Privacy Policy

Effective: 2026-04-17

Section 01

Introduction

Prime Factors ("the App") is a continuous glucose monitor (CGM) companion application designed to help individuals — including healthy users, pre-diabetics, and diabetics — better understand and manage their blood sugar for improved health outcomes. The App is available on iOS, Android, and as a web application (with limited functionality).

This Privacy Policy explains how M Three Health Pte. Ltd., operating under the brand name Prime Factors ("we", "us", or "our") collects, uses, stores, and protects your personal information. By using the App, you agree to the practices described in this Privacy Policy.

Section 02

Information We Collect

We collect the following categories of information:

Personal Identity Information

When you create an account, we collect:

  • Full name
  • Email address
  • Date of birth

Personal Health Information

During onboarding, you may optionally provide your HbA1c test results to help personalise your experience. The App integrates with your CGM device to collect continuous glucose data. We do not integrate with Apple HealthKit.

Usage Analytics

We collect anonymised data about how you interact with the App to improve performance and user experience.

Device Identifiers

We collect device identifiers to support app functionality, security, and analytics.

AI Coach Inputs (sent to our AI service provider)

When you use the AI Coach feature, the following inputs are transmitted to our AI service provider, Google Cloud (Vertex AI Gemini and Dialogflow CX), so the Coach can generate an answer:

  • The text of the question you type to the Coach.
  • Any images you choose to attach to a Coach message (analyzed with Vertex AI Gemini so the Coach can describe what's in them).
  • Only when you have explicitly opted in via the in-app AI Coach disclosure: a de-identified summary of your last 7 days of glucose data (average Glucose Load, spike count, latest baseline, unit) and a de-identified summary of your last 7 days of meal logs (number of days with meal logs and total meal count).

We also send meal photos you upload to Vertex AI Gemini (for nutritional analysis of your meal) and to Vertex AI Imagen 4 (to generate a stylised dish thumbnail). These happen when you log a meal — they are described to you in the meal-logging flow.

We never transmit your name, date of birth, sex, email address, phone number or timezone to any AI service — neither with your consent nor without it. Identity fields are stripped at the server before any request leaves our backend.

Section 03

How We Use Your Information

We use your information to:

  • Provide, operate, and improve the App
  • Personalise your blood sugar management experience
  • Generate AI-assisted answers in the AI Coach feature (using Google Cloud Vertex AI Gemini and Dialogflow CX), including — only when you have granted consent in the app — de-identified summaries of your recent glucose and meal data so the Coach can tailor its answers to your situation
  • Analyse meal photos to estimate nutritional content and generate dish thumbnails (using Google Cloud Vertex AI Gemini and Vertex AI Imagen 4)
  • Manage your account and subscription
  • Ensure the security and integrity of our services
  • Comply with legal obligations

We do not use your data for advertising purposes and have no plans to do so.

Section 04

Data Storage & Retention

Storage

Your data is stored in two ways:

  • Online data: Stored on secure servers hosted via Supabase (Amazon Web Services, US), Google Cloud Platform, and Google Vertex AI.
  • Offline data: Stored locally on your device.

Retention

We retain your personal data for as long as your account remains active. If you delete your account, we will process your data deletion request. Please note that deletion requests are currently handled manually and may take a short period to complete.

Section 05

Data Security

We take the security of your data seriously and implement the following measures:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using industry-standard protocols.
  • Encryption at rest: Data stored on our servers is encrypted by default.
  • Access controls: Access to your data is strictly limited to authorised personnel only, in accordance with the security standards of our cloud infrastructure providers (AWS and GCP).

While we apply industry-standard security practices, please note that we have not yet undergone independent third-party security audits or certifications (e.g. ISO 27001, SOC 2). We are committed to strengthening our security posture as the product matures.

Section 06

Third-Party Services

We work with the following third-party service providers who may process your data as part of delivering our services:

Provider | Purpose | Infrastructure
Supabase | Database, authentication & backend infrastructure | AWS, US
Google Cloud Vertex AI Gemini | Meal photo analysis and AI Coach image understanding | GCP
Google Cloud Dialogflow CX | AI Coach conversational engine (processes your question and, with consent, de-identified glucose/meal summaries) | GCP
Google Cloud Vertex AI Imagen 4 | Generates stylised thumbnail images for meals you log | GCP
Google Cloud Vertex AI Search | Retrieves curated coaching knowledge used to ground AI Coach answers | GCP
Firebase | App performance & crash analytics | GCP
Google Analytics | Usage analytics (aggregated, de-identified) | GCP
Stripe | Payment processing |

Each provider operates under their own privacy and security policies. We share only the data necessary for each provider to perform their function.

Our use of Google Cloud services is governed by Google's Cloud Data Processing Addendum. Under that agreement, Google processes the data we send only to deliver the service we requested and does not use it to train Google's generally-available AI models. Google Cloud holds ISO/IEC 27001, 27017, 27018 and SOC 2 certifications, providing a level of data protection at least equivalent to the safeguards described in this policy.

Section 07

AI Coach Consent & Data Minimisation

The AI Coach is the only feature that can transmit a summary of your personal glucose and eating-habit data to a third-party AI service. Because this involves health data, we ask for your explicit permission before doing so.

How consent works

  • The first time you open the AI Coach, we show an in-app disclosure sheet that lists exactly what would be sent to Google Cloud and asks you to choose between Personalised mode (we include the de-identified glucose + meal summary with your question) and General mode (the Coach answers from general knowledge only; no personal summary is sent).
  • You can change your choice at any time from Settings → AI Coach personal data or by tapping the mode indicator shown at the top of the Coach screen.
  • Your current consent state is stored on your profile on our servers and is the authoritative check used by the backend before any glucose or meal summary is assembled.

Data minimisation for AI Coach

When you have granted personalised-mode consent, the data sent to Google Cloud with your question consists only of:

  • Average Glucose Load over the last 7 days, number of spike events, latest baseline value, and the glucose unit.
  • Number of days you logged meals in the last 7 days and the total meal count.
  • Your current Prime Factors program day number.

Your name, date of birth, sex, email address, phone number and timezone are never included in the payload sent to the AI service — not in personalised mode, and not in general mode. Identity fields are excluded at the source code level in our backend, independently of your consent state.

Section 08

Your Rights & Choices

GDPR — Users in the EU and UK

If you are located in the European Union or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

To exercise any of these rights, please contact us at support@myprimefactors.com.

CCPA — Users in California

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell your personal data.

Account Deletion

You may request deletion of your account and associated data at any time by contacting us at support@myprimefactors.com. Requests are processed manually and completed in a timely manner.

Section 09

Children's Privacy

The App is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, please contact us and we will take steps to remove that information.

Section 10

Subscription & Payments

Prime Factors is available via a paid subscription. Payment processing is handled by Stripe. We do not store your payment card details. Please refer to Stripe's privacy policy for information on how your payment data is handled.

Section 11

Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we do, we will revise the Effective Date at the top of this document. We encourage you to review this policy regularly. Your continued use of the App after any changes signifies your acceptance of the updated policy.

Section 12

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out:

support@myprimefactors.com