Nubu — Privacy Policy

Effective Date: 1 May 2026
Last Updated: 30 April 2026
Applicable Jurisdiction: Hong Kong Special Administrative Region

1. Introduction

Welcome to Nubu ("App", "we", "us", or "our"). Nubu is a personal AI-powered health advisory mobile application operated by Nubu Health AI Limited ("Company"), a company incorporated in Hong Kong.

We are committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, store, disclose, and protect your personal data when you use the Nubu mobile application and related services (collectively, the "Services").

This Privacy Policy is prepared in accordance with the Personal Data (Privacy) Ordinance (Cap. 486) of the Laws of Hong Kong ("PDPO") and the six Data Protection Principles ("DPPs") set out in Schedule 1 thereto.

By using the App, you acknowledge that you have read and understood this Privacy Policy.

2. Our De-Identification Commitment

Your privacy is our highest priority. Nubu is built on a de-identification-first architecture. This means:

  • All health data stored on our servers is de-identified. We strip direct personal identifiers from your health records before storage, so that data at rest cannot be linked back to you without the use of separately held keys.
  • Data sent for AI advisory processing is transmitted in de-identified form through secured, encrypted connections. The AI provider receives health metrics without your name, contact details, or other direct identifiers.
  • No re-identification without authorisation. We maintain strict access controls and policies to prevent the re-identification of de-identified data.
  • Your data is never sold. We do not sell, rent, or trade your personal data — in identified or de-identified form — to any third party, for any purpose, under any circumstance.

3. Data Controller

Nubu Health AI Limited
Hong Kong Special Administrative Region
Email: privacy@nubuhealth.com
Website: https://nubuhealth.com

For all privacy-related enquiries, including data access and correction requests, please contact us at the email address above.

4. Personal Data We Collect

We collect the minimum amount of data necessary to provide our Services. The categories below describe the types of data we may collect. You are always in control — most health data is only collected when you choose to provide it.

4.1 Account & Profile Data

When you create an account or set up your profile, we may collect:

  • Age, gender, height, and weight — to personalise your health advisory experience
  • Fitness level and health goals — to tailor AI recommendations
  • Known health conditions — to provide more relevant advisory insights
  • Preferred language — to deliver content in your chosen language

Authentication: We use third-party sign-in services (such as Apple Sign In and Google Sign In) for secure, passwordless authentication. We receive only the minimum credentials needed to verify your identity. We do not store passwords.

4.2 Health & Medical Data (User-Initiated Only)

We collect health and medical data only when you choose to provide it. You decide what to share, and you can remove your data at any time.

  • Health report uploads — If and when you choose to upload a medical or blood test report (PDF or image), the App will process it to provide AI-powered health advisory insights. Uploading a report is entirely at your discretion; the App functions without it.
  • Health indicators — If you upload a report, certain health indicators may be extracted to generate personalised advisory content and risk summaries. These indicators are stored in de-identified form.
  • Health summaries — The App may generate AI-powered summaries based on your data, displayed only to you within the App.

4.3 Wearable & Device Health Data (Optional)

If you choose to connect a weaable device or health platform, we may read selected health metrics such as activity, vitals, and sleep data from Apple HealthKit or Google Health Connect. This integration is entirely optional and requires your explicit permission. You may revoke access at any time through your device settings.

All wearable data is cached locally on your device. We do not maintain permanent copies on our servers.

4.4 Food & Supplement Logs (User-Initiated Only)

If you choose to use the food or supplement journaling features, you may submit food photographs or supplement records. These are used solely to provide personalised nutritional advisory content.

4.5 AI Interaction Data

When you interact with the AI health assistant, your chat messages and the AI's responses are stored on your device to maintain conversation context. Chat content sent for AI advisory processing is transmitted without your name or direct personal identifiers and is not stored by the AI provider.

4.6 Technical Data

We automatically collect a minimal set of technical data required for the App to function, including device type, operating system version, and app version. We may also collect push notification tokens (with your consent) to deliver notifications.

4.7 Location Data

We may collect approximate location data only when you explicitly grant permission. Location data is used solely to provide location-relevant experiences. We do not track your location continuously or in the background.

5. Purposes of Data Collection and Use

We collect and use your personal data for the following purposes:

  1. Account creation and authentication — secure, passwordless sign-in.
  2. Personalised health advisory — generating de-identified, AI-powered health insights, tips, and advisory reports tailored to your profile.
  3. AI health assistant — providing contextual health guidance through the chatbot, using your de-identified health profile.
  4. Health data visualisation — displaying your health metrics and trends within the App.
  5. Nutritional advisory — providing food and supplement-related insights when you choose to use these features.
  6. Wearable data integration — syncing health data from connected platforms to enrich your health profile (when you opt in).
  7. Push notifications — sending health reminders, tips, and app updates (with your consent).
  8. Service improvement — diagnosing technical issues and improving the App experience.
  9. Compliance with legal obligations — responding to lawful requests from regulatory authorities.

We will not use your personal data for any purpose other than those stated above, or a directly related purpose, without your prior voluntary and explicit consent (DPP 3).

6. Legal Basis for Processing

Under the PDPO, we process your personal data on the following bases:

  • Consent — You provide voluntary consent when you create an account, upload health reports, grant health data permissions, and enable push notifications.
  • Contractual necessity — Processing is necessary to provide you with the Services.
  • Legitimate interest — Improving the App and ensuring security, provided such interest is not overridden by your rights.
  • Legal obligation — Complying with applicable laws and regulations.

7. Third-Party Service Providers

We work with a limited number of trusted third-party service providers to deliver the Services. All providers are bound by contractual obligations to protect your data and process it only as we instruct.

  • AI Advisory Provider — We use a third-party AI model to generate health advisory content. Your health data is sent in de-identified form. The provider does not retain your data after processing and does not use it for model training under our enterprise agreement.
  • Authentication Providers — We use Apple Sign In and Google Sign In for secure account verification. These providers receive only the minimum information required for authentication.
  • Notification Provider — We use a third-party service to deliver push notifications. Only device-level identifiers are shared; no health or personal data is transmitted.
  • Cloud Infrastructure — Our backend services are hosted on enterprise-grade cloud infrastructure with encryption at rest and in transit.

We do not sell your personal data to any third party.

8. Cross-Border Data Transfers

Your personal data may be transferred to, and processed in, jurisdictions outside Hong Kong for the purposes described in this Privacy Policy.

In accordance with the PDPO, we ensure that any cross-border transfer is subject to:

  1. Contractual safeguards requiring the recipient to comply with data protection standards substantially similar to those under the PDPO.
  2. Technical safeguards including encryption in transit and at rest.
  3. De-identification — health data transferred for AI advisory processing is de-identified before transmission.
  4. Enterprise agreements stipulating that your data is not retained or used for model training by AI providers.

9. Data Security & De-Identification

We implement robust technical and organisational measures to protect your personal data against unauthorised or accidental access, processing, erasure, loss, or use (DPP 4):

  • De-identification by default — Health data is de-identified before storage and before transmission to third-party providers. Direct personal identifiers are separated from health records.
  • Encryption in transit — All communications use HTTPS/TLS encryption.
  • Secure local storage — Sensitive credentials are stored in the device's secure enclave (iOS Keychain / Android Keystore).
  • Passwordless authentication — Eliminating password-related attack vectors.
  • Access controls — Server access is restricted to authorised personnel on a need-to-know basis.
  • Biometric protection — The App supports Face ID / Touch ID for additional on-device security.
  • No unnecessary data retention — Data sent for AI advisory processing is discarded immediately upon completion.

10. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected (DPP 2):

Data Category Retention Period
Account & profile data Until you delete your account or request deletion
Health reports and indicators Until you delete them from the App or delete your account. Stored in de-identified form.
AI chat history Stored locally on your device; cleared when you clear app data
Data sent for AI advisory processing Not retained — discarded immediately after processing
Wearable health data Cached locally on your device; no permanent server copy
Push notification tokens Until you disable notifications or delete your account

Upon account deletion, we will erase or anonymise your personal data within 30 days, except where retention is required by law.

11. Your Rights Under the PDPO

Under the PDPO, you have the following rights:

11.1 Right of Access (Section 18)

You have the right to request access to your personal data held by us. We will respond to your data access request within 40 days of receiving the request. We may charge a reasonable fee to cover our administrative costs.

11.2 Right of Correction (Section 22)

You have the right to request correction of any personal data that is inaccurate. We will respond within 40 days.

11.3 Right to Delete

To request deletion of your account and all associated personal data, please send an email to:

Email: privacy@nubuhealth.com

In your email, please include the name or account identifier associated with your Nubu account and state that you wish to delete your account and data. We will verify your identity and process your request. Server-side data will be erased within 30 days of a confirmed deletion request. Locally stored data on your device can be removed by uninstalling the App.

11.4 Right to Withdraw Consent

You may withdraw consent for specific data processing activities at any time through your device settings, including health data permissions, push notifications, camera and photo access, calendar access, and location access.

Withdrawing consent will not affect the lawfulness of processing carried out before withdrawal.

11.5 How to Exercise Your Rights

To submit a data access, correction, or deletion request, please contact us at:

Email: privacy@nubuhealth.com

Please include your account information and a description of your request. We may ask you to verify your identity before processing the request.

12. Cookies and Tracking

The Nubu App is a native mobile application and does not use browser cookies. We do not employ any third-party tracking, advertising, or profiling technologies. We do not use your data for advertising or user profiling.

13. Children's Privacy

The App is not intended for use by persons under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 18 without appropriate parental consent, we will take steps to delete such data promptly.

14. AI-Generated Content Disclaimer

Health insights, tips, advisory reports, and chatbot responses provided by Nubu are generated by artificial intelligence and are for personal reference only. They do not constitute medical advice, diagnosis, or treatment. Always consult a qualified healthcare professional for medical decisions.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated Privacy Policy within the App
  • Updating the "Last Updated" date at the top of this document
  • Sending a push notification for significant changes (where applicable)

Your continued use of the App after any changes constitutes your acceptance of the updated Privacy Policy.

16. Complaints

If you believe that we have not complied with the PDPO in handling your personal data, you may lodge a complaint with:

Office of the Privacy Commissioner for Personal Data (PCPD)
Address: Unit 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wan Chai, Hong Kong
Hotline: (852) 2827 2827
Website: https://www.pcpd.org.hk

We encourage you to contact us first so that we can attempt to resolve your concern.

17. Language

This Privacy Policy is provided in English. In the event of any inconsistency between the English version and any translated version, the English version shall prevail.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Nubu Health AI Limited
Email: privacy@nubuhealth.com
Website: https://nubuhealth.com

This Privacy Policy is governed by and construed in accordance with the laws of the Hong Kong Special Administrative Region.