Privacy Policy
Sensus - Body Literacy. Powered by You.
Effective Date: February 18, 2026 | Last Updated: May 7, 2026
Introduction
Sensus ("we," "us," or "our") is committed to protecting your privacy and handling your personal information in accordance with applicable privacy laws worldwide, including:
- Australia: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
- European Union/UK: General Data Protection Regulation (GDPR) and UK GDPR
- United States: California Consumer Privacy Act (CCPA/CPRA) and other state privacy laws
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Sensus mobile application ("App"). We obtain your explicit, affirmative consent for each category of data processing through in-app consent flows (toggles, permission dialogs, and opt-in screens) before any data is collected or shared. You may withdraw any consent at any time through in-app controls or by contacting us.
Global Privacy Compliance
This Privacy Policy is designed to comply with major privacy frameworks worldwide, including:
- Australian Privacy Principles (APPs): Transparency, data minimisation, security, access, and correction rights
- GDPR (EU/UK): Lawful basis for processing, data subject rights, breach notification, international transfers
- CCPA/CPRA (California): Right to know, delete, correct, and opt-out; no sale of personal information
- PIPEDA (Canada): Consent, accountability, and individual access
- LGPD (Brazil): Data subject rights and lawful processing bases
1. Information We Collect
1.1 Information You Provide Directly
When you use the App, you may provide:
Wellness Data (Sensitive/Health Information):
- Pain and discomfort logs (location, intensity, type)
- Body region markers and sensation descriptions (stabbing, deep, radiating)
- Body state check-ins (e.g., "thriving," "balanced," "unsettled," "struggling")
- Positive body sensation markers (e.g., lightness, energy, ease, strength, openness)
- Mood indicators (e.g., "Great," "Good," "Neutral," "Difficult")
- Sleep quality indicators (e.g., "Great," "Fair," "Poor")
- Stress level indicators (e.g., "Minimal," "Moderate," "High")
- Contextual factors you select or enter (sleep quality, exercise, stress, posture, weather, and other wellness contexts)
- Context details (e.g., hours of sleep, type of exercise)
- Micro-question responses (structured wellness dimension questions, e.g., recovery status, hydration, social activity)
- Daily follow-up prompt responses (for users whose onboarding profile indicates competitive athlete activity level): structured chip selections covering niggles, sleep quality, leg heaviness, recovery confidence, soreness location, and other validated sport-science dimensions adapted from the Hooper Index, AFAQ, and sRPE-adjacent instruments. Pre-defined chip values only — no free-text responses.
- Movement and exercise observations
- Movement response ratings (immediate comfort level, baseline symptoms, perceived effort, threat perception)
- Follow-up movement responses (change detection, direction, timing)
- Multi-week intervention tracking outcomes (verified outcomes over 4-week periods)
- Response ratings for movements explored in the movement library
- Personal notes and observations
Profile Information (Optional):
- Display name
- Age range and date of birth (for personalised greetings and to enforce the App's 13+ minimum age)
- Activity level
- Wellness goals
- Injury history
- Training background
Account Information (if applicable):
- Email address (for account recovery or communication)
- Communication preferences
1.2 Apple Health Data (Optional, With Your Permission)
If you grant permission, the App reads the following data from Apple Health (read-only — we never write to Apple Health):
- Sleep analysis (hours slept)
- Step count
- Active energy burned (calories)
- Heart rate (average)
- Resting heart rate
- Heart rate variability (HRV)
- Blood oxygen saturation (SpO2)
- Respiratory rate
- Mindful minutes
- Walking asymmetry percentage
- Double support percentage (gait metric)
- Workout type and duration
When multiple data sources exist in Apple Health for the same metric (e.g., a wearable device and iPhone sensors), the App may prioritise the source it determines to be most accurate. This source preference is applied entirely on your device and does not result in any additional data collection.
Raw Apple Health values are stored locally on your device by default. They are never shared with advertisers, data brokers, insurers, or employers. They are never uploaded to Sensus community storage — community data uses only categorical labels (see Section 5.4).
Exception — AI features (separate opt-in): If you enable AI features (Body Forecast and Ask Sensus), relevant Apple Health values (for example, sleep hours, heart rate variability, resting heart rate) may be included in prompts sent to Google Vertex AI at the moment of generating an AI response, so the AI can reason accurately about your body state. This only happens when AI features are enabled, only at the moment of the query, and Google does not retain this data for training or advertising. If you do not enable AI features, no Apple Health values leave your device. See Section 8.4 for details.
1.3 Weather and Location Data (Optional, With Your Permission)
If you grant location permission, the App accesses your approximate location (reduced accuracy, approximately 5 km) solely to retrieve current weather conditions via Apple WeatherKit.
- Weather conditions fetched: temperature, humidity, barometric pressure, weather condition, UV index, apparent temperature
- Barometric pressure history (used to compute pressure change trends)
Your location coordinates are never stored, transmitted to any server, or shared with any third party. Location is used solely at the moment of a check-in to retrieve weather data from Apple WeatherKit. Within your check-in entries we store only categorical weather labels (e.g., "Warm," "High humidity," "Dropping pressure"). For pressure-trend computation the App also keeps a rolling timeline of recent barometric pressure readings in device-local storage; these readings are never transmitted off your device. If you opt in to community sharing, only categorical labels are uploaded — never coordinates, city names, or precise weather values.
1.4 Information Collected Automatically
The App may automatically collect:
Device Information:
- Device type and model
- Operating system version
- App version
- Unique device identifiers (for app functionality only)
- Time zone settings
Usage Information:
- App feature usage patterns
- Session duration and frequency
- Feature interactions
- Error logs and crash reports
1.5 Information We Do NOT Collect
We do not collect:
- Your name (unless you voluntarily provide a display name)
- Your precise location or GPS coordinates (we request reduced-accuracy location solely for weather data and do not store or transmit coordinates)
- Your contacts or address book
- Your photos, camera, or microphone data
- Your browsing history outside the App
- Financial information or payment details
- Government identifiers (Social Security, Medicare, Tax File Numbers, etc.)
- Biometric data (fingerprints, face scans, etc.)
1.6 Categories of Personal Information (CCPA Disclosure)
For California residents, we collect the following categories of personal information:
- Category A: Identifiers (device ID, email if provided)
- Category B: Personal information under California Civil Code Section 1798.80(e) (none collected)
- Category C: Protected classification characteristics (age range only)
- Category D: Commercial information (none collected)
- Category F: Internet or network activity (app usage patterns)
- Category G: Geolocation data (approximate location for weather only, never stored or transmitted)
- Category K: Inferences drawn from the above (wellness patterns and insights)
We do NOT sell or share your personal information for cross-context behavioral advertising.
2. Legal Basis for Processing (GDPR/UK GDPR)
We process your personal information based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Providing core App functionality | Performance of contract (Article 6(1)(b)) |
| Processing health/wellness data | Explicit consent (Article 9(2)(a)) |
| Processing Apple Health data | Explicit consent (Article 9(2)(a)) |
| Cross-modal health intelligence (on-device) | Explicit consent (Article 9(2)(a)) |
| Weather and approximate location (for weather data retrieval) | Explicit consent (Article 6(1)(a)) |
| Improving App features | Legitimate interest (Article 6(1)(f)) |
| Community insights (Consensus) | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| Community health metric signals | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| Community movement response and outcome data | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| AI features (Google Gemini) | Explicit consent (Article 6(1)(a)) |
| Local notifications | Consent / Legitimate interest (Article 6(1)(a)/(f)) |
| Presenting research-backed health information | Legitimate interest (Article 6(1)(f)) |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
| Security and fraud prevention | Legitimate interest (Article 6(1)(f)) |
Health Data: As wellness data and Apple Health data constitute "special category data" under GDPR, we rely on your explicit consent to process this information. You provide this consent when you accept this Privacy Policy and enable the relevant features in the App.
3. How We Use Your Information
3.1 Primary Purposes
We use your information to:
- Enable you to log, track, and view your wellness data
- Generate personal patterns, trends, and insights from your logged data
- Provide on-device analysis to identify correlations and patterns (e.g., contextual factors associated with elevated or reduced discomfort)
- Provide cross-modal health intelligence by correlating your Apple Health metrics with your logged body states to identify personal body signals (computed entirely on your device)
- Personalise health metric interpretation by combining your self-reported activity level with Apple Health cardiac data (resting heart rate, heart rate variability) to adjust what the App considers typical ranges for your fitness profile — for example, a lower resting heart rate is interpreted differently for a competitive athlete than for a sedentary user (computed entirely on your device)
- Surface personalised Discovery Cards — automated insights connecting patterns you may not have noticed, computed entirely on your device
- Generate your daily Body Forecast — a prediction of how your body may feel based on your patterns, health data, and community trends
- Generate flare predictions based on your historical patterns, day-of-week trends, context accumulation, health metric changes, and intensity trends (computed entirely on your device)
- Detect seasonal and weather-related patterns in your wellness data (computed on your device)
- Detect noteworthy patterns that you may wish to discuss with a healthcare provider (see Section 3.3)
- Provide post-check-in intelligence, personalised insights shown immediately after each log
- Present research-backed health information from published medical literature matched to your logged body regions, including intervention effectiveness data, evidence quality, and clinical sources (see Section 3.5)
- Compare your personal wellness averages against anonymised community averages when sufficient contributor thresholds are met
- Surface community well-being insights — aggregated patterns from users reporting positive body states in their check-ins
- Tailor movement suggestions based on your profile and logged regions
- Track your movement responses over time to identify which exercises help your specific body
- Generate healthcare provider summaries for your personal use
- Display at-a-glance statistics on your home screen (days active, weekly summary, contexts, and trends)
- Understand how features are used to improve the App
- Respond to your enquiries and provide technical assistance
3.2 Secondary Purposes (With Your Consent)
With your explicit opt-in consent, we may:
- De-identified Community Insights ("Consensus"): Aggregate your data with others to generate community-wide patterns. Your individual data is pseudonymised before upload and aggregated with other contributors. A minimum threshold of users (k-anonymity) is required before any aggregated data is displayed.
- Community Health Metric Signals: Aggregate categorical health pattern labels (e.g., "sleep correlates with how people feel") across consenting contributors to surface what the community's health metrics reveal collectively. Only categorical labels are shared, never raw health values. A stricter minimum contributor threshold applies to health-adjacent data.
- Community Movement Response Data: Aggregate your movement response ratings (comfort level, change detection, effort) with other users to determine which movements help for specific body regions. A minimum threshold of independent users and total trials is required before community movement data is displayed.
- Verified Outcome Data: If you complete a multi-week intervention tracking period, aggregate your outcome data (bucketed intensity changes, dose frequency category) with others to validate intervention effectiveness across the community. A stricter contributor threshold applies.
- Athlete Follow-Up Data: For users with competitive athlete activity level, aggregate categorical follow-up chip responses (e.g., niggle severity, sleep quality, leg heaviness, recovery confidence) with other consenting athlete users to surface patterns across athletic communities (e.g., common Monday-morning leg heaviness following weekend matches). A minimum contributor threshold applies before any aggregate insight is displayed.
- Phantom Correlation Metadata: Aggregate delayed-effect pattern metadata (e.g., pattern type, trigger category, lag category, magnitude bucket) to surface community-wide hidden correlations such as delayed triggers and protective factors.
- Communications: Send you updates, tips, or information about the App
- AI Chat and Intelligence (Google Gemini): Process summaries of your logged data and your training profile (activity level, training frequency, training types) through Google's AI services to power conversational features (Ask Sensus, SensusAI chat), Body Forecast explanations, Daily Briefing, weekly reports, pattern discovery, and personalised insights
3.3 Automated Pattern Detection and Decision-Making
The App includes on-device automated analysis that may identify patterns in your logged data, such as:
- Trends in noticeability over time
- Correlations between contexts and your logged sensations
- Correlations between Apple Health metrics and your logged body states (cross-modal body signals)
- Fitness-aware cardiac interpretation — adjusting health metric thresholds (e.g., what constitutes an elevated resting heart rate or strong heart rate variability) based on your self-reported activity level, producing personalised health labels and alert messages
- Flare prediction based on day-of-week patterns, context accumulation, intensity trends, and health metric changes
- Seasonal and weather-related pattern detection
- Delayed-effect correlations (phantom patterns) — identifying triggers whose effects appear days later
- Recovery trajectory comparisons based on published research
- Automated matching of logged body regions to condition profiles sourced from published medical literature (see Section 3.5)
- Comparison of personal intensity averages against community averages for similar body regions
- Patterns that may warrant discussion with a healthcare provider ("Red Flag" alerts)
Your Rights Regarding Automated Processing (GDPR Article 22):
- These analyses are observational suggestions only — they are informational, not prescriptive
- No legally or similarly significant decisions are made automatically. Forecasts and predictions (including Body Forecast and flare predictions) are statistical observations based on your historical data and do not constitute medical advice, clinical decisions, or instructions to act. They do not restrict, alter, or determine your access to any service.
- You are never required to act on any automated insight or prediction
- You can request human review of any automated insight by contacting us
- You can object to automated processing at any time
- You can disable specific automated features (Body Forecast, notifications, AI features) independently through in-app controls
Important: Automated analyses are NOT diagnostic, NOT medical advice, and NOT a substitute for professional healthcare assessment.
3.4 What We Do NOT Do
We do NOT:
- Sell your personal information to any third party (as defined under CCPA/CPRA)
- Share your personal information for cross-context behavioral advertising
- Share identifiable health data with advertisers
- Use your data for targeted advertising
- Share your data with insurance companies or employers
- Provide medical diagnoses, treatment recommendations, or clinical advice
- Upload raw Apple Health values to Sensus servers, advertisers, data brokers, insurers, or employers (when AI features are enabled, relevant values are sent to Google Vertex AI at the moment of an AI query — see Section 8.4)
- Store or transmit your location coordinates
3.5 Research-Backed Health Information
The App includes a curated knowledge base sourced from published medical literature, including Cochrane Systematic Reviews, NICE Clinical Guidelines, WHO publications, and peer-reviewed studies. This knowledge base:
- Is bundled locally within the App (no external server requests to access it)
- Contains condition profiles, intervention effectiveness data, trigger correlations, and recovery timelines sourced from published research
- Is automatically matched to your logged body regions to show relevant research findings
- Displays transparent attribution including source names, sample sizes, and evidence quality
- Is clearly labelled as "From health research" to distinguish it from community-sourced data
Important: Research-backed information presented in the App is for educational and informational purposes only. It is sourced from published studies and clinical guidelines but is NOT personalised medical advice, NOT a diagnosis, and NOT a substitute for consultation with a qualified healthcare professional. Intervention effectiveness data reflects population-level study outcomes and may not apply to your individual circumstances.
4. Data Storage and Security
4.1 Local Storage by Default
Your wellness data is stored locally on your device by default. This means:
- Your data remains on your device under your direct control
- Data is not transmitted to external servers unless you opt into specific features (Community Sharing or AI Features)
- Uninstalling the App deletes your local data
4.2 Encryption and Security Measures
iOS Keychain Encryption:
Your wellness data is encrypted using iOS Keychain, Apple's secure storage system, providing:
- AES-256 encryption at rest
- Hardware-backed security on supported devices
- Data accessible only when your device is unlocked (kSecAttrAccessibleWhenUnlockedThisDeviceOnly)
- Data is non-transferable between devices via Keychain configuration
Additional Security Measures:
- Encryption of data in transit (TLS 1.3)
- Secure coding practices following OWASP guidelines
- Regular security assessments
- Access controls and authentication
- Incident response procedures
4.3 International Data Transfers
If you enable AI features or community sharing, your data may be transferred to and processed in countries outside your jurisdiction, including the United States and Australia.
For EU/UK Users: We ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures as required
Data Processing Agreements: We maintain Data Processing Agreements (DPAs) with our service providers, including Google (Firebase/Firestore and Gemini AI), that govern how they process data on our behalf and ensure compliance with applicable data protection laws.
For All Users: Our service providers maintain appropriate security standards and contractual obligations to protect your data.
Risk Assessment: Given that the App processes health-related data, we have evaluated the risks associated with our data processing activities and apply appropriate safeguards including local-first storage, on-device computation, k-anonymity thresholds, categorical-only sharing of any health-derived data, and explicit opt-in consent flows. We will conduct and document a formal Data Protection Impact Assessment (DPIA) under GDPR Article 35 as our processing scale grows or when we introduce material changes to our data processing practices.
4.4 Data Retention
| Data Type | Retention Period |
|---|---|
| Local wellness data | Until you delete it or uninstall the App |
| Discovery Card history | Until you delete data or uninstall the App |
| Movement response history | Until you delete it or uninstall the App |
| Verified outcome history | Until you delete it or uninstall the App |
| Weather data (categorical labels within check-ins) | Until you delete the associated check-in or uninstall the App |
| De-identified community data | Indefinitely (aggregated, contributor-unlinkable) |
| De-identified health pattern flags | Indefinitely (aggregated categorical labels only) |
| De-identified movement response and outcome data | Indefinitely (aggregated, contributor-unlinkable) |
| De-identified phantom correlation metadata | Indefinitely (aggregated, contributor-unlinkable) |
| De-identified athlete follow-up responses | Indefinitely (aggregated, contributor-unlinkable) |
| Research knowledge base (bundled medical literature) | Updated with App releases; sourced from published research |
| AI-generated weekly reports (local) | Last 12 reports stored locally; deleted with App uninstall |
| Account data (if applicable) | While active + 2 years |
| Backup data (if applicable) | 90 days |
| Support communications | 3 years |
| Apple Health snapshots (raw values) | Stored locally within check-in entries; deleted with entries |
| Location coordinates | Not retained — used momentarily for weather retrieval and immediately discarded |
4.5 Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- GDPR/UK: Notify the relevant supervisory authority within 72 hours and notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms
- Australia: Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches scheme
- CCPA: Notify affected California residents as required by law
Notification mechanism: Where we have your email address, we will notify you by email. Where we do not, we will notify you via prominent in-app notice on next launch and, where appropriate, push notification. Public notices will also be posted on the App's website.
5. Disclosure of Information
5.1 When We May Disclose Information
Service Providers:
- Cloud hosting providers — Google Firebase / Firestore (for community data, if you opt in)
- AI service providers — Google Gemini via Firebase AI / Vertex AI (with your consent, see Section 8.4)
- Weather data provider — Apple WeatherKit (approximate location used momentarily; coordinates not stored or transmitted to our servers)
- Analytics services (anonymised data only)
- Customer support platforms
Legal Requirements:
- In response to valid legal process (court orders, subpoenas)
- To comply with requests from government agencies with lawful authority
- To protect our legal rights or the safety of users
Business Transfers:
In connection with a merger, acquisition, or sale of assets (with notice to you and opportunity to delete your data)
5.2 We Do NOT Disclose Your Information To:
- Advertisers or marketing companies
- Insurance companies
- Employers or recruitment agencies
- Data brokers
- Any third party for their own marketing purposes
- Law enforcement without valid legal process
5.3 De-identified and Aggregated Data
We may share de-identified, aggregated data for:
- Research and statistical purposes
- Public health insights
- Academic research (with appropriate ethics approval)
This data is aggregated to reduce re-identification risk to a level appropriate for the purpose. See Section 5.4 below for the limits of de-identification on health-related data.
5.4 De-identification Process for Community Data
When you opt in to community data sharing, the following de-identification (pseudonymisation and aggregation) is applied before any data leaves your device. We use the term "de-identified" rather than "anonymised" because no de-identification process for health-related data can guarantee the impossibility of re-identification under all circumstances. The combined effect of the measures below substantially reduces re-identification risk to a level appropriate for aggregated community insights:
- Dates removed: Only day of week, hour of day, and relative offsets are shared (never actual dates)
- Coordinates removed: Body map coordinates are generalised to broad regions (e.g., "Lower Back/Hips" rather than exact points)
- Free-text excluded: Personal notes, "What Changed" entries, and journal text are never uploaded
- Raw health values excluded from community data: Actual Apple Health numbers (e.g., heart rate of 72 bpm, 7.5 hours of sleep) are never uploaded to Sensus community storage. Note: if you have enabled AI features (separate opt-in), relevant raw values may be included in prompts sent to Google Vertex AI at the moment of an AI query — this is entirely separate from community data sharing. See Section 8.4.
- Health pattern flags (categorical only): If you have Apple Health connected, categorical labels derived from your health data may be shared. These labels describe only the type of metric (e.g., "sleep"), direction (e.g., "positive" or "negative"), and magnitude bucket (e.g., "small," "moderate," "large"). They never contain actual health values.
- Weather data (categorical only): If weather data was collected at check-in, only categorical labels are shared (e.g., temperature band "Warm," humidity level "High," pressure trend "Dropping"). Exact weather values and location coordinates are never uploaded.
- Intensity values rounded: Pain intensity values are rounded to the nearest 0.5 to prevent precise re-identification
- Movement data (enum-based): Movement response data uses pre-defined categories only (e.g., "Comfortable," "Manageable," "Challenging"). No free-text movement notes are uploaded.
- Verified outcomes (bucketed): Multi-week intervention outcomes use bucketed intensity changes (rounded to 0.5) and dose frequency categories (e.g., "low," "moderate," "high") to prevent re-identification.
- Phantom pattern metadata (categorical): Delayed-effect pattern data uses only pattern type, factor categories, magnitude buckets, lag categories, and confidence buckets. No raw correlation values are shared.
- Athlete follow-up data (enum-based): Daily follow-up prompt responses use pre-defined chip categories only (e.g., "none," "mild," "noticeable," "concerning" for niggles; "ready," "normal," "I'd want to push through," "I'd rather not" for recovery confidence). Only categorical chip selections, archetype label, and day-of-week / hour bucket are uploaded. No free-text responses, exact dates, or personally identifying information are ever uploaded.
- Mood, sleep, and stress (categorical): Shared as pre-defined categories only (e.g., "Good," "Fair," "Moderate"). No numerical values or free text.
- Anonymous identifier: A stable, randomly generated UUID is used for all community contributions. This identifier is never linked to your Apple ID, device identity, name, email, or any other personal information.
- K-anonymity: Community insights are only displayed when a minimum threshold of contributors is met. Health-adjacent insights, movement data, verified outcomes, and athlete follow-up insights each require stricter thresholds.
Acknowledgement of limits: Despite the measures above, no de-identification technique applied to health-related data can guarantee absolute non-reidentification, particularly when combined with external data. We mitigate this through k-anonymity thresholds (a minimum of 5 contributors for categorical insights and 15 for health-derived insights), bucketed values, and exclusion of free-text content. Aggregated community insights are released only when these thresholds are met. Once contributed, de-identified data cannot be linked back to you and therefore cannot be selectively retrieved or deleted.
6. Your Privacy Rights
6.1 Rights for All Users
Regardless of your location, you have the right to:
- Access your personal information
- Correct inaccurate information
- Delete your personal information
- Export your data in a portable format
- Withdraw consent at any time
- Object to certain processing
- Lodge a complaint with a supervisory authority
6.2 Additional Rights for EU/UK Residents (GDPR)
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Right to Restriction: Request we limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Right Not to be Subject to Automated Decisions: Request human review of automated processing
To exercise these rights: Contact our Data Protection contact at contact@joinsensus.com or use the in-app features.
Supervisory Authority: You may lodge a complaint with your local data protection authority. EU residents: EDPB members directory. UK residents: UK Information Commissioner's Office.
6.3 Additional Rights for California Residents (CCPA/CPRA)
- Right to Know: Request disclosure of personal information collected, used, and disclosed
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information
- Right to Limit Use of Sensitive Personal Information: Limit use of health data to what is necessary
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights: Email contact@joinsensus.com or use in-app privacy controls. We will respond within 45 days (extendable by 45 days with notice).
Do Not Sell or Share My Personal Information: We do not sell your personal information or share it for cross-context behavioral advertising. No opt-out is necessary.
6.4 Additional Rights for Canadian Residents (PIPEDA)
- Right to Access: Request access to your personal information
- Right to Challenge Compliance: Challenge our compliance with PIPEDA
- Right to Withdraw Consent: Withdraw consent subject to legal restrictions
To exercise these rights: Contact contact@joinsensus.com
Office of the Privacy Commissioner of Canada: www.priv.gc.ca
6.5 Additional Rights for Australian Residents (APPs)
- Right to Access (APP 12): Request access to personal information we hold
- Right to Correction (APP 13): Request correction of inaccurate information
- Right to Complain: Lodge a complaint about our handling of your information
To exercise these rights: Contact contact@joinsensus.com or use in-app features.
Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
6.6 Additional Rights for Brazilian Residents (LGPD)
- Right to Confirmation and Access: Confirm processing and access your data
- Right to Correction: Correct incomplete or inaccurate data
- Right to Anonymisation, Blocking, or Deletion: Request anonymisation, blocking, or deletion of unnecessary data
- Right to Data Portability: Transfer data to another service provider
- Right to Information: Know about third parties with whom we share data
- Right to Revoke Consent: Revoke consent at any time
To exercise these rights: Contact contact@joinsensus.com
ANPD (National Data Protection Authority): www.gov.br/anpd
7. How to Exercise Your Rights
7.1 In-App Controls
You can exercise many rights directly in the App:
- Export Data: More > Privacy & Data > Export My Data
- Delete Data: More > Privacy & Data > Delete All My Data
- Manage Community Consent: More > Privacy & Data > Community Sharing toggle. When you disable community sharing, no further data is uploaded. Previously contributed data cannot be retrieved or deleted because it is fully de-identified and aggregated and cannot be linked back to you. This de-identified data remains in aggregate community pools indefinitely.
- Manage AI Consent: More > AI Chat > AI toggle
- Manage Apple Health: More > Privacy & Data > Apple Health toggle
- Manage Location/Weather: iOS Settings > Privacy & Security > Location Services > Sensus
- Manage Notifications: More > Notifications & Alerts
- Correct Data: Edit entries directly in the App
7.2 Contact Us
For rights requests or questions:
- Email: contact@joinsensus.com
- Response Time: As required by applicable law (typically 30 days under GDPR/UK GDPR, up to 45 days under CCPA, extendable in complex cases with notice to you)
- Verification: We may need to verify your identity before processing requests
7.3 Authorised Agents (CCPA)
California residents may designate an authorised agent to submit requests on their behalf. We may require:
- Written authorisation from you
- Verification of the agent's identity
- Direct confirmation from you
8. Third-Party Services
8.1 Third-Party Links
The App may contain links to third-party websites or services not covered by this Privacy Policy. We encourage you to review their privacy policies.
8.2 Analytics Services
We may use privacy-preserving analytics to understand App usage. This data:
- Does not personally identify you
- Is aggregated and de-identified
- Helps us improve the App experience
Specific analytics events: We track aggregated, anonymous events such as feature usage, funnel milestones (first check-in, fifth check-in), notification scheduling and tap-through rates, and Ask Sensus engagement (whether questions were asked, whether responses were read). When you submit a question to Ask Sensus, the question text is processed on your device only — what is sent to our analytics is a categorical classification of the question type (e.g., "symptom," "pattern," "history," "general"), never the question text itself. We also record a "useful moment" event when on-device analysis detects that the App delivered observable value to you (a notification was tapped, a response was read, a weekly report was viewed). No event content includes personally identifying information.
8.2.1 Do Not Track Signals
The App does not currently respond to "Do Not Track" (DNT) browser signals or similar mechanisms, as the App is not a web browser product. We do not engage in cross-context behavioural advertising and do not allow third parties to do so through the App. You may control App-related tracking via iOS Settings > Privacy & Security > Tracking, and via in-app analytics and AI consent toggles.
8.3 App Store
The App is available through the Apple App Store. Your download and use of the App are also subject to Apple's privacy policy.
8.4 AI Services (Google Gemini via Firebase AI)
The App includes optional AI features powered by Google Gemini through Firebase AI / Vertex AI.
These features are entirely optional and require your explicit consent.
AI-powered features include:
- Conversational AI chat ("Ask Sensus" and "SensusAI")
- Body Forecast — daily prediction of how your body may feel
- Daily Briefing — personalised daily wellness summary
- Weekly reports — AI-generated narrative summaries of your weekly wellness trends
- Pattern discovery and flare prediction
- Post-check-in insights (when AI consent is granted)
- Movement correlation analysis
When enabled:
- Summaries of your logged data may be sent to Google's servers for processing
- Your training profile (activity level, training frequency, and training types from your onboarding profile) is included in AI prompts to contextualise health metric interpretations — for example, ensuring the AI does not flag a low resting heart rate as concerning for a competitive athlete. No other profile information (name, date of birth, email) is included in AI prompts.
- Weekly reports: aggregated statistics (counts, averages, top patterns, week-over-week trends) and summarised check-in data (intensity, triggers, contexts) are sent to Google's servers. Free-text notes, raw Apple Health values, and personally identifying information are never included in weekly reports.
- Body Forecast and Ask Sensus: when AI features are enabled, relevant raw Apple Health values (for example, sleep hours, heart rate variability, resting heart rate) may be included in the prompt sent to Google Vertex AI so the AI can generate an accurate forecast or respond to questions about how your body is doing. These values are sent at the moment of the query, tied to that single request only, and Google does not retain them for advertising or model training. Free-text notes and personally identifying information (name, date of birth, email) are never included. If you do not enable AI features, no Apple Health values leave your device for this purpose.
- Google processes this data according to their privacy policy and data processing terms
- Data is used only to generate responses and is not used by Google for advertising or model training
- AI conversations are stateless; no conversation history is retained on any server
- AI-generated weekly reports are stored locally on your device only (last 12 reports)
- You can disable AI features at any time in Settings
If you do not enable AI features, no data is sent to Google.
Google Privacy Policy: policies.google.com/privacy
8.5 Firebase / Google Cloud (Community Features)
If you opt in to community data sharing, de-identified data is stored in Google Firebase Firestore.
- Only de-identified data (as described in Section 5.4) is uploaded
- Firebase is used solely for storing and retrieving aggregated community insights
- No directly identifiable personal information is stored in Firebase
- Categorical health pattern flags (metric type, direction, magnitude bucket) are stored alongside other de-identified community data when you have Apple Health connected and community sharing enabled
- Movement response data and verified outcomes are stored as de-identified, enum-based records with no free-text fields
- Phantom correlation metadata (pattern type, factor categories, magnitude and lag buckets) is stored for community-wide pattern aggregation
- Athlete follow-up response data (categorical chip selections, archetype label, day-of-week and hour bucket) is stored as de-identified records when both community sharing consent and competitive athlete activity level are present
- Categorical weather labels (temperature band, humidity level, pressure band, pressure trend) are stored alongside check-in data when weather data was collected
- These data points are aggregated across contributors to generate community insights, subject to minimum contributor thresholds that vary by data sensitivity
Google Cloud Privacy: cloud.google.com/terms/cloud-privacy-notice
8.6 Apple HealthKit
If you grant permission, the App reads health data via Apple's HealthKit framework.
- We request read-only access; the App never writes to or modifies your Apple Health data
- Raw health values are cached in memory for 15 minutes and stored locally within your check-in entries
- If you opt in to community sharing, only categorical labels derived from your health data are uploaded to Sensus community storage (see Section 5.4). Raw values are never transmitted to Sensus servers.
- If you enable AI features (separate opt-in), relevant raw Apple Health values may be included in prompts sent to Google Vertex AI at the moment of an AI query (see Section 8.4). No Apple Health data is transmitted if AI features are disabled.
- You can revoke HealthKit access at any time via iOS Settings > Health > Sensus
Raw Apple Health values are never uploaded to Sensus community storage, shared with advertisers, or sold to data brokers. For community data sharing, only categorical labels (e.g., "sleep-related," "positive direction," "moderate magnitude") are shared if you opt in to both Apple Health and community data sharing. If you enable AI features (Body Forecast and Ask Sensus), relevant raw values may be included in prompts sent to Google Vertex AI so the AI can reason accurately about your body state — see Section 8.4.
Apple HealthKit Guidelines: developer.apple.com/health-fitness/
8.7 Apple WeatherKit
If you grant location permission, the App uses Apple WeatherKit to retrieve current weather conditions.
- The App requests reduced-accuracy location (approximately 5 km) solely for weather data retrieval
- Location coordinates are used momentarily and never stored, logged, or transmitted to our servers or any third party
- Weather data is processed by Apple's WeatherKit service according to Apple's privacy policy
- Only categorical weather labels are stored locally within your check-in entries
- Location permission is not requested until your third check-in, giving you time to understand the App before deciding
- You can revoke location access at any time via iOS Settings > Privacy & Security > Location Services > Sensus
9. Notifications
The App may send local notifications with your permission:
| Notification Type | Content | Frequency |
|---|---|---|
| Daily check-in reminder | Reminder to log how your body feels | Once daily at your chosen time |
| Body Forecast | Daily prediction of how your body may feel | Up to once per day |
| Pattern alerts | Notification of newly discovered patterns | Up to once per week |
| Flare prediction | Context-based prediction of elevated risk | As detected, with cooldown |
| Streak milestones | Consistency achievements (opt-in) | As achieved, with cooldown |
| Evening check-in | Optional follow-up with step count context | Up to once per day |
| Body-memory notifications ("Sensus Noticed") | Notifications generated when on-device analysis detects a meaningful weather change matching your prior body patterns, or a divergence between your objective health signal (sleep, HRV, resting heart rate) and recent self-reports. Generated and scheduled entirely on your device — no data transmitted to any server to produce them. | Maximum once per type per 7 days (up to 2 per week total) |
All notifications are generated and scheduled locally on your device. No notification content is transmitted to any server. You can disable all notifications or manage individual types in Settings.
10. Children's Privacy
10.1 Age Restrictions
The App is not intended for children under 13 years of age (or 16 in some EU jurisdictions). We do not knowingly collect personal information from children under these ages.
The App is rated 13+ on the Apple App Store. Age verification is enforced through (a) the App Store's age rating system and (b) an in-app date-of-birth check during onboarding that prevents users with a calculated age below 13 from completing setup, with a root-level lockout screen for any user whose recorded age falls below the minimum. If we become aware that a user is under the applicable minimum age, we will promptly delete their data and terminate their access.
10.2 Parental Consent
Users between 13 and 18 years of age should review this Privacy Policy with a parent or guardian and obtain their consent before using the App.
10.3 COPPA Compliance (United States)
We comply with the Children's Online Privacy Protection Act (COPPA). If we learn we have collected information from a child under 13 without parental consent, we will delete it promptly.
10.4 Notification
If you believe we have collected information from a child under the applicable age, please contact us immediately at contact@joinsensus.com.
11. Changes to This Privacy Policy
11.1 Updates
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors.
11.2 Notification of Material Changes
For material changes, we will:
- Provide in-app notification at least 30 days before changes take effect
- Update the "Last Updated" date
- For EU/UK users, obtain fresh consent if required for new processing activities
11.3 Continued Use
Your continued use of the App after changes take effect constitutes acceptance of the updated policy. If you do not agree, please stop using the App and delete your data.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Data Controller:
Sensus (operated by Leilani Matovina, Sole Trader)
Sydney, New South Wales, Australia
Email: contact@joinsensus.com
Data Protection Contact:
For all privacy requests, data protection matters, and rights enquiries:
Email: contact@joinsensus.com
EU/UK Users (GDPR / UK GDPR):
We are a sole-trader business based in Australia. EU and UK users may exercise all data subject rights by contacting us directly at contact@joinsensus.com and may also lodge complaints with their national data protection authority. The App is currently distributed only in territories where we are appropriately set up to comply with local requirements; the App may not be available for download in all EU/UK markets.
Response Time: We aim to respond to all enquiries as required by applicable law (typically within 30 days under GDPR/UK GDPR, up to 45 days under CCPA, extendable in complex cases with notice to you).
13. Definitions
| Term | Definition |
|---|---|
| Personal Information/Data | Information that identifies or can identify an individual |
| Sensitive Information | Health information, genetic data, biometric data, and other special categories |
| Processing | Any operation performed on personal data (collecting, storing, using, sharing, deleting) |
| Controller | Entity that determines purposes and means of processing (Sensus) |
| Processor | Entity that processes data on behalf of the controller |
| Consent | Freely given, specific, informed, and unambiguous agreement |
| De-identification | The process of removing or transforming information so it can no longer be readily linked to an identified individual. We use this term in preference to "anonymisation" to acknowledge that no de-identification of health data is guaranteed to be irreversible under all circumstances. |
| Pseudonymisation | Replacing direct identifiers with a stable, randomly generated identifier (UUID) that is not linked to any other personal information about you |
| Consensus | The App's community feature aggregating de-identified data from consenting users to surface collective wellness patterns and insights |
| Consensus Knowledge Base | A curated, locally bundled database of condition profiles, intervention effectiveness data, trigger correlations, and recovery timelines sourced from published medical literature including Cochrane Systematic Reviews, NICE Clinical Guidelines, and peer-reviewed studies |
| Discovery Cards | Automated insights surfaced from your logged data, identifying connections and patterns you may not have noticed |
| Body Forecast | A daily prediction of how your body may feel, computed on your device from your patterns, health data, and community trends |
| Flare Prediction | An on-device prediction of elevated risk based on your historical patterns, day-of-week trends, context accumulation, and health metric changes |
| Phantom Correlations | Delayed-effect patterns where a trigger's impact on your body appears days later rather than immediately, detected through on-device analysis |
| Red Flag Alerts | Automated pattern detection identifying trends to discuss with healthcare providers |
| Apple Health Data | Health metrics read from Apple HealthKit; raw values are stored locally only |
| Health Pattern Flags | Categorical labels derived from Apple Health data (e.g., metric type, direction, magnitude bucket) that may be shared with community consent. Never contain raw health values. |
| Cross-Modal Health Intelligence | On-device analysis correlating Apple Health metrics with logged body states to identify personal body signals |
| Community Health Metric Signals | Aggregated insights from categorical health pattern flags across consenting community contributors |
| Movement Response Data | Structured ratings of how your body responded to specific movements (comfort level, effort, change detection), shared with community consent using pre-defined categories only |
| Verified Outcomes | Multi-week intervention tracking results showing how an intervention affected your wellness over time, shared with community consent using bucketed values |
| Athlete Follow-Up Data | Daily structured chip responses surfaced for users with competitive athlete activity level, covering validated sport-science dimensions (niggles, sleep quality, leg heaviness, recovery confidence, etc.). Pre-defined categorical values only; no free text. Shared with community consent. |
| Body-Memory Notifications | Local notifications generated entirely on your device when on-device analysis detects either a meaningful weather change that matches your prior body patterns, or a divergence between your objective health signal and recent self-reports. No data is transmitted to produce these notifications. |
| K-Anonymity | A privacy protection requiring a minimum number of distinct contributors before any community insight is displayed, preventing individual identification. Thresholds vary by data sensitivity (5 for categorical insights, 15 for health-derived insights). |
| Categorical Labels | Pre-defined, non-numerical descriptors (e.g., "Warm," "High," "Moderate") used in place of exact values to protect privacy when sharing community data |
| GDPR | General Data Protection Regulation (EU) |
| CCPA/CPRA | California Consumer Privacy Act / California Privacy Rights Act |
| APPs | Australian Privacy Principles |
| PIPEDA | Personal Information Protection and Electronic Documents Act (Canada) |
| LGPD | Lei Geral de Proteção de Dados (Brazil) |
14. Summary of Key Points
| What We Do | What We Don't Do |
|---|---|
| Store data locally on your device by default | Sell or share your personal information |
| Use iOS Keychain encryption (AES-256) | Share health data with advertisers |
| Give you full control over your data | Use data for targeted advertising |
| Allow export and deletion | Share with insurers or employers |
| Require opt-in for community features | Make automated decisions affecting you |
| Require opt-in for AI features | Collect data from children under 13 |
| Require opt-in for Apple Health access | Upload raw Apple Health values to Sensus servers |
| Keep raw Apple Health values out of community data, analytics, and storage | Share raw Apple Health values with advertisers, brokers, insurers, or employers |
| Send only categorical health labels in community uploads (with dual consent) | Sell or share health data for advertising |
| Send relevant raw values in AI prompts (opt-in only) so the AI is accurate about your body | Use AI prompt data for any purpose other than generating your response |
| Generate body-memory notifications entirely on your device | Transmit any data off your device to schedule body-memory notifications |
| Send only categorical chip values for athlete follow-up community uploads | Share free-text athlete follow-up responses or exact dates |
| Present research-backed information with transparent sources | Provide medical diagnoses or clinical advice |
| Use reduced-accuracy location solely for weather | Store or transmit your location coordinates |
| Share only categorical weather labels (with consent) | Share precise weather values or your location |
| Use bucketed values and enum categories for community data | Share free-text notes, journal entries, or exact values |
| Comply with global privacy laws | Retain data longer than necessary |
| Respond to rights requests within applicable legal timeframes | Discriminate for exercising rights |
| Notify you of data breaches via email, in-app notice, or push notification | Write to or modify your Apple Health data |
| De-identify community data before upload | Share your notes or free-text entries |
| Acknowledge the limits of de-identification on health data | Claim absolute anonymisation we cannot guarantee |
15. Legal Framework Compliance
This Privacy Policy is designed to comply with:
| Jurisdiction | Law/Regulation |
|---|---|
| Australia | Privacy Act 1988 (Cth), Australian Privacy Principles |
| European Union | General Data Protection Regulation (GDPR) |
| United Kingdom | UK GDPR, Data Protection Act 2018 |
| United States | CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), MCDPA (Montana), TIPA (Tennessee) |
| Canada | PIPEDA, provincial privacy laws |
| Brazil | LGPD |
| Global | Apple App Store Guidelines, Apple HealthKit Guidelines |
This policy was last reviewed for legal compliance on May 7, 2026.