Privacy Policy
Before the detail, here is what matters.
- Your health data is yours.
- We never sell your data.
- We never use your data for advertising.
- Our AI providers do not use your data to train their models.
- You can export or delete everything at any time.
Cellular Performance (CoC 77705785) builds and operates Cellular, a personal health intelligence platform. We collect health data from your wearables, lab reports, and conversations to give you a clear picture of your health and how to improve it.
This policy covers the Cellular web app at app.joincellular.com, the Cellular desktop and mobile apps, and messaging channels you connect (WhatsApp, Telegram, Slack). It explains what data we collect, why, who we share it with, and what rights you have.
Cellular Performance is the data controller. Our address is Herengracht 73H, 1015BD Amsterdam, The Netherlands. For privacy questions, contact us at legal@joincellular.com.
What data we collect and why
The data we collect depends on how you use Cellular. This section lists every category. For the legal basis behind each, see Legal basis for processing. For how long we keep each type, see Data retention and deletion.
Account and profile
When you create an account, we collect your email address, first name, and last name. As you set up your profile, you can add your date of birth, biological sex, ethnicity, height, address, timezone, unit system, avatar, goals, and notification preferences.
We use Google Places to autocomplete your address and store the result, including coordinates. Your address personalises recommendations based on climate, altitude, and local lab reference ranges.
All authentication is passwordless. You sign in with Google, Apple, or a magic link sent to your email.
Health data
Wearable data - when you connect a wearable device, we sync your health data through Junction.
| Domain | Data collected |
|---|---|
| Sleep | Duration, stages, efficiency, heart rate, HRV, breathing rate, SpO2, temperature |
| Activity | Workouts, steps, distance, calories, heart rate, cadence, power, VO2max, strain |
| Daily summaries | Resting heart rate, HRV, recovery, stress |
| Body composition | Weight, body fat, muscle mass, blood pressure, temperature |
| Glucose | Average, time in range, continuous readings |
| Nutrition | Calories, macronutrients, micronutrients, meals |
Workout data includes GPS routes and position samples when your wearable records them. This constitutes location data.
Supported providers: Apple Health, Oura, WHOOP, Garmin, Withings, Polar, Eight Sleep, Dexcom, Strava, and Cronometer.
Lab reports - when you upload a blood test or other lab report (PDF or image), we store the original file and send it to Anthropic (Claude) to extract biomarker names, values, and units. We store the extracted data as structured records tied to your account.
Physique photos - if you use the body composition feature, you upload photos (front, side, back). We send these photos to fal.ai for background removal, then to Anthropic (Claude) for body composition analysis, which produces an estimated body fat range and composition notes. We store the originals and processed versions.
Derived data - we calculate additional metrics from the data above. This includes your Cellular Age (a composite biological age score), health forecasts, trends, and baselines. We compute these on our servers and store them with your account.
AI concierge
When you use the AI health assistant, we store your messages (text, images, documents), the AI responses, and the AI reasoning behind each response. The concierge is powered by Anthropic (Claude). During a conversation, it retrieves your health data (wearables, biomarkers, body composition) when relevant to your question.
The concierge builds a memory of your health context, preferences, goals, and sensitivities. We store these context notes as vector embeddings (via OpenAI) to enable semantic search across conversations.
If you rate an AI response or leave feedback, we store that too.
Messaging channels
Connecting a messaging channel is optional. If you do, we collect channel-specific identifiers.
| Channel | Data collected |
|---|---|
| Phone number | |
| Telegram | Chat ID, user ID, username, first name |
| Slack | Workspace ID, workspace name, user ID, channel ID |
We store all messages in our database and process them through the AI concierge. We send voice notes from WhatsApp, Telegram, and Slack to Deepgram for transcription (the audio itself is transmitted). In-app voice input is also streamed to Deepgram. We store images and documents in our database.
Authentication and sign-in
When you sign in from a new device, we capture your device type and your city and country derived from your IP address. We resolve this location using a local database (MaxMind GeoLite2) - your IP address stays on our servers. We use this to send you a new device sign-in alert by email.
We use Anthropic (Claude) to suggest profile completions. When you first sign up, we infer your likely first and last name from your email address, and your likely biological sex from your first name. We store both as suggestions for you to accept or dismiss. They are not applied automatically.
Analytics and diagnostics
We collect usage data to improve the platform and fix issues. All three services are used solely for product improvement and bug fixing.
| Service | Data collected | Location |
|---|---|---|
| PostHog | Page views, clicks, form interactions, feature usage events. User ID, email, name, and role sent as properties. | EU (eu.posthog.com), proxied through our domain |
| Sentry | Errors, performance data, session replays (DOM snapshots, console output, network requests). Replays sampled at 10%, 100% on errors. User ID and email. | US, tunnelled through our domain |
| BetterStack | Server-side logs: user ID, email, request metadata, errors. | EU |
PostHog and BetterStack data stays in the EU. Sentry data is processed in the US under Standard Contractual Clauses.
Cookies and local storage
All cookies serve functional or analytical purposes.
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase session | Authentication | Session |
| Invite token | Persists invite during sign-up | 10 minutes |
| Slack OAuth state | Prevents cross-site request forgery during Slack connection | 5 minutes |
| PostHog | Analytics (first-party) | 1 year |
| Sentry | Error replay | Session |
We also use browser storage (localStorage and sessionStorage) for functional purposes: your first name for the loading screen, display preferences, and recent searches. You can clear these at any time through your browser settings. Blocking analytics cookies does not affect core functionality.
HealthKit and Apple Health
If you use our iOS app, you can share Apple Health data with Cellular through HealthKit. We request read-only access to the following categories: sleep, activity, workouts, body composition, blood glucose, heart rate, heart rate variability, blood oxygen, and profile. We do not write to HealthKit.
We use this data to calculate your Cellular Age, generate health forecasts, populate your health dashboard, and surface insights through the AI concierge.
HealthKit data is read on your device by Junction's SDK, synced to Junction's servers, then delivered to Cellular via webhook. Junction is a health data platform that provides a health service to you. We do not store HealthKit data in iCloud.
- We do not sell HealthKit data.
- We do not use HealthKit data for advertising.
- We do not share HealthKit data with third parties other than Junction, which processes it to provide a health service to you.
You can disconnect HealthKit at any time through your device settings or the Cellular app. Disconnecting stops new data from syncing. Previously synced data remains on our servers until you request deletion or delete your account. For retention details, see Data retention and deletion.
AI processing
We use AI across several features. Every AI provider we use is contractually prohibited from training on your data.
| Provider | Purpose | Data received | Location |
|---|---|---|---|
| Anthropic (Claude) | Lab report extraction | Raw report files, your sex, age, and wearable/lifestyle data (during summary step) | US |
| Anthropic (Claude) | AI concierge | Messages, conversation history, health data (sleep, activity, daily summaries, biomarkers, body, glucose, nutrition), profile (name, date of birth, sex, address, height), photos | US |
| Anthropic (Claude) | Daily health insights | Sleep, activity, daily summaries, and body data from the last 7 days, plus your name, sex, and date of birth | US |
| Anthropic (Claude) | Physique analysis | Body composition photos (after background removal), including pose classification | US |
| Anthropic (Claude) | Profile suggestions | Email address, first name | US |
| OpenAI | Vector embeddings | Message text, AI memory content | US |
| fal.ai | Background removal | Physique photos | US |
| Deepgram | Voice transcription | Audio from voice notes and in-app voice input | US |
Lab report extraction - when you upload a lab report, we send it through four processing steps to classify, extract, validate, and summarise the results. Every step runs through Anthropic (Claude). The summary step also retrieves your recent wearable and lifestyle data to generate a contextual report summary.
AI concierge - when you send a message, we include your profile, connected devices, and conversation history. The AI calls tools to fetch your health data when answering health questions. We store the AI reasoning behind each response.
Daily health insights - Anthropic (Claude) generates daily health insights from your recent wearable and profile data, shown on your dashboard.
Physique analysis - fal.ai removes the background from your photos. Anthropic (Claude) then classifies the pose (front, side, back) and estimates body fat range and composition notes.
Profile suggestions - when you first sign up, we send your email address to Anthropic (Claude) to infer your likely name, and your first name to infer your likely biological sex. We store both as suggestions for you to accept or dismiss.
Vector embeddings - we send your message text and AI memory content to OpenAI to generate vector embeddings. These power semantic search across your conversations. Only Anthropic generates responses; OpenAI produces embeddings.
Voice transcription - we send audio from WhatsApp, Telegram, Slack voice notes and in-app voice input to Deepgram for speech-to-text conversion.
Automated calculations
We calculate your Cellular Age (a composite biological age score), health forecasts, trends, and baselines. These run on our servers using your biomarker and wearable data. No third-party AI is involved.
All automated processing is informational. It does not produce decisions with legal or similarly significant effects on you, such as credit decisions or employment screening.
Legal basis for processing (GDPR)
We process your personal data under GDPR Article 6. Health data is a special category under GDPR Article 9 and requires a separate legal basis. You give consent through the action listed in the final column.
Health data (consent)
| Processing activity | Article 6 basis | Article 9 basis | Your action |
|---|---|---|---|
| Wearable data sync | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Connecting a wearable device |
| Lab report extraction | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Uploading a report |
| Physique photos and analysis (including background removal by fal.ai) | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Uploading photos |
| AI concierge (health data) | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Connecting wearables or uploading reports |
| Daily health insights | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Connecting wearables |
| Cellular Age and forecasts | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Connecting wearables or uploading reports |
| HealthKit | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Authorising HealthKit access |
| Voice transcription (Deepgram) | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Using voice input |
| Vector embeddings (OpenAI) | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Using the AI concierge with health data |
| Messaging channels | Consent (6(1)(a)) | Explicit consent (9(2)(a)) | Connecting a channel |
Core product (contract)
| Processing activity | Article 6 basis | Article 9 basis | Your action |
|---|---|---|---|
| Account creation and profile | Contract (6(1)(b)) | - | Creating your account |
| AI concierge (general) | Contract (6(1)(b)) | - | Using the concierge |
| Transactional emails | Contract (6(1)(b)) | - | - |
Operations (legitimate interests)
| Processing activity | Article 6 basis |
|---|---|
| Analytics (PostHog) | Legitimate interests (6(1)(f)) |
| Error tracking (Sentry, BetterStack) | Legitimate interests (6(1)(f)) |
| New device sign-in alerts | Legitimate interests (6(1)(f)) |
| Profile suggestions | Legitimate interests (6(1)(f)) |
| Customer messaging (Intercom) | Legitimate interests (6(1)(f)) |
We rely on legitimate interests for analytics (understanding product usage), error tracking (detecting faults), sign-in alerts (protecting your account), profile suggestions (reducing setup friction), and customer messaging (providing support). We balance these against your rights by minimising the data collected, proxying analytics through our domain, and hosting analytics and logging in the EU. You can object at any time by contacting legal@joincellular.com.
How to withdraw consent
Each consent is tied to a specific action. You withdraw it by reversing that action.
| Data type | How to withdraw |
|---|---|
| Wearable data | Disconnect the device in Data Sources. |
| Lab reports | Delete individual reports or delete your account. |
| Physique photos | Delete individual check-ins or delete your account. |
| HealthKit | Disconnect via your device settings or the Cellular app. |
| Voice transcription | Stop sending voice messages or using voice input. |
| Messaging channels | Unlink the channel in settings. |
| All data | Delete your account in settings or contact us. We delete all data within 30 days of the request. |
For wearables and HealthKit, disconnecting stops new data from syncing. For messaging channels, unlinking stops new messages but message history remains. In both cases, previously synced data stays on our servers until you delete your account. To remove all health data, delete your account.
Withdrawing consent does not affect processing that happened before you withdrew.
Third-party services
We share personal data with the third parties listed below. We do not sell your personal data.
| Category | Service | Data shared | Purpose | Location |
|---|---|---|---|---|
| AI | Anthropic (Claude) | Messages, health data, photos, report files, profile data | AI concierge, report extraction, insights, physique analysis, profile suggestions | US |
| AI | OpenAI | Message text, conversation summaries | Vector embeddings | US |
| AI | fal.ai | Physique photos | Background removal | US |
| AI | Deepgram | Audio from voice input | Speech-to-text transcription | US |
| Infrastructure | Supabase | Account details, health metrics, reports, files | Database, authentication, file storage | EU |
| Infrastructure | Vercel | HTTP requests, IP addresses, page URLs | Hosting | EU (Paris) |
| Infrastructure | Resend | Email addresses, email content | Transactional emails | US |
| Health data | Junction | User ID, wearable account credentials, wearable OAuth tokens | Wearable data aggregation (health data transits through Junction) | EU |
| Messaging | Meta (WhatsApp Cloud API) | Phone numbers, messages | WhatsApp messages | US |
| Messaging | Telegram Bot API | User identifiers, usernames, messages | Telegram messages | Global |
| Messaging | Slack API | Workspace IDs, user IDs, channel IDs, messages | Slack messages | US |
| Analytics | PostHog | User ID, email, name, role, usage events | Product analytics | EU |
| Analytics | BetterStack | User ID, email, errors, session replays, request metadata | Error tracking, session replay, server-side logging | EU |
| Identity | Intercom | User ID, email, name | Customer support | EU |
| Identity | Google Places API | Address search queries | Address autocomplete | US |
| Identity | MaxMind GeoLite2 | IP addresses | IP geolocation (processed locally, no data sent) | Local |
| Identity | Google OAuth | Email address, name (from provider profile) | Authentication | US |
| Identity | Apple OAuth | Email address, name (from provider profile) | Authentication | US |
International data transfers
Cellular is operated from the Netherlands. Your primary data store (Supabase), analytics (PostHog), logging (BetterStack), hosting (Vercel), wearable aggregation (Junction), and customer support (Intercom) are all in the EU.
The following services process data in the United States: Anthropic, OpenAI, fal.ai, Deepgram, Resend, Meta (WhatsApp), Slack, Google Places, Google OAuth, and Apple OAuth. Telegram processes data globally. We transfer data to these services under the EU-US Data Privacy Framework or Standard Contractual Clauses.
MaxMind data is processed locally on our servers. No IP address data leaves the EU.
Data retention and deletion
| Data type | Retention period | You can delete |
|---|---|---|
| Account and profile | While your account is active | Delete your account |
| Wearable data | While your account is active | Delete your account |
| Lab reports and biomarkers | While your account is active | Individual reports or your account |
| Physique photos and analysis | While your account is active | Individual check-ins or your account |
| AI conversations | While your account is active | Hide individual threads * |
| AI memories | While your account is active | Delete your account |
| Messaging channel data | While your account is active | Delete your account |
| Analytics (PostHog) | Vendor default retention | Automatically expires |
| Error tracking and logs (BetterStack) | Vendor default retention | Automatically expires |
| Deletion audit logs | Retained after account deletion | Not deletable (legal compliance) |
* Hidden threads are removed from your view but stay in our database until account deletion.
How account deletion works
- You request deletion in settings or by contacting legal@joincellular.com.
- We lock your account immediately.
- You have 30 days to cancel by contacting us.
- After 30 days, we delete all your personal data from our database and file storage.
- We retain a deletion audit log (user ID, email, request and execution dates) for legal compliance. This log contains no health data.
Third-party services follow their own retention schedules. All AI providers we use operate on zero-retention API terms.
Your rights under GDPR
You have the following rights over your personal data.
| Right | What it means | How to exercise |
|---|---|---|
| Access | Request a copy of the data we hold about you | Use the data export feature in settings or contact us |
| Rectification | Correct inaccurate data | Edit your profile in settings or contact us |
| Erasure | Delete your data | Delete individual items or your account in settings |
| Portability | Receive your data in a structured, machine-readable format | Use the data export feature in settings |
| Restriction | Ask us to limit processing of your data | Contact us |
| Objection | Object to processing based on legitimate interests | Contact us |
| Withdraw consent | Withdraw consent at any time | Disconnect data sources, unlink channels, or delete your account |
| Complaint | File a complaint with a supervisory authority | Contact the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) at autoriteitpersoonsgegevens.nl |
To exercise any right, see Contact below. We respond within 30 days.
Data security
We protect your data with the following measures.
- We encrypt all data in transit (TLS) and at rest.
- Row-level security ensures you can only access your own data.
- Webhook endpoints verify signatures before processing incoming data.
- We encrypt Slack bot tokens before storage.
- Supabase manages authentication sessions with httpOnly, secure cookies.
- We proxy analytics and error tracking through our domain to prevent third-party cookie exposure.
If we discover a data breach that exposes your personal data, we will notify you and the Autoriteit Persoonsgegevens within 72 hours as required by GDPR.
Not a medical device
Cellular is a health intelligence platform, not a medical device. The AI concierge, Cellular Age score, forecasts, and biomarker analysis are for informational purposes only. They do not diagnose, treat, cure, or prevent disease. Consult a qualified healthcare professional before making health decisions.
Children
Cellular is not intended for anyone under 18. We do not knowingly collect personal data from minors. If we discover we hold data from someone under 18, we will delete it within 30 days.
Changes to this policy
We update this policy when our practices change. If we make a material change, we will notify you by email or through the app at least 14 days before the new effective date. We archive every version. You can view past versions using the selector at the top of this page.
Contact
Cellular Performance Herengracht 73H, 1015BD Amsterdam, The Netherlands CoC 77705785
Supervisory authority: Autoriteit Persoonsgegevens, autoriteitpersoonsgegevens.nl