Bornly Privacy Policy
Effective as of: January 5, 2026
Version: 3
Company: Bornly ApS ("Bornly", "we", "us")
Your health and well-being information can be highly sensitive. This Privacy Policy explains how we collect, use, store, and share personal data when you use Bornly's websites, apps, and related services (together, the "Services"), and the choices and rights you have.
This Privacy Policy should be read together with our Terms of Service and Medical Disclaimer.
1) Key points (tl;dr)
- We don't sell your personal data.
- We use data to run the Services, provide personalised features, keep things secure, and improve reliability.
- Health and well-being data (including things like symptoms, body measurements, pregnancy info, heart data, food logs) is treated as sensitive. Where required, we process it only with your explicit consent, and you can withdraw consent at any time.
- AI features: when you use AI-powered functionality, we send the prompt and relevant user-entered data needed to produce the output. We design these requests to exclude direct account identifiers such as your name, email address, or internal account/user ID. ⚠️ If you include identifying details in what you type, that content may still be personal data.
- We use trusted vendors ("processors/subprocessors") to operate the Services (hosting, security, email delivery, payments, and AI). They are bound by data processing terms and may only process data on our instructions.
- You can access, correct, export, delete, and otherwise control your data by contacting privacy@bornly.com.
2) Who we are (data controller)
Bornly ApS is the data controller responsible for the processing described in this Privacy Policy.
Company information
- Company name: Bornly ApS
- VAT number: DK-39857340
- Address: Vassingerødvej 97, 3540 Lynge, Denmark (C/O Mikkel Ulstrup)
Contact
- Privacy requests: privacy@bornly.com
- Support: support@bornly.com
3) What this policy covers
This Privacy Policy applies to personal data processed through:
- our apps and web apps,
- our websites (including marketing pages),
- subscription and billing flows,
- newsletters and communications,
- customer support interactions,
- and any other service that links to this Privacy Policy.
It does not cover third-party services you use separately (for example, Apple Health, Google Fit, or a wearable provider). Those services have their own privacy policies.
4) Definitions
- Personal data: information that identifies you or can reasonably be linked to you (directly or indirectly).
- Health / well-being data: information about physical or mental health, symptoms, pregnancy, nutrition, fitness/activity, biometrics, and related data that may be treated as special category / sensitive data under applicable law.
- Processor / subprocessor: a third party that processes personal data on our behalf under a contract.
5) Personal data we collect
We collect data in three ways: (A) data you provide, (B) data collected automatically, and (C) data we receive from third parties when you choose to use integrations or paid services.
5.1 Data you provide directly
Account and profile data
- name (or preferred name),
- email address,
- password (stored in a protected & encrypted form),
- language preferences and similar account settings.
Health and well-being data you choose to enter or import
Depending on the Services you use, you may enter (or import) data such as:
- workout/activity data (e.g., exercise duration and type),
- heart-related data (e.g., heart rate and heart rate variability),
- date of birth,
- gender,
- body measurements (e.g., height, weight, waist size, body composition),
- body temperature,
- mood logs,
- food logs (e.g., dietary intake and calories),
- pregnancy information,
- dietary preferences,
- health symptoms and related notes.
Payments and subscriptions
If you purchase a subscription or other paid Services, we may process:
- billing address (for tax, invoicing, and fraud prevention),
- transaction metadata and subscription status,
- a record of the payment transaction (which may include limited card metadata such as last 4 digits, where applicable).
We do not store full card numbers on our servers. Payment card data is handled by our payment providers.
Support and communications
- emails and messages you send to us,
- support tickets and troubleshooting information you share,
- feedback, survey responses, and bug reports (if you choose to provide them).
Newsletter and marketing sign-ups
- email address and (optionally) name and preferences.
5.2 Data we collect automatically
When you use our Services, we may collect:
Device and technical data
- IP address,
- device type/model, operating system, app version,
- language setting and time zone (where available),
- network and performance data needed to deliver and secure the Services.
Usage and diagnostics
- feature usage and event data (how you interact with the Services),
- crash and error logs,
- security logs used to detect abuse and protect accounts.
5.3 Data we receive from third parties (only when relevant)
Health and wearable integrations (with your permission)
If you choose to connect third-party services such as Apple Health or Google Fit (or similar), we may receive the categories of data you authorise those services to share.
Sign-In providers
If you use Sign in with Apple (or similar services), we receive the information that provider shares based on your settings. We do not receive health data from Apple solely because you use Sign in with Apple.
App stores and payment platforms
If you subscribe via Apple App Store / Google Play or a payment provider, we may receive purchase and subscription status signals needed to provide access, handle refunds/disputes, and support billing.
6) How we use personal data
We use personal data for the following purposes:
- Provide and operate the Services
  - create and manage accounts,
  - deliver features you request,
  - provide insights, recommendations, and summaries based on data you choose to enter.
- Personalisation
  - tailor content, insights, and recommendations to your inputs and preferences.
- Subscriptions and billing
  - process payments and manage subscriptions,
  - maintain purchase history and invoices,
  - prevent fraud and resolve billing issues.
- Customer support
  - respond to questions and troubleshoot,
  - maintain support history for follow-up.
- Security and integrity
  - protect accounts and prevent abuse,
  - detect and address suspicious behaviour,
  - maintain logs needed for incident response.
- Analytics and service improvement
  - understand how the Services perform,
  - fix bugs and improve stability,
  - test and refine product experiences.
  Where available, you can opt out of analytics tracking in app settings.
- Marketing communications (with consent where required)
  - newsletters and product updates,
  - announcements and promotions.
- Research and statistics (only where appropriate)
  - aggregated reporting and analysis to improve our Services,
  - scientific research participation only with explicit consent (see Section 10).
7) Legal bases for processing
Where the GDPR/UK GDPR (or similar laws) apply, we rely on one or more of the following legal bases:
- Contract (to deliver the Services you request)
  Example: account creation, providing paid features, processing subscription access.
- Consent
  Example: newsletters, optional analytics where required, and processing of health/sensitive data where explicit consent is required.
- Legitimate interests
  Example: security, fraud prevention, maintaining and improving performance, and basic service analytics (where permitted). We consider your rights and the impact on you before relying on this basis.
- Legal obligation
  Example: retaining certain accounting records, complying with lawful requests, responding to regulatory obligations.
Health and well-being data: where required by law, we process this data on the basis of your explicit consent, which you can withdraw at any time.
8) AI features and AI processing
Some Bornly features use AI to generate content such as recommendations, summaries, or responses.
8.1 What we send for AI processing
When you use an AI feature, we may send:
- the text/content you submit (your prompt), and
- the relevant user-entered data needed to complete the request (for example, logs or entries you want the AI to consider).
8.2 Excluding direct identifiers
We design AI requests to exclude direct account identifiers, such as:
- your name,
- your email address,
- and internal account/user IDs.
⚠️ Important: if you include identifying details in what you type (for example, your name, phone number, or other identifiers), that information may be included in the content being processed. Please avoid entering information you do not want processed for that request.
8.3 AI providers and safeguards
We may use third-party AI providers (listed on our Subprocessors page) to deliver AI features. These providers act as our processors and are contractually required to protect personal data and process it only to provide services to us and according to our instructions.
8.4 AI is not medical advice
AI-generated outputs are provided for informational/educational purposes and are not a substitute for professional medical advice, diagnosis, or treatment. See our Medical Disclaimer for details.
9) How we share personal data
We share personal data only in limited circumstances:
9.1 Service providers (processors/subprocessors)
We use vendors to operate the Services, such as:
- hosting and infrastructure,
- security and content delivery,
- transactional email,
- payments/subscription management,
- AI processing.
Our current subprocessor list is published here:
https://bornly.com/subprocessors
9.2 With your permission or at your request
For example:
- when you enable Apple Health / Google Fit integrations,
- when you choose to sign in using a third-party identity provider.
9.3 Legal and safety reasons
We may disclose data if we reasonably believe disclosure is necessary to:
- comply with law or legal process,
- enforce our Terms,
- protect the safety, integrity, and security of the Services and our users,
- investigate suspected fraud or misuse.
9.4 Business transfers
If Bornly is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. Where required, we will provide notice and any choices available under applicable law.
10) Research, aggregated data, and de-identification
We may use aggregated, statistical information to understand performance and improve the Services.
If we invite you to participate in surveys or scientific research:
- we will explain what data is involved,
- we will request explicit consent where required,
- and we will not share your data for research without your prior consent.
Where feasible, we use de-identified and/or aggregated data for analysis and publications. If data is truly anonymised, it is no longer personal data. If it can still be linked back to an individual, we treat it as personal data.
11) Cookies and similar technologies
Our websites may use cookies and similar technologies for:
- Necessary cookies (required for core functionality),
- Analytics cookies (to understand usage and improve performance),
- Personalisation cookies (to tailor content based on preferences and behaviour).
Where required by law, we ask for consent for non-essential cookies. You can also control cookies via your browser settings. Blocking cookies may affect website functionality.
If we link to or embed third-party content, those third parties may set cookies under their own policies.
12) Storage, retention, and deletion
12.1 Where we store data
We store data using trusted infrastructure providers and security services (see our Subprocessors page).
12.2 Retention
We keep personal data only as long as needed for the purposes described in this policy, including:
- Account and user-entered data: typically kept until you delete your account or withdraw consent (where applicable).
- Support correspondence: kept as needed to resolve issues and maintain reasonable support history.
- Billing and transaction records: kept as required by tax/accounting rules and to handle disputes.
12.3 Deletion (including backups)
When you request deletion, we delete or de-identify personal data within a reasonable period, subject to legal and operational limitations. Some data may remain in secure backups for a limited time before being overwritten.
13) Security
We use technical and organisational measures designed to protect personal data, such as:
- encryption in transit (e.g., TLS),
- access controls and least-privilege permissions,
- monitoring and logging for security and reliability,
- security reviews and best-practice implementation.
No system can be guaranteed 100% secure. Please use a strong password and keep your credentials confidential.
If we become aware of a personal data breach, we will take appropriate steps and provide notices where required by law.
14) International data transfers
Bornly is based in Denmark, but some service providers may process data outside the EEA/UK.
When transferring personal data internationally, we apply appropriate safeguards where required (for example, contractual protections such as Standard Contractual Clauses and related assessments).
For details about our safeguards, contact privacy@bornly.com.
15) Your rights
Depending on your location and applicable law, you may have rights including:
- Access: obtain a copy of your personal data.
- Correction: fix inaccurate or incomplete data.
- Deletion (erasure): request deletion of personal data (subject to legal limits).
- Restriction: request limited processing in certain cases.
- Objection: object to some processing (including direct marketing).
- Portability: request your data in a structured, commonly used format.
- Withdraw consent: where processing is based on consent, you can withdraw at any time.
- Complaint: lodge a complaint with the relevant supervisory authority.
- Automated decision-making: where applicable, object to decisions made solely by automated means that have legal or similarly significant effects.
15.1 How to exercise your rights
Email privacy@bornly.com and include:
- the email linked to your account (if any), and
- what you want to do (access/correct/export/delete/withdraw consent).
We may need to verify your identity. We aim to respond within the time limits set by applicable law (often within one month, with extensions where legally permitted).
16) Children and age limits
Bornly's Services are not intended for children.
- The Services are not intended for persons under 18.
- You must be 18+ to purchase a subscription. If you are under 18, you must have consent from a parent or guardian to use the Services.
If we learn we collected personal data from a child in a way that violates applicable law, we will take steps to delete it.
17) Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example if our Services change or laws change. The latest version will be published on our website. If changes are material, we will provide additional notice where required (for example, by email or in-app).
18) Contact
Bornly ApS
Vassingerødvej 97
3540 Lynge, Denmark (C/O Mikkel Ulstrup)
VAT: DK-39857340
Privacy: privacy@bornly.com
Support: support@bornly.com
Subprocessors: https://bornly.com/subprocessors
19) California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Categories of Personal Information We Collect
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | Name, email, IP address | Account management, communications |
| Health information | Symptoms, body measurements, food logs, pregnancy data | Provide core app features and insights |
| Commercial information | Subscription status, purchase history | Billing and service delivery |
| Internet/network activity | Usage data, device info, crash logs | Security, analytics, service improvement |
Sale and Sharing of Personal Information
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
Sensitive Personal Information
We collect sensitive personal information (health data) only with your explicit consent and solely to provide the Services you request. You can limit our use of sensitive personal information to what is necessary to perform the Services by contacting privacy@bornly.com.
Your California Rights
As a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information (subject to exceptions)
- Correct inaccurate personal information
- Opt-out of sale/sharing — we do not sell or share your data
- Limit use of sensitive personal information — contact us to limit processing
- Non-discrimination — we will not discriminate against you for exercising these rights
How to Exercise Your Rights
Submit requests to privacy@bornly.com. We will verify your identity and respond within 45 days (extendable by 45 days if needed).
You may designate an authorized agent to make requests on your behalf.
Version: 3
Updated: 2026-01-05