Legal

Privacy Policy

Morning Kept LLC  ·  Effective June 19, 2026  ·  Last updated June 2026

Who We Are

Morning Kept LLC is a Connecticut limited liability company that operates Tuned (AI fitness coaching) and Handled (AI meal planning), accessible at subdomains of morningkept.com. References to "Morning Kept," "we," "us," or "our" refer to Morning Kept LLC.

Privacy questions and requests: privacy@morningkept.com. This inbox is monitored regularly and we respond to privacy requests within 45 days.

Who This Service Is For

Morning Kept's products are for adults. You must be 18 years of age or older to create an account. We do not knowingly collect personal information from anyone under 18. If we learn that an account belongs to someone under 18, we will close it and delete the associated data. If you believe a person under 18 has created an account, contact privacy@morningkept.com.

What We Collect and Why

1. Account information

Email address and display name, used to authenticate your account and communicate with you about the service. Passwords are managed by our authentication provider using industry-standard hashing; we never see or store them in readable form.

2. Onboarding and profile information

Both products configure themselves through a conversational onboarding experience. The information you share is used solely to personalize your experience.

For Tuned: fitness goals, physical limitations and injury history, equipment, training history and experience, schedule and availability, wearable device type, activities you enjoy, and general nutrition habits.

For Handled: household composition and member names, dietary restrictions and food allergies (including health-related food needs), protein and cuisine preferences, cooking schedule, kitchen equipment, general location (city and state, for seasonal ingredient relevance only), and delivery day preference.

Some of this information relates to your health, such as physical limitations, injuries, and dietary needs tied to health conditions. We treat all such information as sensitive personal information. Before we collect health-related information during onboarding, we ask for your affirmative consent. You can decline; the products will work with reduced personalization. You may withdraw this consent at any time by contacting privacy@morningkept.com, and you may request deletion of health-related information independently of closing your account.

3. Wearable device data (Tuned)

If you connect a wearable device, we access biometric data through the device platform's official API using OAuth 2.0 authorization.

Fitbit devices and Google Pixel Watch (via the Google Health API): we access sleep session data (duration, sleep stages such as deep, REM, light, and awake, and efficiency), daily resting heart rate, daily step count, and body weight measurements. We do not access your GPS location, nutrition logs, ECG or other clinical-grade data, or any other data types from your Google Health account.

Oura Ring (via the Oura API): we access sleep session data, resting-period heart rate, daily activity (steps and activity score), and readiness data.

Biometric data retrieved on your behalf is stored in our database and used to generate your personalized coaching. If you also use Handled and have linked your accounts, your training and recovery signals may also inform your household's meal planning. We store summary-level fields only: sleep duration and stages, sleep efficiency, resting heart rate, daily steps, and weight. We do not store raw per-second or per-minute data streams, and we do not store wearable profile data such as your name, date of birth, or biological sex from the device platform.

How wearable credentials are stored: the OAuth tokens that authorize us to retrieve your data are stored server-side in our database, encrypted at rest. They are never held in your browser. Your browser authenticates to our servers with your account session; our servers retrieve wearable data on your behalf using credentials you never directly handle.

Transition disclosure: users who connected a Fitbit or Oura Ring before we moved wearable credentials to encrypted server-side storage may still have authorization tokens stored in their browser's local storage. Those tokens move to encrypted server-side storage automatically the next time the device is reconnected. No action is required, and in the meantime those tokens are protected by the browser's same-origin policy and accessible only to our application code.

In-app disclosure and consent: when you connect a Google Health-linked device, a disclosure appears in the app on the connection screen, before the connection begins, describing the data we access and how it is used. Connection requires your affirmative action. Help documentation explaining how to manage and delete your wearable data is available at morningkept.com/help/your-data.

Revoking access: disconnect anytime in the Tuned app. Google Health users can also revoke access at myaccount.google.com/permissions; Oura users via Oura's account settings. Revoking stops future collection; to delete already-stored biometric data, contact privacy@morningkept.com.

4. Activity within the products

Workout sessions you log in Tuned (exercises, sets, reps, weights, session type, notes). Meals you log in Handled (what you cooked, ratings, tags, notes) and your meal and recipe libraries. Basic usage events and errors, used only to operate and improve the service. We do not use third-party advertising trackers.

Consumer Health Data

Some information we collect is "consumer health data" under state laws including the Connecticut Data Privacy Act and Washington's My Health My Data Act: biometric measurements from your wearable, physical limitations and injury history, and dietary needs tied to health conditions.

We collect this data from you directly (onboarding, logging) and, with your authorization, from your wearable device platform. We use it for exactly one purpose: generating your personalized coaching and meal planning. We share it only with the service providers listed below, only as needed to operate the service. We do not sell consumer health data. We do not use it for advertising. We do not share it with data brokers.

You have the right to: confirm whether we collect your consumer health data and access it; obtain a list of the third parties with whom it has been shared; withdraw consent to its collection or sharing; and have it deleted. Exercise any of these rights at privacy@morningkept.com. We respond within 45 days. If we decline a request, you may appeal by replying to our response; appeal outcomes are provided within 45 days.

How We Use Your Information

To authenticate your account; personalize and generate your daily fitness recommendations and weekly meal plans; improve recommendation quality for you over time; communicate with you about your account; diagnose technical problems; and comply with law.

We do not use your information for advertising. We do not sell it. We do not combine it with other users' data for commercial purposes.

AI Systems, Profiling, and Model Training

Tuned and Handled generate recommendations using AI. When generating a recommendation, relevant portions of your profile, activity history, and biometric summary are sent to the Claude API (Anthropic, PBC) to produce your coaching or meal plan. Anthropic processes this data under commercial API terms; per those terms, Anthropic does not use Morning Kept's API data to train its models.

Model training disclosure: Morning Kept does not collect, use, or sell your personal data to train large language models or any other AI models, neither our own (we have none) nor any third party's. Dish names and recipe notes (not health data, not personal identifiers) are converted into mathematical representations using OpenAI's embeddings API to help match meals to your preferences; per OpenAI's API terms, that data is not used for model training either.

Profiling disclosure: we build and continuously update a profile of your preferences, activity, and biometrics to personalize recommendations. That is the product. This profiling is not used to make decisions producing legal or similarly significant effects. It decides what workout or dinner to suggest, nothing more.

Recommendations are not medical or dietary advice. If you have a medical condition affecting your diet or physical activity, consult a qualified healthcare professional. Morning Kept is not a healthcare provider, and nothing in this policy should be read as offering protections equivalent to HIPAA. Morning Kept is not a HIPAA-covered entity.

Service Providers

Each provider receives only the data necessary for its function:

Provider | Function | Data involved
Supabase | Database and authentication | All stored user data; hosted in the United States; encrypted at rest and in transit
Vercel | Application hosting and serverless functions | Request data in transit; no persistent user data stored
Anthropic (Claude API) | AI recommendation generation | Profile, history, and biometric summary included in generation requests; not used for model training
OpenAI (embeddings API) | Meal preference matching | Dish names and recipe notes only; no health data or identifiers; not used for model training
Google (Google Health API) | Wearable data access, Fitbit and Pixel Watch | OAuth credentials stored server-side, encrypted; biometric data retrieved on your behalf. Google's practices: policies.google.com/privacy
Oura (Oura API) | Wearable data access, Oura Ring | OAuth credentials; biometric data retrieved on your behalf
Stripe | Payment processing | Name, email, payment method. No health or biometric data reaches Stripe.
Resend | Transactional email | Email address and account-related email content
Beehiiv | Prospect email list (pre-signup) | Email address you submit on morningkept.com
Sentry | Error monitoring | Technical error data used to diagnose product issues

We do not share your data with anyone else except as required by law.

Google Health API: Limited Use Disclosure

The use of information received from Google Health API and/or Developer Tools will adhere to the Google Health API Developer and User Data Policy, including the Limited Use requirements.

In plain language: Google Health data is used only to provide and improve Tuned's coaching features that are visible to you in the app. It is never transferred to advertising platforms, data brokers, or resellers; never used for advertising; never used for creditworthiness or lending; and humans do not read it except with your explicit consent, for security investigations, or where required by law.

Data Security

Data is encrypted in transit (HTTPS) and at rest. Database access is enforced through row-level security. Your data is accessible only to you and to Morning Kept for operating the service. Wearable OAuth credentials are encrypted at rest in server-side storage. AI API keys are held server-side only and never exposed to browsers.

To report a security vulnerability or suspected account compromise: security@morningkept.com.

Breach Notification

If a breach of security involving your unsecured identifiable health information occurs, we will notify you without unreasonable delay and within 60 days of discovery, by email and by in-app or banner notice, consistent with the FTC Health Breach Notification Rule. The notice will describe what happened, what information was involved, what we are doing, and what you can do.

Data Retention and Deletion

We retain your data while your account is active. If you cancel, your account and data remain accessible to you. On a deletion request, we delete your personal data within 30 days except where law requires retention. Deletion covers: account credentials, fitness profile, session history, biometric history, wearable authorization credentials, usage events, meal planning profile, meal and recipe libraries, ratings and cook history, and onboarding records. Deletion is permanent.

You may delete biometric data independently of your account. Help documentation for managing and deleting your data: morningkept.com/help/your-data. Requests: privacy@morningkept.com.

Your Rights

Subject to applicable law, you may access, correct, delete, and export your personal data; opt out of any sale of personal data (we sell none) and of targeted advertising (we do none); and contest profiling decisions that produce legal or similarly significant effects (we make none). Connecticut residents have these rights under the Connecticut Data Privacy Act; residents of other states may have similar rights under their own laws, and we honor the rights of the state where you live. Contact privacy@morningkept.com; we respond within 45 days and provide an appeal path if we decline a request.

Children

The service is for adults 18 and over. We do not knowingly collect personal information from children under 13, and if we learn we have, we delete it promptly, consistent with COPPA. Contact privacy@morningkept.com.

Changes to This Policy

When we make material changes, we will notify you by email or in-app notice before they take effect. The effective date above reflects the current version. Continued use after notice constitutes acceptance.

Morning Kept LLC  ·  Connecticut, United States  ·  privacy@morningkept.com