Privacy Policy
Sensus - Body Literacy. Powered by You.
Effective Date: February 18, 2026 | Last Updated: June 24, 2026
Introduction
Sensus ("we," "us," or "our") is committed to protecting your privacy and handling your personal information in accordance with applicable privacy laws worldwide, including:
- Australia: Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)
- European Union/UK: General Data Protection Regulation (GDPR) and UK GDPR
- United States: California Consumer Privacy Act (CCPA/CPRA) and other state privacy laws
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
- Brazil: Lei Geral de Proteção de Dados (LGPD)
This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the Sensus mobile application ("App"). We obtain your explicit, affirmative consent for each category of data processing through in-app consent flows (toggles, permission dialogs, and opt-in screens) before any data is collected or shared. You may withdraw any consent at any time through in-app controls or by contacting us.
Global Privacy Compliance
This Privacy Policy is designed to comply with major privacy frameworks worldwide, including:
- Australian Privacy Principles (APPs): Transparency, data minimisation, security, access, and correction rights
- GDPR (EU/UK): Lawful basis for processing, data subject rights, breach notification, international transfers
- CCPA/CPRA (California): Right to know, delete, correct, and opt-out; no sale of personal information
- PIPEDA (Canada): Consent, accountability, and individual access
- LGPD (Brazil): Data subject rights and lawful processing bases
1. Information We Collect
1.1 Information You Provide Directly
When you use the App, you may provide:
Wellness Data (Sensitive/Health Information):
- Pain and discomfort logs (location, intensity, type)
- Body region markers and sensation descriptions (stabbing, deep, radiating)
- Body state check-ins (e.g., "thriving," "balanced," "unsettled," "struggling")
- Positive body sensation markers (e.g., lightness, energy, ease, strength, openness)
- Mood indicators (e.g., "Great," "Good," "Neutral," "Difficult")
- Sleep quality indicators (e.g., "Great," "Fair," "Poor")
- Stress level indicators (e.g., "Minimal," "Moderate," "High")
- Contextual factors you select or enter (sleep quality, exercise, stress, posture, weather, and other wellness contexts)
- Context details (e.g., hours of sleep, type of exercise)
- Micro-question responses (structured wellness dimension questions, e.g., recovery status, hydration, social activity)
- Daily follow-up prompt responses (for users whose onboarding profile indicates competitive athlete activity level): structured chip selections covering niggles, sleep quality, leg heaviness, recovery confidence, soreness location, and other validated sport-science dimensions adapted from the Hooper Index, AFAQ, and sRPE-adjacent instruments. Pre-defined chip values only - no free-text responses.
- Movement and exercise observations
- Movement response ratings (immediate comfort level, baseline symptoms, perceived effort, threat perception)
- Follow-up movement responses (change detection, direction, timing)
- Multi-week intervention tracking outcomes (verified outcomes over 4-week periods)
- Response ratings for movements explored in the movement library
- Personal notes and observations
- Daily React (v1.8.6, one-tap daily read): An optional one-tap response to your daily Body Forecast. With a single tap you tell the App whether today feels Spot on, Better, or Worse than its read of your body (or that something is off, which opens the full check-in). This "felt-versus-data" response is saved on your device as a check-in and records how your subjective experience compared with the App's objective read. It is a pre-defined categorical selection only - no free text - and is stored locally on your device (in the iOS Keychain). Only if you opt in to community sharing does it contribute to the categorical Pattern Signature below, as a directional "gap tendency" label (see Section 5.4); it is never uploaded as individual content.
- Movement Capacity inputs (v1.8.5, muscle recovery): Optional one-tap inputs you may give to refine the App's muscle-recovery estimates: a "seed tap" that tells the App which muscle group a strength workout trained (chosen from pre-defined splits such as Legs, Push, Pull, Upper, or Full body) and a "self-check" answer indicating whether a recently-worked area still feels sore. These are pre-defined categorical selections only - no free text and no numbers - and are stored locally on your device (in the iOS Keychain). They are used on-device to compute your recovery states; only if you opt in to community sharing is a single categorical recovery signal contributed (see Section 3.2 and Section 5.4).
- Pattern Signature (v1.8, schema v2 as of v1.8.1, computed automatically): A categorical snapshot of your overall wellness profile, computed entirely on your device from your recent check-ins. The signature is composed only of bucketed values: body-region focus (five values between 0 and 1 representing how often you log each broad region), body-state fractions (proportion of recent check-ins reading tough, steady, or strong), top trigger category (general label such as "movement," "sleep," or "stress" - never a specific trigger string), a sleep bucket, an HRV (heart-rate-variability) trend label, a resting-heart-rate trend label, a step-count trend label, a recovery-speed bucket (a categorical label for how quickly your tougher days tend to ease, included only when enough data exists), a felt-versus-data gap tendency label (a directional category such as aligned, tends-better, tends-worse, or mixed, summarising whether your one-tap daily reactions tend to run better or worse than the App's objective read, included only when enough reactions exist), and the number of check-ins the signature was computed from. The trend labels are directional categories only (for example, rising, falling, or stable) derived on your device from your Apple Health data - they never contain raw values. The signature also carries a single timestamp recording when it was computed (used to detect stale signatures), but no check-in dates and no per-entry dates. The signature does not contain free-text, raw health values, individual check-in content, or any directly identifying information. If you opt in to community sharing, this signature is uploaded to enable the Consensus (Living Map) feature described in Section 3.2.
Profile Information (Optional):
- Display name
- Age range and date of birth (for personalised greetings and to enforce the App's 13+ minimum age)
- Activity level
- Wellness goals
- Injury history
- Training background
Account Information (optional - only if you choose to sign in):
Creating an account is entirely optional - you can always choose "Maybe later" and use the App without one. If you sign in, we collect a minimal contact record so we can reach you (for support, account recovery, important product or policy updates, and occasional invitations to give feedback or take part in research). You can sign in using:
- Sign in with Apple - we receive a stable Apple user identifier and, if you allow it, your name and email. If you choose "Hide My Email," Apple gives us a private relay address (e.g., something@privaterelay.appleid.com) instead of your real email - see Section 8.9.
- Sign in with Google - we receive your Google account email, name, and the unique account identifier.
From this we store a minimal contact record: your Firebase authentication identifier (a random account ID - not your Apple ID or device ID), the sign-in provider (Apple or Google), your email (or Apple private-relay address), your display name (only if provided), the platform (iOS), the dates your account was first created and last used, and your communication preferences.
This contact record is the only directly-identifying information we store on a server, and it is kept completely separate from your wellness data (which stays on your device) and from the anonymous identifier used for community/Consensus features (Section 5.4). Your sign-in identity is never linked to your community contributions. The record is owner-scoped - only you, while signed in, can read or write it.
1.2 Apple Health Data (Optional, With Your Permission)
If you grant permission, the App reads the following data from Apple Health (read-only - we never write to Apple Health):
- Sleep analysis (hours slept)
- Step count
- Active energy burned (calories)
- Heart rate (average)
- Resting heart rate
- Heart rate variability (HRV)
- Blood oxygen saturation (SpO2)
- Respiratory rate
- Mindful minutes
- Walking asymmetry percentage
- Walking speed, step length, and walking steadiness (gait metrics)
- Double support percentage (gait metric)
- Workout type and duration
When multiple data sources exist in Apple Health for the same metric (e.g., a wearable device and iPhone sensors), the App may prioritise the source it determines to be most accurate. This source preference is applied entirely on your device and does not result in any additional data collection.
Raw Apple Health values are stored locally on your device by default. They are never shared with advertisers, data brokers, insurers, or employers. They are never uploaded to Sensus community storage - community data uses only categorical labels (see Section 5.4).
Exception - AI features (separate opt-in): If you enable AI features (Body Forecast and Ask Sensus), relevant Apple Health values (for example, sleep hours, heart rate variability, resting heart rate) may be included in prompts sent to Google Vertex AI at the moment of generating an AI response, so the AI can reason accurately about your body state. This only happens when AI features are enabled, only at the moment of the query, and Google does not retain this data for training or advertising. If you do not enable AI features, no Apple Health values leave your device. See Section 8.4 for details.
Exception - practitioner sharing (separate opt-in): If you link a practitioner (Section 8.10), health-derived values relevant to your care (for example sleep hours, HRV, resting heart rate, steps, and gait metrics) are included in the check-ins shared with that practitioner. This happens only for practitioners you have explicitly linked, and all shared data is deleted when you unlink.
1.3 Weather and Location Data (Optional, With Your Permission)
If you grant location permission, the App accesses your approximate location (reduced accuracy, approximately 5 km) solely to retrieve current weather conditions via Apple WeatherKit.
- Weather conditions fetched: temperature, humidity, barometric pressure, weather condition, UV index, apparent temperature
- Barometric pressure history (used to compute pressure change trends)
Your location coordinates are never stored, transmitted to any server, or shared with any third party. Location is used solely at the moment of a check-in to retrieve weather data from Apple WeatherKit. Within your check-in entries we store only categorical weather labels (e.g., "Warm," "High humidity," "Dropping pressure"). For pressure-trend computation the App also keeps a rolling timeline of recent barometric pressure readings in device-local storage; these readings are never transmitted off your device. If you opt in to community sharing, only categorical labels are uploaded - never coordinates, city names, or precise weather values.
1.4 Information Collected Automatically
The App may automatically collect:
Device Information:
- Device type and model
- Operating system version
- App version
- Unique device identifiers (for app functionality only)
- Time zone settings
Usage Information:
- App feature usage patterns
- Session duration and frequency
- Feature interactions
- Error logs and crash reports
1.5 Information We Do NOT Collect
We do not collect:
- Your name (unless you voluntarily provide a display name or it is shared via account sign-in)
- Your precise location or GPS coordinates (we request reduced-accuracy location solely for weather data and do not store or transmit coordinates)
- Your contacts or address book
- Your photos, camera, or microphone data
- Your browsing history outside the App
- Financial information or payment details
- Government identifiers (Social Security, Medicare, Tax File Numbers, etc.)
- Biometric data (fingerprints, face scans, etc.)
1.6 Categories of Personal Information (CCPA Disclosure)
For California residents, we collect the following categories of personal information:
- Category A: Identifiers (device ID; email and account identifier if you sign in)
- Category B: Personal information under California Civil Code Section 1798.80(e) (none collected)
- Category C: Protected classification characteristics (age range only)
- Category D: Commercial information (none collected)
- Category F: Internet or network activity (app usage patterns)
- Category G: Geolocation data (approximate location for weather only, never stored or transmitted)
- Category K: Inferences drawn from the above (wellness patterns and insights, including the categorical Pattern Signature described in Section 1.1)
We do NOT sell or share your personal information for cross-context behavioral advertising.
2. Legal Basis for Processing (GDPR/UK GDPR)
We process your personal information based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Providing core App functionality | Performance of contract (Article 6(1)(b)) |
| Processing health/wellness data | Explicit consent (Article 9(2)(a)) |
| Processing Apple Health data | Explicit consent (Article 9(2)(a)) |
| Cross-modal health intelligence (on-device) | Explicit consent (Article 9(2)(a)) |
| Weather and approximate location (for weather data retrieval) | Explicit consent (Article 6(1)(a)) |
| Improving App features | Legitimate interest (Article 6(1)(f)) |
| Community insights (Consensus) | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| Community health metric signals | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| Community movement response and outcome data | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| Cohort pattern matching (Living Map / Consensus) | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| Muscle recovery estimates (Movement Capacity, on-device) | Explicit consent (Article 9(2)(a)) |
| Community recovery signals (Movement Capacity) | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| Post-workout recovery notification (Movement Capacity) | Consent / Legitimate interest (Article 6(1)(a)/(f)) |
| AI features (Google Gemini) | Explicit consent (Article 6(1)(a)) |
| Account creation and contact (Sign in with Apple / Google) | Consent (Article 6(1)(a)) / Performance of contract (Article 6(1)(b)) |
| Practitioner linking and sharing ("Care Team") | Explicit consent (Article 6(1)(a) and 9(2)(a)) |
| App attestation / anti-abuse (Apple App Attest, Firebase App Check) | Legitimate interest (Article 6(1)(f)) |
| Local notifications | Consent / Legitimate interest (Article 6(1)(a)/(f)) |
| Presenting research-backed health information | Legitimate interest (Article 6(1)(f)) |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
| Security and fraud prevention | Legitimate interest (Article 6(1)(f)) |
Health Data: As wellness data and Apple Health data constitute "special category data" under GDPR, we rely on your explicit consent to process this information. You provide this consent when you accept this Privacy Policy and enable the relevant features in the App.
3. How We Use Your Information
3.1 Primary Purposes
We use your information to:
- Enable you to log, track, and view your wellness data
- Generate personal patterns, trends, and insights from your logged data
- Provide on-device analysis to identify correlations and patterns (e.g., contextual factors associated with elevated or reduced discomfort)
- Provide cross-modal health intelligence by correlating your Apple Health metrics with your logged body states to identify personal body signals (computed entirely on your device)
- Personalise health metric interpretation by combining your self-reported activity level with Apple Health cardiac data (resting heart rate, heart rate variability) to adjust what the App considers typical ranges for your fitness profile (computed entirely on your device)
- Surface personalised Discovery Cards - automated insights connecting patterns you may not have noticed, computed entirely on your device
- Generate your daily Body Forecast - a prediction of how your body may feel based on your patterns, health data, and community trends
- Estimate how recovered each muscle group is (Movement Capacity) from the Apple Health workouts you record (type, duration) and your check-ins, shown as qualitative recovery states (for example "recovering," "sore," "recovered") and a soft "ready when" window - computed entirely on your device, never as a precise per-muscle percentage
- Generate flare predictions based on your historical patterns, day-of-week trends, context accumulation, health metric changes, and intensity trends (computed entirely on your device)
- Detect seasonal and weather-related patterns in your wellness data (computed on your device)
- Detect noteworthy patterns that you may wish to discuss with a healthcare provider (see Section 3.3)
- Provide post-check-in intelligence: personalised insights shown immediately after each log
- Present research-backed health information from published medical literature matched to your logged body regions, including intervention effectiveness data, evidence quality, and clinical sources (see Section 3.5)
- Compare your personal wellness averages against anonymised community averages when sufficient contributor thresholds are met
- Surface community well-being insights - aggregated patterns from users reporting positive body states in their check-ins
- Tailor movement suggestions based on your profile and logged regions
- Track your movement responses over time to identify which exercises help your specific body
- Generate healthcare provider summaries for your personal use
- Display at-a-glance statistics on your home screen (days active, weekly summary, contexts, and trends)
- Understand how features are used to improve the App
- Respond to your enquiries and provide technical assistance
3.2 Secondary Purposes (With Your Consent)
With your explicit opt-in consent, we may:
- De-identified Community Insights ("Consensus"): Aggregate your data with others to generate community-wide patterns. Your individual data is pseudonymised before upload and aggregated with other contributors. A minimum threshold of users (k-anonymity) is required before any aggregated data is displayed.
- Community Health Metric Signals: Aggregate categorical health pattern labels (e.g., "sleep correlates with how people feel") across consenting contributors to surface what the community's health metrics reveal collectively. Only categorical labels are shared, never raw health values. A stricter minimum contributor threshold applies to health-adjacent data.
- Community Movement Response Data: Aggregate your movement response ratings (comfort level, change detection, effort) with other users to determine which movements help for specific body regions. A minimum threshold of independent users and total trials is required before community movement data is displayed.
- Verified Outcome Data: If you complete a multi-week intervention tracking period, aggregate your outcome data (bucketed intensity changes, dose frequency category) with others to validate intervention effectiveness across the community. A stricter contributor threshold applies.
- Athlete Follow-Up Data: For users with competitive athlete activity level, aggregate categorical follow-up chip responses with other consenting athlete users to surface patterns across athletic communities. A minimum contributor threshold applies before any aggregate insight is displayed.
- Phantom Correlation Metadata: Aggregate delayed-effect pattern metadata to surface community-wide hidden correlations such as delayed triggers and protective factors.
- Cohort Pattern Matching ("The Consensus" / Living Map): Upload your computed Pattern Signature (see Section 1.1) to a Sensus-managed Firestore collection so that a scheduled server-side process can identify other users whose signatures are closest to yours. The result returned to your device contains only privacy-gated aggregate statistics about your matched cohort - the number of similar users (above a privacy floor of 5), the average similarity score, and the cohort's day-by-day distribution across "tough / steady / strong" buckets over the past 60 days. The identities of your matched peers are never exposed to your device or to any other user. Your signature is recomputed and re-uploaded periodically as your check-in history evolves; revoking community consent rotates your anonymous identifier (see Section 5.4) so any future re-opt-in produces a fresh, unlinked match cohort.
- Community Recovery Signals (Movement Capacity): When you answer a Movement Capacity recovery self-check (for example, confirming whether a worked muscle group still feels sore), contribute one anonymous, categorical data point to help improve recovery estimates for people with similar profiles. Each data point contains only coarse, non-identifying categories: a body area (e.g., legs), a coarse age band, a heart-rate-variability trend label relative to your own baseline, a general training-type label (e.g., runner, lifter), and a single "still sore" value, together with a derived cohort label combining those bands. It contains no raw health values, no exact numbers, no dates, and nothing that identifies you, and is tied only to your rotating anonymous community identifier (Section 5.4). The server aggregates these into a qualitative recovery tendency per cohort and surfaces a cohort only when at least 5 distinct contributors are present.
- Practitioner Sharing ("Care Team"): If you link a practitioner using their invite code, share your check-ins (including your notes), display name, and health-derived values with that practitioner so they can support your care between appointments, and exchange messages with them in-app. See Section 8.10 for full details. This is the only feature in which identifiable health information leaves your device, and it requires an explicit, per-practitioner opt-in.
- Communications: Send you updates, tips, or information about the App
- AI Chat and Intelligence (Google Gemini): Process summaries of your logged data and your training profile (activity level, training frequency, training types) through Google's AI services to power conversational features (Ask Sensus, SensusAI chat), Body Forecast explanations, weekly reports, pattern discovery, and personalised insights
3.3 Automated Pattern Detection and Decision-Making
The App includes on-device automated analysis that may identify patterns in your logged data, such as:
- Trends in noticeability over time
- Correlations between contexts and your logged sensations
- Correlations between Apple Health metrics and your logged body states (cross-modal body signals)
- Fitness-aware cardiac interpretation
- Flare prediction based on day-of-week patterns, context accumulation, intensity trends, and health metric changes
- Seasonal and weather-related pattern detection
- Delayed-effect correlations (phantom patterns)
- Recovery trajectory comparisons based on published research
- Muscle-recovery estimation (Movement Capacity, on-device): a recovery "clock" that maps your recorded workouts to muscle groups and estimates a qualitative recovery state for each, adjusted by your own Apple Health signals (such as heart-rate-variability trend, sleep, and age band) and your reported soreness. It produces only qualitative states and soft windows, never a precise per-muscle number, and runs entirely on your device
- Training-split learning (Movement Capacity, on-device): the App may learn your typical training rotation from your own past seed taps so it can pre-fill a one-tap guess of what you trained (always correctable). This is computed on your device from your own inputs only
- Automated matching of logged body regions to condition profiles sourced from published medical literature
- Comparison of personal intensity averages against community averages for similar body regions
- Patterns that may warrant discussion with a healthcare provider ("Red Flag" alerts)
- Pattern Signature computation (on-device): A categorical snapshot of your wellness profile is computed on your device from your recent check-ins. The computation produces only bucketed values (see Section 1.1, which as of v1.8.1 includes directional trend labels for HRV, resting heart rate, and step count) and is used either locally to position your dot in the Consensus visualisation, or - if you have opted in to community sharing - uploaded so that the cohort-matching process below can run.
- Cohort similarity matching (server-side, with consent): If you opt in to community sharing, a scheduled Cloud Function computes the nearest-neighbour cohort for your Pattern Signature across all other consenting users' signatures. The function writes back only aggregate cohort statistics (count, average similarity, day-by-day cohort state distribution over a rolling 60-day window). Peer identities are never written to your match document. The matching only surfaces a cohort to you once at least 5 peer signatures meet the similarity threshold.
Your Rights Regarding Automated Processing (GDPR Article 22):
- These analyses are observational suggestions only - they are informational, not prescriptive
- No legally or similarly significant decisions are made automatically. Forecasts, predictions, and cohort visualisations (including Body Forecast, flare predictions, and the Consensus Living Map) are statistical observations and do not constitute medical advice, clinical decisions, or instructions to act. They do not restrict, alter, or determine your access to any service.
- You are never required to act on any automated insight, prediction, or cohort observation
- You can request human review of any automated insight by contacting us
- You can object to automated processing at any time
- You can disable specific automated features (Body Forecast, notifications, AI features, community sharing) independently through in-app controls
Important: Automated analyses are NOT diagnostic, NOT medical advice, and NOT a substitute for professional healthcare assessment.
3.4 What We Do NOT Do
We do NOT:
- Sell your personal information to any third party (as defined under CCPA/CPRA)
- Share your personal information for cross-context behavioral advertising
- Share identifiable health data with advertisers
- Use your data for targeted advertising
- Share your data with insurance companies or employers
- Provide medical diagnoses, treatment recommendations, or clinical advice
- Upload raw Apple Health values to Sensus community storage, advertisers, data brokers, insurers, or employers (when AI features are enabled, relevant values are sent to Google Vertex AI at the moment of an AI query - see Section 8.4; when you link a practitioner, health-derived values are shared with that practitioner at your direction - see Section 8.10)
- Store or transmit your location coordinates
- Link your account sign-in identity to your de-identified community contributions, your Pattern Signature, or your cohort matches
- Reveal the identity of any matched peer to your device or to any other user. The cohort-matching process described in Section 3.2 returns only aggregate counts and bucket distributions - no peer identifiers, no peer signatures, and no per-peer detail.
3.5 Research-Backed Health Information
The App includes a curated knowledge base sourced from published medical literature, including Cochrane Systematic Reviews, NICE Clinical Guidelines, WHO publications, and peer-reviewed studies. This knowledge base:
- Is bundled locally within the App (no external server requests to access it)
- Contains condition profiles, intervention effectiveness data, trigger correlations, and recovery timelines sourced from published research
- Is automatically matched to your logged body regions to show relevant research findings
- Displays transparent attribution including source names, sample sizes, and evidence quality
- Is clearly labelled as "From the research" to distinguish it from community-sourced data
Important: Research-backed information presented in the App is for educational and informational purposes only. It is sourced from published studies and clinical guidelines but is NOT personalised medical advice, NOT a diagnosis, and NOT a substitute for consultation with a qualified healthcare professional. Intervention effectiveness data reflects population-level study outcomes and may not apply to your individual circumstances.
4. Data Storage and Security
4.1 Local Storage by Default
Your wellness data is stored locally on your device by default. This means:
- Your data remains on your device under your direct control
- Data is not transmitted to external servers unless you opt in to specific features (Community Sharing or AI Features) or create an account (Section 8.9)
- Uninstalling the App deletes your local data
4.2 Encryption and Security Measures
iOS Keychain Encryption:
Your wellness data is encrypted using iOS Keychain, Apple's secure storage system, providing:
- AES-256 encryption at rest
- Hardware-backed security on supported devices
- Data accessible only when your device is unlocked (kSecAttrAccessibleWhenUnlockedThisDeviceOnly)
- Data that is non-transferable between devices, enforced by the Keychain configuration above
Additional Security Measures:
- Encryption of data in transit (TLS 1.3)
- Secure coding practices following OWASP guidelines
- Regular security assessments
- Access controls and authentication
- Incident response procedures
- App attestation via Apple App Attest and Firebase App Check, used to verify that requests to our backend originate from a genuine, untampered copy of the App running on a real device (an anti-abuse safeguard that helps protect community data and AI services from automated misuse). App attestation uses a device-generated cryptographic key and does not collect personal data. See Section 8.8.
4.3 International Data Transfers
If you enable AI features, community sharing, or create an account, your data may be transferred to and processed in countries outside your jurisdiction, including the United States and Australia.
For EU/UK Users: We ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures as required
Data Processing Agreements: We maintain Data Processing Agreements (DPAs) with our service providers, including Google (Firebase/Firestore, Firebase Authentication, and Gemini AI), that govern how they process data on our behalf and ensure compliance with applicable data protection laws.
For All Users: Our service providers maintain appropriate security standards and contractual obligations to protect your data.
Risk Assessment: Given that the App processes health-related data, we have evaluated the risks associated with our data processing activities and apply appropriate safeguards including local-first storage, on-device computation, k-anonymity thresholds, categorical-only sharing of any health-derived data, automatic rotation of the anonymous community identifier on consent revocation, app attestation against automated abuse, and explicit opt-in consent flows. We will conduct and document a formal Data Protection Impact Assessment (DPIA) under GDPR Article 35 as our processing scale grows or when we introduce material changes to our data processing practices.
4.4 Data Retention
| Data Type | Retention Period |
|---|---|
| Local wellness data | Until you delete it or uninstall the App |
| Discovery Card history | Until you delete data or uninstall the App |
| Movement response history | Until you delete it or uninstall the App |
| Verified outcome history | Until you delete it or uninstall the App |
| Movement Capacity local data (muscle-recovery states, seed taps, self-check answers) | Stored locally on your device (iOS Keychain); pruned automatically to a recent window and deleted when you delete data or uninstall the App. Cleared by "Delete All My Data." |
| De-identified recovery signals (Movement Capacity) | Indefinitely (aggregated, contributor-unlinkable). Each record carries only categorical buckets keyed to your rotating anonymous identifier. |
| Weather data (categorical labels within check-ins) | Until you delete the associated check-in or uninstall the App |
| De-identified community data | Indefinitely (aggregated, contributor-unlinkable) |
| De-identified health pattern flags | Indefinitely (aggregated categorical labels only) |
| De-identified movement response and outcome data | Indefinitely (aggregated, contributor-unlinkable) |
| De-identified phantom correlation metadata | Indefinitely (aggregated, contributor-unlinkable) |
| De-identified athlete follow-up responses | Indefinitely (aggregated, contributor-unlinkable) |
| Pattern Signatures (one document per anonymous user, overwritten on each upload) | Until you revoke community consent or delete your data. On consent revocation your anonymous identifier is rotated, after which the prior signature can no longer be associated with you. Retained indefinitely in aggregate matching pools to support ongoing cohort matches for other users. |
| Cohort match results (one document per anonymous user, overwritten on each match cycle) | Replaced approximately hourly by the matching Cloud Function. Contains only aggregate cohort statistics; no peer identities. Deleted at the next match cycle after you revoke community consent (or sooner if you delete data, subject to the irreversible nature of de-identified aggregates). |
| Cohort trajectory data (60-day rolling state distribution) | Stored within the cohort match results document; rolling 60-day window, overwritten on each aggregation cycle. |
| Practitioner-shared check-ins, messages, and client record | Until you unlink that practitioner or use "Delete All My Data" - both delete all shared check-ins, the message thread, and your client record from the practitioner's view |
| Push notification token (for practitioner messages) | While at least one practitioner link exists; deleted when you unlink your last practitioner or use "Delete All My Data" |
| Account contact record (users collection - Firebase ID, provider, email/relay, display name, timestamps) | While your account exists; deleted in-app via "Delete All My Data" (which also deletes the sign-in account itself) or on request to contact@joinsensus.com. Kept separate from community data and never linked to it. |
| Research knowledge base (bundled medical literature) | Updated with App releases; sourced from published research |
| AI-generated weekly reports (local) | Last 12 reports stored locally; deleted with App uninstall |
| Backup data (if applicable) | 90 days |
| Support communications | 3 years |
| Apple Health snapshots (raw values) | Stored locally within check-in entries; deleted with entries |
| Location coordinates | Not retained - used momentarily for weather retrieval and immediately discarded |
4.5 Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- GDPR/UK: Notify the relevant supervisory authority within 72 hours and notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms
- Australia: Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches scheme
- CCPA: Notify affected California residents as required by law
Notification mechanism: Where we have your email address, we will notify you by email. Where we do not, we will notify you via prominent in-app notice on next launch and, where appropriate, push notification. Public notices will also be posted on the App's website.
5. Disclosure of Information
5.1 When We May Disclose Information
Service Providers:
- Cloud hosting providers - Google Firebase / Firestore (for community data, if you opt in)
- Authentication provider - Firebase Authentication (Google), with Apple and Google as sign-in identity providers (stores your account contact record - see Section 8.9)
- AI service providers - Google Gemini via Firebase AI / Vertex AI (with your consent, see Section 8.4)
- Weather data provider - Apple WeatherKit (approximate location used momentarily; coordinates not stored or transmitted to our servers)
- App attestation providers - Apple App Attest and Firebase App Check (anti-abuse; no personal data collected, see Section 8.8)
- Analytics services (anonymised data only)
- Customer support platforms
At Your Direction:
- Your linked practitioner ("Care Team") - if you link a practitioner by invite code, the data described in Section 8.10 is shared with that practitioner. Practitioners receive this data to support your care and are independently responsible for handling it in accordance with their professional and legal obligations. Sharing stops, and shared data is deleted, when you unlink.
Legal Requirements:
- In response to valid legal process (court orders, subpoenas)
- To comply with requests from government agencies with lawful authority
- To protect our legal rights or the safety of users
Business Transfers:
In connection with a merger, acquisition, or sale of assets (with notice to you and opportunity to delete your data)
5.2 We Do NOT Disclose Your Information To:
- Advertisers or marketing companies
- Insurance companies
- Employers or recruitment agencies
- Data brokers
- Any third party for their own marketing purposes
- Law enforcement without valid legal process
5.3 De-identified and Aggregated Data
We may share de-identified, aggregated data for:
- Research and statistical purposes
- Public health insights
- Academic research (with appropriate ethics approval)
This data is aggregated to reduce re-identification risk to a level appropriate for the purpose. See Section 5.4 below for the limits of de-identification on health-related data.
5.4 De-identification Process for Community Data
When you opt in to community data sharing, the following de-identification (pseudonymisation and aggregation) is applied before any data leaves your device. We use the term "de-identified" rather than "anonymised" because no de-identification process for health-related data can guarantee the impossibility of re-identification under all circumstances. The combined effect of the measures below substantially reduces re-identification risk to a level appropriate for aggregated community insights:
- Dates removed: Only day of week, hour of day, and relative offsets are shared (never actual dates)
- Coordinates removed: Body map coordinates are generalised to broad regions
- Free-text excluded: Personal notes, "What Changed" entries, and journal text are never uploaded
- Sensations and triggers limited to a fixed vocabulary: The sensations and triggers shared with the community are limited to Sensus's pre-defined set of categorical labels. Any custom sensation or trigger you type yourself is kept only on your device and is never uploaded.
- Raw health values excluded from community data: Actual Apple Health numbers are never uploaded to Sensus community storage. Note: if you have enabled AI features (separate opt-in), relevant raw values may be included in prompts sent to Google Vertex AI at the moment of an AI query - this is entirely separate from community data sharing. See Section 8.4.
- Health pattern flags (categorical only): If you have Apple Health connected, categorical labels derived from your health data may be shared. These labels describe only the type of metric, direction, and magnitude bucket. They never contain actual health values.
- Weather data (categorical only): If weather data was collected at check-in, only categorical labels are shared.
- Intensity values rounded: Pain intensity values are rounded to the nearest 0.5
- Movement data (enum-based): Movement response data uses pre-defined categories only.
- Verified outcomes (bucketed): Multi-week intervention outcomes use bucketed intensity changes and dose frequency categories.
- Phantom pattern metadata (categorical): Delayed-effect pattern data uses only pattern type, factor categories, magnitude buckets, lag categories, and confidence buckets.
- Athlete follow-up data (enum-based): Daily follow-up prompt responses use pre-defined chip categories only. No free-text responses, exact dates, or personally identifying information are ever uploaded.
- Mood, sleep, and stress (categorical): Shared as pre-defined categories only.
- Pattern Signature (categorical buckets only): The signature uploaded for cohort matching contains only the values described in Section 1.1 - five body-region focus values bucketed between 0 and 1, three body-state fractions, a trigger CATEGORY label (never a specific trigger string), a sleep bucket, an HRV trend label, a resting-heart-rate trend label, a step-count trend label, an optional recovery-speed bucket, a felt-versus-data gap tendency label (a directional category such as aligned, tends-better, tends-worse, or mixed), and a sample-size count, plus a single timestamp recording when the signature was computed. The three trend labels are directional categories only (for example rising, falling, or stable) and contain no raw health values. The signature does not contain check-in dates or per-entry dates, free-text, raw health values, individual check-in content, or directly identifying information.
- Recovery signals (Movement Capacity, categorical buckets only): If you answer a Movement Capacity self-check with community sharing on, the uploaded data point contains only a body area label, a coarse age band, a heart-rate-variability trend label relative to your own baseline, a general training-type label, a single "still sore" true/false value, and a derived cohort label combining those bands - plus your rotating anonymous identifier and a server timestamp. It contains no raw values, no exact numbers, no dates, and no free text. A scheduled process aggregates these by cohort and writes back only a qualitative recovery tendency (for example "often still sore," "mixed," or "mostly recovered") for cohorts of at least 5 distinct contributors; the exact counts of who answered which way are never surfaced, and cohorts below the threshold are dropped entirely.
- Cohort match results (server-written, peer identities never exposed): The matching Cloud Function writes back to your match document only aggregate statistics: cohort size (gated to require at least 5 peers above the similarity threshold), average similarity score, and a 60-day cohort state distribution (counts and fractions per day, with each day requiring at least 5 contributors to be populated). No peer identifiers, no peer signatures, and no per-peer trajectory information are ever written to your match document or sent to your device.
- Anonymous identifier: A stable, randomly generated UUID is used for all community contributions. This identifier is automatically rotated when you revoke community consent or use "Delete All Data," ensuring any future re-opt-in produces a fresh, unlinked identity. The identifier is never linked to your Apple ID, device identity, name, email, account sign-in, or any other personal information.
- K-anonymity: Community insights are only displayed when a minimum threshold of contributors is met. Health-adjacent insights, movement data, verified outcomes, athlete follow-up insights, and cohort matches each require thresholds appropriate to the sensitivity of the data - typically 5 contributors for categorical insights and 15 for health-derived insights, with each day of the cohort trajectory independently gated at 5 contributors.
Acknowledgement of limits: Despite the measures above, no de-identification technique applied to health-related data can guarantee absolute non-reidentification, particularly when combined with external data. We mitigate this through k-anonymity thresholds (minimum 5 contributors for categorical insights and 15 for health-derived insights), bucketed values, exclusion of free-text content, automatic rotation of the anonymous identifier on consent revocation, and the explicit non-exposure of peer identities in cohort matching. Aggregated community insights and cohort matches are released only when these thresholds are met. Once contributed, de-identified data cannot be linked back to you and therefore cannot be selectively retrieved or deleted.
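The following is an added illustration, not Sensus's own code, of the Section 5.4 steps applied to a single constructed check-in before anything would leave the device: the calendar date is reduced to day of week and hour, body-map coordinates are generalised to a region, intensity is rounded to the nearest 0.5, custom sensations and free text are dropped, and raw Apple Health values are never copied. The field names, the region grid, and the exact fixed vocabulary are assumptions made for the example.

```javascript
// Added illustration, not Sensus's own code: the Section 5.4 de-identification
// steps applied to one constructed check-in. Field names, the region grid and
// the sensation vocabulary are assumptions.

// Assumed fixed vocabularies (the policy names stabbing/deep/radiating and the
// four body states; the real lists may differ).
const SENSATION_VOCABULARY = new Set(['stabbing', 'deep', 'radiating']);
const BODY_STATES = new Set(['thriving', 'balanced', 'unsettled', 'struggling']);

// Assumed generalisation of a body-map coordinate (x, y in 0..1) to a broad region.
function coordinateToRegion(x, y) {
  if (y < 0.2) return 'head-neck';
  const side = x < 0.5 ? 'left' : 'right';
  return y < 0.55 ? `upper-${side}` : `lower-${side}`;
}

// Pain intensity rounded to the nearest 0.5, as the policy states.
function roundToHalf(value) {
  return Math.round(value * 2) / 2;
}

// Builds the record that would be uploaded: exact date replaced by day of week
// and hour (UTC here so the result is deterministic), coordinates generalised,
// custom sensations filtered out, free text and raw health values never copied.
function deidentifyCheckIn(checkIn, anonymousId) {
  const when = new Date(checkIn.timestamp);
  return {
    contributorId: anonymousId, // the rotating anonymous identifier, never the account
    dayOfWeek: when.getUTCDay(),
    hourOfDay: when.getUTCHours(),
    bodyState: BODY_STATES.has(checkIn.bodyState) ? checkIn.bodyState : 'unknown',
    intensity: roundToHalf(checkIn.intensity),
    regions: [...new Set(checkIn.markers.map((m) => coordinateToRegion(m.x, m.y)))],
    sensations: checkIn.sensations.filter((s) => SENSATION_VOCABULARY.has(s)),
    // Deliberately absent: timestamp, notes, whatChanged, health (raw values).
  };
}

// Constructed sample check-in (not real user data).
const SAMPLE_CHECK_IN = {
  timestamp: '2026-03-04T14:30:00Z',
  bodyState: 'unsettled',
  intensity: 6.3,
  markers: [{ x: 0.3, y: 0.4 }, { x: 0.35, y: 0.45 }, { x: 0.7, y: 0.8 }],
  sensations: ['stabbing', 'tingly after coffee'], // second value is a custom entry
  notes: 'Slept badly, stressed about work', // never uploaded
  health: { restingHeartRate: 62, hrv: 41 }, // raw values never uploaded
};

console.log(JSON.stringify(deidentifyCheckIn(SAMPLE_CHECK_IN, 'anon-placeholder-0001')));
```

The test of such a function is not what it keeps but what it leaves out: the uploaded object has no date, no notes, no raw health field, and only vocabulary sensations, so a free-text entry typed by the user can never reach community storage through this path.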
6. Your Privacy Rights
6.1 Rights for All Users
Regardless of your location, you have the right to:
- Access your personal information
- Correct inaccurate information
- Delete your personal information
- Export your data in a portable format
- Withdraw consent at any time
- Object to certain processing
- Lodge a complaint with a supervisory authority
6.2 Additional Rights for EU/UK Residents (GDPR)
- Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
- Right to Restriction: Request we limit how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
- Right Not to be Subject to Automated Decisions: Request human review of automated processing
To exercise these rights: Contact our Data Protection contact at contact@joinsensus.com or use the in-app features.
Supervisory Authority: You may lodge a complaint with your local data protection authority. EU residents: EDPB members directory. UK residents: UK Information Commissioner's Office.
6.3 Additional Rights for California Residents (CCPA/CPRA)
- Right to Know: Request disclosure of personal information collected, used, and disclosed
- Right to Delete: Request deletion of personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information
- Right to Limit Use of Sensitive Personal Information: Limit use of health data to what is necessary
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise these rights: Email contact@joinsensus.com or use in-app privacy controls. Response within 45 days (extendable by 45 days with notice).
Do Not Sell or Share My Personal Information: We do not sell your personal information or share it for cross-context behavioral advertising. No opt-out is necessary.
6.4 Additional Rights for Canadian Residents (PIPEDA)
- Right to Access: Request access to your personal information
- Right to Challenge Compliance: Challenge our compliance with PIPEDA
- Right to Withdraw Consent: Withdraw consent subject to legal restrictions
To exercise these rights: Contact contact@joinsensus.com
Office of the Privacy Commissioner of Canada: www.priv.gc.ca
6.5 Additional Rights for Australian Residents (APPs)
- Right to Access (APP 12): Request access to personal information we hold
- Right to Correction (APP 13): Request correction of inaccurate information
- Right to Complain: Lodge a complaint about our handling of your information
To exercise these rights: Contact contact@joinsensus.com or use in-app features.
Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Email: enquiries@oaic.gov.au
6.6 Additional Rights for Brazilian Residents (LGPD)
- Right to Confirmation and Access: Confirm processing and access your data
- Right to Correction: Correct incomplete or inaccurate data
- Right to Anonymisation, Blocking, or Deletion: Request for unnecessary data
- Right to Data Portability: Transfer data to another service provider
- Right to Information: Know about third parties with whom we share data
- Right to Revoke Consent: Revoke consent at any time
To exercise these rights: Contact contact@joinsensus.com
ANPD (National Data Protection Authority): www.gov.br/anpd
7. How to Exercise Your Rights
7.1 In-App Controls
You can exercise many rights directly in the App:
- Export Data: More > Privacy & Data > Export My Data
- Delete All Data: More > Privacy & Data > Delete All My Data. This permanently clears your local pain logs, movement responses, saved movements, profile preferences (including date of birth), all notification and alert preferences, AI consent, community consent, and the upload-tracking state of every community uploader. It also rotates your anonymous community identifier so any future re-onboarding produces a fresh, unlinked identity. If you have linked practitioners, it unlinks every practitioner - deleting all shared check-ins, message threads, and your client records from their view - and removes your push notification token. If you signed in, it also deletes your account contact record and the sign-in account itself. De-identified contributions previously made to community pools cannot be retrieved or deleted because they cannot be linked back to you (see Section 5.4).
- Unlink a Practitioner: More > Care Team > select the practitioner > Unlink. This stops all sharing and deletes every shared check-in, the message thread, and your client record from that practitioner's view (see Section 8.10).
- Manage Community Consent: More > Privacy & Data > Community Sharing toggle. When you disable community sharing, no further data is uploaded, the upload-tracking state of all community uploaders is cleared, and your anonymous community identifier is automatically rotated. Any future re-opt-in produces a fresh, unlinked identity. Previously contributed de-identified data cannot be retrieved or deleted because it is fully de-identified and aggregated and cannot be linked back to you. This de-identified data remains in aggregate community pools indefinitely.
- Manage AI Consent: More > AI Chat > AI toggle
- Manage Apple Health: More > Privacy & Data > Apple Health toggle. Disabling Apple Health prompts a confirmation describing what the App will no longer be able to do without these readings.
- Manage Location/Weather: iOS Settings > Privacy & Security > Location Services > Sensus
- Manage Notifications: More > Notifications & Alerts
- Correct Data: Edit entries directly in the App
7.2 Contact Us
For rights requests or questions:
- Email: contact@joinsensus.com
- Response Time: As required by applicable law (typically 30 days under GDPR/UK GDPR, up to 45 days under CCPA, extendable in complex cases with notice to you)
- Verification: We may need to verify your identity before processing requests
7.3 Authorised Agents (CCPA)
California residents may designate an authorised agent to submit requests on their behalf. We may require:
- Written authorisation from you
- Verification of the agent's identity
- Direct confirmation from you
8. Third-Party Services
8.1 Third-Party Links
The App may contain links to third-party websites or services not covered by this Privacy Policy. We encourage you to review their privacy policies.
8.2 Analytics Services
We may use privacy-preserving analytics to understand App usage. This data:
- Does not personally identify you
- Is aggregated and de-identified
- Helps us improve the App experience
Specific analytics events: We track aggregated, anonymous events such as feature usage, funnel milestones (first check-in, fifth check-in), notification scheduling and tap-through rates, and Ask Sensus engagement (whether questions were asked, whether responses were read). When you submit a question to Ask Sensus, the question text is processed on your device only - what is sent to our analytics is a categorical classification of the question type (e.g., "symptom," "pattern," "history," "general"), never the question text itself. We also record a "useful moment" event when on-device analysis detects that the App delivered observable value to you (a notification was tapped, a response was read, a weekly report was viewed). No event content includes personally identifying information.
8.2.1 Do Not Track Signals
The App does not currently respond to "Do Not Track" (DNT) browser signals or similar mechanisms, as the App is not a web browser product. We do not engage in cross-context behavioural advertising and do not allow third parties to do so through the App. You may control App-related tracking via iOS Settings > Privacy & Security > Tracking, and via in-app analytics and AI consent toggles.
8.3 App Store
The App is available through the Apple App Store. Your download and use are also subject to Apple's privacy policy.
8.4 AI Services (Google Gemini via Firebase AI)
The App includes optional AI-powered features powered by Google Gemini through Firebase AI / Vertex AI.
These features are entirely optional and require your explicit consent.
AI-powered features include:
- Conversational AI chat ("Ask Sensus" and "SensusAI")
- Body Forecast - daily prediction of how your body may feel
- Weekly reports - AI-generated narrative summaries of your weekly wellness trends
- Pattern discovery and flare prediction
- Post-check-in insights (when AI consent is granted)
- Movement correlation analysis
When enabled:
- Summaries of your logged data may be sent to Google's servers for processing
- Your training profile (activity level, training frequency, and training types from your onboarding profile) is included in AI prompts to contextualise health metric interpretations. No other profile information (name, date of birth, email) is included in AI prompts.
- Weekly reports: aggregated statistics and summarised check-in data are sent to Google's servers. Free-text notes, raw Apple Health values, and personally identifying information are never included in weekly reports.
- Body Forecast and Ask Sensus: when AI features are enabled, relevant raw Apple Health values may be included in the prompt sent to Google Vertex AI so the AI can generate an accurate forecast or respond to questions about how your body is doing. These values are sent at the moment of the query, tied to that single request only, and Google does not retain them for advertising or model training. Month and day of recent check-ins may also be included to provide temporal context; year and time of day are not sent. Free-text notes and personally identifying information are never included. If you do not enable AI features, no Apple Health values leave your device for this purpose.
- Google processes this data according to their privacy policy and data processing terms
- Data is used only to generate responses and is not used by Google for advertising or model training
- AI conversations are stateless; no conversation history is retained on any server
- AI-generated weekly reports are stored locally on your device only (last 12 reports)
- You can disable AI features at any time in Settings
If you do not enable AI features, no data is sent to Google for these purposes.
Google Privacy Policy: policies.google.com/privacy
8.5 Firebase / Google Cloud (Community Features)
If you opt in to community data sharing, de-identified data is stored in Google Firebase Firestore.
- Only de-identified data (as described in Section 5.4) is uploaded
- Firebase is used solely for storing and retrieving aggregated community insights
- No directly identifiable personal information is stored in Firebase community collections
- Categorical health pattern flags are stored alongside other de-identified community data when you have Apple Health connected and community sharing enabled
- Movement response data and verified outcomes are stored as de-identified, enum-based records with no free-text fields
- Phantom correlation metadata is stored for community-wide pattern aggregation
- Athlete follow-up response data is stored as de-identified records when both community sharing consent and competitive athlete activity level are present
- Categorical weather labels are stored alongside check-in data when weather data was collected
- Pattern Signatures are stored in a dedicated Firestore collection (community_pattern_signatures). Each contributor has at most one signature document, keyed by their rotating anonymous identifier, containing only the categorical buckets described in Section 1.1 (which as of v1.8.1 include directional trend labels for HRV, resting heart rate, and step count, never raw values). Documents are overwritten when a new signature is computed.
- Cohort match results are stored in a separate Firestore collection (community_signature_matches), written by a scheduled Cloud Function and read only by your device. Each user has at most one match document, keyed by their anonymous identifier. The document carries only aggregate cohort statistics (cohort size, average similarity, 60-day cohort state distribution). Peer identifiers are never written to these documents. Security model: these documents are readable by any device that already knows the anonymous identifier (which is a randomly generated UUID stored only in your device's local storage). Because the identifier is never written to any other server-side document and is never linked to your real identity, the identifier itself functions as the access secret.
- Recovery signals (Movement Capacity) are stored in a dedicated Firestore collection (community_recovery_signals) when you answer a recovery self-check with community sharing on. Each record contains only the categorical buckets described in Section 5.4, keyed by your rotating anonymous identifier. A scheduled Cloud Function aggregates them into per-cohort recovery tendencies (written to the community_aggregates collection), surfaced only at or above the k-anonymity floor of 5 distinct contributors; smaller cohorts are dropped, and the aggregate carries a qualitative tendency rather than exact counts.
- These data points are aggregated across contributors to generate community insights, subject to minimum contributor thresholds that vary by data sensitivity
- Access to these collections is additionally protected by Firebase App Check / Apple App Attest, which rejects requests that do not originate from a genuine copy of the App (see Section 8.8)
Google Cloud Privacy: cloud.google.com/terms/cloud-privacy-notice
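As an added illustration of the per-cohort aggregation described in Sections 5.4 and 8.5 (not Sensus's own scheduled Cloud Function), the code below groups constructed recovery-signal records by cohort, counts each anonymous identifier once, drops any cohort with fewer than 5 distinct contributors, and writes back only a qualitative tendency label with no counts. The field names, the "latest answer per contributor wins" rule, and the 60% / 40% cut-offs between the three labels are assumptions; the policy names the labels and the floor of 5 but not the boundaries.

```javascript
// Added illustration, not Sensus's scheduled Cloud Function: k-anonymity-gated
// aggregation of constructed Movement Capacity recovery signals. Field names,
// the one-vote-per-contributor rule and the label cut-offs are assumptions.

const K_MIN_CONTRIBUTORS = 5; // floor of 5 distinct contributors stated in the policy

// Assumed cut-offs between the three tendency labels named in the policy.
function tendencyLabel(soreFraction) {
  if (soreFraction >= 0.6) return 'often still sore';
  if (soreFraction <= 0.4) return 'mostly recovered';
  return 'mixed';
}

// records: [{ cohort, contributorId, stillSore }] where cohort is the derived
// label combining body area, age band, HRV trend and training type.
function aggregateRecoverySignals(records) {
  const votesByCohort = new Map();
  for (const record of records) {
    if (!votesByCohort.has(record.cohort)) votesByCohort.set(record.cohort, new Map());
    // Keyed by anonymous identifier so a contributor counts once toward the
    // floor; a later answer from the same identifier replaces the earlier one.
    votesByCohort.get(record.cohort).set(record.contributorId, record.stillSore);
  }
  const aggregates = {};
  for (const [cohort, votes] of votesByCohort) {
    if (votes.size < K_MIN_CONTRIBUTORS) continue; // below the floor: dropped entirely
    let sore = 0;
    for (const stillSore of votes.values()) if (stillSore) sore += 1;
    // Only the qualitative tendency is written back: no counts, no identifiers.
    aggregates[cohort] = { tendency: tendencyLabel(sore / votes.size) };
  }
  return aggregates;
}

// Constructed sample records (not real data); contributor ids are placeholders.
const SAMPLE_SIGNALS = [
  // cohort A: 6 distinct contributors, 5 still sore
  { cohort: 'shoulder|25-34|hrv-stable|strength', contributorId: 'a1', stillSore: true },
  { cohort: 'shoulder|25-34|hrv-stable|strength', contributorId: 'a2', stillSore: true },
  { cohort: 'shoulder|25-34|hrv-stable|strength', contributorId: 'a3', stillSore: true },
  { cohort: 'shoulder|25-34|hrv-stable|strength', contributorId: 'a4', stillSore: true },
  { cohort: 'shoulder|25-34|hrv-stable|strength', contributorId: 'a5', stillSore: true },
  { cohort: 'shoulder|25-34|hrv-stable|strength', contributorId: 'a6', stillSore: false },
  // cohort B: 6 records but only 4 distinct contributors, so it is dropped
  { cohort: 'knee|35-44|hrv-falling|running', contributorId: 'b1', stillSore: true },
  { cohort: 'knee|35-44|hrv-falling|running', contributorId: 'b1', stillSore: true },
  { cohort: 'knee|35-44|hrv-falling|running', contributorId: 'b2', stillSore: false },
  { cohort: 'knee|35-44|hrv-falling|running', contributorId: 'b2', stillSore: true },
  { cohort: 'knee|35-44|hrv-falling|running', contributorId: 'b3', stillSore: true },
  { cohort: 'knee|35-44|hrv-falling|running', contributorId: 'b4', stillSore: true },
  // cohort C: exactly 5 contributors; c1 answers twice and the later answer wins
  { cohort: 'calf|18-24|hrv-rising|cycling', contributorId: 'c1', stillSore: true },
  { cohort: 'calf|18-24|hrv-rising|cycling', contributorId: 'c1', stillSore: false },
  { cohort: 'calf|18-24|hrv-rising|cycling', contributorId: 'c2', stillSore: true },
  { cohort: 'calf|18-24|hrv-rising|cycling', contributorId: 'c3', stillSore: false },
  { cohort: 'calf|18-24|hrv-rising|cycling', contributorId: 'c4', stillSore: false },
  { cohort: 'calf|18-24|hrv-rising|cycling', contributorId: 'c5', stillSore: true },
];

console.log(JSON.stringify(aggregateRecoverySignals(SAMPLE_SIGNALS)));
```

Counting distinct identifiers rather than records is the point: a cohort with six answers from four people is below the floor and disappears from the output, and the surviving entries carry a label only, so a reader of the aggregate cannot infer how any one contributor answered.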
8.6 Apple HealthKit
If you grant permission, the App reads health data via Apple's HealthKit framework.
- We request read-only access; the App never writes to or modifies your Apple Health data
- Raw health values are cached in memory for 15 minutes and stored locally within your check-in entries
- If you opt in to community sharing, only categorical labels derived from your health data are uploaded to Sensus community storage. Raw values are never transmitted to Sensus servers.
- If you enable AI features (separate opt-in), relevant raw Apple Health values may be included in prompts sent to Google Vertex AI at the moment of an AI query (see Section 8.4). No Apple Health data is transmitted if AI features are disabled.
- Workout type and duration are also used on-device to estimate muscle recovery (Movement Capacity - Section 3.1). With your permission, the App may use HealthKit's background delivery to be notified when a new workout is recorded, so it can prepare an optional, on-device recovery notification (Section 9). This detection and any resulting notification happen entirely on your device; no Apple Health data is transmitted off your device for this purpose.
- When you disable Apple Health access in the App, a confirmation dialog is shown explaining that without these readings the App can no longer compute recovery trends, muscle-recovery estimates, body-memory notifications, cardiac-fitness adjustments, or correlate body states with sleep, HRV, and activity. You can confirm or cancel.
- You can revoke HealthKit access at any time via iOS Settings > Health > Sensus
Raw Apple Health values are never uploaded to Sensus community storage, shared with advertisers, or sold to data brokers. For community data sharing, only categorical labels are shared if you opt in to both Apple Health and community data sharing. If you enable AI features (Body Forecast and Ask Sensus), relevant raw values may be included in prompts sent to Google Vertex AI so the AI can reason accurately about your body state - see Section 8.4. If you link a practitioner, health-derived values are included in the check-ins shared with that practitioner at your direction - see Section 8.10.
Apple HealthKit Guidelines: developer.apple.com/health-fitness/
8.7 Apple WeatherKit
If you grant location permission, the App uses Apple WeatherKit to retrieve current weather conditions.
- The App requests reduced-accuracy location (approximately 5 km) solely for weather data retrieval
- Location coordinates are used momentarily and never stored, logged, or transmitted to our servers or any third party
- Weather data is processed by Apple's WeatherKit service according to Apple's privacy policy
- Only categorical weather labels are stored locally within your check-in entries
- Location permission is not requested until your third check-in, giving you time to understand the App before deciding
- You can revoke location access at any time via iOS Settings > Privacy & Security > Location Services > Sensus
8.8 App Attestation (Apple App Attest & Firebase App Check)
To protect our backend (community data and AI services) from automated abuse, the App uses Firebase App Check with Apple's App Attest service.
- When the App contacts our backend, it presents an attestation token proving the request comes from a genuine, untampered copy of the App running on a real Apple device.
- App Attest works by generating a cryptographic key on your device's secure hardware. It does not collect, transmit, or process any personal data, health data, or device identifiers that can identify you.
- This is purely an anti-abuse / security measure. It does not track you, build a profile, or feed any analytics or advertising.
- Attestation is processed by Apple (App Attest) and Google (Firebase App Check) according to their respective privacy policies.
Apple App Attest: developer.apple.com | Firebase App Check: firebase.google.com/docs/app-check
8.9 Account Sign-In (Sign in with Apple & Google)
Signing in is optional. If you choose to create an account, we use Firebase Authentication (a Google service) together with Sign in with Apple and/or Sign in with Google as identity providers.
- We store a minimal contact record in a dedicated Firebase Firestore collection (the "users" collection): your Firebase user identifier, sign-in provider, email (or Apple private-relay address), display name if provided, platform, and first-seen / last-seen timestamps. Nothing else.
- This record is owner-scoped - security rules ensure that only you, while signed in, can read or write your own record. No other user can access it.
- It is kept strictly separate from the anonymous community identifier (Section 5.4). Your sign-in identity is never linked to your de-identified community contributions, your Pattern Signature, or your cohort matches.
- Your wellness and Apple Health data is not stored in this record or tied to your account - it remains on your device (Section 4.1).
- Apple Private Email Relay: if you sign in with Apple and choose "Hide My Email," Apple provides a private relay address rather than your real email. Emails we send are forwarded to you by Apple; we never see your real address.
- We use this contact record only to reach you about the App - support, account recovery, important product or policy updates, and occasional invitations to give feedback or take part in research. We do not sell it, share it for advertising, or disclose it to third parties except the service providers listed in Section 5.1.
- Access to this collection is additionally protected by Firebase App Check / Apple App Attest (Section 8.8).
- You can delete your account and contact record in-app at any time via More > Privacy & Data > Delete All My Data (which deletes the contact record and the sign-in account itself), or by contacting contact@joinsensus.com.
Apple Sign-In: support.apple.com | Firebase Authentication: firebase.google.com/support/privacy
8.10 Practitioner Linking & Sharing ("Care Team")
If you are working with a physiotherapist, clinician, or other practitioner who uses Sensus, you can choose to link with them so they can follow your progress between appointments. This is the only feature in the App through which identifiable health information leaves your device. It is entirely optional, requires an explicit opt-in for each practitioner, and is fully revocable.
How linking works:
- Your practitioner gives you a short invite code. When you enter it, the App shows you exactly which practitioner and clinic the code belongs to before you confirm.
- Linking requires a signed-in account (Section 8.9), because the link is keyed to your account identity.
- Before anything is shared, the App asks for your explicit consent describing what will be shared.
What is shared with a linked practitioner:
- Your display name (so your practitioner knows whose data they are seeing)
- Your check-ins from the time you link (plus recent history so your practitioner has context): body state, intensity, body regions, sensations, contextual factors, your personal notes, and categorical weather labels
- Health-derived values relevant to your care, where available: sleep hours, heart rate variability, resting heart rate, step count, and gait metrics (walking speed, step length, walking steadiness)
Messaging and notifications:
- You and your linked practitioner can send each other messages inside Sensus. Messages are stored in our Firebase backend, readable only by you and that practitioner, and are deleted when you unlink.
- When your practitioner sends you a message, a push notification is delivered to your device via the Apple Push Notification service and Firebase Cloud Messaging. The notification never contains the message content - you open the App to read it.
- To deliver these notifications, a device push token is stored against your account (it identifies your app install for delivery purposes only). It is removed when you unlink your last practitioner or use "Delete All My Data."
Access, use, and deletion:
- Security rules ensure only the practitioner you linked can read your shared data - no other practitioner, user, or third party.
- Your practitioner may use the shared data to support your care, including generating progress summaries or reports (for example, a summary for your GP) as part of their professional service to you. Practitioners are independently responsible for handling your information in accordance with their professional and legal obligations.
- Unlinking deletes everything: when you unlink a practitioner (More > Care Team), all shared check-ins, the message thread, and your client record are deleted from our backend, and therefore from the practitioner's view. "Delete All My Data" does the same for every linked practitioner.
- Practitioner sharing uses your account identity and is kept strictly separate from the anonymous community identifier (Section 5.4). Linking a practitioner never connects your identity to your de-identified community contributions, Pattern Signature, or cohort matches.
9. Notifications
The App may send notifications with your permission:
| Notification Type | Content | Frequency |
|---|---|---|
| Daily check-in reminder | Reminder to log how your body feels | Once daily at your chosen time |
| Body Forecast | Daily prediction of how your body may feel | Up to once per day |
| Pattern alerts | Notification of newly discovered patterns | Up to once per week |
| Streak reminder | A nudge when your check-in streak is about to break (opt-in) | As needed, with cooldown |
| Evening check-in | Optional follow-up with step count context | Up to once per day |
| Movement follow-up | A prompt to log how a movement you recently tried felt | After a logged movement, with cooldown |
| Movement Capacity recovery (optional) | A value-first note that a muscle group is recovering after a workout (e.g., "your legs are recovering"). Generated and scheduled on your device after a workout is detected via Apple Health (Section 8.6). Lock-screen text never names exact metrics or values. | After a qualifying workout, at most once per day |
| Practitioner messages (only if you have linked a practitioner - Section 8.10) | A notice that your practitioner sent you a message. Delivered via push (APNs / Firebase Cloud Messaging). Never contains the message content. | As received |
| Body-memory notification ("Sensus Noticed") | A notification generated when on-device analysis detects a divergence between your objective health signal (sleep, HRV, resting heart rate) and your recent self-reports. Generated and scheduled entirely on your device - no data transmitted to any server to produce it. | Maximum once per 7 days |
With one exception, all notifications are generated and scheduled locally on your device and no notification content is transmitted to any server. The exception is practitioner-message notifications (Section 8.10), which are delivered via push when a linked practitioner messages you - these never contain the message content. Notification text shown on your lock screen is deliberately generic: it never names body regions, sensations, triggers, or health metric specifics; those details appear only inside the App. You can disable all notifications or manage individual types in Settings.
9.1 Home-Screen and Lock-Screen Widgets
If you add an optional Sensus home-screen or lock-screen widget, it displays a brief summary of your own data - such as your check-in streak or your Body Forecast for the day - directly on your device. Widget content is read from local on-device storage and is never transmitted to any server. You choose whether to add a widget and can remove it at any time. Note that a lock-screen widget you add may be visible on your locked device; you control whether to enable it.
10. Children's Privacy
10.1 Age Restrictions
The App is not intended for children under 13 years of age (or 16 in some EU jurisdictions). We do not knowingly collect personal information from children under these ages.
The App is rated 13+ on the Apple App Store. The minimum age is enforced through (a) the App Store's age rating system and (b) an in-app date-of-birth check during onboarding (a self-declared age gate, not identity verification) that prevents users with a calculated age below 13 from completing setup, with a root-level lockout screen for any user whose recorded age falls below the minimum. If we become aware that a user is under the applicable minimum age, we will promptly delete their data and terminate their access.
10.2 Parental Consent
Users between 13 and 18 years should review this Privacy Policy with a parent or guardian and obtain their consent before using the App.
10.3 COPPA Compliance (United States)
We comply with the Children's Online Privacy Protection Act (COPPA). If we learn we have collected information from a child under 13 without parental consent, we will delete it promptly.
10.4 Notification
If you believe we have collected information from a child under the applicable age, please contact us immediately at contact@joinsensus.com.
11. Changes to This Privacy Policy
11.1 Updates
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors.
11.2 Notification of Material Changes
For material changes, we will:
- Provide in-app notification at least 30 days before changes take effect
- Update the "Last Updated" date
- For EU/UK users, obtain fresh consent if required for new processing activities
11.3 Continued Use
Your continued use of the App after changes take effect constitutes acceptance of the updated policy. If you do not agree, please stop using the App and delete your data.
12. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Data Controller:
Sensus (operated by Leilani Matovina, Sole Trader)
Sydney, New South Wales, Australia
Email: contact@joinsensus.com
Data Protection Contact:
For all privacy requests, data protection matters, and rights enquiries:
Email: contact@joinsensus.com
EU/UK Users (GDPR / UK GDPR):
We are a sole-trader business based in Australia. EU and UK users may exercise all data subject rights by contacting us directly at contact@joinsensus.com and may also lodge complaints with their national data protection authority. The App is currently distributed only in territories where we are appropriately set up to comply with local requirements; the App may not be available for download in all EU/UK markets.
Response Time: We aim to respond to all enquiries as required by applicable law (typically within 30 days under GDPR/UK GDPR, up to 45 days under CCPA, extendable in complex cases with notice to you).
13. Definitions
| Term | Definition |
|---|---|
| Personal Information/Data | Information that identifies or can identify an individual |
| Sensitive Information | Health information, genetic data, biometric data, and other special categories |
| Processing | Any operation performed on personal data |
| Controller | Entity that determines purposes and means of processing (Sensus) |
| Processor | Entity that processes data on behalf of the controller |
| Consent | Freely given, specific, informed, and unambiguous agreement |
| De-identification | The process of removing or transforming information so it can no longer be readily linked to an identified individual. |
| Pseudonymisation | Replacing direct identifiers with a stable, randomly generated identifier (UUID) that is not linked to any other personal information about you |
| Account Contact Record | The minimal directly-identifying record (Firebase user ID, sign-in provider, email or Apple relay address, optional display name, platform, timestamps) stored when you choose to sign in. Owner-scoped and kept strictly separate from the anonymous community identity. |
| Consensus | The App's community feature aggregating de-identified data from consenting users to surface collective wellness patterns and insights, including the Living Map cohort visualisation introduced in v1.8. |
| Living Map (introduced v1.8) | The visualisation surface within the Consensus tab that places the user's own dot among a constellation of peer dots representing the cohort matched by Pattern Signature similarity. The map displays only counts and bucketed distributions - no per-peer identity, signature, or detail is ever exposed. |
| Pattern Signature (introduced v1.8; schema v2 in v1.8.1) | A categorical snapshot of a user's overall wellness profile, computed entirely on-device from recent check-ins. Composed only of bucketed region-focus values, body-state fractions, a top-trigger CATEGORY label, sleep bucket, an HRV trend label, a resting-heart-rate trend label, a step-count trend label, an optional recovery-speed bucket, a felt-versus-data gap tendency label, and a sample-size count (plus a timestamp marking when it was computed). The trend labels are directional categories only and contain no raw health values. The signature contains no check-in dates, no free-text, no raw health values, and no directly identifying information. Uploaded (with community sharing consent) to enable cohort matching. |
| Daily React (introduced v1.8.6) | An optional one-tap daily response to the Body Forecast (Spot on / Better / Worse) capturing how the user feels versus the App's objective read. Stored locally as a check-in; a pre-defined categorical selection only, with no free text. With community-sharing consent it contributes a directional felt-versus-data gap tendency label to the Pattern Signature. |
| Cohort Matching (introduced v1.8) | An automated server-side process running approximately hourly that computes the nearest-neighbour cohort for each consenting user's Pattern Signature. Returns to each user's device only privacy-gated aggregate statistics (cohort size, average similarity, 60-day cohort state distribution). Peer identities are never returned. A privacy floor of at least 5 similar peers is required before a cohort is surfaced. |
| Consensus Knowledge Base | A curated, locally bundled database of condition profiles, intervention effectiveness data, trigger correlations, and recovery timelines sourced from published medical literature. |
| Discovery Cards | Automated insights surfaced from your logged data, identifying connections and patterns you may not have noticed |
| Body Forecast | A daily prediction of how your body may feel, computed on your device from your patterns, health data, and community trends |
| Movement Capacity (introduced v1.8.5) | An on-device estimate of how recovered each muscle group is, derived from the Apple Health workouts you record (type, duration) and your check-ins, adjusted by your own health signals and reported soreness. Shown only to you as qualitative recovery states and soft "ready when" windows - never a precise per-muscle number. Includes optional one-tap "seed taps" (which split you trained) and "self-checks" (whether an area still feels sore), which are pre-defined categorical selections stored locally. |
| Recovery Signal (Movement Capacity, introduced v1.8.5) | A single anonymous, categorical data point contributed (only with community sharing consent) when you answer a recovery self-check: a body area, a coarse age band, an HRV trend label relative to your own baseline, a general training-type label, and a "still sore" value, plus a derived cohort label. Contains no raw values, no dates, and no identity. Aggregated into a qualitative per-cohort recovery tendency surfaced only at or above a 5-contributor floor. |
| Flare Prediction | An on-device prediction of elevated risk based on your historical patterns, day-of-week trends, context accumulation, and health metric changes |
| Phantom Correlations | Delayed-effect patterns where a trigger's impact on your body appears days later rather than immediately, detected through on-device analysis |
| Red Flag Alerts | Automated pattern detection identifying trends to discuss with healthcare providers |
| Apple Health Data | Health metrics read from Apple HealthKit, raw values stored locally only |
| Health Pattern Flags | Categorical labels derived from Apple Health data. Never contain raw health values. |
| Cross-Modal Health Intelligence | On-device analysis correlating Apple Health metrics with logged body states to identify personal body signals |
| Community Health Metric Signals | Aggregated insights from categorical health pattern flags across consenting community contributors |
| Movement Response Data | Structured ratings of how your body responded to specific movements, shared with community consent using pre-defined categories only |
| Verified Outcomes | Multi-week intervention tracking results showing how an intervention affected your wellness over time, shared with community consent using bucketed values |
| Athlete Follow-Up Data | Daily structured chip responses surfaced for users with competitive athlete activity level. Pre-defined categorical values only; no free text. Shared with community consent. |
| Practitioner Linking ("Care Team", introduced v1.8.3) | An optional, explicit per-practitioner opt-in that shares your check-ins (including notes), display name, and health-derived values with a practitioner you link by invite code, and enables in-app messaging with them. The only identifiable health-data sharing path in the App. Fully deleted on unlink. |
| Push Notification Token | A device token stored against your account solely to deliver practitioner-message notifications. Identifies your app install for delivery only; removed on unlink of your last practitioner or data deletion. |
| App Attestation | An anti-abuse security mechanism (Apple App Attest via Firebase App Check) that verifies backend requests come from a genuine, untampered copy of the App. Uses a device-generated cryptographic key and collects no personal data. |
| Body-Memory Notification | A local notification generated entirely on your device when on-device analysis detects a divergence between your objective health signal (sleep, HRV, resting heart rate) and your recent self-reports. No data is transmitted to produce this notification. |
| K-Anonymity | A privacy protection requiring a minimum number of distinct contributors before any community insight is displayed. Thresholds vary by data sensitivity (5 for categorical insights and cohort matches, 15 for health-derived insights). |
| Categorical Labels | Pre-defined, non-numerical descriptors used in place of exact values to protect privacy when sharing community data |
| GDPR | General Data Protection Regulation (EU) |
| CCPA/CPRA | California Consumer Privacy Act / California Privacy Rights Act |
| APPs | Australian Privacy Principles |
| PIPEDA | Personal Information Protection and Electronic Documents Act (Canada) |
| LGPD | Lei Geral de Proteção de Dados (Brazil) |
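The K-Anonymity, Cohort Matching and Recovery Signal definitions above describe a privacy floor (5 distinct contributors for categorical insights and cohort matches, 15 for health-derived insights) below which nothing is surfaced, and an aggregate-only return (cohort size, average similarity, state distribution) with no peer identifiers. The following Python sketch is an illustration added to this page, not Sensus's own code: the `Signature` fields, the field-agreement similarity measure, the `min_similarity` threshold and the sample contributors are all assumptions chosen for the example. It shows the two checks a reviewer would look for: the floor is counted over distinct contributors (so one contributor re-uploading cannot inflate the count), and the returned structure contains counts and bucketed distributions only.

```python
"""Privacy-gated cohort aggregation (illustrative; not the App's code).

Assumed model: each consenting contributor uploads a categorical
signature under a pseudonymous identifier. The server may return
aggregate statistics only, and only once at least `floor` distinct
contributors are present.
"""
from collections import Counter
from dataclasses import dataclass

FLOOR_COHORT = 5            # categorical insights and cohort matches
FLOOR_HEALTH_DERIVED = 15   # insights derived from health data

@dataclass(frozen=True)
class Signature:
    """Hypothetical subset of a categorical signature."""
    contributor_id: str     # pseudonymous UUID; used only for dedup, never returned
    body_state: str         # e.g. "balanced", "unsettled"
    sleep_bucket: str       # e.g. "short", "normal", "long"
    hrv_trend: str          # directional label only: "falling", "flat", "rising"

CATEGORICAL_FIELDS = ("body_state", "sleep_bucket", "hrv_trend")

def similarity(a: Signature, b: Signature) -> float:
    """Fraction of categorical fields on which two signatures agree (0.0..1.0)."""
    agree = sum(getattr(a, f) == getattr(b, f) for f in CATEGORICAL_FIELDS)
    return agree / len(CATEGORICAL_FIELDS)

def dedup_latest(signatures):
    """Keep one signature per contributor (later upload wins) so repeated
    uploads cannot push the distinct-contributor count over the floor."""
    latest = {}
    for s in signatures:
        latest[s.contributor_id] = s
    return list(latest.values())

def cohort_summary(me: Signature, peers, min_similarity=0.6, floor=FLOOR_COHORT):
    """Aggregate-only cohort statistics for `me`, or None below the floor.
    The result never includes peer identifiers or per-peer signatures."""
    candidates = [p for p in dedup_latest(peers) if p.contributor_id != me.contributor_id]
    matched = [(p, similarity(me, p)) for p in candidates]
    matched = [(p, s) for p, s in matched if s >= min_similarity]
    if len(matched) < floor:
        return None                      # withhold rather than reveal a tiny cohort
    return {
        "cohort_size": len(matched),
        "average_similarity": round(sum(s for _, s in matched) / len(matched), 2),
        "state_distribution": dict(Counter(p.body_state for p, _ in matched)),
    }

def gated_distribution(signatures, field: str, floor: int):
    """Bucket counts for one categorical field across distinct contributors,
    or None if fewer than `floor` distinct contributors are present."""
    unique = dedup_latest(signatures)
    if len(unique) < floor:
        return None
    return dict(Counter(getattr(s, field) for s in unique))

# Constructed sample input (not real data). "p1" appears twice to exercise dedup.
ME = Signature("me", "balanced", "normal", "flat")
SAMPLE_PEERS = [
    Signature("p1", "balanced", "normal", "flat"),
    Signature("p1", "balanced", "normal", "flat"),
    Signature("p2", "balanced", "normal", "rising"),
    Signature("p3", "unsettled", "normal", "flat"),
    Signature("p4", "balanced", "short", "flat"),
    Signature("p5", "balanced", "normal", "flat"),
    Signature("p6", "struggling", "long", "falling"),
]

if __name__ == "__main__":
    print(cohort_summary(ME, SAMPLE_PEERS))
    print(gated_distribution(SAMPLE_PEERS + [ME], "hrv_trend", FLOOR_HEALTH_DERIVED))
```

With the sample above, five distinct peers clear the cohort floor and the caller receives `{"cohort_size": 5, "average_similarity": 0.8, "state_distribution": {"balanced": 4, "unsettled": 1}}`; removing any one of them drops the cohort to four and the function returns nothing at all. The same seven contributors are well below the 15-contributor floor for a health-derived field such as `hrv_trend`, so that distribution is also withheld.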
14. Summary of Key Points
| What We Do | What We Don't Do |
|---|---|
| Store data locally on your device by default | Sell or share your personal information |
| Use iOS Keychain encryption (AES-256) | Share health data with advertisers |
| Give you full control over your data | Use data for targeted advertising |
| Allow export and deletion | Share with insurers or employers |
| Require opt-in for community features | Make automated decisions affecting you |
| Require opt-in for AI features | Collect data from children under 13 |
| Require opt-in for Apple Health access | Upload raw Apple Health values to Sensus servers |
| Make account sign-in optional ("Maybe later" always available) | Require an account to use the App |
| Keep your sign-in identity separate from your anonymous community data and wellness logs | Link your account to your community contributions or store wellness data on a server |
| Keep raw Apple Health values out of community data, analytics, and storage | Share raw Apple Health values with advertisers, brokers, insurers, or employers |
| Send only categorical health labels in community uploads (with dual consent) | Sell or share health data for advertising |
| Send relevant raw values in AI prompts (opt-in only) so the AI is accurate about your body | Use AI prompt data for any purpose other than generating your response |
| Generate body-memory notifications entirely on your device | Transmit any data off your device to schedule body-memory notifications |
| Compute muscle-recovery estimates (Movement Capacity) on your device as qualitative states | Show a precise per-muscle recovery percentage, or upload raw values for it |
| Share only a single categorical recovery signal (with community consent) to improve estimates for similar people | Share raw values, dates, exact counts, or identity in recovery signals |
| Send only categorical chip values for athlete follow-up community uploads | Share free-text athlete follow-up responses or exact dates |
| Compute cohort matches using only the categorical Pattern Signature | Reveal the identity of any matched peer, ever |
| Return only aggregate cohort stats (size, average similarity, 60-day distribution) to your device | Return peer signatures, peer identifiers, or per-peer trajectory data to your device |
| Rotate your anonymous community identifier on consent revocation and on "Delete All Data" | Persist your community identity after you revoke consent |
| Require at least 5 similar peers before surfacing a cohort | Surface cohort statistics below the k-anonymity floor |
| Use app attestation (App Attest / App Check) to block automated abuse | Collect personal data through app attestation |
| Present research-backed information with transparent sources | Provide medical diagnoses or clinical advice |
| Use reduced-accuracy location solely for weather | Store or transmit your location coordinates |
| Share only categorical weather labels (with consent) | Share precise weather values or your location |
| Use bucketed values and enum categories for community data | Share free-text notes, journal entries, or exact values |
| Comply with global privacy laws | Retain data longer than necessary |
| Respond to rights requests within applicable legal timeframes | Discriminate for exercising rights |
| Notify you of data breaches via email, in-app notice, or push notification | Write to or modify your Apple Health data |
| Confirm before disabling Apple Health, so you know what you'll lose | Silently disable Apple Health without explaining the consequences |
| Share data with a practitioner only when you link them by invite code (explicit opt-in, per practitioner) | Share identifiable data with anyone you have not explicitly linked |
| Delete all practitioner-shared data when you unlink | Keep shared check-ins or messages after you unlink |
| Offer full in-app deletion - data, practitioner links, contact record, and account | Make you email us just to delete your account |
| Keep practitioner-message push notifications content-free | Put message content or health details in a push notification |
| De-identify community data before upload | Share your notes or free-text entries in community data (notes are shared only with a practitioner you have explicitly linked, see Section 8.10) |
| Acknowledge the limits of de-identification on health data | Claim absolute anonymisation we cannot guarantee |
15. Legal Framework Compliance
This Privacy Policy is designed to comply with:
| Jurisdiction | Law/Regulation |
|---|---|
| Australia | Privacy Act 1988 (Cth), Australian Privacy Principles |
| European Union | General Data Protection Regulation (GDPR) |
| United Kingdom | UK GDPR, Data Protection Act 2018 |
| United States | CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TDPSA (Texas), OCPA (Oregon), MCDPA (Montana), TIPA (Tennessee) |
| Canada | PIPEDA, provincial privacy laws |
| Brazil | LGPD |
| Global | Apple App Store Guidelines, Apple HealthKit Guidelines |
This policy was last reviewed on June 19, 2026.