Privacy Policy

Last update: March 24, 2026

Lila, a Tidalflow.com product, Privacy and Data Protection Policy

Purpose and Scope

In its everyday business operations Tidalflow.ai makes use of a variety of personal data, including data about:

  • Current, past and prospective employees
  • Customers
  • Users of and visitors to its websites
  • Subscribers
  • Other stakeholders

In collecting and using this data, the organization is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it. The purpose of this policy is to set out the relevant legislation and to describe the steps Tidalflow.ai is taking to ensure that it complies with that legislation. This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Tidalflow.ai systems.

Applicable privacy legislation

The list below shows the main items of privacy legislation that apply to the countries (or groups of countries) and states within which Tidalflow.ai operates.

  • Argentina, Personal Data Protection Law (PDPL)
  • Australia, Privacy Act
  • Australia, Privacy and Personal Information Protection Act
  • Brazil, General Data Protection Law (LGPD)
  • Canada, Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Canada (Quebec), Act respecting the protection of personal information in the private sector
  • European Union, General Data Protection Regulation (GDPR)
  • Singapore, Personal Data Protection Act
  • United Kingdom, UK GDPR Data Protection Act
  • USA (California), California Consumer Privacy Act (CCPA)

Tidalflow.ai has a legal obligation to comply with the provisions of this legislation at all times. Whilst there will be variations in these provisions, this policy establishes the key principles that are commonly required to be observed in such legislation. Significant fines may be applicable if a breach is deemed to have occurred under the relevant privacy legislation, which is designed to protect the personal data of citizens of the country (or state, region or countries) involved. It is Tidalflow.ai’s policy to ensure that our compliance with applicable legislation is clear and demonstrable at all times.

Definitions

The definitions used within privacy legislation vary and it is not appropriate to reproduce them all here. However, the common terms used within this policy are as follows:

  • Personal data: Any information that (a) can be used to identify the personal data principal to whom such information relates, or (b) is or might be directly or indirectly linked to a personal data principal.
  • Personal data principal: Natural person to whom the personal data relates. Also referred to as data subject.
  • Processing of personal data: Operation or set of operations performed upon personal data, including collection, storage, alteration, retrieval, consultation, disclosure, anonymization, pseudonymization, dissemination or otherwise making available, deletion or destruction.
  • Data Controller: Privacy stakeholder that determines the purposes and means for processing personal data.
  • Data Processor: Privacy stakeholder that processes personal data on behalf of and in accordance with the instructions of a data controller.

Principles relating to processing of personal data

  • Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner.
  • Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed in an incompatible manner.
  • Data minimization: adequate, relevant and limited to what is necessary for the purposes processed.
  • Accuracy: kept accurate and up to date; inaccurate data is erased or rectified without delay.
  • Storage limitation: kept identifiable for no longer than is necessary for the purposes processed.
  • Integrity and confidentiality: processed with appropriate security against unauthorized or unlawful processing and accidental loss, destruction or damage.

Processing of special categories of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, sex life or sexual orientation shall be prohibited. Exceptions apply only where lawful, including reasons of public interest, preventive medicine, or defense of a legal claim.

Tidalflow.ai will ensure that it complies with all these principles both in the processing and as part of the introduction of new methods of processing such as new IT systems.

Rights of the individual

The personal data principal has rights with regard to their personal data:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Each of these rights is supported by appropriate procedures within Tidalflow.ai that allow the required action to be taken within the timescales stated in applicable privacy legislation:

  • Right to be informed: when data is collected, or within one month if not supplied directly
  • Right of access: one month
  • Right to rectification: one month
  • Right to erasure: without undue delay
  • Right to restrict processing: without undue delay
  • Right to data portability: one month
  • Right to object: on receipt of objection
  • Rights re: automated decision making and profiling: not specified

If Tidalflow.ai does not take action on a request, we will inform the personal data principal within one month of receipt of the request of the reasons. Where requests are unfounded or excessive, Tidalflow.ai may either charge a reasonable fee or refuse to act on the request, and may request additional information to confirm the identity of the requester. Information provided shall be comprehensible and clearly legible. Tidalflow.ai shall take reasonable steps to inform relevant data controllers, processors, and recipients of any rectification, erasure, or restriction request.

Lawfulness of processing

Depending on the legislation involved, there may be a number of alternative ways in which the lawfulness of processing personal data may be established. It is Tidalflow.ai policy to identify and document the appropriate basis for processing.

Consent

Where appropriate, Tidalflow.ai will obtain consent from a personal data principal to collect and process their data. For children below the applicable age, parental consent will be obtained. Transparent information about our usage and rights (including the right to withdraw consent) will be provided in an accessible form, in clear language, free of charge. If data is not obtained directly from the principal, this information will be provided within a reasonable period and definitely within one month.

Performance of a contract

Where the personal data is required to fulfill a contract with the principal, consent is not required (e.g. an address needed to make a delivery).

Legal obligation

If the personal data is required to be collected and processed in order to comply with applicable law, then consent is not required (e.g. some employment and taxation data, or processing relating to criminal convictions and offenses).

Vital interests of the personal data principal

Where required to protect the vital interests of the principal or another natural person, this may be used as the lawful basis. Tidalflow.ai will retain reasonable, documented evidence whenever this reason is used.

Task carried out in the public interest

Where Tidalflow.ai needs to perform a task it believes is in the public interest or as part of an official duty, consent will not be requested. The assessment will be documented and made available as evidence where required.

Legitimate interests

If the processing is in the legitimate interests of Tidalflow.ai and is judged not to affect the rights and freedoms of the principal in a significant way, this may be defined as the lawful reason. The reasoning will be documented.

Privacy by design

Tidalflow.ai has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments, which consider:

  • How and what types of personal data will be processed and for what purposes
  • Whether the proposed processing is necessary and proportionate
  • Risks to individuals in processing the personal data
  • Controls necessary to address risks and demonstrate compliance

Use of techniques such as data minimization, pseudonymization, and encryption will be considered where appropriate, including at the end of processing, and documented. Where a data protection impact assessment indicates a high residual risk, Tidalflow.ai shall consult the supervisory authority prior to processing.

Contracts involving the processing of personal data

Tidalflow.ai will ensure that all relationships it enters that involve the processing of personal data are subject to a documented contract that includes the specific information and terms required by applicable legislation.

International transfers of personal data

Transfers of personal data between countries will be carefully reviewed prior to the transfer to ensure that they fall within the limits imposed by the applicable legislation. Where an adequacy decision (or similar statement) does not exist for a destination country, an appropriate safeguard such as standard contractual clauses will be used, or a relevant exception identified as permitted under the applicable legislation.

Data Retention

We retain personal data, including HealthKit data, only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by applicable law. Upon deactivation of your account, all associated personal data, including any HealthKit data we have stored, will be permanently deleted within 30 days, unless retention is required to comply with legal obligations, resolve disputes, or enforce our agreements.

AI Processing

When you engage with our AI Assistant, we collect and process the text or images you provide. This may include health-related information if you choose to share it. Depending on the nature of your data and your region, Tidalflow.ai will seek explicit consent for processing health data as required by applicable law (e.g., GDPR). We may share the conversation content with a subprocessor that provides AI and machine learning functionality on our behalf. This subprocessor is contractually bound to use the information only for the purpose of fulfilling our service to you and to adhere to confidentiality and data protection requirements consistent with our obligations under applicable law.

When you sign in with Google, the only Google user data we process is your name and email address, as described in the “Use of Google User Data” section below.

Where health or fitness data originating from Apple Health (HealthKit) is processed by our AI assistant, all personally identifiable information is removed prior to transmission to any third-party subprocessor. Only the minimum data necessary to generate a personalized response is shared, and the subprocessor may not retain or use this data beyond fulfilling your request.

Apple Health (HealthKit) Data

Our App offers optional integration with Apple Health (HealthKit). If you choose to enable this integration, you control exactly which health and fitness data categories are shared with Lila through your device’s Health permissions screen.

  • Types of data. Depending on your selections, we may read data such as activity and exercise metrics, heart rate, sleep analysis, body measurements, nutrition, menstrual cycle tracking, and other categories available through HealthKit. The specific categories are displayed in the App before you grant access.
  • How we use HealthKit data. Solely to provide, personalize, and improve the health and wellness guidance within the App. HealthKit data is not used for advertising, marketing, data brokerage, or any purpose other than delivering and improving the Lila experience.
  • AI processing of HealthKit data. Where HealthKit data is used as context for our AI assistant, we first anonymize it by removing all personally identifiable information (such as your name, email address, and account identifiers). Only the minimum health data necessary to generate a personalized response is transmitted to our AI subprocessor. The subprocessor is contractually prohibited from retaining, training on, or using this data for any purpose other than generating your response.
  • No sale or unauthorized sharing. We do not sell, license, or otherwise disclose HealthKit data to third parties. We do not use HealthKit data to serve advertisements or build user profiles for third-party use.
  • No use for training. HealthKit data is not used to train machine-learning or AI models.
  • Storage and security. HealthKit data is stored securely within our systems and is subject to the same technical and organizational safeguards described elsewhere in this Privacy Policy.
  • Revoking access. You may revoke Lila’s access to Apple Health at any time through your device’s Settings > Health > Data Access & Devices. Revoking access will stop future data collection but will not automatically delete data already collected. To request deletion, see the “Rights of the individual” section of this policy or contact us at support@tidalflow.ai.

Use of Google User Data

When you choose to sign in with your Google account, Lila AI (a Tidalflow.ai product) accesses limited information from your Google profile. Specifically, we access: (i) your name and (ii) your email address.

We use this information solely to:

  • Create and maintain your Lila AI account
  • Identify you within the application
  • Communicate with you about your account and our services (e.g. onboarding emails, service updates, security notifications)

We do not access any other Google data (such as your emails, contacts, files, or calendar). We do not sell your Google user data or use it for advertising. We only share your name and email address with subprocessors that help us operate our service (for example, cloud hosting, email delivery, or analytics providers), and only under contracts that require them to protect your data and use it solely to provide services to us.

You can stop our access to your Google account at any time by disconnecting Lila AI from your Google account in your Google account settings or by contacting us to delete your account. When you delete your account with us, we delete or anonymize your associated personal data, including your name and email address, unless we are required to retain some information to comply with legal obligations.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data protection officer

A defined role of Data Protection Officer (DPO) is generally required under privacy legislation if an organization is a public authority, performs large scale monitoring, or processes particularly sensitive types of data on a large scale. Based on these criteria, Tidalflow.ai has an internal Data Protection Officer appointed.

Breach notification

It is Tidalflow.ai’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. Where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within the specified timeframe (for the GDPR, within 72 hours). If acting as a data processor, Tidalflow.ai shall notify the data controller of the security incident involving personal data. This will be managed in accordance with our Security Incident Response Policy.

Under privacy legislation, the relevant authority may have the right to impose a range of fines, often based on a percentage of annual worldwide turnover or a specific amount, for infringements of the regulations.

Addressing compliance to applicable privacy legislation

The following actions are undertaken to ensure that Tidalflow.ai complies at all times with the accountability principle of privacy legislation:

  • The legal basis for processing personal data is clear and unambiguous
  • A Data Protection Officer is appointed (where required)
  • All staff handling personal data understand their responsibilities
  • Data protection training has been provided to all staff
  • Rules regarding consent are followed
  • Routes are available to principals wishing to exercise their rights, and inquiries are handled effectively
  • Regular reviews of procedures involving personal data are carried out
  • Privacy by design is adopted for all new or changed systems and processes

The following documentation of processing activities is recorded:

  • Organization name and relevant details
  • Purposes of the personal data processing
  • Categories of individuals and personal data processed
  • Categories of personal data recipients
  • Agreements and mechanisms for transfers of personal data to other countries, including controls in place
  • Personal data retention schedules
  • Relevant technical and organizational controls in place

These actions are reviewed on a regular basis as part of the management process concerned with privacy and data protection.

Exceptions

Tidalflow.ai business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Tidalflow.ai policy. If an exception is needed, Tidalflow.ai management will determine an acceptable alternative approach.

Enforcement

Any violation of this policy or any other Tidalflow.ai policy or procedure may result in disciplinary action, up to and including termination of employment. Tidalflow.ai reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Tidalflow.ai does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.

Any member of personnel who is requested to undertake an activity that they believe is in violation of this policy must provide a written or verbal complaint to their manager or any other manager of Tidalflow.ai as soon as possible.

The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and any other security breaches.

Responsibility, Review, and Audit

Tidalflow.ai reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are communicated across the organization.

This document is maintained by Sebastianrtj Jorna. Last updated on 03/18/2024.

Contact

For privacy-related questions or to exercise your rights, contact us at support@tidalflow.ai.