We built Mora to help you log weight, fasting, and calories calmly. We collect the minimum we need to run the service, we never sell your data, and we honor your rights under GDPR, UK GDPR, and California's CCPA/CPRA. This page explains exactly what that means.
1. Who we are
"Mora" (also "we", "us", "our") refers to the team operating the Mora iOS application and the website at getmoraapp.vercel.app. Mora is currently operated as an unincorporated project; once we incorporate, this section will be updated to name the legal entity.
For the purposes of GDPR and UK GDPR, Mora is the data controller of personal data we collect from you. For data processed on our behalf (hosting, email delivery, analytics) we use carefully selected processors, listed in section 4.
2. Data we collect
Information you give us
- Email address — when you join the waitlist or create an account.
- Account credentials — your password is stored only as a salted hash by our authentication provider (Supabase Auth); we never see it in plaintext.
- Profile data — anything you enter in the app (height, starting weight, daily logs, fasting windows, meal entries, notes).
- Support messages — when you write to us through the contact form, we receive your message, your reply email if you provide one, and the timestamp.
Information collected automatically
- Device & diagnostic data — iOS version, device model, app version, crash reports, and basic performance metrics. Used to keep the app stable.
- Approximate location — derived from IP address only, used for security (e.g. detecting unusual sign-ins) and never stored long-term.
- Subscription metadata — Apple shares with us whether your subscription is active, on trial, or cancelled. We do not receive your card number, full name, or billing address from Apple.
Information from Apple HealthKit
If you grant permission, Mora reads from and writes to Apple HealthKit (e.g. body weight, body fat, dietary energy, fluid intake). See section 5 for the special rules that apply to HealthKit data.
3. Why we collect it & our legal bases
Under GDPR and UK GDPR, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): to create your account, sync your logs, and provide the subscription you've paid for.
- Legitimate interests (Art. 6(1)(f)): to keep the service secure, prevent abuse, fix bugs, and improve features in aggregate. We balance this against your interests, and you can object at any time.
- Consent (Art. 6(1)(a)): for HealthKit access, optional product emails, and any future analytics. You can withdraw consent at any time without affecting prior processing.
- Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and law-enforcement requests we are legally required to honor.
Health-related data is "special category" data under GDPR Art. 9. We process it only with your explicit consent (Art. 9(2)(a)) granted through the iOS HealthKit permission prompt and only for the purposes you've chosen Mora for.
4. Who we share data with
We do not sell your personal information. We share data only with the following processors, each contractually bound by a Data Processing Agreement (DPA):
- Supabase Inc. — database, authentication, and serverless functions. Hosting region selected at project creation. Privacy · DPA.
- Resend Inc. — transactional email delivery (waitlist welcome, support replies). Privacy.
- Vercel Inc. — static website hosting, request logs (retained ~30 days). Privacy.
- Apple Inc. — App Store distribution, in-app subscription processing, push notifications. Apple acts as an independent controller for App Store and payments data. Privacy.
We may also disclose information when legally compelled by a valid court order, subpoena, or government request, or when necessary to investigate fraud or protect the safety of our users or others. Where permitted, we will notify you first.
In the event of a merger, acquisition, or asset sale, your data may be transferred to the acquiring entity. You will be notified by email and through the app, and the receiving entity will be bound by this Privacy Policy or one no less protective.
5. HealthKit data — Apple-required disclosures
When you grant Mora permission to read from or write to Apple HealthKit, we treat that data with the additional protections Apple requires:
- We never use HealthKit data — or any data derived from it — for advertising, marketing, or other use-based data mining purposes other than improving health, fitness, or health-research outcomes within Mora.
- We never disclose HealthKit data to third parties for advertising, data brokering, marketing, or resale of any kind.
- We do not share HealthKit data with any third party except as required to provide the service you've requested (e.g. syncing your encrypted account across devices via Supabase) or with your explicit further consent.
- You can revoke Mora's HealthKit permissions at any time in the iOS Settings app under Privacy & Security → Health → Mora.
- You can delete all HealthKit data Mora has stored by deleting your Mora account (see section 8).
6. International transfers
Our processors may store and process data in the United States and other countries outside the EEA / UK. When data is transferred out of the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the UK Addendum, and we perform transfer impact assessments to confirm the recipient jurisdiction provides adequate protection.
7. Data retention
- Waitlist email — kept until launch + 90 days, or until you unsubscribe, whichever is earlier.
- Account data & logs — kept for as long as your account is active, plus 30 days after deletion to allow recovery from accidental deletion. After that, hard-deleted from primary storage; backups are purged on a 90-day rolling cycle.
- Support messages — kept for 24 months for service-history purposes, then deleted.
- Billing records — kept for the period required by applicable tax law (typically 7 years).
8. Your rights (GDPR / UK GDPR)
If you are in the EEA, the UK, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Rectify data that is inaccurate or incomplete.
- Erase your data ("right to be forgotten"), subject to legal retention requirements.
- Restrict or object to certain processing.
- Port your data to another service in a machine-readable format.
- Withdraw consent at any time, without affecting processing that occurred before withdrawal.
- Lodge a complaint with your local supervisory authority (e.g. ICO in the UK, CNIL in France, your country's DPA).
To exercise any of these rights, send a request through our contact form. We will respond within 30 days (extendable by 60 days for complex requests, with notice). We may need to verify your identity before acting on the request.
9. California privacy rights (CCPA / CPRA)
If you are a California resident, you have additional rights:
- Right to know what personal information we collect, the purposes, and the categories of third parties we share with.
- Right to delete personal information we have collected, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, including for cross-context behavioral advertising.
- Right to limit use of sensitive personal information — Mora uses sensitive PI (account credentials, health information) only to deliver the service you've requested.
- Right to non-discrimination for exercising any of these rights.
To exercise these rights, contact us through the contact form. You may also designate an authorized agent to make a request on your behalf, in which case we may require written verification.
"Shine the Light" (California Civil Code §1798.83)
We do not share personal information with third parties for their own direct marketing purposes.
10. Children
Mora is not directed to and not intended for use by anyone under the age of 13 (or under 16 in the EEA / UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
11. Cookies & local storage
Our website uses minimal storage. We do not set advertising or analytics cookies. The site may use:
- Local storage for Supabase authentication tokens (only on pages where you sign in or verify your email).
- Strictly-necessary preferences, such as remembering you've dismissed a notice.
Because we do not use non-essential cookies, no cookie consent banner is required under the EU ePrivacy Directive. If we add analytics in the future, we will ask for your consent first and update this policy.
12. Security
We protect your data with industry-standard measures: encryption in transit (TLS 1.2+) and at rest, password hashing using algorithms recommended by OWASP, role-based access control to production data, and the principle of least privilege for all team members.
No system is perfectly secure. If we ever experience a personal data breach affecting you, we will notify the relevant supervisory authority within 72 hours where required, and notify you without undue delay if the breach is likely to result in a high risk to your rights.
13. Changes to this policy
We may update this Privacy Policy as the service evolves or the law changes. The "Last updated" date at the top of this page reflects the most recent change. For material changes (new categories of data, new processing purposes, expanded sharing), we will give you prominent notice in the app or by email at least 30 days before the change takes effect.
14. Contact us
For privacy questions, GDPR / CCPA requests, or anything else covered by this policy, please use our contact form. Your message goes directly to Mora — we typically respond within 5 business days.