This Privacy Policy explains how Health by Habit ("HBH," "we," "us") collects, uses, shares, and protects information when you use healthierbyhabit.com, the HBH paid subscriber app, the Drive Habit App, The Helm, The Galley, The Bunkhouse, the Workout Tracker, and any related services (together, the "Services").
We wrote this in plain language. Where legal terms are used, we explain what they mean. If anything is unclear, write to us at alan@rewire-reset.com and we will answer directly.
1. Who we are
Health by Habit publishes content, tools, and a subscription product for men over 50 working to rebuild their health. Our contact details:
- Email: alan@rewire-reset.com
- Mailing address: available on request
- Data controller: Health by Habit
2. The data we collect
2.1 Information you give us directly
| Category | Examples |
|---|---|
| Account | Name, email, password (hashed), display name |
| Profile | Date of birth (if provided), location (if provided), goals |
| Assessment responses | Your answers to the HBH Assessment and your resulting archetype |
| Habit data | Habits, routines, daily logs, journal entries, goals, projects, reach-out lists |
| Galley data | Recipes you save or upload, meal plans, shopping lists, dietary preferences, and any "Avoid Commitments" you select |
| Helm Peopling data | Contacts you import into the Peopling module on your phone |
| Payment information | Handled by Stripe; we do not store full card numbers |
| Communications | Emails you send us, replies to our emails, support tickets |
| Survey, review, and testimonial input | Anything you choose to send us |
2.2 Health and wearable data
If you connect your Oura Ring to The Bunkhouse, we collect the following Oura data through Oura's API:
- Daily sleep summaries (duration, stages, efficiency, latency, heart rate, HRV)
- Daily readiness summaries (score, contributors, HRV balance, body temperature deviation, resting heart rate)
- Daily activity summaries (steps, calories, activity time, sedentary time)
- Daily stress and recovery summaries
- The OAuth tokens that authorize the connection
We treat this data as sensitive personal information. We do not sell it. We do not share it with advertisers. We do not use it to train third-party models.
2.3 Information collected automatically
| Category | Examples |
|---|---|
| Device and usage | Browser type, operating system, IP address, pages visited, time on page, referrer |
| Cookies and similar | Session cookies, preference cookies, analytics cookies (see section 10) |
| Email engagement | Whether you opened or clicked emails we send (tracked through our email platform, Nimble) |
3. How we use your data
We use the data above to:
- Provide the Services you signed up for, including the assessment result, The Bunkhouse views, recommendations, your habit tracker, your Helm dashboard, your Galley plan, and email updates.
- Bill you and process subscription payments through Stripe.
- Send you product updates, the Weekly Brief newsletter, and onboarding emails. You can unsubscribe at any time.
- Personalize recommendations based on your archetype, habit log, and (if connected) Oura data.
- Generate aggregated, anonymized signals that improve recommendations for everyone (see section 6).
- Operate the business: customer support, fraud prevention, security, legal compliance, internal analytics.
- Improve the Services based on usage patterns and direct feedback.
4. Helm Peopling — a special carve-out
The Helm includes a Peopling module that lets you import contacts from your phone for your private use.
- These contacts are yours alone. We do not share them.
- We never add them to any HBH marketing list, internal or external.
- They are never pushed to our CRM (Nimble).
- You can delete them from the Peopling module in two taps. Deletion is immediate and permanent.
This is the only category of data that is fully siloed from our CRM. It exists because Peopling is a personal organizing tool, not a lead-capture surface.
5. The Galley community recipe pool
The Galley lets you upload, save, and plan meals from recipes. To make the recipe pool useful from day one, recipes you upload are shared with the HBH community by default so other members can find, save, and cook them. We use this content only to power the recipe pool. We do not sell it, license it to third parties, or use it for advertising.
You stay in control of every recipe:
- Make any recipe private. When you upload or edit a recipe, toggle it to private. Private recipes appear only on your own meal plans and shopping lists. Other members never see them.
- Change your mind later. You can switch a recipe from shared to private at any time. The switch removes it from the community pool immediately.
- Delete it entirely. Deleting a recipe removes it from your account and from the community pool.
Shared recipes appear in the community pool with a first-name-last-initial attribution (for example, "Recipe by Alan M."). Other members can save the recipe and rate it. Ratings and reviews are anonymous unless you choose otherwise.
5.1 AI tagging
When you upload a recipe, an AI tagging step runs to attach metadata: estimated macros (protein, fat, carbs), estimated calories, and dietary tags (gluten-free, high-protein, low-carb, and similar). This step sends the recipe text to one of our AI providers (see Section 7) for the single purpose of generating tags. The provider does not retain the recipe under our agreements and does not use it for model training.
AI tags are best estimates, not nutrition labels. They are not a substitute for professional nutrition advice and they may be wrong for specific ingredients, brands, or preparations.
5.2 Safety and brand scan
Uploaded recipes also run through a safety and brand scan to filter out content that fails basic food safety, contains misleading health claims, infringes copyright, or otherwise breaches our community standards. Recipes that fail the scan are not added to the community pool, and you will be notified.
6. Aggregated and anonymized data
We may use aggregated, anonymized data to identify which habits move which health metrics across the HBH user base. We use it to refine recommendations across the Services. We only include a habit-metric pairing in aggregated outputs when at least 30 unique users have linked that habit to that metric with sufficient adherence and post-link data.
Aggregated data does not identify you personally and is not sold.
7. Who we share data with
We share data only with the parties below and only as needed to run the Services.
| Recipient | Purpose | Data shared |
|---|---|---|
| Supabase | Hosting your account and product data | All product data, encrypted at rest |
| Stripe | Processing subscriptions and one-time payments | Name, email, billing info — handled directly by Stripe |
| Nimble (CRM and email) | Customer relationship, newsletter, onboarding sequences | Name, email, archetype, signup source, engagement tags |
| Oura Health | Authorizing and reading your Oura data | OAuth tokens; we read your Oura data, Oura does not receive your HBH data |
| Vercel | Running the website and app | Technical logs, request data |
| AI providers (Anthropic, OpenAI) | Generating personalized summaries and Helm outputs; tagging recipes uploaded to The Galley | Only the specific text or data we send per request; no long-term training use under our agreements |
| Legal, accounting, professional advisors | As required to run the business | Only what is necessary |
| Government and law enforcement | Required by valid legal process | Only what is required |
We do not sell your personal information. We do not share Oura data, habit data, journal entries, or Peopling contacts with advertisers.
8. Where data is stored
Our primary database is hosted by Supabase in the United States. Our application is hosted by Vercel in the United States. If you are outside the United States, your data is transferred to and processed in the United States.
For users in the European Economic Area, the United Kingdom, or Switzerland: this transfer is made under appropriate safeguards (Standard Contractual Clauses or equivalent) where required.
9. How long we keep data
| Data type | Retention |
|---|---|
| Account data | While your account is active, plus 12 months after deletion or final cancellation |
| Subscription and billing records | 7 years (tax and accounting compliance) |
| Habit logs, assessment results, Helm and Galley data | While your account is active; deletable on request |
| Oura data | While your Oura connection is active; deleted within 30 days of disconnection or account deletion |
| Helm Peopling contacts | Until you delete them; permanently removed on account deletion |
| Email engagement records | While you are subscribed, plus 24 months after unsubscribe |
| Aggregated, anonymized data | Indefinitely |
You can request deletion at any time. See section 11.
10. Cookies and analytics
We use cookies to keep you signed in, remember preferences, and understand how the Services are used. We use a small set of analytics tools to measure traffic and improve content. Where required by law, we ask for your consent before setting non-essential cookies.
You can disable cookies in your browser. The Services may not work correctly without session cookies.
11. Your rights
You have the following rights over your data. To exercise any of them, email alan@rewire-reset.com.
- Access. Request a copy of the personal data we hold about you.
- Correction. Ask us to correct information that is inaccurate.
- Deletion. Ask us to delete your account and associated data. We will complete deletion within 30 days, except for records we are required to keep for tax, accounting, or legal reasons.
- Portability. Request a copy of your data in a structured, commonly used format.
- Withdraw consent. If we are processing your data based on consent, you can withdraw it at any time.
- Opt out of marketing. Unsubscribe from any email using the link at the bottom of the message.
- Disconnect Oura. Disconnect from your account settings at any time. We will purge your Oura data within 30 days.
If you are in the European Economic Area, the United Kingdom, Switzerland, or California, you have additional rights under GDPR, UK GDPR, and CCPA respectively, including the right to lodge a complaint with your local supervisory authority. We will not discriminate against you for exercising any of these rights.
12. Security
We protect your data with industry-standard measures:
- Encryption in transit (TLS) and at rest
- OAuth tokens stored in Supabase Vault, encrypted
- Row-level security policies on every database table — users can only read their own records
- Access controls and audit logging on our systems
- Regular security review of third-party services we rely on
No system is perfect. If a breach occurs that materially affects your data, we will notify you in accordance with applicable law.
13. Children
The Services are not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, write to alan@rewire-reset.com and we will delete it.
14. Not medical advice
The Services are not medical advice and do not replace professional medical care.
Recommendations are not a diagnosis or a treatment plan. Always consult a qualified physician before changing your diet, exercise routine, supplement use, sleep medication, or any other element of your health care, especially if you have a chronic condition, take prescription medication, or are pregnant. See the full health disclaimer in the Terms of Service.
15. Changes to this policy
We may update this policy as the Services evolve. When we make material changes, we will update the "Last updated" date above and notify you by email if the change materially affects how we handle your data. Continued use of the Services after the change takes effect means you accept the updated policy.
16. Contact
Questions about privacy or this policy:
- Email: alan@rewire-reset.com
- Subject line: "Privacy request"
We aim to respond within 5 business days.