Privacy Policy
This page is maintained by the operator (see Legal Notice) to explain how CompiledHuman handles personal data. It describes app-visible controls and current practices and is not an independent certification.
1. Controller
The controller within the meaning of the GDPR is the operator listed in the Legal Notice.
2. What data we process
- Account data — when you sign in via Google or Apple: name, email address, and a stable user identifier provided by the OAuth provider.
- Health & performance data you enter yourself — sleep, focus, output scores, manual training entries, habit check-ins.
- Wearable data you connect — recovery, sleep, HRV, workouts from Whoop, Oura, or Apple Health. Only the metrics needed to render your dashboard are stored.
- Technical data — server logs (IP, user agent, timestamps) for security and abuse prevention, kept for a maximum of 30 days.
3. Why we process it (legal basis)
- Contract performance, Art. 6 (1) (b) GDPR — providing the dashboard and features you sign up for.
- Consent, Art. 6 (1) (a) and Art. 9 (2) (a) GDPR — for health-related data and wearable integrations.
- Legitimate interest, Art. 6 (1) (f) GDPR — security, fraud prevention, and aggregate analytics.
4. The public Longevity Pulse feed
The Longevity Pulse news feed is fully public. We do not require sign-in to read it and we do not set tracking cookies for visitors.
5. Processors and sub-processors
- Lovable Cloud — hosting, database, authentication (EU region).
- Google LLC / Apple Inc. — OAuth sign-in providers.
- Firecrawl — scraping public news sources for the Longevity Pulse feed; no user data is sent.
- Lovable AI Gateway — generating news summaries and the AI-compiled analysis on your dashboard.
- Wearable vendors (Whoop, Oura, Apple Health) — only after you explicitly connect them via OAuth.
6. AI processing
We use large language models to (a) rewrite public news in fresh language with a strategic outlook and (b) generate the "AI-Compiled Analysis" on your dashboard.
Inputs are not used to train third-party models. Your personal metrics are sent only when you are signed in, and only the minimum necessary to produce the analysis is sent.
7. Cookies
We use only technically necessary cookies to keep your session signed in. No advertising, analytics, or tracking cookies. See the Cookie Notice.
8. Retention
- Account data: until you delete your account.
- Health, training, and wearable data: until you delete it or disconnect the source.
- Server logs: 30 days.
9. Your rights
Under the GDPR you have the right to:
- Access (Art. 15), rectification (Art. 16), and erasure (Art. 17) of your data.
- Restriction of processing (Art. 18) and data portability (Art. 20).
- Object to processing (Art. 21) and withdraw consent at any time (Art. 7 (3)).
- Lodge a complaint with a supervisory authority (Art. 77) — in Germany, the data protection authority of your federal state.
To exercise any of these rights, contact us at the email address in the Legal Notice.
10. International transfers
Where processors operate outside the EU/EEA, transfers are based on EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR) or adequacy decisions.
Last updated: June 2026