate personalized health insights and recommendations
- Process and complete transactions
- Send you technical notices, updates, and support messages
- Respond to your comments and questions
- Develop new features and services
- Monitor and analyze trends and usage
- Detect, investigate, and prevent fraudulent transactions and other illegal activities
- Protect the rights and property of Metalyze and others
4. How We Share Your Information
We may share your information in the following circumstances:
4.1 With Your Consent
We may share your information with third parties when you explicitly consent to such sharing.
4.2 Service Providers
We may share your information with third-party vendors, consultants, and other service providers who need access to such information to carry out work on our behalf. These providers are contractually obligated to use your personal information only for the purposes of providing services to us.
4.3 Analytics Partners
We may share anonymized or aggregated data with third parties for analytics purposes. This information cannot reasonably be used to identify you.
4.4 Legal Requirements
We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).
4.5 Business Transfers
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or uses of your personal information.
5. Data Security
We implement appropriate technical and organizational measures to protect the security of your personal information. This includes encryption of sensitive health data both in transit and at rest, together with strict access controls. However, no method of transmission over the Internet or electronic storage is 100% secure, so we cannot guarantee absolute security.
Our security measures include:
- Encryption of data in transit using TLS
- Encryption of sensitive data at rest
- Regular security assessments and penetration testing
- Access controls and authentication mechanisms for our staff
- Regular security training for our team members
- Monitoring systems to detect and respond to suspicious activities
We regularly review and update our security practices to address new threats and vulnerabilities. In the event of a data breach that affects your personal information, we will notify you in accordance with applicable laws.
5.1 Information Security and Certifications
We are committed to maintaining the highest standards of information security. While we are currently in the process of obtaining formal industry certifications, we adhere to security best practices including:
- Implementation of security controls based on the ISO 27001 framework
- Regular independent security assessments and vulnerability testing
- Compliance with GDPR requirements for EU users and applicable US state privacy laws
- Staff training on security awareness and data protection
We will update this policy as we obtain formal certifications.
6. Special Provisions for Health Data
Metalyze collects and processes health-related data, which may be considered sensitive personal information under various privacy laws. We recognize the sensitive nature of this information and provide these additional details about how we handle your health data:
6.1 Health Data Processing
We process your health data for the following specific purposes:
- Generating personalized insights about your metabolic health
- Analyzing patterns and correlations between different health metrics
- Providing recommendations for optimizing your health and performance
- Enabling you to track and visualize your health data over time
- Improving our algorithms and services through aggregated and anonymized analysis
6.2 Legal Basis for Processing Health Data
Depending on your jurisdiction, we process your health data based on one or more of the following legal bases:
- Your explicit consent, which you provide when connecting third-party health services or manually entering health data
- The necessity to perform our contract with you to provide the Metalyze services
- Our legitimate interests in providing and improving our services (where not overridden by your rights)
You may withdraw your consent at any time by disconnecting third-party services or contacting us, though this may affect our ability to provide certain features.
6.3 Health Data Retention
We retain your health data for as long as your account is active or as needed to provide you with our services. You can request deletion of your health data at any time through your account settings or by contacting us. Note that:
- Some health data may be retained in anonymized or aggregated form after account deletion
- We may retain certain health data for longer periods if required by law or for legitimate business purposes, such as resolving disputes
- Data from third-party services may continue to be stored by those services according to their own retention policies
6.4 Health Data Sharing Limitations
We apply stricter limitations on sharing your health data compared to other personal information:
- We do not sell your health data to third parties
- We do not use your health data for advertising purposes
- We only share your health data with service providers who are contractually bound to maintain its confidentiality and security
- We only share your health data with third parties with your explicit consent, except where required by law
7. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access and update your information through your account settings
- Request deletion of your data
- Object to processing of your information
- Data portability
- Withdraw consent at any time (where processing is based on consent)
- Lodge a complaint with a supervisory authority
To exercise these rights, please contact us using the information provided in the "Contact Us" section.
7.1 Account Deletion
You have the right to delete your account and all associated data at any time. You can initiate account deletion through your account settings page by selecting "Delete Account" in the Danger Zone section. This process will:
- Permanently delete your user profile and authentication information
- Remove all your connected integrations and access tokens
- Delete all your health data, including glucose readings, workout information, and nutrition data
- Remove any custom dashboards, saved configurations, and preferences
This deletion is permanent and cannot be undone. You may need to create a new account if you wish to use our services again in the future.
8. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. When we no longer need to use your information, we will remove it from our systems or anonymize it.
8.1 Record Retention Policy
Our data retention periods vary by data type:
- Account information: Retained for the duration of your account and for up to 30 days after account deletion
- Health data: Retained for the duration of your account and deleted within 30 days of account deletion
- Usage data: Retained for up to 24 months to support service improvement
- Billing information: Retained for the period required by applicable tax and accounting regulations
- Communication records: Retained for up to 24 months from the date of communication
We may retain certain information in anonymized or aggregated form after account deletion for analytical purposes. We also retain information as necessary to comply with legal obligations, resolve disputes, and enforce agreements.
9. International Data Transfers
Your information may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that differ from the laws of your country. We put appropriate safeguards in place so that your personal information remains protected in accordance with this Privacy Policy.
9.1 Geographic Availability and Data Storage
Currently, Metalyze services are available only to users in the European Union and the United States. All user data, including personal information and health data, is stored on secure servers located in Germany, which provides strong data protection under EU laws.
Our technical infrastructure is designed to ensure that your data remains protected according to the high standards of the EU General Data Protection Regulation (GDPR), even when accessed from the United States.
Should we expand our services to other regions in the future, we will update this policy accordingly and implement appropriate safeguards for any additional international data transfers.
10. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to remove that information.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.
12. Notice of Privacy Practices and DPO
As a health analytics platform, we maintain a comprehensive privacy program to ensure the protection of your personal and health information:
12.1 Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions regarding this privacy policy and our privacy practices. Our DPO can be contacted at:
Email: [email protected]
The DPO's responsibilities include:
- Monitoring compliance with applicable data protection laws
- Training staff involved in data processing operations
- Conducting internal audits
- Serving as the point of contact for data subjects and supervisory authorities
- Maintaining records of processing activities
12.2 Privacy Practices
Our privacy practices are guided by the following principles:
- Transparency: We clearly communicate how we collect, use, and share your information
- Purpose limitation: We collect and process your data only for specified, explicit purposes
- Data minimization: We collect only what is necessary for the purposes of processing
- Accuracy: We take steps to ensure your data is accurate and up-to-date
- Storage limitation: We retain your data only as long as necessary
- Integrity and confidentiality: We implement appropriate security measures
- Accountability: We take responsibility for how we handle your data
In addition to this Privacy Policy, we maintain internal policies and procedures that govern how we handle personal information, respond to data breaches, and process data subject requests.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: [email protected]