UK GDPR

Privacy Policy

How we collect, use, and protect your personal data.

Last updated: 1 March 2026 (Version 1.0)

Who We Are

HeyMilo Ltd (“HeyMilo”, “we”, “us”, or “our”) is the data controller for your personal data. We are a company registered in England & Wales. Our ICO registration is pending.

If you have any questions about this Privacy Policy or how we handle your data, you can contact our Data Protection Officer at dpo@heymilo.coach.

Website: heymilo.coach

Data We Collect

We collect and process the following categories of personal data when you use HeyMilo:

Account data

  • Name
  • Email address
  • Profile picture (via Clerk authentication)

Profile data

  • Date of birth
  • Sex
  • Height
  • Current weight and goal weight

Health data (special category)

  • Medical conditions
  • Medications
  • Injuries
  • Stress levels
  • Sleep patterns
  • Food allergies and intolerances
  • Eating disorder history
  • Pregnancy status
  • Cardiac history

Activity data

  • Exercise logs
  • Food logs
  • Water intake
  • Weight check-ins
  • Progress photos

AI interaction data

  • Chat messages with Milo
  • Coaching responses
  • Plan adjustments

Technical data

  • Device type
  • Browser
  • IP address
  • Session cookies

Lawful Basis for Processing

Under Article 6(1)(b) UK GDPR, we process your data as necessary for the performance of our contract with you — that is, delivering the AI health coaching service you signed up for.

For special category health data, we rely on your explicit consent under Article 9(2)(a) UK GDPR, which you provide during the onboarding process. You can withdraw this consent at any time — see the “Your Rights” section below for details.

Special Category Health Data

UK GDPR gives extra protection to health data. The following data we collect qualifies as special category data:

  • Medical conditions and medications
  • Food allergies and intolerances
  • Eating disorder history
  • Pregnancy and postpartum status
  • Cardiac event history
  • Any other data that reveals your physical or mental health status

We process this data ONLY with your explicit consent and ONLY for the purpose of providing safe, personalised coaching. We will never use your health data for any other purpose.

How We Use Your Data

We use your data to:

  • Generate personalised 2-week fitness and nutrition plans
  • Power AI coaching conversations via Milo
  • Track your progress against your goals
  • Perform safety screening during onboarding (eligibility checks)
  • Send daily briefs and reminders (if enabled)
  • Improve our coaching methodology (anonymised and aggregated data only)

We do NOT use your data for advertising. We do NOT sell your data to third parties. We do NOT build advertising profiles.

AI Processing & Automated Decisions

We use Azure OpenAI (Microsoft) to power our AI coaching. Your data is sent to Azure OpenAI to:

  • Generate personalised coaching responses
  • Create fitness and nutrition plans
  • Extract relevant health context from conversations

Important: HeyMilo does not make fully automated decisions with legal or similarly significant effects. All AI coaching is supplementary to your own decisions. You have the right to request human review of any AI-generated recommendation.

Data Sharing

We share your data with the following service providers only:

  • Azure OpenAI (Microsoft) — for AI coaching. Data processed in UK South and US regions.
  • Clerk — for authentication. Account data only.
  • Resend — for transactional emails. Email address only.
  • Azure Blob Storage — for progress photo storage.

We NEVER sell your data. We NEVER share data with advertisers. All service providers are bound by data processing agreements.

International Transfers

Your data is primarily stored and processed in Microsoft Azure's UK South data centre. Some data may be transferred to the United States when processed by Azure OpenAI.

These transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Microsoft's compliance with the EU-US Data Privacy Framework
  • Technical measures including encryption in transit (TLS 1.2+) and at rest (AES-256)

Data Retention

  • Active accounts: data retained for the duration of your account.
  • Deleted accounts: 30-day grace period, then permanent deletion.
  • AI conversation logs: retained for 90 days, then automatically purged.
  • Progress photos: deleted with account or on request.
  • Anonymised analytics: may be retained indefinitely (cannot be linked back to you).

Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of all data we hold about you.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Restriction — limit how we process your data.
  • Portability — receive your data in a machine-readable format.
  • Object — object to processing based on legitimate interests.
  • Withdraw consent — withdraw consent for health data processing at any time. This does not affect the lawfulness of processing carried out before you withdrew consent.
  • Complain — lodge a complaint with the Information Commissioner's Office (ICO).

To exercise any of these rights, email dpo@heymilo.coach. We will respond within one month.

Cookies & Tracking

HeyMilo uses only essential cookies:

  • Clerk session cookies for authentication
  • No advertising or tracking cookies
  • No third-party analytics cookies

We do not use Google Analytics, Facebook Pixel, or any advertising trackers.

Children

HeyMilo is not intended for anyone under 16 years of age. We do not knowingly collect data from children under 16. If we learn that we have collected data from a child under 16, we will delete it immediately.

Changes to This Policy

We will notify you of material changes to this Privacy Policy at least 30 days in advance via email or in-app notification. The "Last updated" date at the top of this page will always reflect the most recent revision.

Contact & Complaints

Data Protection Officer: dpo@heymilo.coach

General enquiries: hello@heymilo.coach

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF