Privacy Policy
Last updated: March 3, 2026
Plexo is a health data aggregation platform. We connect your health devices — Garmin, 8-Sleep, MacroFactor, and others — into one unified view. This privacy policy explains what data we collect, how we use it, and the rights you have over it.
The short version: your health data belongs to you. We store it to provide the service, never to sell it, and you can delete it at any time.
1. Who we are
Plexo is operated by an independent developer. If you have questions about this policy or your data, contact us at:
Email: privacy@plexo.health
Website: plexo.health
2. What data we collect
2a. Health data from connected devices
When you authorize a device or app integration, Plexo collects health metrics via official APIs. This may include:
- Sleep data: duration, stages, efficiency scores
- Heart rate: resting heart rate, heart rate variability (HRV), zone data
- Activity: steps, distance, active calories, movement patterns
- Exercise sessions: type, duration, intensity, performance metrics
- Nutrition: calorie intake, macronutrient logs
- Body measurements: weight, body composition
- Recovery metrics: readiness scores, stress levels
We only request the API scopes necessary to retrieve the specific data types above. We do not request access to your contacts, location history, payment information, or any data unrelated to health metrics.
2b. Account information
To create an account, we collect your email address. We may also collect a display name if you choose to provide one.
2c. Usage data
We collect basic server logs (IP addresses, request timestamps, error logs) for security and debugging purposes. These are retained for 30 days and are not associated with your health data.
3. How we use your data
We use your health data solely to:
- Display your health metrics in the Plexo interface
- Compute trends, scores, and analytics shown to you
- Sync data from your connected devices on your behalf
- Provide data export functionality at your request
We will never:
- ✕ Sell your health data to third parties
- ✕ Share your data with advertisers or data brokers
- ✕ Use your data to train machine learning models without explicit consent
- ✕ Share your data with insurance companies or employers
4. How we store and protect your data
All health data is stored in encrypted databases. Data is encrypted at rest using industry-standard encryption (AES-256) and in transit over TLS (HTTPS).
We use reputable cloud infrastructure providers with SOC 2 compliance. Access to production data is restricted to authorized personnel only.
In the event of a data breach that affects your personal health data, we will notify you within 72 hours of becoming aware of the incident.
5. Third-party integrations
Plexo connects to third-party health platforms (e.g., Garmin Connect, 8-Sleep, MacroFactor) via their official developer APIs. When you authorize an integration:
- You will be redirected to the third party's authorization flow (OAuth)
- We receive an access token; we never see or store your passwords
- You can revoke access at any time through the third party's settings or through Plexo
Each connected platform has its own privacy policy governing how they handle your data on their side. We encourage you to review those policies.
6. Your rights
Regardless of your location, you have the following rights over your data:
Right to access
You can request a copy of all health data we have stored for you at any time.
Right to export
You can export your data in a machine-readable format (JSON or CSV) at any time without restriction.
Right to deletion
You can request complete deletion of your account and all associated health data. Deletion is permanent and irreversible. We will confirm completion within 30 days.
Right to correction
If we hold inaccurate information about you (e.g., account details), you can request it be corrected.
Right to object
You can object to any processing of your data beyond what is strictly necessary to provide the service.
To exercise any of these rights, email us at privacy@plexo.health. We will respond within 30 days.
7. GDPR (European users)
If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:
- Contract performance: to deliver the Plexo service you signed up for
- Explicit consent: for health data, which is a special category under GDPR Article 9. You consent when you connect a device and authorize data sync.
- Legitimate interests: for security logging and fraud prevention
You may withdraw consent at any time by disconnecting integrations and deleting your account. This does not affect processing prior to withdrawal.
8. CCPA (California users)
California residents have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information. For any CCPA requests, contact privacy@plexo.health.
9. Data retention
We retain your health data for as long as your account is active. If you delete your account, all health data is permanently deleted within 30 days. Server logs are retained for 30 days. Backups may contain your data for up to 90 days after deletion, after which they are purged.
10. Children's privacy
Plexo is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us and we will delete it promptly.
11. Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email (if you have an account) or by posting a notice on this page with the updated date. Continued use of Plexo after changes constitutes acceptance of the updated policy.
12. Contact
For any privacy-related questions, requests, or concerns:
Email: privacy@plexo.health
We aim to respond to all privacy inquiries within 5 business days.