Loslo
Privacy policy

Your privacy matters

Last updated: May 19, 2026

Loslo is a wellness companion built around the idea that taking care of yourself shouldn't come at the cost of your private information. This Privacy Policy explains, in plain language, what personal data we collect when you use Loslo, why we collect it, how we store and protect it, who can access it, and the rights you have at any time to control or remove it. By using the Loslo app, you acknowledge that you've read this document and understand the practices described below. If anything is unclear, please reach out — we'd rather have a conversation than leave you guessing about how your data is handled.

Scope and definitions

This Privacy Policy applies to all features of the Loslo mobile application, our backend services, and any communications you receive from us in connection with the app (in-app messages, transactional emails, push notifications). "Personal data" means any information that identifies you or can reasonably be linked to you — your name, email address, age, body measurements, the daily goals you log, the photos you take of your meals if applicable, and so on. "Processing" means any operation performed on that data, such as collection, storage, modification, transmission, or deletion. "You" refers to the natural person using Loslo, and "we" / "us" refers to Loslo AI as the data controller responsible for the choices made about your data.

What we collect

We collect three broad categories of information. First, information you provide directly when creating and using your account: your email address, first name, age, sex assigned at birth (used solely for caloric calculations), current weight, height, target weight, dietary preferences, activity level, and answers to the onboarding questionnaire. Second, health and activity data you choose to sync from Apple HealthKit: number of steps, distance walked or run, workouts logged, active energy burned, sleep duration, and water intake. We only request the specific HealthKit scopes shown in the iOS permission prompt; you can revoke them at any time from iOS Settings → Privacy & Security → Health. Third, technical and usage information that helps us run the app reliably: app version, iOS version, device model (e.g., iPhone 15 Pro), language and locale, anonymized crash reports, and aggregated counts of which features you interact with most. We do not collect your precise location, contacts, microphone, camera roll, or social media identity. Loslo has no third-party advertising SDKs and no behavioral tracking beyond what is strictly necessary to operate the service.

How we collect it

Most of your data comes directly from you — what you type into the onboarding flow, the values you adjust in Settings, the meals or water glasses you log throughout the day, and the gestures you make navigating the app. Apple HealthKit data is read on-device, with your explicit per-category permission, and never leaves your iPhone unless you opt into cloud sync to back up your history across devices. Technical telemetry is collected automatically by our crash and performance tooling (Apple's MetricKit and our own minimal in-app logger). We do not buy data from third-party data brokers, and we do not enrich your profile with information obtained outside the app.

Legal basis for processing

Under the EU General Data Protection Regulation (GDPR) and similar regimes, we process your personal data on the following legal grounds. (a) Performance of the contract: we need your profile and goal data to provide the coaching service you signed up for — without it, the app would have nothing to personalize. (b) Your consent: we ask for your explicit opt-in before reading any HealthKit category, before sending you marketing or wellness tips outside the app, and before any optional analytics. You can withdraw this consent at any time by toggling the relevant switch in Settings, with effect for the future. (c) Legitimate interests: we have an interest in keeping the app secure, preventing fraud, and improving the product based on aggregated usage signals — but only where this interest is not overridden by your fundamental rights. (d) Legal obligations: we may retain certain data, such as billing records, for as long as required by tax and accounting law.

How we use your data

Your data powers the experience you signed up for. Profile inputs (age, sex, weight, height, activity level) feed the Mifflin-St Jeor equation to compute your daily caloric target and macro distribution. Steps, workouts, and active energy from HealthKit drive the 4-objective gameplay and update Loslo the sloth from level 1 (deep sleep) to level 5 (fully awake and radiant). Logged meals and water intake update your daily ring progress and your streak counter. Your weight history powers the projection charts shown on the dashboard and in the results screens. We also use limited aggregated usage data (e.g., how many users complete onboarding step 7) to spot bugs and to decide which features deserve more love in future updates. We do not use your personal data to train external AI models, and we do not feed your information to advertising platforms.

Where your data is stored

Your account profile, preferences, and any cloud-synced history are stored on Supabase, our backend infrastructure provider. Supabase hosts our database in the European Union (Frankfurt region). All data is encrypted in transit using TLS 1.3 and at rest using AES-256. HealthKit data primarily lives on your iPhone in the Apple Health database, which is encrypted with your device passcode and Face/Touch ID; we read it via the HealthKit API only when the app is open or when iOS allows background delivery for the specific category. Locally on your device, we use the iOS Keychain to store your session token and UserDefaults (file-protected by iOS) for small preferences. We do not maintain shadow copies of your data in any other system, analytics warehouse, or marketing platform.

How long we keep it

We retain your personal data only as long as needed for the purpose for which it was collected. Account and profile data are kept for as long as your account is active. If you delete your account from Settings → Delete account & data, we initiate an immediate logical deletion (your data becomes inaccessible to the app within minutes) and a permanent physical deletion across our backups within 30 days. Crash reports and diagnostic logs are kept for a maximum of 90 days. Billing and tax records are retained for the period required by applicable law (typically 6–10 years), in a separate, access-controlled archive. If you simply stop using the app without deleting your account, we will reach out by email after a long period of inactivity (12+ months) before deleting it automatically.

Who we share data with

We share your data with the minimum number of carefully selected service providers needed to run Loslo. These currently include: (a) Supabase, our backend infrastructure for account storage and authentication, bound by a Data Processing Agreement and hosted in the EU; (b) Apple, when you make a subscription purchase through the App Store — Apple handles the payment and we only receive an anonymized receipt; (c) email delivery providers (transactional emails such as password resets), which receive only the email address and the message body necessary to deliver the message. We do not share your data with advertisers, social networks, data brokers, or any party for marketing purposes. If we ever need to disclose data to comply with a legally binding request from public authorities, we will (where lawful) notify you in advance and challenge any request that we believe to be overbroad.

International data transfers

Loslo AI is based in the European Union, and our primary data storage is within the EU. Some of our service providers (notably Apple for App Store and push notification delivery) may process data outside the European Economic Area. When data leaves the EEA, we rely on the European Commission's Standard Contractual Clauses or other lawful transfer mechanisms to ensure equivalent protection. You can request a copy of the relevant transfer safeguards by writing to loslo.support@gmail.com.

Your rights

Under the GDPR and most modern privacy laws, you have the following rights, which you can exercise at any time and free of charge. (1) Right of access: ask us for a copy of all personal data we hold about you. (2) Right to rectification: correct any inaccurate or incomplete data; for most fields you can do this directly in Settings, otherwise email us. (3) Right to erasure (right to be forgotten): request that we delete your data — the Delete account & data button is the fastest way; we will confirm completion within 30 days. (4) Right to data portability: receive a structured, machine-readable export of the data you provided to us, and transmit it to another service. (5) Right to restrict processing: tell us to pause processing of certain data while we investigate a complaint. (6) Right to object: object to processing based on legitimate interests, including profiling. (7) Right to withdraw consent: where processing was based on your consent, you can withdraw it at any time, without affecting the lawfulness of processing already carried out. (8) Right to lodge a complaint: if you believe we have mishandled your data, you may complain to your local data protection authority. To exercise any of these rights, contact loslo.support@gmail.com with a description of your request; we will respond within 30 days.

Security

We take security seriously. Beyond encryption in transit and at rest, we apply role-based access controls so that only a small number of engineers can access production data, and only when strictly necessary (debugging, incident response). All such access is logged. Production credentials are rotated regularly, and we run automated dependency scans to catch known vulnerabilities in the libraries we use. We do not store passwords in plaintext: authentication is delegated to Supabase Auth, which hashes passwords with bcrypt. Despite our best efforts, no system can be 100% secure; if we ever discover a personal data breach, we will notify the relevant authorities and affected users in accordance with GDPR Articles 33 and 34 (typically within 72 hours of discovery).

Cookies and tracking technologies

The Loslo mobile app does not use traditional web cookies. We do store small amounts of preference data locally on your device using iOS's UserDefaults mechanism (e.g., your selected language, your unit system, whether you have completed onboarding). These local stores are sandboxed by iOS and are not transmitted to us automatically. We do not use cross-app tracking identifiers (IDFA) — Loslo appears in the App Tracking Transparency prompt as "no tracking".

Children

Loslo is not intended for users under the age of 16. We do not knowingly collect personal data from children under 16. During onboarding, we ask for your age and will refuse to create an account if the value indicates that you are below the minimum age. If you are a parent or legal guardian and you believe that a child has created a Loslo account without your authorization, please contact us at loslo.support@gmail.com and we will delete the account and all associated data promptly.

Changes to this policy

We will update this Privacy Policy when we add a new feature that meaningfully changes how we handle your data, when we change a service provider, or when we need to respond to changes in applicable law. When the changes are material, we will notify you within the app (via an in-app banner) and by email if you have provided one, and we will not apply the new terms retroactively to data already collected without your renewed consent. The "Last updated" date at the bottom of this page always reflects the most recent revision.

Contact and data protection officer

If you have any questions about this Privacy Policy, want to exercise one of your rights, or want to discuss any aspect of how Loslo handles your data, you can reach our team at loslo.support@gmail.com. We aim to respond within 7 business days. If your inquiry concerns a specific legal matter that requires our Data Protection Officer, please mention "DPO" in your subject line so it is routed correctly.

Last updated: May 19, 2026
