Privacy policy
Last updated: May 3, 2026
1. Plain-language summary
Thyra is a nutrition app for people living with hypothyroidism and Hashimoto’s. Your health information is sensitive, and we treat it that way:
- We collect only the data we need to deliver the service.
- We never sell your data, and we never use your health information for advertising.
- Your symptoms, medication and food logs are encrypted at rest and protected by per-user access controls.
- You can export or delete your account at any time from inside the app or by emailing us.
The sections below explain the same thing in detail.
2. Who we are
Thyra (“Thyra,” “we,” “us”) is the data controller responsible for the processing described in this policy. You can reach us at privacy@thyraapp.com.
This policy applies to the Thyra mobile app and the website at thyraapp.com. When you use third-party services (App Store, Google Play, Google Sign-in, Apple Sign-in), those providers also process your data under their own privacy notices.
3. Data we collect
3.1 Data you provide
- Account. Email address and the auth provider you choose (Apple or Google).
- Health profile. Self-reported information you give us during onboarding: condition (hypothyroidism / Hashimoto’s), medication name, dose and time, celiac status, dietary approach, weight goal, height, weight, age, biological sex, activity level, cooking level, top symptoms, avoided foods, suspected triggers and food preferences.
- Daily logs. Symptoms (energy, brain fog, mood, digestion), food entries (text, photos and AI-derived nutrient estimates) and notes you choose to record.
- Lab results. If you upload them, photos of lab reports and the extracted markers (TSH, T3, T4, antibodies, etc.).
- Conversations. Messages you send to the AI companion and the food validator.
- Support. Anything you write to us by email or contact form.
3.2 Data we collect automatically
- Usage events. Anonymized product analytics (screens viewed, features used, conversion funnel) collected via Amplitude.
- Crash and performance data. Stack traces and device metadata via Sentry, used to fix bugs.
- Install attribution. If you install Thyra after clicking a marketing link, AppsFlyer records which campaign brought you in — without personal identifiers.
- Subscription state. RevenueCat tells us whether you have an active subscription, but the actual payment is handled by Apple or Google and we never see your card.
- Web analytics. If you visit thyraapp.com we use a cookieless analytics provider that does not track you across sites.
3.3 Data we do NOT collect
- We do not collect precise location.
- We do not access your photos beyond images you explicitly attach to a food log or lab upload.
- We do not access your contacts, microphone, or any HealthKit / Health Connect data unless you explicitly enable a future integration.
4. How we use your data
- To create your meal plans, classify foods and compute medication windows.
- To track symptoms and surface food-symptom correlations after a minimum of 14 days of data.
- To send timely notifications you opted in to (medication reminders, daily check-ins).
- To keep your subscription state in sync with the App Store and Google Play.
- To debug crashes, prevent abuse and improve the product.
- To respond when you contact us.
We never use your health data to target advertising, and we never share it with advertising networks.
5. Legal bases (GDPR)
If you are in the European Economic Area, the United Kingdom or Switzerland, we rely on the following legal bases:
- Performance of a contract — to deliver the service you signed up for.
- Explicit consent — for processing of health data, AI features and any optional integrations. You can withdraw consent at any time.
- Legitimate interests — for product analytics, fraud prevention and security, balanced against your rights.
- Legal obligation — to retain certain records when required by law.
7. AI processing
The food validator, food photo logger and AI companion send your input (text, photo, and the relevant parts of your profile such as condition, medication time and dietary approach) to OpenAI’s API to generate a response.
- OpenAI processes the input only to return the response and does not retain it for training.
- Conversations with the AI companion are stored on your account so you can read them again. You can delete any conversation from inside the app.
- The AI is not a doctor. It will never diagnose you, change your dose or contradict your physician’s instructions.
8. International transfers
Our infrastructure runs primarily in the United States. If you use Thyra from outside the U.S., your data will be transferred to the U.S. We rely on the Standard Contractual Clauses approved by the European Commission (and the UK IDTA where applicable) to legitimize these transfers.
9. Data retention
- Account and health data: kept for as long as your account exists, then deleted within 30 days of account deletion.
- Backups: rolling 30-day backups; deleted records disappear from backups within 30 days.
- Anonymized analytics: retained for up to 24 months for product research.
- Support emails: retained for 24 months.
10. Security
We use industry-standard safeguards: encryption in transit (TLS 1.2+), encryption at rest, per-user Row Level Security on every database table, short-lived access tokens, and audit logs on administrative access. No system is perfectly secure, but we work hard to make a breach unlikely. If a breach ever affects you, we will notify you within 72 hours of becoming aware, as required by GDPR.
11. Your rights
You have the right to:
- Access a copy of your data.
- Rectify inaccurate data.
- Delete your account and all associated data.
- Restrict or object to certain processing.
- Portability — receive your data in a machine-readable format.
- Withdraw consent at any time, without affecting prior processing.
- Lodge a complaint with your local data-protection authority.
The fastest way is to use the “Delete account” button inside the app (Settings → Account). You can also email privacy@thyraapp.com; we respond within 30 days.
12. Children
Thyra is for adults 18 and older. We do not knowingly collect data from anyone under 18. The onboarding asks for your age and blocks accounts under 18. If you believe a minor has created an account, contact us and we will delete it.
14. California (CCPA)
If you are a California resident, the California Consumer Privacy Act gives you the right to know what personal information we collect, the right to delete it and the right not to be discriminated against for exercising your rights. Thyra does not sell or share personal information as defined under the CCPA. Submit requests to privacy@thyraapp.com.
15. Changes to this policy
When we make material changes we will update the “last updated” date at the top and, where appropriate, notify you in the app or by email at least 14 days before the changes take effect. Continued use after the effective date means you accept the updated policy.
16. Contact
For privacy questions, data requests or complaints, email privacy@thyraapp.com or use the contact form. For general support, email hello@thyraapp.com.