Honedly (“the Service”) is operated by Honedly, LLC (“we”, “us”), an Idaho limited liability company. This policy explains what we collect, how we use it, and the choices you have.
1. What we collect
To run Honedly we collect:
- Account info: email, password hash, optional display name, age, sex, gender, height, profile photo, and bio you provide. If you enable two-factor authentication, we store an encrypted TOTP secret (encryption keys held by us, not by you).
- Health & fitness data: meals, macros, workouts, sets, weights, body measurements, mood, sleep, hydration, fasting, daily notes, and progress photos that you log. If you opt into menstrual cycle tracking, the cycle entries you log.
- Voice journal recordings (Pro+ only): when you record a voice note from the dashboard, we send the audio clip to OpenAI Whisper for transcription. The transcript is kept; the audio clip is retained in our private object storage by default so you can replay it, or discarded immediately after transcription if you turn off audio retention.
- Imports: if you upload an Apple Health export, we read body weight, steps, and (optionally) heart rate from that file. We do not retain the raw file after import.
- Device & usage: basic logs (IP address, timestamps, user-agent) to operate and secure the service. Every authentication attempt (sign-in, sign-up, password reset, passkey use) is logged for forensic and abuse-detection purposes. We do not use third-party advertising trackers.
- Push subscriptions: if you enable notifications, we store the browser/device subscription token to deliver reminders.
- Payment metadata: if you subscribe to Pro or Pro+, Stripe stores your card and billing details. We retain only the Stripe customer + subscription IDs and the subscription status (active, past_due, canceled, etc.). We never see or store your card number.
2. How we use it
- To provide the tracking, planning, and analytics features you see.
- To compute estimates like TDEE, calorie burn, PRs, and trends.
- To send notifications you have opted into.
- To secure the service and prevent abuse.
We do not sell your personal data.
3. Sharing
Your data stays private to your account by default. The only exceptions are:
- Public profile: if you turn on the shareable profile, anyone with the link can see the stats you chose to expose. You control which stats and can disable sharing or regenerate the link.
- Household: if you join a household, members can see shared meal plans, recipes, and pantry items.
- Hosting and infrastructure: the application runs on commercial cloud infrastructure (compute, database, and object storage) in the United States, provided by established U.S.-based vendors under standard data-processing agreements. These vendors host the data; they do not access it for their own purposes.
- Service providers that handle specific user data under contracts limiting them to processing on our behalf:
  - Mailgun: transactional email (password resets, verification, household invites, lifecycle drip campaigns, broadcasts).
  - Stripe: payment processing for Honedly Pro and Pro+. We never see your card details; Stripe stores them. Stripe shares subscription state with us via webhook (no card data).
  - Google Analytics (only with your cookie-banner consent): aggregate page views and feature usage. IPs are anonymized; no Honedly account identifiers are sent. Decline the cookie banner or enable browser Do Not Track to opt out.
- AI subprocessors (Pro and Pro+ features): the AI features in Honedly are powered by two upstream vendors. Free-tier accounts never send data to either.
  - Anthropic: processes the text inputs for meal parsing, recipe generation, recipe URL import, weekly coach insights, daily briefs (Pro+), plateau narratives (Pro+), prep plans, restaurant lookups, meal swaps, and the nutrition-label scan. The inputs we send are the specific meal text / image / weekly summary you requested AI on — not your full account history. Per Anthropic's data-processing terms, content sent via their API is not used to train their models. Anthropic retains API content for up to 30 days for safety review, then deletes it.
  - OpenAI (Pro+ voice journaling only): processes audio clips you record from the dashboard mic. Used solely for speech-to-text transcription via the Whisper API. Per OpenAI's API data-usage terms, audio sent via their API is not used to train their models. OpenAI retains API content for up to 30 days for abuse review, then deletes it. We delete the audio immediately if you turn off audio retention.
- Wearable integrations you connect: if you link Fitbit, Whoop, Oura, Strava, Withings, Google Fit, Garmin (.fit upload), or Apple Health, we exchange data with that vendor only at your direction. You can disconnect at any time from Settings → Integrations, which deletes the stored OAuth tokens on our side; you may also revoke our access from the vendor's own settings.
- Household members: if you join a household, other members see shared pantry, grocery list, and shared meal plans. If you're the beneficiary of a Pro+ “for two” seat, the payer sees that you're covered (your account name + email) in their billing UI. Per-user meals, workouts, weight, sleep, journals, and Coach memory always stay private to your account.
- Legal: we may disclose information if required by law.
4. Storage and security
Your data is stored in the United States. Account data, logged meals/workouts/weights, and other records live in our managed database; binary uploads (avatars, recipe covers, progress photos, feedback screenshots, voice-journal audio) live in separate object storage, with personal uploads gated behind authenticated access only.
We apply industry-standard security practices: passwords are never stored in plaintext, two-factor authentication and passkeys are supported, sensitive secrets (such as wearable integration tokens and 2FA recovery material) are encrypted at rest, and sessions can be invalidated globally by you or by us in the event of a compromise.
We rate-limit authentication endpoints to slow credential-stuffing attempts. Accounts may be temporarily locked in response to a fraudulent chargeback or other abuse signal; affected users are notified by email and cannot sign in until the issue is resolved. We don't publish further detail on our security implementation here for reasons that should be obvious. No online service is 100% secure.
5. Retention
We retain your data for as long as your account exists. When you delete your account, your personal records are removed from our active systems within 30 days. Backups containing your data may persist for up to 90 days before they roll off, after which they are irrecoverable.
6. Your rights
At any time you can:
- Access & export your data from the Account tab.
- Correct information from the profile and settings pages.
- Delete your account and all associated data from the Account tab.
- Withdraw consent for notifications, public sharing, or integrations at any time.
If you reside in the EU/UK/California or another region with data-protection laws, you may have additional rights (e.g., the right to lodge a complaint with a supervisory authority).
7. Cookies and sessions
We use a single first-party session cookie set by our authentication system to keep you signed in. We do not use third-party advertising or tracking cookies. See our Cookies Policy for the full inventory.
8. Children
Honedly is not directed to children under 13. If you believe a child under 13 has created an account, contact us and we will remove it.
9. Changes to this policy
We may update this policy. We will note the effective date above and, for material changes, notify you in-app or by email.