Immunally helps you track your health over time — symptoms, labs, diet, sleep, medications, and more. It is not a medical device and does not provide medical advice. AI-generated summaries and patterns are meant to help you notice things and have better conversations with your healthcare team. They are not diagnoses, treatment recommendations, or clinical assessments. Always consult your doctor before making decisions about your health.
Immunally is operated by Immunally LLC, a limited liability company registered in Washington State, United States. When this policy says "we," "us," or "our," it means Immunally LLC.
When you sign in with Google, Apple, or email, we store your email address and name so we can identify your account and send you notifications you've opted into.
Every entry you create in the app — symptoms, medications, lab results, meals, sleep, exercise, mood, notes, experiments — is stored in your account. You chose to log it; we keep it so you can look back at it.
Height, weight, diagnosis, allergies, and other optional profile fields. None of this is required to use the app.
If you connect Apple Health, we pull sleep data, steps, resting heart rate, and workout summaries to fill in your health picture automatically. You can turn this off at any time in iPhone Settings → Privacy & Security → Health → Immunally.
If you enable push notifications, we store a device push token to deliver notifications such as your daily brief, medication reminders, and pattern alerts. This token is stored in your account and deleted when you disable notifications or delete your account. We do not use it to track you.
Basic technical logs — error messages, crash reports, and API call timestamps — to help us diagnose problems. We use Sentry to capture error traces from the app and our backend. These logs never contain your health data. Sentry data is retained for 30 days.
The Immunally web app uses browser local storage and session tokens to keep you signed in and remember your preferences. We do not use advertising cookies, tracking pixels, or third-party analytics. There are no third-party cookies on this site.
When you complete onboarding and agree to our Terms & Conditions, we record the date and time of your acceptance and which version of the terms you accepted. This is required to demonstrate consent under GDPR and similar regulations. It is not health data and is not encrypted.
Your data is stored in Supabase, a managed database service running on AWS infrastructure in the United States. Here is an honest account of how your data is protected right now:
Free-text fields — your notes, descriptions, and personal writing — are encrypted using AES-256-GCM before being saved. Your encryption key is stored in your account profile within the same Supabase infrastructure. This means Supabase, as a service, holds both the encrypted data and the key. A raw database backup cannot be read without administrative access to the platform.
Structured numeric and categorical values — symptom severity scores, sleep hours, exercise duration, mood ratings, and similar fields — are stored as plaintext in our database today. These are numbers and categories, not your personal writing, but they are health data. We are actively building server-side encryption for all fields, which will be in place before broader launch.
All communication between your device and our servers uses TLS encryption (the same technology used by banks and healthcare systems). Your data is never sent over an unencrypted connection.
Row-level security is enforced at the database layer across all of our tables — your account can only ever read, write, or delete your own records. No other user can access your data, even with a valid session token. Every API endpoint that handles health data independently verifies your identity before processing any request. Administrative database credentials are never present in the app's code or bundled assets.
Immunally uses AI to help you make sense of your health data — daily summaries, pattern detection, and on-demand analysis of symptoms, labs, and diet entries.
We use Anthropic's Claude API to generate these insights. When an analysis runs, the relevant portion of your health data for that request is sent to Anthropic's servers. For example, if you ask for a symptom analysis, your recent symptom entries are sent. Your name and email address are never included in what we send.
Anthropic processes this data to generate the response and deletes it according to their data retention policies. You can read Anthropic's privacy policy at anthropic.com/privacy.
We are in the process of completing a Data Processing Agreement (DPA) with Anthropic to formally govern how they handle your data. Until that is in place, Anthropic's standard commercial terms apply.
| Who | Why | Do we sell to them? |
|---|---|---|
| Supabase | Database and storage provider. Your data lives on their infrastructure (AWS US East). | No |
| Anthropic | Powers AI analysis features when you request them. | No |
| Google / Apple | Authentication providers if you sign in with their account. | No |
| Sentry | Error monitoring. Receives error traces and stack logs — never health data. | No |
| Resend | Transactional email delivery (e.g. account confirmation emails). Receives your email address only. | No |
That is the complete list. We do not share your health data with advertisers, data brokers, insurers, employers, or anyone else. We do not use your data to train AI models. We do not run analytics on your health entries for any purpose beyond operating the app.
Immunally is operated from the United States and your data is stored on US-based servers. If you are accessing the app from outside the United States — including from the European Union, United Kingdom, or other jurisdictions — your data will be transferred to and processed in the United States. By using the app, you consent to this transfer. We apply the same security protections described in this policy regardless of where you are located.
If you're in the EU or UK, you have rights under GDPR including the right to access, correct, port, restrict processing of, or erase your data. The deletion right above covers your right to erasure. For access, correction, or portability requests, contact us directly and we will respond within 30 days.
If you're in California, you have rights under the CCPA including the right to know what personal information we collect, the right to delete it, the right to opt out of sale (we do not sell your data), and the right not to be discriminated against for exercising these rights. To exercise any CCPA right, contact us at info@immunally.com.
Your data stays in your account until you delete it. When you delete your account, all associated health data is permanently removed from our active database immediately and from backups within 30 days. Error logs (Sentry) are purged after 30 days. Email delivery logs (Resend) are retained for 30 days. Terms acceptance records are retained for 7 years as required for legal compliance purposes.
We do not automatically delete inactive accounts. Your data remains in your account indefinitely until you choose to delete it. If we ever introduce an inactivity policy, we will notify you by email at least 60 days before any data is removed.
The app may contain links to third-party websites or services (for example, links to Anthropic's privacy policy or Apple Health documentation). We are not responsible for the privacy practices or content of those third parties. We encourage you to review their privacy policies before providing any information to them.
If a breach occurs that affects your health information, we will notify affected users by email within 72 hours of discovery, consistent with GDPR Article 34 obligations. We will describe what was affected, what we are doing about it, and what steps you can take.
Immunally is for adults aged 16 and over. We do not knowingly collect data from anyone under 16. If you believe someone under 16 has created an account, contact us and we will delete it immediately.
If we make material changes to how we handle your health data, we will notify you by email or by a prominent in-app notice at least 14 days before the change takes effect. The date at the top of this page always reflects the current version. Continued use of the app after the effective date constitutes acceptance of the updated policy.
This Privacy Policy is governed by the laws of the State of Washington, United States, without regard to its conflict of law provisions.
Privacy questions, data requests, or anything else — email info@immunally.com. We are a small team and will get back to you within a few business days.