Varient

Privacy Policy

Effective May 5, 2026

Last updated May 5, 2026

This Privacy Policy describes how Varient Nutrition LLC ("Varient", "we", "us", or "our") collects, uses, shares, and protects personal information when you use the Varient iOS application, the varientnutrition.com website, and any related services (collectively, the "Service"). By using the Service, you agree to the practices described here.

At a glance:

  • We do not sell your personal information.
  • We do not share your data with advertisers or for cross-context behavioral advertising.
  • We do not use Apple HealthKit data for advertising.
  • We do not use your User Content (profile, plans, coach messages) to train AI models.
  • You can export or delete your account in-app at any time.

1. Information we collect

We collect information directly from you, automatically through your use of the Service, and from a limited set of third-party providers as described below. We collect only what is necessary to operate the Service.

1.1 Information you provide

  • Account information: email address, first and last name, and a password (stored as a salted hash by our authentication provider — we never see your plaintext password).
  • Profile information: height, weight, age, gender, activity level, calorie and macronutrient goals, allergies, dietary preferences, kitchen equipment, budget tier, and (optional) autoimmune conditions or medical flags you choose to disclose.
  • Bloodwork values: only the laboratory values you choose to enter on the Labs tab (e.g., vitamin D, B12, ferritin, lipid panel). Optional; never required to use the Service.
  • Plan and meal data: meal plans we generate for you, the meals you mark eaten, food logs and deviations, and any food preferences or favorites you save.
  • Coach messages: the natural-language requests you send to the in-app AI coach.
  • Customer-support content: messages, attachments, and metadata when you contact us.

1.2 Information collected through Apple HealthKit and connected devices

With your explicit permission, we read a limited set of metrics from Apple HealthKit (and, if connected, third-party fitness sources such as Oura): sleep duration and timing, heart-rate variability, resting heart rate, step count, active and total calories burned, body weight, and workout entries. This data is read-only and only with your authorization. HealthKit data is treated under the additional commitments described in Section 6.

1.3 Subscription and purchase information

When you purchase a Varient Premium subscription, Apple processes the payment and we receive only subscription state (active, expired, trial period). We do not receive or store your payment card details.

1.4 Information collected automatically

  • Diagnostics & usage: anonymous crash reports and basic usage events (which screen was viewed, which feature was used, error codes) used to detect bugs and improve performance. We do not associate this data with advertising IDs.
  • Device information: device model, operating-system version, application version, and language preference, used for compatibility and debugging.
  • Server logs: IP address, timestamps, and request metadata associated with API requests, used for security, abuse prevention, and operational monitoring. Server logs are retained for up to 30 days unless required for security investigation.
  • Cookies / similar technologies (web only): the varientnutrition.com website uses a minimal set of first-party cookies for authentication session management. We do not use third-party advertising cookies or cross-site tracking technologies.

2. How we use information

We process your information for the following purposes:

  • Provide the Service: generate personalized meal plans calibrated to your body, goals, preferences, and (with permission) HealthKit context; power the AI coach so it can interpret food logs, nutrient gaps, and tweaks; surface bloodwork-driven nutrition suggestions you accept or deny.
  • Account management: create and authenticate your account, process subscriptions via Apple, and prevent abuse.
  • Communication: send transactional emails (signup confirmation, password reset, account deletion confirmation) and respond to support requests.
  • Diagnostics and improvement: detect crashes, diagnose performance issues, and improve product reliability. Aggregated, de-identified analytics may be used to evaluate feature adoption.
  • Security: protect the Service and our users from fraudulent, abusive, or unlawful activity.
  • Legal compliance: comply with applicable laws, regulations, court orders, or lawful government requests.

We do not sell your personal information, share it for cross-context behavioral advertising, use it for advertising, share it with data brokers, or use your User Content to train AI models.

3. Legal bases for processing (EU/UK/EEA users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR/UK GDPR:

  • Performance of a contract (Art. 6(1)(b)) for processing necessary to provide the Service you have requested.
  • Legitimate interests (Art. 6(1)(f)) for security, fraud prevention, diagnostics, and product improvement, where these interests are not overridden by your fundamental rights.
  • Consent (Art. 6(1)(a)) for optional features such as connecting Apple HealthKit, entering bloodwork, and any feature that we mark as opt-in. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Legal obligation (Art. 6(1)(c)) where processing is required to comply with the law.
  • Explicit consent for special-category data (Art. 9(2)(a)) for health-related information you choose to provide, including HealthKit data, autoimmune disclosures, and bloodwork values. You may withdraw consent at any time, and the data will be deleted upon withdrawal unless retention is required by law.

4. Service providers and processors

We rely on a limited set of service providers ("subprocessors") to operate the Service. Each processes only the data necessary for its specific function, under contractual obligations that include confidentiality, security, and use limitations consistent with this Privacy Policy. None of them sells your data.

| Provider | Function | Data accessed |
| --- | --- | --- |
| Supabase, Inc. (US) | Authentication and primary database | Account, profile, plans, bloodwork (encrypted at rest), logs |
| Vercel, Inc. (US) | Web hosting and serverless API execution | Request metadata, server logs |
| Apple, Inc. (US) | App Store distribution and subscription billing | Subscription state, App Store identifier |
| RevenueCat, Inc. (US) | Subscription state across devices | App User ID, subscription events |
| Moonshot AI (CN) | Large-language-model provider for AI coach | Coach messages and current plan context, transmitted only at the moment of inference. Per agreement, content is not retained for training. See Section 8 for international transfer safeguards. |
| Resend (US) | Transactional email delivery | Email address, message content |

We may add, remove, or change subprocessors as the Service evolves. Material changes will be reflected in the next update to this Privacy Policy. Email privacy@varientnutrition.com for the current authoritative list.

5. Sharing and disclosure

We may disclose personal information in the following circumstances:

  • To subprocessors as described in Section 4, only as necessary to operate the Service.
  • With your consent or at your direction (e.g., when you accept a bloodwork suggestion that needs to be passed to the AI coach).
  • For legal reasons, when we have a good-faith belief that disclosure is necessary to comply with a law, regulation, valid legal process, or governmental request; to enforce our Terms; to detect or address fraud, security, or technical issues; or to protect against harm to the rights, property, or safety of Varient, our users, or the public.
  • In connection with a corporate transaction such as a merger, acquisition, financing, reorganization, sale of assets, or insolvency, in which case personal information may be transferred to the successor entity. We will notify you (via email or in-app notice) before your data becomes subject to a different privacy policy.
  • In aggregated or de-identified form that cannot reasonably be used to identify you.

6. Apple HealthKit — additional commitments

When you grant Varient access to Apple HealthKit, the following commitments apply in addition to the rest of this Policy. These commitments are made pursuant to Apple's HealthKit guidelines (Section 5.1.3 of the Apple App Store Review Guidelines):

  • We do not use HealthKit data for advertising, marketing, or any use-based data-mining purpose other than improving health, fitness, or medical research.
  • We do not disclose HealthKit data to any third party (including service providers) for any purpose other than as described in this Privacy Policy and only with your authorization.
  • We do not sell HealthKit data to advertising platforms, data brokers, or information resellers.
  • We do not share HealthKit data with any third party for advertising or cross-context behavioral advertising.
  • HealthKit data is used only to compute your daily calorie target, surface recovery and sleep-quality context to the meal-planning engine, and (when relevant) personalize AI-coach responses to your recent activity.
  • You may revoke HealthKit permission at any time in iOS Settings → Privacy & Security → Health → Varient. Revoking permission will not delete data already used in computations, but no further HealthKit data will be read.

7. Bloodwork values

Lab values you enter are stored encrypted at rest in our database. They are used solely to (a) generate the accept/deny suggestions on your dashboard and (b) inform plan generation when you accept a suggestion. Bloodwork values are not shared with any third party other than the AI coach — and only when you explicitly accept a suggestion that needs that context for the coach's response. You can delete bloodwork values at any time by clearing the fields on the Labs tab, or by deleting your account.

8. International data transfers

Varient is operated from the United States, and most of our subprocessors are located in the United States. The AI-coach provider Moonshot AI is located outside the US. If you access the Service from outside the country in which our processors operate, your data may be transferred to, stored, and processed in those countries.

For transfers from the EEA, the UK, or Switzerland, we rely on (a) the European Commission's Standard Contractual Clauses (SCCs) where applicable, (b) the UK International Data Transfer Addendum, and (c) additional technical and organizational measures (encryption in transit and at rest, access controls, confidentiality obligations, no-training commitments). You may request a copy of the relevant transfer mechanism by emailing privacy@varientnutrition.com.

9. Automated decision-making and profiling

The Service uses algorithmic and AI-driven systems to generate personalized meal plans, calorie targets, micronutrient suggestions, and AI-coach responses. These automated systems do not produce decisions that have legal effects or similarly significant effects within the meaning of GDPR Article 22 — they are informational tools to assist your meal planning. You retain full control over which suggestions you accept, which plans you select, and how you act on AI-coach output. You may contact us at privacy@varientnutrition.com to ask questions about how a particular suggestion was generated.

10. Your rights

10.1 In-app and email controls (all users)

  • Access: your data is visible in the app at any time.
  • Correction: edit profile values directly in the app, or update bloodwork on the Labs tab.
  • Deletion: delete your account and all associated personal data via Profile → Delete Account in the iOS app, or by emailing support@varientnutrition.com. Deletion is permanent.
  • Export: email support@varientnutrition.com from your account address and we will deliver a JSON export of your account, profile, plans, day logs, and bloodwork within seven (7) days.

10.2 California residents (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act, as amended:

  • Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties with whom we share information.
  • Right to delete personal information we have collected (subject to certain exceptions).
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information. The Service does not use sensitive personal information for any purpose beyond what is necessary to provide the requested Service or as otherwise permitted by the CCPA, so this right is automatically honored.
  • Right to opt out of sale or sharing. We do not sell personal information and do not share personal information for cross-context behavioral advertising. There is therefore nothing to opt out of.
  • Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

Categories of personal information we collect: identifiers (email, name); customer records (profile data); commercial information (subscription state); internet activity (server logs, diagnostics); geolocation derived from IP address; sensory data (none); employment-related (none); education (none); inferences (plan personalization signals); sensitive personal information (account credentials and, with consent, health and bloodwork data).

To exercise these rights, use the in-app controls in Section 10.1 or email privacy@varientnutrition.com. We may verify your request by asking you to confirm details associated with your account. You may designate an authorized agent to act on your behalf; we will require written authorization and identity verification.

10.3 Other US state residents (Virginia, Colorado, Connecticut, Utah, and similar)

Residents of states with comprehensive privacy laws have rights including access, correction, deletion, portability, and (where applicable) opt-out of profiling for decisions producing legal or similarly significant effects, sale, or targeted advertising. We do not sell personal information, do not engage in targeted advertising, and use automated tools only to generate informational meal-planning content. To exercise rights, use the in-app controls or email privacy@varientnutrition.com. You may appeal any denial by replying to our response.

10.4 EEA / UK / Swiss residents (GDPR / UK GDPR)

You have the right to:

  • Access the personal information we hold about you;
  • Request rectification of inaccurate or incomplete data;
  • Request erasure of your data ("right to be forgotten");
  • Restrict or object to processing;
  • Data portability — receive a copy of your data in a structured, machine-readable format;
  • Withdraw consent at any time, where processing is based on consent;
  • Lodge a complaint with your local supervisory authority. A list of EU authorities is available at edpb.europa.eu. The UK ICO is at ico.org.uk.

To exercise these rights, use the in-app controls or email privacy@varientnutrition.com. We will respond within one (1) month, with one extension if necessary as permitted by law.

11. Children's privacy

Varient is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided personal information to us, please email privacy@varientnutrition.com and we will promptly delete the account.

For users between 13 and 17, parental or legal-guardian consent is required as set forth in our Terms of Service. We do not knowingly process the personal information of users under 16 located in the EEA, UK, or Switzerland without the consent of a parent or guardian.

12. Data retention

We retain personal information only as long as necessary for the purposes described:

  • Account, profile, plans, day logs, bloodwork: for as long as your account is active. Permanently deleted within seven (7) days after you delete your account.
  • AI-coach messages: for as long as your account is active or until you clear the conversation. Deleted with the account.
  • Subscription state: for as long as your account is active and for up to 24 months after deletion, where required for tax, billing-dispute, or audit purposes.
  • Server logs, diagnostics: typically 30 days; up to 12 months for security investigations.
  • Customer-support tickets: up to 24 months after the ticket is closed.
  • Aggregated, de-identified data may be retained indefinitely for product analysis and cannot be tied back to you.

13. Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (HTTPS / TLS) and at rest, password hashing handled by our authentication provider, access controls, two-factor authentication for production-system access, principle-of-least-privilege for personnel, and routine audit-logging. No security measure is perfect. If we become aware of a breach involving your personal information, we will notify you and the appropriate regulators in compliance with applicable law, generally within 72 hours of confirmation where required by law.

14. Do Not Track and Global Privacy Control

We do not engage in cross-site or cross-service tracking. Because we do not sell or share personal information for cross-context behavioral advertising, the Global Privacy Control (GPC) signal does not change our practices, but we honor opt-out preferences that are required by applicable law where received.

15. Third-party links and services

The Service may contain links to or integrate with third-party websites, services, or content (e.g., Apple, Oura). We are not responsible for the privacy practices or content of those third parties. Their processing is governed by their own privacy policies.

16. Changes to this Privacy Policy

If we make a material change to this Policy, we will notify you via email or an in-app notice at least fourteen (14) days before it takes effect (or such longer period as may be required by law). The "Last updated" date at the top reflects the most recent change. Continuing to use the Service after the effective date constitutes acceptance of the updated Policy.

17. Contact

Privacy questions and requests: privacy@varientnutrition.com
General support: support@varientnutrition.com

For users in the EEA, UK, or Switzerland, you may contact our representative for GDPR purposes by emailing privacy@varientnutrition.com with the subject line "EU/UK Representative".

By creating an account or using Varient, you confirm you have read this Privacy Policy and the Terms of Service.