Holi Privacy Policy
Effective date: 01.07.2026
Last updated: 01.07.2026
Introduction
This Privacy Policy describes how Denis Rossiev ("we", "us", "our", or the "Operator") collects, uses, maintains, and discloses information when you use the Holi mobile application and related online services (the "Services"). Holi is an iOS application for health, nutrition, and longevity that combines your personal health data with an AI assistant to help you understand your body and progress toward your goals.
The Operator is the data controller responsible for your personal data under the EU General Data Protection Regulation ("GDPR") and other applicable data protection laws.
By accessing and using the Services, you accept and agree to this Privacy Policy. If you do not agree, you must not access or use the Services.
Because Holi processes sensitive health data, we ask for your explicit consent before collecting and processing such data. You can withdraw that consent at any time, as described below.
Personal Data We Collect
We collect information that identifies, relates to, describes, or could reasonably be linked to you ("Personal Data") in the following categories.
Account and Profile Data
- Name and username
- Email address
- Sign in with Apple identifiers (when you choose Apple sign-in)
- Date of birth and sex
- Geolocation and city / general region
Health and Wellness Data (Special Category Data)
The core of the Services involves health data. This is "special category" data under Article 9 of the GDPR and is processed only on the basis of your explicit consent. It may include:
- Body and vital metrics: weight, body composition and bioelectrical impedance analysis (BIA), body measurements, heart rate variability (HRV), resting heart rate, blood oxygen saturation (SpO2), respiratory rate, body temperature, VO2max, and blood glucose
- Lab biomarkers: laboratory test results and biomarker values, together with uploaded lab result documents (PDF files and photos)
- Biological age and health scores: derived indicators and scores calculated from your data
- Nutrition data: food and meal logs, food photos, dishes, and meals
- Supplements and medications: name, active ingredient, dosage, and form
- Workouts: activity logs including GPS routes and workout telemetry
- Sleep: sleep phases, duration, and circadian metrics
- Menstrual cycle data: reproductive health and cycle tracking information
AI Assistant Data
- Your chat history with the Holi AI assistant
- AI assistant "memory" (context retained to provide continuity across conversations)
- Files you attach to conversations, including images, documents, and audio
Apple HealthKit Data
With your permission, Holi integrates with Apple HealthKit to import many of the body and vital metrics listed above (such as heart rate, HRV, SpO2, respiratory rate, sleep, workouts, weight, and related measurements). This integration is optional and controlled by you through iOS permission settings. Our use of HealthKit data is described in the "Apple HealthKit" section below.
Technical Data
To operate and secure the Services, we may process limited technical information such as device identifiers, app version, and diagnostic and error logs.
Payments for any subscriptions are processed by Apple through the App Store under Apple's own privacy policy. We do not receive or store your payment card details.
How We Collect Your Personal Data
We collect Personal Data:
- Directly from you, when you register, complete your profile, log meals, workouts, supplements, or measurements, upload documents or photos, or interact with the AI assistant.
- From Apple HealthKit, when you grant permission to import health metrics from your device.
- Automatically, in the form of limited technical and diagnostic data generated when you use the app.
How We Use Your Personal Data
We use your Personal Data for the following purposes:
- To provide the Services: to store, sync, and display your health, nutrition, and longevity data, calculate biological age and health scores, and deliver personalized insights.
- To power the AI assistant: to generate AI responses, coaching, and educational guidance based on your data and messages, and to maintain conversation history and memory for continuity.
- To maintain and improve the Services: to fix errors, ensure reliability, and improve functionality.
- To provide customer support: to answer your questions and respond to your requests.
- To ensure security and prevent misuse: to protect the Services and users against fraud, abuse, and unauthorized access, and to comply with legal obligations.
We do not use your health data for advertising or marketing.
Legal Bases for Processing (GDPR)
We process your Personal Data only where we have a lawful basis under the GDPR:
- Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)): for the processing of your health and other special-category data, including all biometric, lab, nutrition, reproductive, and related health information, and for its transmission to the AI processors described below. You may withdraw this consent at any time.
- Performance of a contract (Art. 6(1)(b)): to provide the Services you request, including account management and the core app functionality.
- Legitimate interests (Art. 6(1)(f)): to secure our systems, prevent fraud and abuse, and maintain and improve the Services, where such interests are not overridden by your rights.
- Compliance with legal obligations (Art. 6(1)(c)): where processing is required to meet legal or regulatory requirements.
Where processing relies on consent, withdrawing your consent does not affect the lawfulness of processing carried out before the withdrawal.
AI and Third-Party Processing
The Services use artificial intelligence features to generate responses, insights, search results, voice output, and media. To provide these features, the relevant portions of your data (including, where necessary, health data, messages, and attached files) are transmitted to and processed by the following third-party sub-processors solely to generate the requested output:
- OpenRouter — large language model routing (AI text generation and reasoning)
- Perplexity — AI-powered search
- ElevenLabs — voice generation and text-to-speech
- Fal — image and media generation and processing
We transmit only the data reasonably necessary to generate a response. These providers process your data on our behalf and are subject to contractual confidentiality and data-protection obligations. Once your data is processed by a third-party provider, it is also subject to that provider's own systems and safeguards.
We do not sell your Personal Data, and we do not share your health data for advertising or marketing purposes.
Data Sharing and Processors
Beyond the AI providers named above, we may share Personal Data with:
- Infrastructure and hosting providers, including our object-storage provider Hetzner (located in Germany, EU), where uploaded files such as lab documents, food photos, and attachments are stored.
- Authorities, where disclosure is required by applicable law, legal process, or a lawful request, or where reasonably necessary to protect the rights, property, or safety of our users, the Operator, or others.
- Successors in a business transfer, in the event of a reorganization, merger, or transfer of the Services, in which case any recipient will be required to protect your data consistent with this Policy.
Each processor acting on our behalf is bound by a data-processing agreement that limits their use of your data to providing services to us.
Storage, Security, and Location of Data
Your Personal Data is stored and processed in the European Union. Uploaded files are stored with Hetzner in Germany (EU), and our databases are hosted in Europe.
We use appropriate technical and organizational measures to protect your Personal Data against unauthorized access, use, alteration, or disclosure, including access controls and encryption in transit. No method of transmission or storage is completely secure, and while we work to protect your data, we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.
If we become aware of a personal data breach affecting your information, we will notify you and the relevant supervisory authority where required by, and within the timeframes set by, applicable law.
International Transfers
Your Personal Data is stored and processed within the European Union. Where any processing by our sub-processors involves a transfer of data outside the European Economic Area, we rely on appropriate safeguards recognized under the GDPR, such as European Commission adequacy decisions or Standard Contractual Clauses, to ensure your data receives an equivalent level of protection.
How Long We Keep Your Data
We retain your Personal Data only for as long as necessary for the purposes described in this Policy:
- Account, profile, and health data: retained for as long as your account is active, and for a reasonable period thereafter to meet legal obligations or resolve disputes. You may request deletion at any time.
- AI assistant conversation history and memory: retained to provide continuity until you request its deletion or delete the relevant content in the app.
- Diagnostic and log data: retained for a limited period for debugging, security, and quality assurance, and then deleted.
When you delete your account, we delete or irreversibly anonymize your Personal Data, except where we are required or permitted to retain certain information by law.
Your Rights (GDPR)
Subject to applicable law, you have the following rights regarding your Personal Data:
- Access — to obtain confirmation of whether we process your data and a copy of it.
- Rectification — to have inaccurate or incomplete data corrected.
- Erasure — to have your data deleted ("right to be forgotten"), subject to legal exceptions.
- Portability — to receive your data in a structured, commonly used, machine-readable format and, where feasible, have it transmitted to another controller.
- Restriction — to request that we restrict processing in certain circumstances.
- Objection — to object to processing based on our legitimate interests.
- Withdraw consent — to withdraw your consent to health-data and AI processing at any time, without affecting the lawfulness of prior processing.
- Complaint — to lodge a complaint with a supervisory authority in your country of residence, place of work, or the place of an alleged infringement.
To exercise any of these rights, contact us at [email protected]. We may ask you to verify your identity before responding, and we will respond within the timeframes required by applicable law.
Apple HealthKit
Where you enable HealthKit integration, our handling of data obtained through Apple HealthKit follows Apple's requirements:
- We use HealthKit data only to provide you with health, nutrition, and longevity features within the Services (for example, displaying your metrics, calculating scores, and informing AI insights that you request).
- We do not use HealthKit data for advertising, marketing, or any use-based data mining beyond providing the Services to you.
- We do not sell HealthKit data, and we do not share HealthKit data with third parties except as necessary to provide the features you use (such as the AI processing you request) or as required by law.
- You control HealthKit access at all times through your iOS settings and can revoke it whenever you wish.
Children
The Services are not directed to children, and we do not knowingly collect Personal Data from children under the age of 16 (or the minimum age required by the law of your country). If you believe a child has provided us with Personal Data without appropriate consent, please contact us at [email protected], and we will delete it.
Medical Disclaimer
The Services, including AI-generated insights and coaching, are provided for informational and educational purposes only. AI responses may be inaccurate, incomplete, or inconsistent. Holi does not provide medical advice and must not be relied upon as a substitute for professional medical care, diagnosis, or treatment. Always consult a qualified healthcare provider with any questions about your health.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes — such as changes to the categories of data we collect, the purposes for which we use it, or the third parties with whom we share it — we will notify you within the app or by email before the change takes effect. Your continued use of the Services after the effective date of the updated Policy constitutes acceptance of it, to the extent permitted by law.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, you can contact the Operator, Denis Rossiev, at: