Privacy Policy
Last Updated: June 9, 2026
1. Introduction
Natura AI™ LLC ("Natura AI," "we," "us," or "our") provides an AI-powered naturopathic wellness information service through our website, iOS application, Android application, and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service.
We are committed to transparency about our data practices. Because our Service involves sensitive health-related information and uses artificial intelligence to generate responses, we believe it is especially important that you understand what data we collect, how it is processed, and with whom it is shared.
By creating an account or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and authentication/session identifiers. Natura's current sign-in flow uses passwordless email one-time codes; we do not store passwords in plain text.
2.2 Health and Wellness Information
To provide personalized wellness information, we may collect sensitive health-related data that you voluntarily provide, including:
- Health conditions and medical history
- Allergies and sensitivities
- Current medications and supplements
- Dietary preferences and restrictions
- Wellness goals and lifestyle information
- Information about what remedies or approaches have or have not worked for you
2.3 Conversation Data
We store the questions you ask our AI assistant, the responses generated, and any feedback ratings you provide. This conversation history enables continuity across sessions and helps us improve response quality.
2.4 Memory and Personalization Data
Over time, our Service builds a health profile based on your interactions. This includes extracted preferences, health context, and patterns identified from your conversations. This profile is used to provide more relevant and personalized responses.
2.5 Family Member Data
If you use our family features, you may provide information about family members, including their names, relationship to you, dates of birth, health conditions, allergies, medications, and wellness goals. You represent that you have the authority and consent to provide this information on their behalf.
2.6 Payment Information
Payment transactions are processed by our third-party payment processors, Stripe (for web), Apple, Google Play Billing, and RevenueCat (for cross-platform subscription entitlement sync). We do not directly collect, store, or have access to your full credit card number, debit card number, or bank account details. We receive limited transaction information such as transaction amounts, subscription status, purchase tokens or receipts, and billing dates.
2.7 Usage Data
We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, click patterns, and the date and time of your visits.
2.8 Device Information
We collect information about the device you use to access the Service, including browser type and version, operating system, device type, screen resolution, and your Internet Protocol (IP) address.
2.9 Cookies and Similar Technologies
We use cookies and similar tracking technologies (such as local storage) to maintain your session, remember your preferences, and collect usage analytics. For more details, see Section 12 below.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and personalize the Service: To deliver AI-generated wellness information tailored to your health profile, preferences, and conversation history.
- Process conversations through AI: To transmit your questions and relevant health context to AI language models for response generation.
- Build and maintain your health profile: To extract and store health-relevant information from your interactions so that future responses are more accurate and personalized.
- Process payments and manage subscriptions: To facilitate billing, process subscription changes, and maintain payment records.
- Send transactional communications: To deliver account-related emails including welcome messages, trial reminders, payment receipts, and security alerts.
- Send marketing communications: With your consent, to send wellness tips, product updates, and newsletters. You may opt out at any time.
- Improve the Service: To analyze usage patterns, identify issues, and enhance our knowledge base, AI responses, and user experience.
- Ensure safety and security: To detect and prevent fraud, abuse, and unauthorized access, and to enforce our safety guidelines for health-related content.
- Comply with legal obligations: To meet applicable legal, regulatory, and tax requirements.
4. How We Share Your Information
We share your information with the following categories of third-party service providers, solely as necessary to operate and improve the Service:
4.1 Anthropic (Claude AI)
Your conversation content, including health-related questions and relevant health profile context, is sent to Anthropic's Claude AI API to generate responses. Anthropic processes this data under their API terms of service and does not use API inputs to train their models by default. We recommend reviewing Anthropic's privacy practices at anthropic.com/privacy.
4.2 Supabase
Supabase is our database and authentication infrastructure provider. It stores your account data, conversation history, health profiles, and related information. Supabase provides encryption at rest and in transit.
4.3 OpenAI
OpenAI processes knowledge-base embeddings and optional voice-message transcription. Voice audio is used to create a transcript and is discarded after transcription; Natura persists the transcript only if you send it as a chat message.
4.4 Stripe
Stripe processes payment transactions for web subscriptions. Stripe receives the payment information necessary to process your transactions and is PCI DSS compliant. See stripe.com/privacy for their privacy policy.
4.5 RevenueCat
RevenueCat manages subscription status and in-app purchases across iOS, Android, and web subscriptions. It receives subscription status information, purchase receipts or Play purchase tokens, customer IDs, entitlement keys, and device/app identifiers needed to keep paid access in sync across platforms.
4.6 PostHog
PostHog provides product analytics. It receives pseudonymized usage data to help us understand how users interact with the Service and identify areas for improvement. We do not send health values, chat text, product names, ingredient lists, or voice transcripts to PostHog.
4.7 Sentry
Sentry provides crash reporting and performance diagnostics. It may receive crash logs, stack traces, device/app diagnostics, and a pseudonymous user ID so we can diagnose production issues. We filter known auth and transient network errors and do not intentionally send email addresses or health values to Sentry.
4.8 Firebase and Google Play Services
Firebase Cloud Messaging processes push notification tokens for reminders, chat-reply alerts, and scan-result notifications. Google Play Billing processes Android subscription purchases and sends purchase state information used for entitlement management.
4.9 Resend
Resend processes email addresses and transactional email content for authentication, onboarding, billing, and account notices.
4.10 Hosting Providers
Our web application is hosted on Vercel and our backend API is hosted on Railway. These providers may process request data, including IP addresses, as part of delivering the Service.
4.11 What We Do Not Do
- We do not sell your personal information to third parties.
- We do not share your data with advertisers or ad networks.
- We do not use your health data for purposes unrelated to providing the Service.
4.12 Legal Disclosures
We may disclose your information if required to do so by law, in response to a subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
5. Health Data
Because our Service is focused on wellness information, we collect and process sensitive health-related data that warrants special attention. This section explains our specific practices regarding health data.
- What we collect: Health conditions, medications, allergies, sensitivities, dietary preferences, wellness goals, and family health information that you voluntarily provide.
- How it is used: Health data is used exclusively to personalize your wellness information experience, including generating relevant AI responses and building your health profile over time.
- AI processing: When you ask a question, relevant portions of your health profile and conversation history are transmitted to Anthropic's Claude AI to generate contextually appropriate responses. This means your health data is processed by a third-party AI service.
- Security measures: We implement encryption in transit and at rest, access controls, and other industry-standard security measures to protect your health data. However, no system can guarantee absolute security.
- Deletion: You can request deletion of your health data at any time by contacting privacy@mynatura.ai.
- HIPAA disclaimer: Natura AI is an informational wellness service. We are not a healthcare provider and are not a HIPAA-covered entity. The Service does not provide medical advice, diagnosis, or treatment. While we implement industry-standard security practices to protect your data, HIPAA regulations do not apply to our Service.
6. Children's Privacy
Natura AI is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13.
Our Service allows account holders (who must be 13 or older) to create family member profiles for their children. In such cases, the parent or legal guardian is the account holder and is solely responsible for providing and managing their child's data within the Service. The parent or guardian represents that they have the legal authority to provide this information.
If we become aware that we have collected personal information directly from a child under 13 without verified parental consent, we will take steps to delete that information promptly.
If you believe that a child under 13 has provided personal information to us without parental consent, please contact us at privacy@mynatura.ai so we can investigate and take appropriate action.
7. Data Security
We take the security of your personal information seriously and implement a range of technical and organizational safeguards, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS/SSL protocols.
- Encryption at rest: Data stored in our databases is encrypted at the infrastructure level through our hosting and database providers.
- Access controls: Access to personal data is restricted to authorized personnel and protected by authentication and role-based permissions.
- Secure authentication: Natura's current sign-in flow uses passwordless email one-time codes. Authentication tokens have limited lifespans and are refreshed periodically.
- Regular security reviews: We periodically review our security practices and infrastructure to identify and address potential vulnerabilities.
Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data and encourage you to keep your email account and device credentials secure.
8. Data Retention
We retain your personal information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account data: Retained while your account is active. Upon an account deletion request, we will delete or anonymize your account data within 30 days, except where retention is required by law.
- Conversation history: Retained while your account is active and deleted upon account deletion.
- Health profile data: Retained while your account is active and deleted upon account deletion or upon specific request.
- Payment records: Retained as required by applicable tax and financial regulations, typically for up to 7 years.
- Analytics data: Aggregated and anonymized after 90 days. Anonymized data may be retained indefinitely for statistical purposes.
9. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we update or correct inaccurate or incomplete information.
- Deletion: Request deletion of your account and associated personal data, subject to legal retention requirements.
- Portability: Request a copy of your data in a structured, commonly used, machine-readable format.
- Opt-out of marketing: Unsubscribe from marketing communications at any time using the unsubscribe link in our emails or by contacting us.
- Withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us at privacy@mynatura.ai. We will respond to your request within 30 days, or as required by applicable law. We may need to verify your identity before processing your request.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information:
- Right to know: You have the right to request that we disclose what personal information we collect, use, disclose, and sell about you.
- Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
- Right to correct: You have the right to request correction of inaccurate personal information.
- Right to opt-out of sale: We do not sell your personal information, so no opt-out is necessary. If our practices change, we will provide a "Do Not Sell My Personal Information" mechanism.
- Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to limit use of sensitive personal information: You may request that we limit our use of sensitive personal information (including health data) to what is necessary to provide the Service.
Categories of information collected: As described in Section 2, we collect identifiers, health-related information, commercial information (payment and subscription data), internet activity information, and inferences drawn from the above. These are collected for the business purposes described in Section 3.
To exercise your California privacy rights, email privacy@mynatura.ai or use the privacy settings in your account. You may also designate an authorized agent to make a request on your behalf.
11. International Users
Natura AI is operated from the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where our servers and databases are located.
By using the Service, you consent to the transfer of your information to the United States and acknowledge that data protection laws in the United States may differ from those in your country of residence.
For users in the European Union / European Economic Area (EU/EEA): Our processing of your personal data is based on contractual necessity (to provide the Service you have requested) and your explicit consent (for health data and marketing communications). You may withdraw your consent at any time. If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local supervisory authority.
12. Cookies and Tracking Technologies
We use cookies and similar technologies for the following purposes:
- Essential cookies: Required for authentication, session management, and core functionality of the Service. These cannot be disabled without impairing the Service.
- Analytics cookies: Used through PostHog to collect anonymized usage data that helps us understand how users interact with the Service and identify areas for improvement.
We do not use advertising or third-party tracking cookies. We do not participate in ad networks or allow third-party advertisers to track our users.
You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, disabling essential cookies may prevent you from using certain features of the Service.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this page.
If we make material changes that significantly affect how we handle your personal information, we will notify you via email (at the address associated with your account) or through a prominent notice within the Service before the changes take effect.
Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms. We encourage you to review this page periodically for the latest information about our privacy practices.
14. Android Application — Additional Disclosures
This section applies only to users of the Natura AI Android app distributed through the Google Play Store. It supplements the rest of this Policy.
Permissions we request and why
- Notifications (POST_NOTIFICATIONS, asked during onboarding or first use): Send daily check-in reminders, chat-reply alerts, and scan-result notifications. You can opt out per-channel in Settings → Notifications.
- Camera (CAMERA, asked when you tap the ingredient scanner): Capture ingredient-label photos and scan barcodes. Barcode frames are analyzed on-device; captured ingredient-label photos are uploaded to Natura for analysis, discarded after processing, and not stored in the saved scan result.
- Microphone (RECORD_AUDIO, asked when you record a voice message): Record optional voice messages for transcription. Audio is uploaded for transcription and discarded after the transcript is created. Natura persists the transcript only if you send it as a chat message.
- Avatar picker (no permission requested): When you tap "Choose photo" for your profile avatar, the app launches the Android system Photo Picker. You select a single image; the app receives only that one image and never has access to your broader photo library.
- Vibration, Internet, Network state, Google Play Billing: system-level permissions granted automatically, used for haptic feedback, backend communication, offline-state UI, and subscription purchases respectively.
- Biometric app lock (USE_BIOMETRIC / USE_FINGERPRINT): Optional device-level app lock for private health data. Android handles biometric matching; Natura does not receive, collect, or store biometric templates.
We do not request: precise or background location, contacts, calendar, SMS, call logs, external storage, accessibility services, device-admin, or any other restricted permission.
Data shared with Google services
- Firebase Cloud Messaging (FCM): we register a pseudonymous device push token so we can send notifications. The token resets if you sign out or uninstall, and we delete server-side records of revoked tokens within 30 days.
- Google Play Billing: when you start, modify, or cancel a subscription, Play sends us a purchase token and entitlement status (managed via RevenueCat). We never see your payment method.
- Google Play Pre-Launch Report: when we upload new versions, Google runs them on test devices for crash checking. No real user data is involved; the runs use empty accounts.
Advertising ID (AAID)
The Android app does not declare the Android Advertising ID permission and Natura does not use the Android Advertising ID for advertising, analytics, or session continuity.
Health data on Android
Health information you voluntarily provide — conditions, allergies, medications, wellness check-ins, family member profiles, scanned products saved to your library — is stored in your authenticated user record in Supabase, protected by row-level security so only your authenticated session can read or write it. Health data:
- Is never used to train AI models. We use Anthropic's Claude API under enterprise terms that exclude inputs from training.
- Is never shared with advertisers, data brokers, or affiliate networks.
- Is never included in analytics events. Events log event names and counts only, never the values.
- Is deleted from Natura-controlled systems within 30 days of a verified account-deletion request (Settings → Delete Account), including Supabase account/profile records and backing health-data tables. Payment and subscription processors such as Google Play Billing, RevenueCat, Stripe, and Apple may retain limited transaction records where required for billing, tax, fraud prevention, or legal compliance.
Cross-platform data sharing
If you sign in to Natura on iOS, the web app at mynatura.ai, or Android using the same account, we sync your profile, chat history, saved items, and family members across platforms. The data lives in a single Supabase record per account, not duplicated per platform.
Children's privacy on Android
Natura is not directed to children under 18, is not enrolled in Google Play's Families program, and does not knowingly collect personal information from children. Family member profiles inside an account are managed by the adult account holder for their own household; they are not separate accounts and do not collect data directly from any child.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@mynatura.ai
- General support: support@mynatura.ai
- Mailing address: Natura AI LLC, Seattle, WA
We aim to respond to all privacy-related inquiries within 30 days.