Privacy Policy

Last updated: February 2026

1 Introduction

Welcome to Ando (“we”, “our”, or “us”). Ando Care is based in France.

Ando is a personal health companion that helps people understand how daily activities affect their glucose levels. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web services at https://ando.care and https://app.ando.care (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy.

2 Information We Collect

2.1 Information You Provide Directly

  • Account Information: Email address and display name when you create an account
  • Food Logs: Meal names, timestamps, and photos you choose to log
  • Manual Activity Logs: Activities you manually record in the app

2.2 Information from Third-Party Services

When you connect third-party services to Ando, we receive data from those services:

Service | Data We Receive
Strava | Activities (name, type, start time, duration, distance), athlete profile
Dexcom | Glucose readings (value, timestamp)
LibreLinkUp (Abbott) | Glucose readings (value, timestamp)
Nightscout | Glucose readings (value, timestamp)
Garmin (coming soon) | Activities (name, type, start time, duration, heart rate)

We only access data you explicitly authorize through each service's OAuth consent flow. You can revoke access at any time.

2.3 Information Collected Automatically

  • Usage Data: App interactions, features used, and timestamps
  • Device Information: Device type, operating system version
  • Log Data: Error logs and performance data to improve the Service

2.4 What We Do NOT Collect

  • Precise location data
  • Contacts or phone data
  • Advertising identifiers
  • Cookies for tracking

3 How We Use Your Information

We use your information solely to provide and improve the Service:

Purpose | Legal Basis (GDPR)
Display your glucose data alongside activities | Performance of contract
Calculate glucose statistics (average, time in range) | Performance of contract
Update your Strava activity descriptions with glucose stats | Your explicit consent
Store and display your food logs | Performance of contract
Send service-related notifications | Legitimate interest
Improve the Service and fix bugs | Legitimate interest

We do NOT:

  • Sell your personal data
  • Use data for advertising
  • Share health data without consent

5 How We Share Your Information

5.1 With Third-Party Services (At Your Request)

When you connect Strava, we may update your activity descriptions with glucose statistics. This is done only with your explicit consent and can be disabled in Settings.

5.2 Service Providers

We use the following service providers to operate Ando:

Provider | Purpose | Location
Supabase | Database & authentication | EU
Railway | Application hosting | US
Expo | Mobile app distribution | US

All providers are bound by data processing agreements and appropriate safeguards (Standard Contractual Clauses).

5.3 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests by public authorities.

6 Third-Party Services

Ando connects to external services like Strava, Dexcom, LibreLinkUp, and Nightscout. When you use these integrations, their privacy policies also apply to the data they process.

We recommend reviewing their privacy policies:

We are not responsible for the data practices of these third-party services.

7 Research & Clinical Studies (Optional)

7.1 Participation in Research

With your explicit consent, your anonymized data may be used to support research conducted by accredited academic institutions or healthcare organizations.

7.2 What This Means

  • Your data would be fully anonymized (no name, email, or identifiable information)
  • Only aggregated glucose patterns and activity correlations would be shared
  • You can opt in or out at any time in Settings → Privacy
  • We will never sell your raw data

7.3 How to Participate

To participate, enable “Contribute to Research” in Settings → Privacy.

To withdraw, disable “Contribute to Research” at any time. Previously shared anonymized data cannot be recalled, but no new data will be shared.

7.4 Research Partners

We only partner with:

  • Accredited academic institutions
  • Healthcare organizations with ethics board approval (IRB/CPP)
  • Research projects that have passed ethical review

8 Data Retention

Data Type | Retention Period
Account information | Until you delete your account
Glucose readings | 90 days (rolling)
Activity data | Until you delete your account
Food logs | Until you delete your account
Research consent records | 5 years (legal requirement)

You can delete your account and all associated data at any time from Settings.

9 Data Security

We implement appropriate technical and organizational measures to protect your data:

  • 🔒 Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • 🔐 Authentication: Secure authentication via Supabase Auth
  • 🔑 Token Security: Third-party tokens (Strava, CGM) are encrypted using AES-256-GCM before storage
  • 🛡️ Access Control: Row-level security ensures you can only access your own data
  • 👤 Anonymization: Research data is irreversibly anonymized before any sharing

While we strive to protect your information, no method of transmission over the Internet is 100% secure.

10 Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

Right | How to Exercise
Access | Request a copy of your data via Settings > Export Data
Rectification | Update your information in the app
Erasure | Delete your account via Settings > Delete Account
Portability | Export your data in JSON format
Restriction | Contact us to restrict processing
Objection | Contact us to object to processing
Withdraw Consent | Disconnect services in Settings or disable research

To exercise any of these rights, contact us at privacy@ando.care.

11 International Data Transfers

Your data may be transferred to and processed in countries outside the EEA (notably the United States for some service providers). We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Service providers with appropriate data protection certifications

12 Do Not Track

Most web browsers and some mobile operating systems include a “Do Not Track” (DNT) feature. As there is no uniform standard for DNT signals, we do not currently respond to DNT browser signals. If a standard is adopted in the future, we will update this policy accordingly.

13 Age Restriction

Ando is intended for users aged 16 years and older. We do not knowingly collect personal information from users under 16. By creating an account or using our services, you confirm that you meet this age requirement.

If we learn that we have collected data from a user under 16, we will take steps to delete that information promptly.

14 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the “Last updated” date
  • Sending you an email notification for material changes

We encourage you to review this Privacy Policy periodically.

15 Contact Us

If you have any questions about this Privacy Policy, please contact us:

Ando Care

Email: privacy@ando.care

Website: https://ando.care

Quick Summary

What We Do

  • Collect data you explicitly connect
  • Process data to show you insights
  • Store data securely with encryption
  • Let you delete everything anytime
  • Only share anonymized data for research (if you opt in)

What We Don't

  • Sell your data
  • Use data for advertising
  • Share health data without consent
  • Track your location
  • Share identifiable data with researchers

This Privacy Policy is effective as of February 2026.