Privacy Policy
Last updated: May 11, 2026.
What we collect
Your email; the focus areas, goals, body metrics, daily rhythm, and dietary notes you enter; the logs you create; the messages you send our AI coach. We don’t collect anything we don’t need to make the product work.
Where it lives
Stored encrypted at rest with customer-managed keys (AWS KMS) in DynamoDB, us-east-2. Transit is TLS 1.3. We do not sell or share your data with advertisers.
Sub-processors
We use a small set of vendors who process data on our behalf:
- AWS (US) — hosting, encryption, identity (Cognito).
- OpenAI (US) — generates your daily plan and chat replies. We send only the context required for each request.
- Stripe (US) — payment processing if you upgrade.
- Vercel (US) — hosts the web app, and provides Vercel Analytics — anonymous, cookieless page-view counts. No cross-site tracking, no PII.
Your rights (GDPR / CCPA)
You have the right to access, correct, export, and delete your data. We make these one-click:
- Access & export: Settings → Download my data. Returns a JSON file with every record we hold on you.
- Correct: change anything in Profile, Goals, or Settings.
- Delete: Settings → Delete my account. Soft-deleted for 30 days (so you can recover), then permanently removed.
- Object to processing: email us — we’ll honor it.
Cookies
We use only essential cookies: a signed httpOnly session cookie for sign-in, and your theme preference. No analytics or advertising cookies.
Security posture
Customer-managed KMS keys, point-in-time recovery on the database, TLS everywhere, audit logging, MFA available, signed-cookie sessions with rotation. We’re a small team building toward SOC 2 — we follow the practices, but we don’t hold the certificate yet.
A note on health framing
PlainTheory is not a medical product. We do not knowingly collect Protected Health Information (PHI). We follow HIPAA-aware practices for security and access control, but the product is general-purpose coaching and is not a covered entity under HIPAA.
Children
PlainTheory is for adults 18+. We do not knowingly collect data from people under 18. If you believe we have, please contact us and we’ll delete it.
Contact
For privacy questions or to exercise any of the rights above, email us.
Stub for v1. Replace with legal-reviewed text before public launch.