Legal

Privacy Policy

Last updated: May 2026

At Flura, your health data is sacred. This policy explains what we collect, why we collect it, how we protect it, and what rights you have. We have written it in plain language on purpose — you deserve to understand how your data is used.

1. Who We Are

Flura (“we”, “us”, “our”) is a health tracking application available on iOS and Android. Our service is operated under the domain flura.app. For any privacy-related inquiries, contact us at [email protected].

2. Data We Collect

We collect only what is necessary to provide the service. This includes:

  • Health and symptom data — symptoms you log, their severity, timing, and any notes you add; medication names, dosages, and schedules; menstrual cycle data; sleep, energy, and mood ratings.
  • Account data — your email address, display name, and account preferences. If you sign up via Apple or Google, we receive a verified email from those providers.
  • Device and technical data — device type, operating system version, app version, language setting, and anonymous crash reports. We do not collect your IP address for tracking purposes.
  • Usage data — which features you use and how often, so we can improve the product. This data is aggregated and linked to a pseudonymous identifier, not your name or email.

We do not collect biometric identifiers, location data, contacts, photos, or any data unrelated to health tracking.

3. How We Use Your Data

Your data is used to:

  • Provide and operate the Flura app and its features.
  • Run AI-powered pattern analysis to surface insights about your symptoms and health trends.
  • Generate physician-formatted reports you can share with your care team.
  • Personalize your experience, such as reminders and check-in suggestions.
  • Send you service-related communications (e.g., account confirmations, feature updates). You can opt out of marketing emails at any time.
  • Improve the product through aggregated, anonymized usage analytics.

We will never sell your personal data or health data to third parties. We will never use your health data for advertising profiling.

4. AI Processing

Flura uses Anthropic's Claude AI to analyse your symptom data and generate personalised health insights, doctor reports, and appointment briefs. When you choose to use these features, relevant symptom logs and check-in data are sent to Anthropic's API.

  • Data sent to Anthropic is processed solely to generate your insights and is not used by Anthropic to train their AI models.
  • Only data necessary to produce the requested output is transmitted — we do not send your name, email, or account identifiers to Anthropic.
  • You will be asked for explicit consent before any data is sent to Anthropic. You can withdraw this consent at any time from your profile settings.
  • Flura stores your feedback on AI-generated insights (e.g., “This is accurate” / “This isn't right”) to personalise future analysis for you. This feedback data remains within your account and is not shared with Anthropic or any third party.

Anthropic processes this data in accordance with their API data privacy policy: anthropic.com/privacy.

5. Data Storage and Security

Your data is stored on Supabase infrastructure hosted on servers located within the European Union (AWS EU-West region). All data is encrypted at rest using AES-256 and in transit using TLS 1.2+.

Access to your data is restricted to authorized Flura personnel on a strict need-to-know basis. We maintain audit logs for all access to production data. Our database enforces row-level security policies so that each user can only access their own records.

No security system is perfect. In the event of a data breach that is likely to result in risk to your rights, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the incident.

6. Third-Party Services

We use a small number of trusted third-party services to operate Flura:

Supabase: Database and authentication

EU-hosted. Processes account data and health logs. Acts as a data processor under our DPA.

Anthropic: AI pattern analysis

Anonymized symptom data may be sent to Anthropic's Claude API to generate health insights. Data is not used by Anthropic to train their models. Your insight feedback (accurate / not right) is stored in Flura's own database to personalise your future insights — it is not shared with Anthropic.

Amplitude: Product analytics (EU data residency)

Receives pseudonymous usage events (e.g., 'log_opened', 'report_generated') processed in the EU. No health data or personally identifiable information is sent to Amplitude.

RevenueCat: Subscription and payment management

Manages in-app purchase receipts and entitlements. RevenueCat does not process your health data. Actual payments are processed by Apple or Google.

Sentry: Error monitoring and crash reporting (EU data residency)

Receives crash reports and performance data processed in the EU (Frankfurt). User ID and email are attached to crash reports to help us diagnose issues. All user data is automatically deleted when an account is deleted.

UXCam: Session replay and UX analytics

Records anonymized session replays to help us understand how users interact with the app and identify usability issues. Sensitive screens are excluded from recordings. User identity is linked via pseudonymous ID and automatically deleted when an account is deleted.

Firebase (Google): Push notifications and app hosting

Used for website hosting and push notification delivery via Firebase Cloud Messaging. No health data is sent to Firebase.

Meta Platforms: Advertising measurement (Meta Pixel)

The Meta Pixel measures the performance of our advertising campaigns on Facebook and Instagram. It collects visit data (pages viewed, waitlist signups) when you have consented to advertising cookies. No health symptom data is ever shared with Meta. EU/UK users must explicitly accept advertising cookies before the pixel activates.

7. Your Rights (GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right to access — Request a copy of all personal data we hold about you.
  • Right to rectification — Ask us to correct inaccurate or incomplete data.
  • Right to erasure — Request deletion of your account and all associated data. You can initiate this directly in the app under Profile › Delete Account. Deletion is scheduled with a 30-day grace period. If you sign back in within 30 days, your account is automatically restored. After 30 days, all personal data, health logs, and analytics data (including data held by Amplitude) are permanently and irreversibly deleted.
  • Right to data portability — Export your health logs and account data in a machine-readable format (JSON or CSV) from within the app.
  • Right to restriction — Ask us to pause processing of your data while a dispute is resolved.
  • Right to object — Object to processing based on legitimate interests.

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Data Retention

We retain your data for as long as your account is active. When you request account deletion, a 30-day grace period begins. During this window your account is deactivated but your data is preserved — if you change your mind, simply sign back in and your account will be fully restored.

After 30 days, all personal data and health logs are permanently deleted, including:

  • Your profile, symptom logs, medication logs, check-ins, and notes.
  • AI-generated insights, reports, and appointment briefs.
  • Analytics data held by Amplitude (a GDPR deletion request is submitted automatically).

After permanent deletion, we retain only a cryptographic hash of your email address (not the email itself) in a suppression table. This is used solely to prevent abuse and cannot be reversed to recover your email or identity.

Anonymized and aggregated analytics data (which cannot be used to identify you) may be retained indefinitely to improve our service.

9. Cookie Policy

The Flura mobile app does not use cookies. Our website (flura.app) uses a minimal set of cookies:

  • Strictly necessary cookies — Required for the website to function (e.g., session management). These cannot be disabled.
  • Analytics cookies — Used by Amplitude to measure page visits and feature interest. These are pseudonymous and do not track you across other websites. You can opt out by enabling Do Not Track in your browser.
  • Advertising cookies — The Meta Pixel is used to measure the effectiveness of our advertising campaigns. EU/UK/EEA visitors must explicitly consent before these cookies are set. All visitors can manage their preference via the “Cookie settings” link in the footer. See Section 12 for full details.

10. Children's Privacy

Flura is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a user is under 16, we will promptly delete their account and associated data. If you believe a child under 16 has provided us with personal data, please contact [email protected].

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via email and display a notice in the app at least 14 days before the changes take effect. Continued use of Flura after the effective date constitutes acceptance of the updated policy.

12. Cookies and Advertising Tracking

Meta Pixel

Flura uses the Meta Pixel, an advertising measurement tool operated by Meta Platforms Ireland Limited (EU) and Meta Platforms Inc. (US). When active, the Meta Pixel collects:

  • Pages you visit on flura.app
  • Actions you take (such as joining our waitlist)
  • Your IP address, browser type, and device information
  • A unique cookie identifier (_fbp) stored in your browser

This data is used to measure ad campaign performance and show Flura ads to relevant audiences on Facebook and Instagram.

We never share your health symptom data with Meta. Only website visit data and waitlist form submissions are tracked.

Your choices by region

EU, UK, and EEA visitors: We do not activate the Meta Pixel until you explicitly accept advertising cookies via our consent banner.

California residents (CCPA/CPRA): You have the right to opt out of the sale or sharing of your personal data for advertising purposes. Click “Do not sell my data” in our consent banner or “Cookie settings” in the footer.

All other visitors: By using flura.app, you consent to the use of the Meta Pixel as described in this policy.

Cookie table

Cookie | Provider | Purpose | Duration
_fbp | Meta | Identifies browsers for ad delivery and measurement | 3 months
_fbc | Meta | Stores last click attribution from Meta ads | 3 months
flura_cookie_consent | Flura | Stores your cookie consent preference (localStorage) | 1 year

How to opt out

  • Use the “Cookie settings” link in the site footer at any time
  • Use your browser's privacy settings to block third-party cookies
  • Visit Meta's ad preferences at facebook.com/adpreferences
  • Use the Digital Advertising Alliance opt-out at optout.aboutads.info

International data transfer

Meta Pixel data is transmitted to Meta's servers in the United States. For EU/UK users who have consented, this transfer is covered by Standard Contractual Clauses (SCCs) between Meta Platforms Ireland Ltd. and Meta Platforms Inc.

13. Contact

For privacy-related questions or to exercise your rights, please contact us at: [email protected]