Legal

Privacy Policy

In plain English

Your health data stays yours. Cōrta reads data you choose to share from Apple Health (HealthKit) or Health Connect — like HRV, sleep, resting heart rate, and cycle — only to power your own tracking. We never sell your health data and never use it for advertising. If you join the waitlist, we store your email to tell you when we launch, and nothing else. Analytics are aggregate and privacy-respecting. You can revoke health access or ask us to delete your data at any time.

This policy explains what Cōrta collects, why, and what control you have over it. Cōrta is a pre-launch cortisol and HPA-axis protocol tracker operated by the Cōrta team. If anything here is unclear, email privacy@getcorta.app.

Who we are

Cōrta ("Cōrta," "we," "us," or "our") is a health-tracking application and website operated by the Cōrta team. This policy applies to our website at getcorta.app and to the Cōrta mobile app once it is available. For privacy questions, contact privacy@getcorta.app. For anything else, contact hello@getcorta.app.

What we collect

We collect the minimum data needed to run the waitlist today and the app in the future:

  • Waitlist email. If you join our early-access list on the website, we collect the email address you submit.
  • Health data (in the app). With your explicit permission, the app reads health metrics from Apple Health (HealthKit) or Health Connect — including heart rate variability (HRV), sleep, resting heart rate (RHR), and cycle data — plus any protocol, symptom, or supplement entries you log yourself.
  • Aggregate analytics. Privacy-respecting, aggregate usage data that helps us understand how the website and app are used. This is not tied to your identity.

How we use your data

  • Waitlist email is used solely to notify you about the launch and related product updates. No spam. You can unsubscribe at any time using the link in any email.
  • Health data is used only to power your own tracking inside the app — to display your rhythm, connect your habits to how you feel, and surface personalized insights for you.
  • Aggregate analytics is used to improve reliability, understand which pages and features are useful, and prioritize what to build next.

Your health data stays yours

Health data from HealthKit and Health Connect is treated with special care. We never sell your health data, and we never use it for advertising or marketing. In line with Apple's and Google's platform rules, HealthKit and Health Connect data is never sold, never shared with third parties for their own purposes, and never used for advertising. Health metrics power your own tracking and nothing else.

You control access at all times. You can grant or revoke Cōrta's permission to read specific health data types directly in Apple Health or Health Connect, or in your device settings, whenever you like. Revoking access stops future reads immediately.

Legal bases for processing

Where data-protection laws such as the GDPR apply, we rely on the following legal bases:

  • Consent — for reading health data from HealthKit or Health Connect, and for adding you to the waitlist. You can withdraw consent at any time.
  • Legitimate interests — for aggregate, privacy-respecting analytics used to operate and improve our website and app.
  • Contract — where processing is necessary to provide a service you have asked us to provide.

Data retention

We keep waitlist emails until you unsubscribe or ask us to delete them, or until we no longer operate the waitlist. Health data you sync or log in the app is retained to provide your tracking history and is deleted when you delete it or close your account. Aggregate analytics are retained in de-identified form. We do not keep personal data longer than we need to for the purposes described here.

Your rights

You can ask us to:

  • Access the personal data we hold about you.
  • Correct data that is inaccurate.
  • Delete your data ("right to be forgotten").
  • Export a copy of your data.
  • Object to or restrict certain processing, and withdraw consent.

To exercise any of these rights, email privacy@getcorta.app. Depending on where you live, you may also have the right to lodge a complaint with your local data-protection authority.

How we share data

We do not sell your personal data. We share data only with service providers that help us operate — for example, our waitlist email is stored with Supabase, which processes it on our behalf under its own security and privacy commitments. Health data from HealthKit and Health Connect is not shared with any third party for their own purposes. We may disclose data if required by law, or to protect the rights, safety, or security of our users or the public.

Security

We use reasonable technical and organizational measures to protect your data, including encryption in transit and access controls on our systems. No method of transmission or storage is perfectly secure, but we work to safeguard the data you trust us with and to limit what we collect in the first place.

Children

Cōrta is intended for adults aged 18 and over. It is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact privacy@getcorta.app and we will delete it.

International data transfers

We may process and store data in countries other than the one you live in, including the United States. Where we transfer personal data across borders, we take steps to ensure it receives an adequate level of protection, using appropriate safeguards such as standard contractual clauses where required.

Medical disclaimer

Cōrta is an educational and self-tracking tool. It is not medical advice, and it is not a medical device. Nothing in the app or on this website is intended to diagnose, treat, cure, or prevent any condition. Always consult a qualified clinician about your health, symptoms, and any changes to your routine.

Changes to this policy

We may update this policy as the product evolves or as laws change. When we make material changes, we will update the effective date below and, where appropriate, notify you. Continued use of the website or app after changes take effect means you accept the updated policy.

Contact us

Questions about this policy or your data? Email us at privacy@getcorta.app for privacy and legal matters, or hello@getcorta.app for anything else.

Effective date: July 1, 2026. This policy describes our current practices for a pre-launch product and may be updated before general availability.