Privacy Policy
Last updated: April 14, 2026
Who we are
Karada is a health and fitness app made by Karada LLC, a Maine company. We're available in the United States only.
Here's how we handle your data, and what we promise never to do with it.
Karada is not a medical device and does not provide medical advice. It is a fitness and wellness tool. Always consult your doctor before starting an exercise program or making changes to your health routine.
For Washington state residents, see our Consumer Health Data Privacy Policy below.
How we get your consent
Before we collect any health data, we ask. This consent is separate from the Terms of Service. You control it.
You can withdraw consent at any time by deleting your account in Settings. If we add new categories of health data collection in the future, we will ask for your consent again before collecting that data.
What data we collect
Account information
- Email address (for login and account recovery)
- Password (hashed by our authentication provider, never stored in plain text)
Health and body data
This is the core of what Karada does. We collect only what's needed to provide the service.
- Body measurements: weight, body fat percentage, skeletal muscle percentage, waist/hip/neck measurements
- Body awareness check-ins: how your body feels (settled, buzzy, heavy, tender) and movement type (strength, cardio, rest). This is stored in our database.
- Workout records: training sessions, exercises completed, sets and reps
- Nutrition audits: categorical protein intake estimates (meat, eggs, dairy, plant protein, powder, nuts, labeled grams from packages)
- Weekly reflections: how your clothes fit (and where you notice it), functional strength observations, free-text notes about your body
- Safety screening responses: PAR-Q (Physical Activity Readiness Questionnaire) answers and clearance status
- GLP-1 medication status: if you choose to set this in Settings (current, tapering, transitioning, former, never). Optional.
Data from Apple Health / Health Connect (opt-in only)
If you choose to connect Apple Health (iOS) or Health Connect (Android), we access:
Stored in your Karada account (so we can show you trends over time):
- Body mass (weight), body fat percentage, lean body mass
Used for computation only, not stored (read in memory to generate insights, then discarded):
- Sleep duration, step count, resting heart rate, heart rate variability (HRV)
- Dietary protein and fiber intake
This connection is optional. You can use Karada without it. Disconnect anytime in your device settings.
HealthKit and Health Connect data is never used for advertising, never shared with third parties, and never used for any purpose other than providing you with the Karada service. This applies to both stored and transiently computed data.
Profile preferences
- Scale type, training days, workout preferences, unit preference
- Weight baseline (if you entered one during setup)
- Protein target (calculated from your weight, adjustable)
- Goals, workout plan preference
Infrastructure data we receive automatically
- Authentication logs: Our database provider (Supabase) logs IP addresses, device type, and login timestamps as part of normal authentication. We do not use this data for tracking, profiling, or analytics. It exists for security purposes (detecting unauthorized access). IP addresses in auth logs could theoretically be used to determine approximate location, but we do not do this.
- App update checks: Our build platform (Expo/EAS) receives device ID, platform version, app version, runtime version, and update channel when checking for over-the-air updates. This is infrastructure telemetry, not health data.
- Crash reports: If the app crashes, an error report may be sent to our build platform (Expo) that includes technical details about what went wrong. These reports can include whatever was on screen, including a body fat reading or check-in response. We're working on sanitizing these before they leave your device.
- Push notification tokens: If you enable notifications, Apple or Google assigns a device token so we can send your weekly reflection reminder. We store this token to deliver notifications only.
Data we do NOT collect
- No GPS or location tracking. We do not access your device's location services. (Auth logs do contain IP addresses, disclosed above, but we do not use them for location purposes.)
- No reproductive health data on our servers. Karada does not collect period tracking, ovulation, pregnancy status, fertility intent, hormonal cycle data, or any reproductive health information. If cycle-aware features are added in the future, the raw data will be encrypted and stored on your device only, never on our servers. This is a standing architectural commitment, not just a policy. We cannot comply with requests for reproductive health data because we do not have it.
- No behavioral analytics. We don't run Google Analytics, Segment, Amplitude, Mixpanel, or any behavioral tracking tool. We don't track which screens you visit, how long you spend in the app, or what you tap. (Note: Apple App Store Connect and Google Play Console provide us with aggregated, anonymous download and crash statistics as part of their platforms. These contain no individual health data.)
- No advertising identifiers. No IDFA, GAID, or ad tracking.
- No biometric identification. We do not use face recognition, fingerprint scanning, or voice recognition for identity verification. (Note: HRV and resting heart rate, which we read from HealthKit, may be classified as "biometric data" under some state definitions. These are disclosed above under HealthKit data.)
How we use your data
We collect only what we need to provide the Karada service. Specifically:
- To run the app. Your health data powers your dashboard, insights, bonsai visualization, monthly recaps, and progress tracking.
- To authenticate your account. Email and password for login and recovery.
- To send you service communications. Product updates if you joined the waitlist. Unsubscribe anytime.
We do NOT use your data for:
- Advertising or ad targeting
- Sale to third parties or data brokers
- Training AI models on your personal health data
- Profiling for insurance, employment, or credit decisions
- Any purpose other than providing the Karada service
Who has access to your data
| Provider | Purpose | Health data accessed | Other data |
| --- | --- | --- | --- |
| Supabase | Database, authentication | Body measurements, check-ins, workouts, nutrition, reflections, PAR-Q | Auth logs (IP, device, timestamps) |
| Buttondown | Email waitlist only | None | Email address |
| Apple HealthKit | Health data sync (opt-in) | Weight, body fat, lean mass (stored); sleep, steps, HR, HRV, protein, fiber (transient) | None |
| Google Health Connect | Health data sync (opt-in) | Same as HealthKit | None |
| Expo / EAS | App builds, updates, crash reports | Crash reports may contain on-screen health data | Device ID, platform version, app version |
We do not sell your data. We do not share your data with advertisers. We do not license your data.
Who at Karada can access your data
Karada is operated by a solo founder who has administrative access to the Supabase database console. This access is used only for debugging, support, and maintaining the service. No other employees or contractors have database access. Your data is never viewed for curiosity, shared informally, or used for any purpose other than operating the service.
Law enforcement
We will disclose your data only if required by a valid legal process (subpoena, court order, or warrant). We will notify you of any such request unless a court order or legal process explicitly forbids us from doing so.
Change of ownership
If we're acquired or merged, your data stays under this policy. We'll email you 30 days before anything changes, and you can delete your account first.
How we protect your data
- Encryption in transit: TLS 1.2 or higher for all data between your device and our servers.
- Encryption at rest: All data is encrypted at rest via our infrastructure provider's AES-256 encryption (Supabase on AWS).
- Authentication: Passwords are hashed by Supabase Auth. Tokens are stored in your device's secure storage (iOS Keychain / Android Keystore).
- Your data is locked to your account. Row-level database security ensures you can only read and write your own data. Other users cannot see your health records.
- No tracking scripts. Our app and landing page contain zero analytics or advertising scripts. This is enforced by automated checks on every code change.
How long we keep your data
| Data category | Retention period |
| --- | --- |
| Account info (email) | Until you delete your account |
| Health and body data (check-ins, workouts, protein audits, reflections) | Until you delete your account |
| Profile preferences (scale type, training days, GLP-1 status) | Until you delete your account |
| Authentication logs (IP, device, timestamps) | 7 days (Supabase Free/Pro plan default) |
| PAR-Q safety screening (anonymized) | 7 years after account deletion (see below) |
| Crash reports | Managed by Expo per their retention policy |
After you delete your account: All your data is permanently deleted, with one exception. We keep an anonymized safety screening record for 7 years for legal purposes. This record contains only a random identifier (with no mathematical relationship to your account), the date you completed the screening, and whether any answers were flagged. It cannot be linked back to you by anyone, including us. After 7 years, it is permanently deleted.
Your rights
All users
- See your data anytime in the app
- Delete your account and all data with one tap in Settings
- Disconnect Apple Health / Health Connect anytime in device settings
California residents (CCPA/CPRA)
Body composition, HRV, and health data are considered sensitive personal information under CPRA. We only use this sensitive data to provide the Karada service.
You have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Correct inaccurate personal information
- Limit use of your sensitive personal information
- Not be discriminated against for exercising your rights
- Opt out of sale or sharing. We do not sell or share your personal information.
- Opt out of automated decision-making. Karada does not make automated decisions that produce legal or similarly significant effects on you.
- Authorize an agent to submit requests on your behalf
To exercise these rights: contact us through the app (Settings > Support) or use the in-app deletion feature. We will respond within 45 days.
Washington residents
See Addendum A for your full rights under the My Health My Data Act.
Wellbeing resources
If you or someone you know is struggling with an eating disorder, help is available:
National Eating Disorders Association (NEDA) Helpline: 1-800-931-2237
Crisis Text Line: Text "NEDA" to 741741
This helpline is also accessible from within the Karada app (Settings > Support).
Children
Karada is for adults 18 and older. If a young person signs up, we'll delete their account right away. Contact us through the app if you believe a minor has created an account.
What happens if there's a data breach
If there's ever a breach, here's what we do:
- Tell you right away (within 30 days for Washington residents, 60 days for everyone else). We'll describe what happened, what data was involved, what we're doing about it, and what you can do to protect yourself.
- Notify the FTC at the same time as consumer notification, as required by the Health Breach Notification Rule.
- Notify your state attorney general if required by your state's breach notification law.
- Notify media outlets if the breach affects 500 or more people in a single state.
Changes to this policy
If we make material changes, we will notify you in the app or by email at least 30 days before the changes take effect. If the changes involve collecting new categories of health data or sharing data with new third parties, we will ask for your consent again before those changes apply to you. We will not retroactively weaken the protections in this policy without your explicit consent.
Contact
Karada LLC
Portland, Maine
Reach us through the app (Settings > Support) or via the contact form on karada.fitness.
Governing law
This policy complies with applicable state and federal law. To the extent any provision conflicts with mandatory state consumer protection law (including Washington's My Health My Data Act and California's CCPA/CPRA), that law controls.
Addendum A: Washington Consumer Health Data Privacy Policy
Required by the Washington My Health My Data Act (RCW 19.373)
This addendum applies to Washington state residents and constitutes Karada's Consumer Health Data Privacy Policy.
Categories of consumer health data collected
| Category | Source | Purpose |
| --- | --- | --- |
| Body measurements (weight, body fat %, skeletal muscle %, waist/hip/neck) | User-entered, or Apple Health / Health Connect | Dashboard, trends, monthly recaps |
| Body awareness responses (settled, buzzy, heavy, tender; strength, cardio, rest) | User-entered | Daily check-in ritual, insight generation |
| Workout records (exercises, sets, reps) | User-entered | Workout tracking, bonsai growth |
| Nutrition audit data (protein category counts, labeled grams) | User-entered | Protein awareness, pattern insights |
| Weekly reflection responses (clothes fit, functional strength, free-text notes) | User-entered | Evidence of body changes, monthly recaps |
| Safety screening responses (PAR-Q answers, clearance status) | User-entered | Exercise safety screening |
| GLP-1 medication status | User-entered (optional) | Contextual insights |
| Sleep duration, step count, resting HR, HRV, dietary protein/fiber | Apple Health / Health Connect (opt-in) | Transient computation for insights (not stored) |
| Weight, body fat %, lean body mass | Apple Health / Health Connect (opt-in) | Stored for trend tracking |
Third parties with access to consumer health data
| Third party | Categories accessed | Purpose |
| --- | --- | --- |
| Supabase (database provider) | All stored health data | Database hosting and authentication |
| Expo / EAS (build platform) | Crash reports may contain on-screen health data | App delivery and crash reporting |
Apple HealthKit and Google Health Connect are on-device APIs. Health data read from them is either stored in Supabase (weight, body fat, lean mass) or used transiently in memory (sleep, steps, HR, HRV, protein, fiber).
We do not sell your consumer health data.
Your rights under WA MHMD
- Right to know what consumer health data we collect and why (see table above)
- Right to withdraw consent for health data collection. Withdraw by deleting your account in Settings. Withdrawal is as easy as giving consent.
- Right to delete your consumer health data. Delete your account in Settings.
- Right to access your consumer health data. Visible in the app at all times.
- Right to a list of third parties who have received your health data (see table above).
- Right to authorize an agent to act on your behalf.
To exercise any right: contact us through the app (Settings > Support) or use the in-app account deletion feature. We will respond within 30 days.