Privacy Policy for Basis
Effective Date: June 30, 2026
Last Updated: June 30, 2026
Version: 1.0
1. Introduction and Who We Are
This Privacy Policy ("Policy") explains how Basis Health LLC, a Florida limited liability company ("Basis," "we," "us," or "our"), handles information in connection with the Basis mobile application for iPhone and iPad (iOS 17 and later) (the "App").
Basis provides general health and wellness guidance in the highly regulated healthcare field, and this App is published by Basis Health LLC as a legal entity, consistent with Apple's App Store Review Guideline 5.1.1(ix).
We designed Basis to be private by default. Basis has no backend server, no user accounts, no login or authentication, and no cloud database. The App runs entirely on your device. Based on the App's current architecture, the information you provide and the information the App reads from Apple Health remain on your device and are not transmitted to us. The only outbound requests the App makes are described in Sections 3.3 and 3.4 (receiving your subscription status from Apple, and downloading exercise media from a hosting provider), and neither of those requests sends your health data or app data off your device.
This Policy is provided in an easily accessible place within the App (for example, on the App's subscription screen) and is also published at https://basis-exercise-media.s3.us-east-2.amazonaws.com/legal/privacy-policy.html and linked in the App Store listing, consistent with Apple App Store Review Guideline 5.1.1(i).
Please also review our Terms of Use / End User License Agreement, which contains important information, including medical disclaimers, assumption of risk, limitation of liability, and dispute-resolution terms. The medical, assumption-of-risk, warranty, and liability provisions that govern your use of the App are contractual terms set out in the Terms of Use / EULA, which you accept before using the App; the health-related statements in this Policy are provided for transparency and are not a substitute for those contractual terms.
2. Summary (Plain-English Overview)
- We have no server and no account system. We cannot see, access, or receive your health data or app data.
- Apple Health (HealthKit) data is read only with your explicit permission and is used only on your device to generate your daily plan. It is never transmitted off your device, never sold, never shared, and never used for advertising, marketing, or data mining.
- Your app data (profile inputs, generated plan, check-offs, weight log, streak) is stored only on your device and is deleted when you delete the App.
- We do not sell or share your personal information, and we do not track you across other companies' apps or websites. The App contains no third-party analytics, advertising, or tracking software.
- Payments are handled entirely by Apple through In-App Purchase. We never receive, see, or store your payment-card information. Receiving your subscription status from Apple involves a network exchange with Apple's App Store / StoreKit infrastructure, governed by Apple's privacy policy.
- The only outbound request that sends data to a hosting provider we designate is the request to download exercise images and videos from a media host on Amazon Web Services (AWS). As with any internet request, that host receives your device's IP address and standard request metadata. No account information and no health data are ever sent with these requests.
- To delete all your on-device data, delete the App from your device. (Limited log data held by Apple and the AWS host is addressed in Sections 3.4 and 7.)
The rest of this Policy provides the detail behind this summary.
3. Information We Collect — and Do Not Collect
Because Basis has no server and no account system, we (Basis Health LLC) do not collect your personal information on any server we control. Under Apple's App Store definition, data that is processed only on your device is "not collected." The following describes how information is handled.
3.1 Apple Health (HealthKit) Data — Read On-Device Only
With your explicit permission granted through the iOS system permission prompt, the App reads the following specific categories of health and fitness data from Apple Health (HealthKit) on your device:
- Active energy (active energy burned)
- Resting energy (basal/resting energy)
- Heart rate variability / recovery
- Sleep (sleep analysis)
- Body mass / body composition
- Body-weight series (your logged weight over time)
The App requests read access only to the specific HealthKit categories necessary to generate your daily plan, and the iOS permission purpose strings describe that use. We do not request HealthKit data beyond what is needed for this disclosed purpose.
This HealthKit data is used solely on your device to generate and adjust your daily plan. This data is never transmitted off your device, is never sold, is never shared with any third party, and is never used for advertising, marketing, or use-based data mining (including by any third party). We do not store your health information in iCloud, and the App does not write false or inaccurate data into Apple Health.
Granting Apple Health access is optional. If you decline, the App still functions using information you enter manually. Access to paid features does not depend on your granting Apple Health access beyond what core functionality requires.
3.2 App Data Stored Locally on Your Device
The App stores your app state locally, within the App's private storage area (the app sandbox), in a file on your device (for example, Documents/basis_state.json). This app state may include:
- Profile inputs you provide
- Your generated daily plan
- Daily check-offs
- Your weight log
- Your streak
This information stays on your device and is not transmitted to Basis or any third party. It is removed when you delete the App (see Section 7).
3.3 Subscription / Entitlement Status (from Apple)
When you subscribe, the App receives your subscription/entitlement status (whether you have an active subscription) from Apple. Verifying and receiving this status involves a network request to Apple's App Store / StoreKit infrastructure, and, as with any internet request, your device's IP address is inherently exposed to Apple in that exchange. This exchange is governed by Apple's privacy policy. We do not receive, see, or store your name, email, payment-card number, or any billing information; we receive only whether your subscription is active, on your device. See Section 5.
3.4 Exercise Media Requests (AWS Media Host) — IP Address and Request Metadata
The App downloads exercise images and short videos over an encrypted HTTPS connection directly from Amazon Web Services (Amazon S3) (no separate content-delivery network is used). As with any internet request, the hosting/content-delivery provider automatically receives:
- Your device's IP address, and
- Standard request metadata (such as the date and time of the request, the file requested, and the user-agent string).
This is necessary to deliver the media to your device. No account information and no health data are sent with these requests. We do not use this IP address or request metadata to identify you, build a profile of you, track you, or advertise to you.
We use AWS as our infrastructure/content-delivery provider under AWS's standard terms, and we require any provider that has access to information in connection with the App to provide the same or equal protection of user data as stated in this Policy and as required by Apple's App Store Review Guidelines.
The AWS host and Apple may retain IP address and request-metadata log entries under their own retention schedules; this log data is not stored on your device and is not removed by deleting the App. These requests are served from AWS infrastructure in the United States (Amazon S3, US East (Ohio) / us-east-2 region).
3.5 Local Notifications
If you enable them, the App schedules local notifications (optional daily reminders) directly on your device. There is no push notification server. No data is transmitted to us or any third party to deliver these reminders.
3.6 What We Do NOT Collect
We do not collect your name, email address, phone number, contacts, precise or coarse location (beyond the IP address inherently received by Apple and by the AWS media host as described above), photos, or advertising identifiers. The App contains no third-party analytics, advertising, or tracking software development kits (SDKs), does not track you across other companies' apps or websites (there is no App Tracking Transparency prompt because the App does not track you), and does not sell your personal information.
4. How We Use Information
We use information only as described in this Policy:
- Apple Health data — used only on your device to generate and adjust your daily plan.
- Locally stored app data — used only on your device to operate the App's features (your plan, check-offs, weight log, and streak).
- Subscription/entitlement status — used on your device to unlock and maintain access to paid features.
- IP address and request metadata received by Apple and by the AWS media host — used only to service the request (delivering the requested exercise media to your device, or verifying your subscription status with Apple) and for the provider's routine infrastructure, delivery, and security purposes. Basis does not use this data to identify, profile, track, or advertise to you.
We do not use any information for advertising, marketing, cross-context behavioral advertising, or use-based data mining.
5. Payments and In-App Purchases
Subscriptions are sold exclusively through Apple In-App Purchase / StoreKit ($1.00 per month with a 14-day free trial). Apple is the merchant of record and processes all payments. Basis never receives, sees, or stores your payment-card or billing information. We receive only your subscription/entitlement status from Apple, on your device (see Section 3.3).
Apple's handling of your payment information is governed by Apple's privacy policy and the Apple Media Services Terms and Conditions, not by this Policy. Please refer to Apple's terms for information about how Apple processes your payment data. The complete subscription terms, including auto-renewal, cancellation, and refunds, are described in our Terms of Use / EULA.
6. Third Parties and Data Sharing
We do not sell or share your personal information, and we do not disclose your personal information to third parties for their own purposes.
The only third parties inherently involved in operating the App are:
- Apple — provides the App Store, Apple Health (HealthKit) framework, In-App Purchase/payment processing, subscription/entitlement verification (which involves a network exchange that exposes your device IP to Apple, as described in Section 3.3), and local-notification scheduling on your device. Apple's practices are governed by Apple's own privacy policy.
- Amazon Web Services (AWS) — hosts the exercise media that the App downloads. As described in Section 3.4, the AWS media host receives your device IP address and standard request metadata to deliver that media. No account or health data is sent.
We require that any provider with access to information in connection with the App provide the same or equal protection of user data as stated in this Policy and as required by Apple's App Store Review Guidelines. We do not share Apple Health data with any third party.
7. Data Retention and Deletion; How to Delete Your Data
Because Basis holds no copy of your data on any server, your App data is retained only on your device, and you control it:
- Delete the App. Deleting the Basis App from your device removes the App's locally stored data, including the app-state file (for example, Documents/basis_state.json).
- Revoke Apple Health access at any time. Go to iOS Settings > Privacy & Security > Health > Basis (or open the Health app > Sharing/Apps) to turn off any or all Apple Health permissions.
- Turn off notifications at any time in iOS Settings > Notifications > Basis or within the App.
Because there is no account and no server-side copy of your data held by Basis, there is nothing for Basis to delete on its own servers, and no server-side deletion request to Basis is necessary for your on-device data.
Off-device log data. As described in Section 3.4, the AWS media host (and Apple, in connection with media delivery and subscription verification) may retain IP address and standard request-metadata log entries under their own retention schedules. This log data is not stored on your device, is not removed by deleting the App, and is generally not linked by Basis to you as an identified individual. Because Basis does not maintain or control these logs on a Basis server and does not associate them with your identity, Basis's practical ability to access, correct, or delete specific log records is limited. If you have questions or wish to make a request regarding this data, contact us using the information in Section 13, and, where applicable, you may also contact Apple or AWS directly under their respective privacy policies.
Note: Deleting the App does not cancel your Apple subscription. To cancel, manage your subscription in your Apple Account settings (see the Terms of Use / EULA and Section 5).
8. No Accounts
Basis does not offer or require user accounts, logins, or authentication. There is no account to create and no account to delete. Because there are no accounts, Apple's in-app account-deletion requirement (Guideline 5.1.1(v)) does not apply. All data removal for on-device data is accomplished on-device as described in Section 7.
9. Consent and Withdrawing Consent
- Apple Health access and local notifications are enabled only through the operating system's explicit permission prompts, with purpose strings that describe how the App uses the data.
- Access to paid features does not depend on your granting Apple Health or notification access.
- You may withdraw consent at any time through iOS Settings (see Section 7), and you may continue to use the App (including paid features) with manual inputs.
10. Security
We protect information through the built-in protections of your device and iOS, including the App's private sandbox, iOS Data Protection / device encryption, and any device passcode or biometric lock you have enabled. Because Basis operates no server or cloud database, there is no Basis-controlled server holding your health or app data that could be breached, and your health and app data are not held by us. Media requests to the AWS host are made over encrypted HTTPS.
No method of storage or transmission is completely secure, and we cannot guarantee absolute security. Protecting your device with a passcode or biometric lock and keeping iOS up to date are important ways you can help safeguard your information.
Health data and breach notification. Based on the App's current architecture, your health-related information is maintained only on your own device, and Basis does not have the technical means to access, transmit, or acquire it (a posture that depends on the shipping build containing no third-party analytics, advertising, or tracking SDK, as flagged for confirmation in Section 3.6). If Basis ever became aware of an unauthorized acquisition of covered health information for which notice is required under the FTC Health Breach Notification Rule (16 C.F.R. Part 318) or applicable state breach-notification law, Basis would provide the notice required by that law.
11. Children's Privacy
Basis is intended for a general adult wellness audience. The App is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you are under 13, please do not use the App. If we learn that we have inadvertently received personal information from a child under 13, we will take appropriate steps to delete it. Parents or guardians with questions may contact us using the information in Section 13.
12. Your Privacy Rights
Basis is designed so that you control your data directly on your device. Because we have no account system and hold no copy of your data on any server, most privacy rights are exercised through on-device self-service: you can view and edit your data in the App, delete all local data by deleting the App, and revoke Apple Health and notification permissions in iOS Settings (see Section 7). Certain limited off-device log data (the IP address and request metadata held by Apple and the AWS media host) is addressed in Section 7. For any questions or formal requests, contact us using the information in Section 13. We do not discriminate against you for exercising any privacy right.
12.1 California Residents (CCPA/CPRA)
Basis likely does not meet the definition of a "business" under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"). We provide the following disclosures for transparency and in the event the CCPA applies:
- Categories of personal information. The only personal information that leaves your device is your device's IP address and standard request metadata, which reach the AWS media host when exercise media is downloaded (Section 3.4) and, inherently, Apple when media is delivered and your subscription status is verified (Sections 3.3, 6). This information is internet or other electronic network activity information, and an IP address may also be treated as an identifier and, to the extent it is used to infer approximate location, as geolocation data. Your Apple Health data and app data are processed only on your device and are not collected by Basis.
- Categories of sources. This information is generated by your device automatically as part of ordinary internet requests to deliver media and verify your subscription.
- Business or commercial purposes. The IP address and request metadata are used only to service the media/subscription request and for the provider's infrastructure, delivery, and security purposes. Basis does not use it to profile, track, or advertise to you.
- Sensitive personal information. Apple Health data is processed only on your device; Basis does not collect it and does not use it to infer characteristics about you. Accordingly, no "Limit the Use of My Sensitive Personal Information" mechanism is required.
- No sale or sharing. Basis does not "sell" and does not "share" personal information (including for cross-context behavioral advertising) as those terms are defined under the CCPA, and has not done so in the preceding 12 months. We therefore do not provide a "Do Not Sell or Share My Personal Information" link, because we do not sell or share.
- Your rights. Subject to applicable law, California residents may have rights to know/access, delete, and correct personal information, to opt out of sale/sharing (not applicable, as we do not sell or share), and to non-discrimination. To exercise these rights or ask questions, contact us at privacy@basishealth.app. We will respond within the time required by law (generally 45 days), and we may need to verify your request; because we have no account, verification and our practical ability to fulfill requests are limited to information reasonably available to us (for example, we do not hold on-device data on any server, and off-device log data is not linked by us to your identity, as described in Section 7).
12.2 European Economic Area / United Kingdom Users (GDPR / UK GDPR)
This Section applies only if Basis offers the App to, or monitors the behavior of, individuals in the EEA or the UK. Where the GDPR applies:
- Controller. Basis Health LLC, 1750 N Bayshore Dr, Apt 5214, Miami, FL 33132, privacy@basishealth.app.
- On-device processing. Apple Health data and app data are processed only on your device under your control and generally do not reach Basis as a controller. The Basis-related data flows that reach a third-party recipient are the AWS media request (Section 3.4) and the network exchange with Apple to deliver media and verify your subscription status (Sections 3.3, 6).
- Recipients / processors. The recipients of any personal data are Amazon Web Services (media host / infrastructure provider) and Apple (App Store / StoreKit and HealthKit framework provider). Each processes data under its own terms and privacy policy.
- Lawful bases. Where Basis processes personal data, we rely on: performance of a contract (Art. 6(1)(b)) to deliver the subscribed service and media; legitimate interests (Art. 6(1)(f)) for media delivery, infrastructure, and security; and, for any health data, your explicit consent (Art. 9(2)(a)), which you provide through the iOS Health permission prompt and may withdraw at any time.
- Retention. On-device data is retained until you delete it or delete the App. IP address and request-metadata logs held by AWS and Apple are retained per those providers' own schedules (Section 7).
- International transfers. Exercise media and subscription verification may be served from, or routed through, servers outside the EEA/UK, including in the United States. Such transfers rely on appropriate safeguards, such as the EU–U.S. Data Privacy Framework and/or Standard Contractual Clauses.
- Your rights. Subject to applicable law, you may have rights to access, rectification, erasure, restriction, portability, and objection, the right to withdraw consent, and the right to lodge a complaint with a supervisory authority. To exercise these rights, contact us at privacy@basishealth.app. We will respond within the time required by law (generally one month). Our practical ability to fulfill requests regarding off-device log data held by AWS or Apple is limited, as described in Section 7.
12.3 Florida Residents
Basis Health LLC is a Florida limited liability company, and Florida is our home jurisdiction. The Florida Digital Bill of Rights applies only to controllers that exceed a very large global-revenue threshold with additional qualifiers, and therefore does not currently apply to Basis. Although the statute does not require it, we will consider comparable requests described in this Section 12 where feasible, and we welcome questions from Florida residents.
12.4 Other U.S. State Consumer Health Data Laws
Certain U.S. states, including Washington (My Health My Data Act, "MHMDA") and Nevada (SB 370), define "consumer health data" more broadly than federal law. Because Basis processes health data only on your device, Basis does not "collect" or "share" consumer health data as those terms are defined under MHMDA — your health data stays on your device and never reaches Basis, and the only information that reaches the AWS media host or Apple is your IP address and request metadata, which is not consumer health data. Accordingly, we do not believe a separate Consumer Health Data Privacy Policy or MHMDA-specific consent flow is triggered for Basis. Residents of these states may exercise the applicable rights (such as access, withdrawal of consent, and deletion) as described in this Section 12 and Section 7, and may contact us at privacy@basishealth.app. Nevada residents have a right to opt out of the sale of certain covered information; Basis does not sell covered information, so no designated opt-out request is currently offered.
13. How to Contact Us
If you have questions about this Policy or your privacy, contact:
Basis Health LLC
1750 N Bayshore Dr, Apt 5214, Miami, FL 33132
Privacy inquiries: privacy@basishealth.app
Support: support@basishealth.app
14. Relationship to HIPAA
Basis Health LLC is not a "covered entity" or a "business associate" under the U.S. Health Insurance Portability and Accountability Act ("HIPAA"), and HIPAA does not apply to the health information you enter or that the App reads from Apple Health. We do not claim to be "HIPAA compliant." Instead, that information is protected on your device by Apple's and iOS's built-in safeguards and is not disclosed by Basis, as described throughout this Policy.
15. General Wellness, Not Medical Advice
Basis provides general wellness and fitness information (including any planned postpartum module) for informational purposes only. Basis is not medical advice, is not a diagnosis or treatment, and is not a medical device, and it is not intended to diagnose, treat, cure, mitigate, or prevent any disease or condition. The plans and guidance the App generates are general estimates derived from information you provide and from data read on-device from Apple Health; the App does not clinically measure or diagnose any physiological value. Always consult a qualified healthcare professional before starting, changing, or continuing any exercise, nutrition, or wellness program, and before making any medical decision — especially if you are pregnant, postpartum, nursing, recovering from childbirth or surgery, or managing a medical condition. If you are postpartum, do not begin the postpartum module without clearance from your physician or midwife, and stop and seek care if you experience pain, bleeding, dizziness, or other warning signs. In an emergency, call 911 or your local emergency number.
The binding medical disclaimer, assumption-of-risk acknowledgment, physician-clearance requirement, warranty disclaimer, and limitation-of-liability terms that govern your use of the App are set out as contractual terms in our Terms of Use / EULA, which you accept before using the App. The statements in this Section are provided for transparency and do not replace those contractual terms.
16. Consistency with the App Store Privacy Label
We keep this Policy consistent with the "App Privacy" information (the privacy "nutrition label") shown on the App's App Store product page. Because Apple Health data and your app data are processed only on your device, they are treated as "Data Not Collected" for the App Store privacy label.
For the one off-device flow — the request that conveys your device IP address and standard request metadata to the AWS media host (and, inherently, to Apple) — Basis declares this data on the App Store privacy label as Diagnostics and/or Identifiers, "Data Not Linked to You," and not used to track you, so that the label does not under-disclose this flow. We will keep both this Policy and the App Store privacy information accurate and up to date.
17. Acceptance of This Policy
By downloading, installing, or using the Basis App, you acknowledge that you have read and understood this Privacy Policy. When you first use the App, and when material changes are made, the App will present this Policy (or a link to it) together with our Terms of Use / EULA for your review and affirmative acceptance (for example, by tapping "I Agree"), and we will record your acceptance (including the version accepted and the date). The operative medical, assumption-of-risk, and liability acknowledgments are contractual terms presented in the Terms of Use / EULA at the same acceptance gate. You may view, save, and print a copy of this Policy at https://basis-exercise-media.s3.us-east-2.amazonaws.com/legal/privacy-policy.html and within the App.
18. Changes to This Policy
We may update this Policy from time to time — for example, if we change the App's features or data practices. When we make material changes, we will update the "Last Updated" date above, post the revised Policy at https://basis-exercise-media.s3.us-east-2.amazonaws.com/legal/privacy-policy.html and within the App, and provide notice in the App. For any change that materially affects your rights, our data practices, or the safety, disclaimer, or liability terms, we will present the updated Policy (together with the Terms of Use / EULA) for your renewed affirmative acceptance (for example, by tapping "I Agree") rather than relying on continued use alone. We encourage you to review this Policy periodically.
End of Privacy Policy.