Legal
Privacy Policy
Effective May 1, 2026 · Last updated May 5, 2026
Summary
We collect the minimum information needed to deliver a personalized vision-training program. We never sell your data. We never share your health information for marketing. Your data is encrypted in transit and at rest. You can export or delete everything at any time from your account settings.
What we collect
- Account information: email, optional display name, encrypted password hash, profile picture (if you upload one).
- Health-related information: answers to the intake assessment (corrective wear, prescription range, vision type, astigmatism), visual-acuity test results, and exercise session logs (duration, perceived difficulty).
- Community content: posts and comments you publish to the community feed and any media you attach.
- Billing information: handled by Stripe. We receive only a customer ID and subscription status — never your card number.
- Service logs: IP address, user agent, and timestamps for security, fraud prevention, and audit logging.
How we use it
- To generate your personalized program from intake answers.
- To track your progress and surface it back to you.
- To moderate community content (community text only).
- To send transactional emails (account, billing, replies, your daily reminders if you opt in).
- To meet legal and security obligations.
Who we share it with
We share data only with vendors required to operate the service. Each one is bound by a data-processing agreement; vendors that handle Protected Health Information are bound by a Business Associate Agreement (BAA) where required.
- Supabase — database, authentication, storage, and Edge Functions (BAA in place).
- Cloudflare Stream — video lesson hosting and signed playback (BAA in place where applicable).
- Stripe — payments. We never send health information to Stripe.
- Resend — transactional email delivery (BAA in place).
- xAI (Grok) — automated moderation of public community posts and comments only. Health-related data is never sent to xAI.
We do not sell your information. We do not share it with advertisers. We do not use your health data to train AI models.
HIPAA posture
Unblur operates on HIPAA-compliant infrastructure: BAAs are in place with our covered vendors, data is encrypted in transit (TLS 1.2+) and at rest (AES-256), access is role-restricted, and we maintain audit logs of administrative actions on your data. Whether HIPAA itself applies to a specific interaction depends on who is sending the data and why; if you reach Unblur from a covered entity (e.g., your eye-care provider as part of a referral), please contact our Privacy Officer below so we can confirm appropriate handling.
Your rights
- Export: download all of your data as JSON from your account page at any time.
- Delete: permanently delete your account and all associated records from your account page. Some service-log data (e.g., billing records required by law) is retained for the periods required by applicable regulation.
- Correct: update your profile and intake answers from settings.
- Withdraw consent: revoke any consent you have previously granted from the cookie banner or your account settings; revocation does not affect processing performed prior to the revocation.
Data retention
We retain account and program data for as long as your account is active. After deletion, we expunge personal data within 30 days, except records required by law (typically billing records, kept 7 years).
Security
We use encryption in transit and at rest, principle-of-least- privilege access controls, audit logging, and routine review of our security posture. No system is perfectly secure. If you discover a vulnerability, please email security@unblur.app.
Children
Unblur is not intended for use by anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, please contact us so we can delete it.
Changes to this policy
We will post material changes to this page and notify you by email at least 14 days before they take effect. The "Last updated" date above always reflects the current version.
Privacy and Security Officers
Our designated Privacy Officer and Security Officer can be reached at privacy@unblur.app.
- Privacy Officer: (name pending)
- Security Officer: (name pending)
Contact
Questions about privacy: privacy@unblur.app. General support: contact form.