Privacy Policy

Effective date: March 19, 2026 · Last updated: March 19, 2026

Vayu Health Inc (“Vayu Health,” “we,” “our,” or “us”) operates Malkolm, an AI-powered health coaching application. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what choices you have. By using Malkolm, you agree to the practices described in this policy.

We take the privacy of your health data seriously. We do not sell your data. We do not use your health data for advertising. We do not share your health data with third parties for their own marketing purposes.

1. Information we collect

1.1 Account information

When you create a Malkolm account, we collect the information needed to identify you and provide coaching: your name (or the name you ask Malkolm to use), your email address, and your authentication credentials via Apple Sign-In, Google Sign-In, or email/password. If you sign in with Apple or Google, we receive the name and email address associated with that account.

1.2 Health data from Apple HealthKit

With your explicit permission, Malkolm reads health data from Apple HealthKit on your device. This includes data your Apple Watch, iPhone, and other connected devices have recorded. The types of data we access include:

Tier 1 (core vitals): Step count, heart rate, resting heart rate, heart rate variability (HRV), sleep analysis (including sleep stages), active energy burned, basal energy burned, workouts (type, duration, distance, heart rate zones), weight, body fat percentage, lean body mass, and VO2 max.
Tier 2 (extended metrics): Respiratory rate, blood oxygen saturation, blood pressure, blood glucose, body temperature, walking heart rate average, exercise minutes, distance walked/run, distance cycled, and flights climbed.
Tier 3 (contextual): Dietary energy, macronutrients (protein, carbohydrates, fat, fiber), water intake, caffeine intake, mindfulness minutes, and menstrual cycle data (if available and relevant).

We access your full HealthKit history (not just recent data) to identify long-term trends. For example, Malkolm may compare your resting heart rate this month to the same month last year to surface meaningful changes you would not otherwise notice.

Malkolm reads your HealthKit data with read-only access. We do not write data back to HealthKit unless you explicitly request it. You can revoke HealthKit access at any time through your iPhone’s Settings > Privacy & Security > Health > Malkolm.

In compliance with Apple’s HealthKit guidelines, we do not use HealthKit data for advertising, marketing, or sale to data brokers. We do not use HealthKit data to build user profiles for purposes unrelated to providing health coaching through Malkolm.

1.3 Conversation content

When you chat with Malkolm, we store your messages and Malkolm’s responses. This includes text messages, follow-up selections, and feedback (thumbs up/thumbs down) you provide on Malkolm’s responses. Conversation history is used to maintain context across sessions so Malkolm can reference previous discussions and track your progress over time.

1.4 Photos and files you share

If you share photos with Malkolm (such as food photos, supplement labels, restaurant menus, lab results, or body composition scans), those images are transmitted to our servers for AI analysis. Malkolm processes the image, extracts relevant health information, and provides coaching based on what it sees. Images are stored to maintain conversation context.

1.5 Location data

If you grant location permission, Malkolm uses your location to provide weather-aware coaching and route recommendations for walks, runs, hikes, and rides. Location data is accessed only when needed for a specific coaching request (such as “find me a run near here”) and is not continuously tracked in the background.

1.6 Device and usage information

We collect standard device information including device model, operating system version, app version, and timezone. We also collect usage analytics: which features you use, how often you open the app, session duration, and interaction patterns. This helps us understand which aspects of Malkolm are most valuable and where to improve.

1.7 Notification preferences

If you enable push notifications, we store your notification token and your preferred notification times (such as your morning briefing time). We also log which notifications you receive, open, and dismiss to improve notification relevance.

1.8 Information Malkolm discovers through conversation

Over time, Malkolm learns about you through natural conversation. This includes health constraints (dietary preferences, allergies, injuries, medical conditions you mention), demographic information you share (age, biological sex), lifestyle information (work schedule, workout preferences, sleep habits), and goals you set with Malkolm. This information is stored in your constraint profile and used to personalize coaching. You can view and edit everything Malkolm knows about you in Settings > What Malkolm Knows.

2. How we use your information

We use the information we collect for the following purposes:

Provide AI health coaching: Your health data, conversation history, and constraint profile are sent to our AI model to generate personalized coaching responses. This is the core function of Malkolm.
Deliver proactive coaching: We use your health data and notification preferences to send morning briefings, post-workout analysis, meal-time nudges, and other timely coaching messages.
Process photos and files: When you share images, we use AI to analyze their content and provide relevant health coaching (such as meal analysis from a food photo).
Generate health visualizations: We use your health data to create charts, trends, and weekly summaries that help you understand your health patterns.
Recommend routes: If you request route recommendations, we use your location, fitness level, and recovery status to suggest appropriate routes.
Improve Malkolm: We use anonymized and aggregated usage data to understand how people use Malkolm, identify bugs, and improve the coaching experience. We do not use your individual health data or conversations to train AI models.
Communicate with you: We may send you service-related emails (such as account verification, security alerts, or policy updates) to the email address associated with your account.

3. How we share your information

We share your information only with the following parties, only for the purposes described, and only to the extent necessary:

3.1 Anthropic (AI processing)

Your conversation messages and relevant health context are sent to Anthropic’s Claude API to generate Malkolm’s coaching responses. Anthropic processes this data to produce a response and does not retain it for training their AI models. Anthropic’s data handling is governed by their API terms of service and their privacy policy, available at anthropic.com/privacy.

3.2 Firebase (authentication)

We use Google Firebase for authentication. Firebase receives your email address and authentication credentials to manage sign-in. Firebase’s data handling is governed by Google’s privacy policy.

3.3 Analytics providers

We may use analytics services to understand app usage patterns. Any data sent to analytics providers is anonymized and does not include your health data, conversation content, or personally identifiable information beyond standard device and usage metrics.

3.4 Subscription management

If you subscribe to a paid Malkolm tier, your subscription is managed through Apple’s in-app purchase system. We do not directly handle your payment information. Apple’s data handling is governed by their privacy policy.

3.5 We do not sell your data

We do not sell, rent, or trade your personal information or health data to any third party. We do not share your data with advertisers. We do not share your HealthKit data with any party for purposes unrelated to providing health coaching through Malkolm.

4. Data storage and security

Your data is stored on cloud-hosted PostgreSQL databases on servers located in the United States. Data is encrypted in transit using TLS 1.2 or higher. Data is encrypted at rest using industry-standard encryption.

Your health data is stored in a per-user isolated schema. Each user’s data is associated with their unique user ID and is not accessible to other users.

While we implement security measures consistent with industry best practices, no system is completely secure. We cannot guarantee the absolute security of your data. If we become aware of a security breach affecting your personal information, we will notify you in accordance with applicable law.

Malkolm is not a HIPAA-covered entity. However, we follow HIPAA-grade security practices as a matter of principle, including data encryption, access controls, audit logging, and per-user data isolation.

5. Data retention

Active account: Your data is retained for as long as your account is active. This includes your health data, conversation history, constraint profile, and usage data.
Account deletion: If you delete your account (Settings > Profile > Delete Account), all of your personal data — including health data, conversation history, and your constraint profile — is permanently purged from our systems within 30 days.
30-day grace period: After requesting account deletion, you have 30 days to recover your account by signing back in. After 30 days, deletion is irreversible.
Anonymized data: Anonymized, aggregated data that cannot be traced back to you (such as aggregate usage statistics) may be retained after account deletion.
Conversation logs sent to Anthropic: Messages sent to Anthropic’s Claude API for processing are subject to Anthropic’s retention policies. Anthropic does not retain API conversation data for model training.

6. Your rights and choices

You have the following rights regarding your data:

Access: You can view everything Malkolm knows about you in Settings > What Malkolm Knows. You can review your conversation history in the app.
Correction: You can update your profile information in Settings > Profile. You can correct any constraint Malkolm has learned by tapping it in Settings > What Malkolm Knows and editing or removing it.
Deletion: You can delete your account and all associated data through Settings > Profile > Delete Account. You can also request deletion by emailing support@malkolm.health.
Revoke HealthKit access: You can revoke Malkolm’s access to your HealthKit data at any time through iPhone Settings > Privacy & Security > Health > Malkolm. Revoking access means Malkolm will no longer receive new health data, but previously synced data remains in your account unless you delete it.
Opt out of analytics: You can opt out of anonymized analytics collection in Settings > Units & Coaching.
Notification control: You can disable or customize push notifications in Settings > Notifications or through your device’s notification settings.

7. Children’s privacy

Malkolm is not intended for users under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected data from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal information, please contact us at support@malkolm.health.

8. California privacy rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our business purpose for collecting it, and the categories of third parties with whom we share it.
Right to delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
Right to opt out of sale: We do not sell your personal information. There is nothing to opt out of.
Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To exercise these rights, contact us at support@malkolm.health. We will respond to verifiable requests within 45 days.

9. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the app and by email at least 14 days before the changes take effect. Your continued use of Malkolm after the effective date of a revised policy constitutes acceptance of the changes.

We will not retroactively apply material changes to data collected under a previous version of this policy without your explicit consent.

10. Contact us

If you have questions about this Privacy Policy or your data, contact us at:

Vayu Health Inc
Email: support@malkolm.health
Website: malkolm.health