Privacy Policy
Version 1.3 — effective July 13, 2026
Privacy Contact: Abby Holland — [email protected] for any privacy questions or requests regarding your data.
Introduction
Welcome to Go Go Gaia (“we”, “us”, “our”), a women's health platform operated by Holland Neurotech Inc. We collect, store, and process health information you provide or connect through integrated devices and services. We are committed to protecting your health information through industry-standard security practices and respecting your privacy rights under applicable laws.
1. Information We Collect
Go Go Gaia collects the following categories of information based on the features you choose to use:
Some of this information you enter manually. Other information — particularly biometric, vital sign, fitness, sleep, and cycle data — is read from your device's Apple HealthKit with your permission, including data your wearables (Apple Watch, Oura, Whoop, Garmin, Eight Sleep, and similar) have written to HealthKit. You control which categories you grant access to in iOS, and you can revoke access at any time in Settings › Privacy › Health. Data is transmitted to our servers so we can power your insights, dashboards, AI coaching, and longitudinal tracking across devices.
Cycle & Reproductive Data
- Menstrual cycle dates, flow intensity, cycle length, period length
- Fertility data: basal body temperature (BBT), cervical mucus observations, ovulation test results
- Pregnancy status, gestational week, trimester, kick counts, contraction timing
- Birth control type and usage, pill calendar tracking
- Hormone levels: estrogen, progesterone, FSH, LH, testosterone, DHEA, AMH
- PCOS management data, IVF journey tracking
- Menopause stage (perimenopause, menopause, post-menopause), HRT status and effectiveness
Biometric & Vital Sign Data
- Heart rate (resting and active), heart rate variability (HRV)
- Blood pressure, blood oxygen saturation (SpO2), respiratory rate
- Body temperature, VO2 max, glucose readings
- Steps, active energy, distance, exercise time
- Weight, body fat percentage, BMI, body measurements
Lab Results
- Bloodwork values extracted from uploaded lab PDFs (CBC, thyroid panel, lipid panel, metabolic panel, hormone levels, vitamin levels, inflammation markers)
- LOINC-coded clinical lab data with reference ranges and interpretations
- Lab provider name and test dates
Mood & Mental Wellness Data
- Mood logs with intensity ratings
- Symptom logs with severity ratings
- Stress levels, anxiety indicators, cognitive function observations
Medication & Treatment Data
- Medication names, dosages, frequencies, treatment categories
- Dose log entries (taken, missed, pending) with timestamps
- Adherence rates, side effect logs, effectiveness ratings
- Supplement prescriptions via Fullscript (when practitioner-prescribed)
- Health conditions with linked treatments
Fitness, Nutrition & Sleep Data
- Workout logs, sport-specific sessions, training load, injury tracking
- Meal logs with food items, calorie counts, macronutrient breakdowns
- Water and hydration tracking, AI-analyzed meal photos
- Sleep sessions, sleep stages, sleep efficiency and quality
AI Conversation Data
- Conversations with Delphi AI about health topics
- AI-learned health facts and recurring themes
- Vision analysis results (meal photos, lab result photos)
Account & Identity Data
- Name, email address, avatar
- Date of birth, life stage selection
- Language preference, timezone
2. How We Use Your Health Information
To Provide Health Tracking Services
- Display your health data on dashboards, charts, and trend analyses
- Calculate health scores (Whole Health Score, readiness, regularity, adherence)
- Generate cycle predictions, fertile window estimates, and phase recommendations
- Process uploaded lab result PDFs to extract structured health values
- Provide AI-powered health insights through Delphi
For Treatment/Care Coordination (Professional Platform)
- When you connect with a healthcare professional through Go Go Gaia, we share your health data with that professional according to the specific data categories you authorize
- Professionals can view your data through the professional portal to prepare for appointments
- You control which categories are shared and can revoke access at any time
For AI-Powered Analysis
Generating your insights (Google as a processor). When you use AI features, your relevant health data is sent to Google Gemini (via Vertex AI) so it can generate an insight or answer, which is then returned to you. This includes vision analysis of meal photos and lab results. This processing is covered by a Data Processing Agreement with Google Cloud that prohibits Google from using your data for any purpose other than serving our request. Google does not use your data to train its own models under this agreement, and this flow does not train ours.
This is separate from helping improve Gaia's own models, which is optional, off by default, and described in Section 11, “Research, Service Improvement & AI Model Training,” below. We only use your individual-level data to train Gaia's own models if you have turned that on.
We Do NOT Use Your Data For:
- Sale to third parties — we never sell your health data
- Training any other company's AI or machine learning models with your data — our processors, including Google, are contractually forbidden from using your data to train their own models, and we never provide your data to anyone else for that purpose
- Advertising or marketing targeting based on health conditions
- Employment or insurance decisions
- Any purpose you have not authorized
3. How We Share Your Health Information
With Healthcare Professionals You Authorize
- Only when you explicitly connect with a professional and select data sharing categories
- Per-category permissions: fitness, nutrition, sleep, vitals, cycle & hormonal, mental wellness, health scores, AI conversation themes
- You can pause or revoke sharing at any time; revocation is immediate
With Service Providers
- Google Cloud (via Vertex AI / Gemini) — AI conversations and vision analysis, under a contractual data processing agreement
- Amazon Web Services (AWS) — database hosting (RDS PostgreSQL, Stockholm region — eu-north-1), compute (EC2), file storage (S3), under a contractual data processing agreement
- Google Cloud / Firebase — authentication services. Note: Firebase Auth handles only email, password hashes, and tokens — no health data
- Fullscript — supplement prescriptions (only when a practitioner prescribes), under a contractual data processing agreement
- Sentry — error monitoring. Personal health data is scrubbed from all error reports before transmission via beforeSend hooks
As Required by Law
- In response to a court order, subpoena, or administrative request
- To report suspected abuse, neglect, or domestic violence
- For public health activities as required by law
- To prevent a serious and imminent threat to health or safety
We review every government or law enforcement request for your data case-by-case. Where a request is overbroad, unclear, or not properly issued, we push back, object, or seek to narrow it before producing anything. Where we are legally permitted to do so, we notify you before or after we respond. We do not voluntarily provide reproductive-health data — including cycle, fertility, pregnancy, or abortion-related information — to any party for purposes of surveillance or prosecution related to reproductive healthcare decisions. We will only produce it if compelled by valid legal process that we have reviewed and cannot successfully narrow or challenge.
4. Data Security
- All data is encrypted in transit (TLS/HTTPS enforced, HSTS preload) and at rest (AWS RDS with KMS encryption, S3 with SSE-AES256)
- All data is stored on AWS infrastructure in the Stockholm region (eu-north-1), within the European Union
- Authentication via Firebase with backend token exchange
- Automatic session timeout after 15 minutes of inactivity
- Rate limiting on all authentication endpoints
- Security headers: Content Security Policy, X-Frame-Options, Referrer-Policy
- Professional access audit trail logs every data access with timestamp, categories, and method
5. Data Retention
We keep your data only as long as we need it. In general: your data is retained while your account is active; it is deleted once it is no longer needed for the purpose it was collected for; it is deleted when you delete your account; and a small number of records are kept longer only where we have a specific legal obligation to do so, such as the professional-access audit log described below. Within that framework:
- All health data is retained until you delete it or delete your account
- Lab PDFs are processed in memory only and immediately discarded — no persistent storage of original documents
- Account deletion permanently removes all data within 30 days
- Professional access audit logs are retained for at least 6 years for security and compliance purposes
6. Your Privacy Rights
You have the following rights regarding your information:
- Right to Access: You can export all your data in JSON format through Settings > Download My Data. We will respond to access requests within 30 days.
- Right to Correction: You can edit most data directly within the app. For data you cannot edit directly, contact our Privacy Contact.
- Right to Know Who Accessed Your Data: The professional access log (Settings > Sharing > Access Log) shows every time a connected professional accessed your data.
- Right to Restrict Processing: You can manage per-category sharing controls for each connected professional, and can revoke HealthKit access at any time in iOS Settings > Privacy > Health.
- Right to Delete: You can request deletion of all your data. Account deletion is irreversible.
- Right to Data Portability: You can export all your data at any time in machine-readable JSON format.
7. AI Features — Consent and Control
AI features (Delphi chat, vision analysis) are entirely optional. You may enable or disable them at any time. When you use AI features:
- Your consent is logged securely in our system with timestamp and policy version
- We do not attach your name or email to data sent for AI processing
- AI insights are not medical advice and should not replace professional consultation
- To withdraw consent, disable the feature in settings or email us
Helping improve Gaia's own AI models is a separate, additional choice from using AI features — see Section 11 below and our AI Insights Terms.
8. Email Communications
By creating an account, you consent to receive service-related email communications including:
- Account confirmation and verification
- Password reset and security alerts
- Important service updates and announcements
- Compliance with legal requirements
These are essential service communications, not marketing. To stop receiving them, you may delete your account.
9. How to Exercise Your Rights or File a Complaint
To exercise any right:
- In-app: Settings > Privacy & Data
- Email: [email protected]
To file a complaint:
If you believe your privacy rights have been violated, you may contact us directly at [email protected]. EU users also have the right to lodge a complaint with their national data protection authority. You will not be retaliated against for filing a complaint.
10. Changes to This Policy
We may update this policy periodically. We will notify you of material changes by posting the updated policy on this page and, where required, by notifying you directly. You are advised to review this policy periodically.
11. Research, Service Improvement & AI Model Training
Improving Gaia (aggregate, applies to everyone). We may use de-identified, aggregated data to understand patterns across our user base at a statistical level and to improve the app. This aggregate data is not tied to your identity and is not shared outside the company. Every aggregate statistic we compute is calculated over a group of at least 100 members; any subgroup that would fall below that threshold is suppressed or rolled into a broader category rather than published or used. This applies to all members, regardless of the choice described below.
Helping improve Gaia's own AI models (optional, only if you opt in). With your explicit permission, we also use your data — including individual-level data that is not reduced to aggregate statistics — to train and improve Gaia's own internal AI models, including a foundation model that may power future features across the app. This is how the app gets smarter and more personal over time. This is entirely optional:
- It is off by default. It only happens if you turn on “Help Improve Gaia's AI Models” at sign-up or in Settings.
- We never sell this data, and we never share it outside Go Go Gaia. We never use it to train any other company's AI models.
- We never use data from members under 18 to train our AI models, even if the consent toggle is turned on.
- We do not attach your name or email to data used for model training, and we take technical steps — including de-duplicating training data and testing models before release for whether they can reproduce an individual's information — to reduce the chance that a trained model could reproduce any individual member's data.
- You can withdraw at any time in Settings, and we will stop using your data for future training. Because training happens in batches, data already incorporated into a model before you withdraw cannot always be pulled back out of that model; withdrawing stops all future use.
- Turning this off does not affect your access to any part of the app.
External research: We do not currently use your data for external research, clinical studies, or population-level publications. If we ever offer the opportunity to participate in research conducted by us or in partnership with others, we will request your explicit, separate opt-in consent for each specific study — with full disclosure of the study's purpose, who is conducting it, what data will be used, and how to withdraw. You can decline research participation at any time without losing access to any app features.
For more detail on our optional AI features, see our AI Insights Terms.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), gives you the following rights over your personal information:
- Right to know what personal information we collect, use, and disclose, and why
- Right to delete personal information we hold about you, subject to certain legal exceptions
- Right to correct inaccurate personal information
- Right to data portability — receive your data in a portable, readily usable format
- Right to opt out of the sale or sharing of your personal information
- Right to limit the use of sensitive personal information, including health information, to what is necessary to provide the app
- Right to non-discrimination for exercising any of these rights — we will not deny you service, charge you a different price, or provide a different level of service because you exercised a CCPA right
We do not sell or share your personal information, as those terms are defined by the CCPA/CPRA.
To exercise any of these rights, email [email protected]. We will verify your identity before responding and will respond within 45 days (extendable by an additional 45 days when reasonably necessary, with notice to you). You may designate an authorized agent to make a request on your behalf; we may require proof of the agent's authority and may still ask you to verify your own identity directly. California residents may make up to two such requests in a 12-month period at no charge.
13. Washington Consumer Health Data (My Health My Data Act)
Washington's My Health My Data Act (MHMDA) gives Washington consumers specific rights over “consumer health data.” Because nearly everything Go Go Gaia collects is consumer health data, we've published a standalone notice describing what we collect, why, who we work with, and your rights under the Act, rather than folding it into this policy as a subsection. Read it here: Consumer Health Data Privacy Notice.
In short: we do not sell consumer health data, and any use we make of your individual-level health data to train our own AI models happens only under the separate, named, opt-in consent described in Section 11 above — never as a blanket authorization bundled into these terms.
14. European Union & UK Data Protection (GDPR)
If you are located in the European Economic Area or the United Kingdom, the GDPR (and UK GDPR) gives you additional rights and requires us to identify our legal basis for processing your data:
- Performing our contract with you (Art. 6(1)(b)) — for the core functionality of the app: storing your logs, generating dashboards and scores, and the account itself
- Your explicit consent (Art. 9(2)(a)) — for processing special-category health data through optional features, including AI-powered insights and, separately, helping improve Gaia's own AI models
- Legal obligation (Art. 6(1)(c)) — for the narrow set of disclosures described in Section 3, “As Required by Law”
Your data is hosted on AWS infrastructure in Stockholm, Sweden (eu-north-1), within the EU. When you opt in to help improve Gaia's own AI models, the training itself is also carried out on infrastructure inside the EU — your data does not leave the EU for that purpose, so no international transfer mechanism is required for it.
You have the right to lodge a complaint with your national data protection supervisory authority at any time; see Section 9 above for how to reach us first if you'd like to try to resolve a concern directly.
We are in the process of appointing an EU representative under Art. 27 GDPR, as required for controllers outside the EU that process EU residents' data at our scale. This page will be updated with the representative's contact details once appointed.
15. Age Requirements
You must be at least 16 years old to create a Go Go Gaia account. Go Go Gaia is not directed at, and is not intended for, anyone under 16, and we do not knowingly collect personal information from anyone under 16. If we learn that an account belongs to someone under 16, we will delete the account and the associated data. If you are 16 or 17, you are welcome here, and we hold your data to a stricter standard: we never use data from members under 18 to train our AI models. If you believe someone under 16 has created an account, contact [email protected].
Contact Information
Go Go Gaia, operated by Holland Neurotech Inc.
Privacy Contact: Abby Holland
Email: [email protected]
General support: [email protected]