Privacy Policy
This Privacy Policy explains how Tolera ("Tolera", "we", "us", or "our") collects, uses, shares, and protects information when you use the Tolera application and the website at mytolera.com (the "Service"). It applies together with our Terms of Service.
1. Who we are and scope
Tolera is a personal health tracking and organization tool operated by Tolera. For personal data we process to provide the Service, we act as the data controller. Some providers we use act as our processors or sub-processors, and some optional integrations act as independent controllers of the data they hold. This policy covers the Service. It does not cover third-party services you choose to connect, which have their own privacy policies.
2. A note on HIPAA and health data
Tolera is a consumer application. In most cases it is not a HIPAA covered entity or a business associate, and using Tolera does not create HIPAA protections for the information you enter. This is common for consumer health apps. We say this so you are not misled: the health information you log in Tolera is generally governed by this Privacy Policy and by applicable consumer and data protection laws, not by HIPAA. Even though HIPAA generally does not apply, we treat your health information as sensitive and handle it with care, as described below. Where consumer health privacy laws apply to us (for example, state health privacy laws or the GDPR's special-category rules), we aim to comply with them.
3. Information we collect
Account and identity information. Your email address, and identifiers from your sign-in method (for example, Cloudflare Access or Clerk). Your role or plan tier, feature grants, and account settings. We do not require your legal name.
Health and wellness information you log. This is the core of the Service, and you choose what to enter. It may include:
- food entries, symptoms, and suspected triggers;
- weight and body composition;
- blood pressure and pulse;
- blood glucose readings and diabetes labs (for example, A1c, LDL, eGFR, UACR, potassium);
- other lab and biopsy or histology values you record;
- medications and dosing logs, including GLP-1, testosterone, and anastrozole tracking, and reported side effects;
- sleep and activity;
- workouts and training data;
- progress and benchmark photos, which are images you capture;
- vitals such as resting heart rate, blood oxygen, VO2 max, and body temperature;
- condition-specific data for modules you use, such as EoE (elimination phases, biopsies, reintroductions), gout (serum urate, flares), diabetes, cycle, and carbohydrate tracking;
- notes, goals, and free-text you enter, including anything you type into AI features or submit in a photo for scanning.
Connected-service data. If you enable an optional integration, we receive data from it as described in the connected-services section (for example, weight and blood pressure from Withings, workouts from Hevy, and sleep, activity, and vitals from Apple Health through a Shortcut you set up).
Usage, device, and log data. Standard technical information generated when you use the Service, such as IP address, device and browser type, timestamps, requests, error and diagnostic logs, and app version. Our hosting provider processes some of this to route, secure, and serve requests. If you submit an error or feedback report, we receive the message, technical context, and app version you send.
Cost and governance metadata. To operate AI features within limits, we record metadata about AI usage and estimated cost per account.
We do not intentionally collect more than we need to run the Service, and we do not build advertising profiles.
4. How we use information and legal bases
We use information to:
- provide, maintain, and secure the Service, and to store and display your entries;
- compute trends, summaries, reminders, and pattern indicators from your own data;
- run AI features you invoke and enforce usage limits;
- operate optional sharing you enable (community recipe content, household or caregiver access);
- sync optional connected services you turn on;
- send transactional and, where you enable them, alert emails;
- respond to support requests and error reports, and detect, prevent, and address abuse, security incidents, and technical problems;
- comply with legal obligations and enforce our Terms;
- improve and develop the Service, using de-identified or aggregated information wherever practical.
Legal bases (GDPR and similar laws). Where the GDPR or a similar law applies, we rely on: performance of our contract with you (Article 6(1)(b)) to provide the Service you request; your consent (Article 6(1)(a)) for optional features such as connected services, alert emails, and any non-essential processing; our legitimate interests (Article 6(1)(f)) in securing, maintaining, and improving the Service and preventing abuse, where not overridden by your rights; and compliance with legal obligations (Article 6(1)(c)). For health and other special-category data, we rely on your explicit consent under Article 9(2)(a), as described next.
5. Sensitive and health data; explicit consent
Much of what you log is special-category or sensitive personal data (data concerning health, and in some cases other sensitive attributes). We process it only to provide the Service to you and features you enable, on the basis of your explicit consent, which you give when you choose to log the data or turn on a feature. You are never required to enter any particular category of health data; the fields are optional and you control what you record.
You can withdraw consent at any time by deleting the relevant data, disconnecting an integration, turning off a feature, or deleting your account. Withdrawing consent does not affect processing already carried out, and turning off a feature may limit the Service. We do not use your health data for advertising, and we do not sell it.
6. We do not sell your data; limited sharing
We do not sell your personal or health information, and we do not "share" it for cross-context behavioral advertising as those terms are used under US state privacy laws.
Your individual health data is never disclosed to other users except through features you deliberately enable:
- Community recipes (opt-in). If you publish a recipe, only the recipe content (title, servings, steps, ingredients, and an allergen vector) enters a shared pool. Ratings are shown only in aggregate, so no individual's rating is exposed. Who published a recipe is stored for de-duplication and abuse handling only and is never shown to other users. No private health data is shared through this feature.
- Household or caregiver sharing (opt-in). If you invite someone to your account, the data of the shared account is made visible to that person within the role you grant. Only the shared account's data is shared, never the separate personal data of the inviter or invitee.
We may also disclose information: to our sub-processors that help run the Service (below); to comply with law, legal process, or a lawful government request; to protect the rights, safety, and security of users, the public, or us, and to enforce our Terms; and in connection with a merger, acquisition, financing, or sale of assets, in which case we will require the recipient to honor this policy and will notify you of any change of controller and your choices.
7. Sub-processors and third-party services
We use the following providers to operate the Service. Each processes only the data needed for its function, under its own terms and privacy policy. Optional integrations are marked and are used only if you enable them.
| Provider | Purpose | Privacy policy |
|---|---|---|
| Cloudflare, Inc. | Core infrastructure: application hosting (Workers), database (D1), object storage for photos (R2), authentication and access control (Cloudflare Access / Zero Trust), and email routing. Processes your stored data and technical request data. | cloudflare.com/privacypolicy |
| Resend | Sends transactional email and, if you enable them, alert emails. Receives recipient email addresses and message content. | resend.com/legal/privacy-policy |
| Anthropic, PBC | Powers AI features. When you use an AI feature, the text or image you submit for that feature is sent to Anthropic's Claude API to generate a response. Anthropic states it does not train its models on data submitted through its API, and processes it under its commercial terms and Data Processing Addendum. | anthropic.com/legal/privacy |
| Clerk, Inc. (optional) | Sign-in and identity, when Clerk is the configured identity provider. Handles authentication and associated account identifiers. | clerk.com/legal/privacy |
| Withings (optional) | If you connect Withings, provides weight, blood pressure, sleep, and activity data via OAuth that you authorize. | withings.com privacy policy |
| Hevy (optional) | If you connect Hevy using your own API key, provides your workout data. | hevyapp.com/privacy-policy |
| Apple, Inc. / Apple Health (optional) | If you set up the iOS Shortcut, your device sends sleep, activity, and vitals you choose to Tolera using a token you generate. Apple Health data stays on your device except what your Shortcut sends. | apple.com/legal/privacy |
| USDA FoodData Central | Public-domain food and nutrition reference lookups. Used to look up nutrition data; your health data is not sent to obtain a lookup. | fdc.nal.usda.gov |
| Edamam | Food and nutrition database lookups. Used to look up foods and nutrition. Nutrition results may be shown "powered by Edamam". | edamam.com |
Food and nutrition data from USDA FoodData Central and Edamam is reference information and may be incomplete or inaccurate. We may update this list as our providers change and will reflect changes in this policy.
8. Optional connected services
Connected services (Withings, Hevy, and Apple Health) are off by default and are enabled only by your explicit action, using your own credentials, OAuth authorization, or a token you generate. Each writes only the fields it owns, so sources do not overwrite each other (for example, Withings provides weight and blood pressure while Apple Health provides sleep, activity, and vitals). You can disconnect a service at any time in the Service and, where applicable, revoke access with the provider directly. Disconnecting stops future syncing; data already synced remains until you delete it. When you use a connected service, that provider's handling of your data on its side is governed by its own privacy policy.
9. Cookies, local storage, and the service worker
Tolera is a progressive web app and uses minimal cookies. It relies on:
- local storage in your browser to remember preferences and settings on your device;
- a service worker and cache to load the app reliably and support offline use, and to prompt you when an update is available;
- authentication cookies or tokens set by your sign-in method (for example, a session cookie or bearer token) that are necessary to keep you signed in.
These are used to operate the Service, not for advertising or cross-site tracking. You can clear local storage and cookies in your browser settings, though doing so will sign you out and reset local preferences.
10. Data retention
We keep your account and logged data for as long as your account is active so the Service can show your history. When you delete a specific entry, we remove it from active systems. When you delete your account, we delete or de-identify your personal and health data from active systems, except where we must keep limited information to comply with law, resolve disputes, prevent abuse, or enforce our Terms, and except for residual copies that persist in routine backups for a limited period before they are overwritten. De-identified or aggregated data that no longer identifies you may be retained. Note that photo images are stored as bytes in object storage and their metadata in the database; deleting a photo removes both.
11. Security
We take reasonable technical and organizational measures to protect your information, including:
- Encryption in transit using HTTPS/TLS for data moving between your device, the Service, and our providers;
- Encryption at rest for sensitive credentials: a per-user credential you store for an outside service (such as a Hevy API key) is encrypted with authenticated encryption (AES-GCM) before it is written to the database, so a database dump alone does not expose it;
- Per-user data isolation, so each account's data is scoped to that account and one user cannot read another user's data, enforced in code and covered by automated isolation tests;
- Access controls and authentication on the application and administrative surfaces, with cryptographic verification of sign-in tokens;
- Private storage for photo images, served only through ownership-checked endpoints;
- One-time, hashed tokens for the Apple Health ingest path, so the plaintext token is never stored.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your device and sign-in secure.
12. International data transfers
We and our providers may process and store information in countries other than the one in which you live, including the United States. Those countries may have different data protection laws. Where required, we rely on appropriate safeguards for international transfers, such as the European Commission's Standard Contractual Clauses or a provider's equivalent transfer mechanism, and we use providers that offer such protections. By using the Service, you understand your information may be transferred as described here, subject to those safeguards where they apply.
13. Your rights and choices
Depending on where you live, you may have rights over your personal information, including to:
- access the personal data we hold about you and receive a copy;
- correct inaccurate data;
- delete your data ("right to erasure");
- export your data in a portable format;
- restrict or object to certain processing;
- withdraw consent for processing based on consent, including health data and optional features, at any time;
- be free from unlawful sale of your data (we do not sell it) and, under US state laws, to opt out of sale or targeted advertising (not applicable, because we do not do either);
- not be discriminated against for exercising your rights;
- appeal or complain to a supervisory authority or regulator, such as your EU or UK data protection authority or a relevant state attorney general, if you are unsatisfied with our response.
We do not use your data for solely automated decisions that produce legal or similarly significant effects about you. AI features generate suggestions for you to review, not binding decisions.
14. How to access, export, or delete your data
You can access and manage most of your data directly in the Service. To export, correct, or delete data, or to delete your account, use the in-app controls where available, or contact us at hello@mytolera.com. We will verify your request against your account and respond within the time required by applicable law (generally within 30 days, extendable where the law allows). We will tell you if we cannot fully comply and why. There is no charge for a reasonable request. You may use an authorized agent where the law permits.
15. Children's privacy
The Service is intended for adults (18 or older, or the age of majority where higher) and is not directed to children. We do not knowingly collect personal information from children under 13, or under 16 where a higher age applies under local law. If you believe a child has provided us personal information, contact us at hello@mytolera.com and we will delete it. Where a caregiver tracks a minor's health information using household features, the account holder is responsible for having the legal authority to do so.
16. Data breach notification
If we become aware of a personal data breach that affects your information, we will act promptly to investigate and mitigate it, and we will notify affected users and the relevant authorities where and within the timeframes required by applicable law (for example, without undue delay and, under the GDPR, generally within 72 hours to the supervisory authority where feasible).
17. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date and version and, where appropriate, provide notice in the Service or by email. Where the law requires, we will obtain your consent to new processing. Your continued use of the Service after an update takes effect means you accept the updated policy.
18. Contact
For privacy questions or to exercise your rights, contact:
- Tolera
- Email: hello@mytolera.com
- Website: mytolera.com
If you are in the European Economic Area or the United Kingdom and we are required to designate a representative or data protection officer, those details will be added here.