Privacy Policy

Last updated: 11 April 2026

lcovid is a beta wellness platform built by and for Long COVID patients. We take your privacy seriously because we know what it feels like to be dismissed, unheard, and exposed. This policy explains — in plain language — what we collect, why, and the rights you have.

Who we are

lcovid is operated by Maurits Huisman, a Long COVID patient and founder based in the Netherlands. Contact: hello@lcovid.io.

Important: lcovid is not a medical provider. We do not offer diagnosis, treatment, or medical advice. All content on the platform is for educational and self-management purposes only. Always consult qualified healthcare providers for medical decisions.

What we collect

We collect the following categories of information:

  • Account information: email address, name (optional), hashed password, and the invite code you used.
  • Onboarding profile: symptoms you report, the duration of your illness, and treatments you have tried. You can skip this step.
  • Symptom tracking data: daily energy, brain fog, sleep, crash status, tags, and free-text notes that you voluntarily log.
  • Meal logs: photos you upload and the AI-generated nutritional analysis of those photos.
  • AI Q&A interactions: the questions you ask our AI assistant and the responses shown to you.
  • Wearable data (optional): if you connect a wearable device, we receive heart rate, HRV, sleep, steps, and related metrics from the device provider.
  • Feedback submissions: any feedback you provide through the in-app feedback form.
  • Technical logs: basic access logs (IP address, browser, timestamps) for security and troubleshooting.

We do not collect: your medical records, lab results, prescription data, insurance information, or government identifiers.

Why we collect it

  • Operating the service: to give you the knowledge base, AI Q&A, symptom tracker, and meal analyzer you signed up for.
  • Personalization: to tailor AI answers and insights to your profile and history.
  • Improving the platform: to understand which features help Long COVID patients and which do not.
  • Keeping you informed: to send occasional product updates or feature announcements (you can unsubscribe at any time).
  • Legal compliance: to meet our obligations under GDPR and similar laws.

Your legal basis (GDPR)

Under the General Data Protection Regulation (GDPR), we process your data based on:

  • Your consent — which you give by signing up and accepting these terms. You can withdraw consent at any time.
  • Contractual necessity — we need to process some data (email, password) to provide the service you requested.
  • Legitimate interest — for security, fraud prevention, and basic analytics.

Health-related data you log in the symptom tracker is considered a special category of data under GDPR Article 9. We process it only with your explicit consent, given when you create an account.

Your rights

You have the right to:

  • Access — request a copy of your data
  • Rectify — correct inaccurate data
  • Erase — delete your account and all associated data (“right to be forgotten”)
  • Portability — receive your data in a structured JSON format to take elsewhere
  • Restrict processing — ask us to stop using your data while a dispute is resolved
  • Object — to processing you disagree with
  • Complain to a supervisory authority (in the Netherlands: Autoriteit Persoonsgegevens)

You can exercise most of these rights directly from your account settings, or email us at privacy@lcovid.io. We respond within 30 days.

Who we share it with

We share data with a small set of trusted infrastructure partners that are strictly necessary to operate lcovid:

  • Railway (US / EU) — hosting and database infrastructure
  • Anthropic (US) — powers the AI Q&A and meal analysis features. Your questions and meal photos are processed by their API. Anthropic does not train on this data.
  • Resend (EU) — delivers transactional email (welcome, password reset)
  • Garmin (US) — if you opt in to wearable sync, we receive your metrics via their API

We do not sell your data. We do not share data with advertisers, insurers, or employers. We do not run third-party analytics or ad tracking.

International transfers

Because some of our infrastructure partners are based outside the EU (notably Anthropic and Railway for certain regions), your data may be transferred to the United States. These transfers are covered by Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.

Data retention

We keep your data for as long as your account is active. If you delete your account, we remove all personal data within 30 days, except for aggregated statistics (which cannot be tied back to you) and records we are legally required to retain.

Security

We store your data on encrypted Railway infrastructure. Passwords are hashed with bcrypt. Only a small set of allowlisted admin accounts can access user data, and then only for support, debugging, or honoring privacy requests. We log admin access for accountability.

No system is 100% secure. If we become aware of a data breach affecting you, we will notify you within 72 hours as required by GDPR.

Children

lcovid is not intended for users under 18. If we discover an account belonging to a minor, we will delete it.

Changes to this policy

We may update this policy as lcovid evolves. We will notify you of material changes by email and in the app. The date at the top of this page always reflects the latest version.

Contact

Questions? Email privacy@lcovid.io or hello@lcovid.io. We answer every message personally.