Short version: To sync across your devices, the web app stores your profile and tracked
data in our cloud database, tied to your account. We don't sell your data or use it for advertising.
On the iOS app, sensitive on-device data (Apple Health, camera) stays on your device. You can export or
delete your data anytime.
1. Who we are
OPSIN is operated by ZHC Labs Pte Ltd (Singapore) ("OPSIN", "we", "us"). We provide a
sunlight, vitamin D and circadian light tracking app and website (theopsin.com). This policy explains
what we collect and how we handle it, consistent with Singapore's Personal Data Protection Act (PDPA)
and, where applicable, the GDPR/CCPA. Contact: [email protected].
2. Data we process
Account: when you sign in to the web app, our authentication provider (Clerk) processes
your email and/or Google/Apple sign-in identity to create your account. We identify your data by your
account ID.
Profile you provide: skin type, birth year/age, optional BMI, wake and bed times,
clothing/exposure, supplement dose, goals, and preferences. Used to personalize your estimates.
On the web app, this is stored in our cloud database (see §4) under your account so it syncs
across your devices.
Activity you log: sun sessions, supplement entries, blood-test results you enter,
streaks. On the web app, stored in our cloud database under your account (with a local browser cache for
offline use).
Location: your approximate coordinates, used to calculate sun position and fetch your
local UV/weather forecast. Coordinates (or a city name you search) are sent to our forecast provider
(Open-Meteo) for this purpose.
AI coach: if you use the coach, the messages you send and a snapshot of your current
OPSIN data (scores, plan) are sent to our LLM provider (Flow AI) to generate a reply, and the exchange
may be logged for safety and quality. Don't enter information into the coach that you don't want processed this way.
Apple Health / device health data (iOS app, optional): with your explicit permission,
the iOS app may read data such as time in daylight, sleep, and body metrics, and write your estimated
vitamin D / light-exposure sessions back to Health. Raw HealthKit data stays on your device; only derived
aggregates sync, with consent.
Camera ("mirror" feature, iOS, optional): used on-device only to estimate light level
and exposed skin. Images are processed on your device and are not stored or uploaded.
Product analytics & error reporting: on the web app we use PostHog to understand how
features are used (pages viewed, buttons tapped, feature usage) and to capture technical errors so we can
fix them. You are identified only by your opaque account ID — not your name or email. Values you type into
forms are masked, and we do not record your screen or session. See §4.
3. What we do NOT do
We do not sell your personal data.
We do not use your data for third-party advertising.
We do not upload raw camera images or raw Apple Health data from the iOS app.
4. Third-party processors
We use these providers to run the service; each processes only what's needed for its function:
Clerk — authentication / account management.
Railway — application hosting and the PostgreSQL database that stores your web-app data.
Cloudflare — DNS, content delivery, and security.
Open-Meteo — UV/weather forecasts and geocoding (receives coordinates or a city name).
Flow AI — the LLM that powers the coach (receives coach messages + your data snapshot).
PostHog (US region) — product analytics and error reporting for the web app; receives usage
events and errors keyed to your opaque account ID, with typed input values masked.
5. Storage, security & retention
Web-app data is stored in our cloud database (Railway PostgreSQL), associated with your account and protected
in transit and at rest by our providers' security. A copy may be cached in your browser for offline use. We
retain your data while your account is active; when you delete your data or account, it is removed from our
active database. Use the in-app export before deleting.
6. Your choices & rights
You can revoke location, camera, and Health permissions at any time in your device/browser settings.
You can export your data (Settings → Data) and delete all of it (Settings → Reset all data), or contact us
to delete your account and associated data.
Depending on where you live (e.g. Singapore PDPA, EEA/UK GDPR, California CCPA), you may have rights to
access, correct, delete, or port your personal data — contact [email protected].
7. Children
OPSIN is not directed to children under 13 (or the minimum age in your country), and we do not knowingly
collect their data.
8. Changes
We may update this policy; we'll change the effective date above and, for material changes, notify you
in the app.