Privacy Policy for Basis

Effective Date: June 30, 2026
Last Updated: June 30, 2026
Version: 1.0


1. Introduction and Who We Are

This Privacy Policy ("Policy") explains how Basis Health LLC, a Florida limited liability company ("Basis," "we," "us," or "our"), handles information in connection with the Basis mobile application for iPhone and iPad (iOS 17 and later) (the "App").

Basis provides general health and wellness guidance in the highly regulated healthcare field, and this App is published by Basis Health LLC as a legal entity, consistent with Apple's App Store Review Guideline 5.1.1(ix).

We designed Basis to be private by default. Basis has no backend server, no user accounts, no login or authentication, and no cloud database. The App runs entirely on your device. Based on the App's current architecture, the information you provide and the information the App reads from Apple Health remain on your device and are not transmitted to us. The only outbound requests the App makes are described in Sections 3.3 and 3.4 (receiving your subscription status from Apple, and downloading exercise media from a hosting provider), and neither of those requests sends your health data or app data off your device.

This Policy is provided in an easily accessible place within the App (for example, on the App's subscription screen) and is also published at https://basis-exercise-media.s3.us-east-2.amazonaws.com/legal/privacy-policy.html and linked in the App Store listing, consistent with Apple App Store Review Guideline 5.1.1(i).

Please also review our Terms of Use / End User License Agreement, which contains important information, including medical disclaimers, assumption of risk, limitation of liability, and dispute-resolution terms. The medical, assumption-of-risk, warranty, and liability provisions that govern your use of the App are contractual terms set out in the Terms of Use / EULA, which you accept before using the App; the health-related statements in this Policy are provided for transparency and are not a substitute for those contractual terms.


2. Summary (Plain-English Overview)

The rest of this Policy provides the detail behind this summary.


3. Information We Collect — and Do Not Collect

Because Basis has no server and no account system, we (Basis Health LLC) do not collect your personal information on any server we control. Under Apple's App Store definition, data that is processed only on your device is "not collected." The following describes how information is handled.

3.1 Apple Health (HealthKit) Data — Read On-Device Only

With your explicit permission granted through the iOS system permission prompt, the App reads the following specific categories of health and fitness data from Apple Health (HealthKit) on your device:

The App requests read access only to the specific HealthKit categories necessary to generate your daily plan, and the iOS permission purpose strings describe that use. We do not request HealthKit data beyond what is needed for this disclosed purpose.

This HealthKit data is used solely on your device to generate and adjust your daily plan. This data is never transmitted off your device, is never sold, is never shared with any third party, and is never used for advertising, marketing, or use-based data mining (including by any third party). We do not store your health information in iCloud, and the App does not write false or inaccurate data into Apple Health.

Granting Apple Health access is optional. If you decline, the App still functions using information you enter manually. Access to paid features does not depend on your granting Apple Health access beyond what core functionality requires.

3.2 App Data Stored Locally on Your Device

The App stores your app state locally, within the App's private storage area (the app sandbox), in a file on your device (for example, Documents/basis_state.json). This app state may include:

This information stays on your device and is not transmitted to Basis or any third party. It is removed when you delete the App (see Section 7).

3.3 Subscription / Entitlement Status (from Apple)

When you subscribe, the App receives your subscription/entitlement status (whether you have an active subscription) from Apple. Verifying and receiving this status involves a network request to Apple's App Store / StoreKit infrastructure, and, as with any internet request, your device's IP address is inherently exposed to Apple in that exchange. This exchange is governed by Apple's privacy policy. We do not receive, see, or store your name, email, payment-card number, or any billing information; we receive only whether your subscription is active, on your device. See Section 5.

3.4 Exercise Media Requests (AWS Media Host) — IP Address and Request Metadata

The App downloads exercise images and short videos over an encrypted HTTPS connection directly from Amazon Web Services (Amazon S3) (no separate content-delivery network is used). As with any internet request, the hosting/content-delivery provider automatically receives:

This is necessary to deliver the media to your device. No account information and no health data are sent with these requests. We do not use this IP address or request metadata to identify you, build a profile of you, track you, or advertise to you.

We use AWS as our infrastructure/content-delivery provider under AWS's standard terms, and we require any provider that has access to information in connection with the App to provide the same or equal protection of user data as stated in this Policy and as required by Apple's App Store Review Guidelines.

The AWS host and Apple may retain IP address and request-metadata log entries under their own retention schedules; this log data is not stored on your device and is not removed by deleting the App. These requests are served from AWS infrastructure in the United States (Amazon S3, US East (Ohio) / us-east-2 region).

3.5 Local Notifications

If you enable them, the App schedules local notifications (optional daily reminders) directly on your device. There is no push notification server. No data is transmitted to us or any third party to deliver these reminders.

3.6 What We Do NOT Collect

We do not collect your name, email address, phone number, contacts, precise or coarse location (beyond the IP address inherently received by Apple and by the AWS media host as described above), photos, or advertising identifiers. The App contains no third-party analytics, advertising, or tracking software development kits (SDKs), does not track you across other companies' apps or websites (there is no App Tracking Transparency prompt because the App does not track you), and does not sell your personal information.


4. How We Use Information

We use information only as described in this Policy:

We do not use any information for advertising, marketing, cross-context behavioral advertising, or use-based data mining.


5. Payments and In-App Purchases

Subscriptions are sold exclusively through Apple In-App Purchase / StoreKit ($1.00 per month with a 14-day free trial). Apple is the merchant of record and processes all payments. Basis never receives, sees, or stores your payment-card or billing information. We receive only your subscription/entitlement status from Apple, on your device (see Section 3.3).

Apple's handling of your payment information is governed by Apple's privacy policy and the Apple Media Services Terms and Conditions, not by this Policy. Please refer to Apple's terms for information about how Apple processes your payment data. The complete subscription terms, including auto-renewal, cancellation, and refunds, are described in our Terms of Use / EULA.


6. Third Parties and Data Sharing

We do not sell or share your personal information, and we do not disclose your personal information to third parties for their own purposes.

The only third parties inherently involved in operating the App are:

We require that any provider with access to information in connection with the App provide the same or equal protection of user data as stated in this Policy and as required by Apple's App Store Review Guidelines. We do not share Apple Health data with any third party.


7. Data Retention and Deletion; How to Delete Your Data

Because Basis holds no copy of your data on any server, your App data is retained only on your device, and you control it:

Because there is no account and no server-side copy of your data held by Basis, there is nothing for Basis to delete on its own servers, and no server-side deletion request to Basis is necessary for your on-device data.

Off-device log data. As described in Section 3.4, the AWS media host (and Apple, in connection with media delivery and subscription verification) may retain IP address and standard request-metadata log entries under their own retention schedules. This log data is not stored on your device, is not removed by deleting the App, and is generally not linked by Basis to you as an identified individual. Because Basis does not maintain or control these logs on a Basis server and does not associate them with your identity, Basis's practical ability to access, correct, or delete specific log records is limited. If you have questions or wish to make a request regarding this data, contact us using the information in Section 13, and, where applicable, you may also contact Apple or AWS directly under their respective privacy policies.

Note: Deleting the App does not cancel your Apple subscription. To cancel, manage your subscription in your Apple Account settings (see the Terms of Use / EULA and Section 5).


8. No Accounts

Basis does not offer or require user accounts, logins, or authentication. There is no account to create and no account to delete. Because there are no accounts, Apple's in-app account-deletion requirement (Guideline 5.1.1(v)) does not apply. All data removal for on-device data is accomplished on-device as described in Section 7.


9. Consent and Withdrawing Consent


10. Security

We protect information through the built-in protections of your device and iOS, including the App's private sandbox, iOS Data Protection / device encryption, and any device passcode or biometric lock you have enabled. Because Basis operates no server or cloud database, there is no Basis-controlled server holding your health or app data that could be breached, and your health and app data are not held by us. Media requests to the AWS host are made over encrypted HTTPS.

No method of storage or transmission is completely secure, and we cannot guarantee absolute security. Protecting your device with a passcode or biometric lock and keeping iOS up to date are important ways you can help safeguard your information.

Health data and breach notification. Based on the App's current architecture, your health-related information is maintained only on your own device, and Basis does not have the technical means to access, transmit, or acquire it (a posture that depends on the shipping build containing no third-party analytics, advertising, or tracking SDK, as flagged for confirmation in Section 3.6). If Basis ever became aware of an unauthorized acquisition of covered health information for which notice is required under the FTC Health Breach Notification Rule (16 C.F.R. Part 318) or applicable state breach-notification law, Basis would provide the notice required by that law.


11. Children's Privacy

Basis is intended for a general adult wellness audience. The App is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are under 13, please do not use the App. If we learn that we have inadvertently received personal information from a child under 13, we will take appropriate steps to delete it. Parents or guardians with questions may contact us using the information in Section 13.


12. Your Privacy Rights

Basis is designed so that you control your data directly on your device. Because we have no account system and hold no copy of your data on any server, most privacy rights are exercised through on-device self-service: you can view and edit your data in the App, delete all local data by deleting the App, and revoke Apple Health and notification permissions in iOS Settings (see Section 7). Certain limited off-device log data (the IP address and request metadata held by Apple and the AWS media host) is addressed in Section 7. For any questions or formal requests, contact us using the information in Section 13. We do not discriminate against you for exercising any privacy right.

12.1 California Residents (CCPA/CPRA)

Basis likely does not meet the definition of a "business" under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"). We provide the following disclosures for transparency and in the event the CCPA applies:

12.2 European Economic Area / United Kingdom Users (GDPR / UK GDPR)

This Section applies only if Basis offers the App to, or monitors the behavior of, individuals in the EEA or the UK. Where the GDPR applies:

12.3 Florida Residents

Basis Health LLC is a Florida limited liability company, and Florida is our home jurisdiction. The Florida Digital Bill of Rights applies only to controllers that exceed a very large global-revenue threshold with additional qualifiers, and therefore does not currently apply to Basis. Although the statute does not require it, we will consider comparable requests described in this Section 12 where feasible, and we welcome questions from Florida residents.

12.4 Other U.S. State Consumer Health Data Laws

Certain U.S. states, including Washington (My Health My Data Act, "MHMDA") and Nevada (SB 370), define "consumer health data" more broadly than federal law. Because Basis processes health data only on your device, Basis does not "collect" or "share" consumer health data as those terms are defined under MHMDA — your health data stays on your device and never reaches Basis, and the only information that reaches the AWS media host or Apple is your IP address and request metadata, which is not consumer health data. Accordingly, we do not believe a separate Consumer Health Data Privacy Policy or MHMDA-specific consent flow is triggered for Basis. Residents of these states may exercise the applicable rights (such as access, withdrawal of consent, and deletion) as described in this Section 12 and Section 7, and may contact us at privacy@basishealth.app. Nevada residents have a right to opt out of the sale of certain covered information; Basis does not sell covered information, so no designated opt-out request is currently offered.


13. How to Contact Us

If you have questions about this Policy or your privacy, contact:

Basis Health LLC
1750 N Bayshore Dr, Apt 5214, Miami, FL 33132
Privacy inquiries: privacy@basishealth.app
Support: support@basishealth.app


14. Relationship to HIPAA

Basis Health LLC is not a "covered entity" or a "business associate" under the U.S. Health Insurance Portability and Accountability Act ("HIPAA"), and HIPAA does not apply to the health information you enter or that the App reads from Apple Health. We do not claim to be "HIPAA compliant." Instead, that information is protected on your device by Apple's and iOS's built-in safeguards and is not disclosed by Basis, as described throughout this Policy.


15. General Wellness, Not Medical Advice

Basis provides general wellness and fitness information (including any planned postpartum module) for informational purposes only. Basis is not medical advice, is not a diagnosis or treatment, and is not a medical device, and it is not intended to diagnose, treat, cure, mitigate, or prevent any disease or condition. The plans and guidance the App generates are general estimates derived from information you provide and from data read on-device from Apple Health; the App does not clinically measure or diagnose any physiological value. Always consult a qualified healthcare professional before starting, changing, or continuing any exercise, nutrition, or wellness program, and before making any medical decision — especially if you are pregnant, postpartum, nursing, recovering from childbirth or surgery, or managing a medical condition. If you are postpartum, do not begin the postpartum module without clearance from your physician or midwife, and stop and seek care if you experience pain, bleeding, dizziness, or other warning signs. In an emergency, call 911 or your local emergency number.

The binding medical disclaimer, assumption-of-risk acknowledgment, physician-clearance requirement, warranty disclaimer, and limitation-of-liability terms that govern your use of the App are set out as contractual terms in our Terms of Use / EULA, which you accept before using the App. The statements in this Section are provided for transparency and do not replace those contractual terms.


16. Consistency with the App Store Privacy Label

We keep this Policy consistent with the "App Privacy" information (the privacy "nutrition label") shown on the App's App Store product page. Because Apple Health data and your app data are processed only on your device, they are treated as "Data Not Collected" for the App Store privacy label.

For the one off-device flow — the request that conveys your device IP address and standard request metadata to the AWS media host (and, inherently, to Apple) — Basis declares this data on the App Store privacy label as Diagnostics and/or Identifiers, "Data Not Linked to You," and not used to track you, so that the label does not under-disclose this flow. We will keep both this Policy and the App Store privacy information accurate and up to date.


17. Acceptance of This Policy

By downloading, installing, or using the Basis App, you acknowledge that you have read and understood this Privacy Policy. When you first use the App, and when material changes are made, the App will present this Policy (or a link to it) together with our Terms of Use / EULA for your review and affirmative acceptance (for example, by tapping "I Agree"), and we will record your acceptance (including the version accepted and the date). The operative medical, assumption-of-risk, and liability acknowledgments are contractual terms presented in the Terms of Use / EULA at the same acceptance gate. You may view, save, and print a copy of this Policy at https://basis-exercise-media.s3.us-east-2.amazonaws.com/legal/privacy-policy.html and within the App.


18. Changes to This Policy

We may update this Policy from time to time — for example, if we change the App's features or data practices. When we make material changes, we will update the "Last Updated" date above, post the revised Policy at https://basis-exercise-media.s3.us-east-2.amazonaws.com/legal/privacy-policy.html and within the App, and provide notice in the App. For any change that materially affects your rights, our data practices, or the safety, disclaimer, or liability terms, we will present the updated Policy (together with the Terms of Use / EULA) for your renewed affirmative acceptance (for example, by tapping "I Agree") rather than relying on continued use alone. We encourage you to review this Policy periodically.


End of Privacy Policy.