We take your privacy seriously. This policy explains how we collect, use, store, share and protect your personal and health information when you use ExecutiveOS (“ExecOS”) and our related advisory services. We have written it in plain English so you can understand what actually happens to your information. If anything here is unclear, please ask us.
A quick note on what ExecOS is. It is a premium executive-performance advisory and coaching service. It is not a medical or clinical service. We do not provide diagnosis, treatment, or medical advice. We work with health-related information to give you performance and lifestyle guidance, not clinical care. This distinction runs through everything below.
This Privacy Policy should be read together with our Terms of Service and Client Consent Form. Unless defined here, capitalised terms have the meaning given in our Terms of Service.
1. Who we are and how to contact us
Taylored Health is a trading name of Taylored Technologies Limited, a company registered in New Zealand (NZBN 9429048762588) (“we”, “us”, “our”). Our principals are Luke Taylor and Rachel Kelly.
For the purpose of your information, we are the “agency” responsible under the New Zealand Privacy Act 2020, the “data controller” under the EU General Data Protection Regulation (GDPR) where it applies, and the “business” under the California Consumer Privacy Act (CCPA) where it applies. Because your data is held in Australia, we are also the responsible entity under the Australian Privacy Act 1988 and the Australian Privacy Principles (APPs).
Our Privacy Officer is responsible for making sure we handle your information properly and for dealing with your questions, requests and complaints.
- Privacy Officer: Rachel Kelly
- Email: privacy@taylored.health
The fastest way to reach us about anything in this policy is privacy@taylored.health.
2. What information we collect, and where it comes from
Basic identity, contact and billing information: your name, email, phone and other contact details; your account and login details; billing information (we do not take card payments inside ExecOS and we do not store card or payment-instrument data; billing is handled separately by invoice through Xero); and records of your communications with us.
Health and performance information (sensitive information), collected only with your express consent (see section 3):
- wearable metrics from Oura: heart rate variability (HRV), resting heart rate, sleep, recovery, and body temperature
- continuous glucose monitoring (CGM) data from your Abbott Libre sensor
- blood-test results
- genetic data
- self-reported health information, including a daily “pulse” covering health, mood and stress
- Google Calendar events
If you engage us for an event or workshop, we also collect basic attendee information (name, contact details, and any information attendees choose to share during the session). Event-attendee information is not health information and is handled under the same principles set out in this policy.
Where this information comes from. Most comes directly from you. Some we collect from third-party sources, but only after you authorise us to connect to them: Oura (via secure OAuth); Google Calendar (via OAuth); and your own lab or clinic (bloods and genetics). You can disconnect these at any time (see section 8).
3. Health information is collected only with your express consent
We treat your health and performance information as sensitive, and we only collect and use it with your express, informed consent. Before we collect anything, we tell you what we want to collect and why. You actively opt in to each health data source separately. You can withdraw consent at any time, after which we stop collecting going forward and can delete what we hold (sections 8 and 9). We do not collect sensitive information we do not need.
Consent is obtained before any health data is collected, through our Client Consent Form at onboarding. That form also carries a separate, express consent for cross-border hosting and processing (see section 6) and an acknowledgment that ExecOS is advisory and not medical.
4. Why we collect your information, and what we will not do with it
We collect and use your information for one core purpose: to deliver the ExecOS advisory service to you. That includes building your performance picture, giving you personalised guidance, communicating with and supporting you, managing your account and billing, and meeting our legal obligations.
What we will not do: we do not sell your information; we do not use it for advertising; and we do not use your information to train public or third-party AI models.
A note on AI. ExecOS uses an AI model to help generate some of your guidance, for example your daily “Directive”. When it does, your relevant health and performance data is sent to our AI provider, Anthropic (Claude), and processed solely to produce your guidance. This processing happens in the United States (see section 6). We operate with model-training disabled on our account, so your data is not used to train AI models. We are honest that an AI processes your data to write your guidance; what we do not do is train models on it. If we ever want a genuinely new purpose, we will explain it and get your consent first.
5. Who can access your information
Our team. Access is limited to our two principals, Luke Taylor and Rachel Kelly, who need it to deliver your service and are bound by confidentiality. We work on least-privilege access.
Our sub-processors (they act under our instructions, not for their own purposes):
- Supabase — the managed database where your information is stored — hosted on AWS in the ap-southeast-2 region (Sydney, Australia). Supabase is SOC 2 Type 2 certified and HIPAA-capable.
- Render — hosts the ExecOS API, the service that reads your data to produce your insights — in Render’s Oregon region, in the United States. This means your data is processed in the US as well as stored in Australia (see section 6).
- Vercel — hosts the ExecOS frontend, the app you log into, on its global edge network. It serves only static files and runs no functions that process your health data; all data requests pass through to our API on Render.
- Anthropic (Claude) — our AI provider, used to generate some of your guidance such as your daily Directive. It processes your relevant health data in the United States to produce that guidance. We operate with model-training disabled on our account.
Oura and Google are data sources you authorise, not sub-processors acting on our instructions.
Other disclosures. We disclose your information only where the law requires it, or to protect someone’s safety in an emergency. We will not otherwise disclose your information without your consent, and we do not sell, rent or lease it.
6. Where your information is stored and processed, and what that means for you
Your information is stored in Australia (Sydney), in AWS ap-southeast-2, through Supabase. It is also processed in the United States, because our API server (Render, Oregon) reads your data to produce your insights, and our AI provider (Anthropic) processes your relevant health data to generate some of your guidance. So your data is stored in Australia and processed in the United States. The Vercel frontend serves only static files and does not process your health data.
Because your data is held in Australia, it is subject to Australian law (the Privacy Act 1988 and the Australian Privacy Principles) as well as New Zealand law. Before relying on an overseas provider we take reasonable steps to ensure they protect your information to a standard comparable to New Zealand’s Privacy Act, including through our contracts with them.
This cross-border storage and processing is covered by a separate, express consent in our Client Consent Form, because it involves your sensitive health information leaving New Zealand.
7. How we keep your information secure
We are committed to keeping your information secure. Our safeguards include:
- encryption in transit and at rest
- Row-Level Security on all database tables, so each client’s data is isolated at the database level and one client can never reach another’s information
- multi-factor authentication on all administrative accounts
- authenticated OAuth connections (we never hold your Oura or Google passwords)
- secrets held in managed secret stores and rotated when needed
- least-privilege access, limited to our two principals
- vetted infrastructure providers with recognised certifications (for example, Supabase is SOC 2 Type 2 certified)
No system is perfectly secure, but we work to protect your information and keep our safeguards current.
8. How long we keep your information, and deletion
We keep your information only as long as we need it to provide the service and meet our legal obligations. While you are a client we retain it. When you leave, or ask us to delete it, we delete or securely de-identify it in line with our retention schedule, except where the law requires us to keep certain records.
In short: health data (wearable, CGM, bloods, genetics, self-reported) is retained for the engagement plus up to 12 months; raw Google Calendar events for the engagement plus 30 days (de-identified insights derived from them may be kept); and billing and financial records for 7 years, to meet New Zealand tax law. De-identified or aggregated data that cannot reasonably identify you falls outside these periods. Full detail is in our internal Data Retention and Deletion Schedule available on request. You can ask us to delete your information at any point (section 9).
9. Your rights and how to use them
Under the NZ Privacy Act 2020 and the Health Information Privacy Code 2020, the Australian Privacy Act 1988 and the APPs, and (where they apply) the GDPR and CCPA, you can:
- access the information we hold about you
- correct it if it is wrong or out of date
- ask us to delete (erase) it, subject to legal retention
- withdraw consent and disconnect any data source
- ask for a copy of information you gave us in a commonly used, machine-readable format
- complain (section 12)
To make a request, contact privacy@taylored.health. We may verify your identity first. For access requests, we respond as soon as practicable and no later than 20 working days (NZ Privacy Act). We do not charge for these requests. If we cannot do what you asked (for example, because of legal retention), we will explain why.
If you are in the EU, you also have the GDPR rights of rectification, restriction of processing, access and portability, and erasure (“right to be forgotten”), and the right to lodge a complaint with a supervisory authority. Some information may be retained where necessary to meet a legal obligation or to establish, exercise or defend a legal claim, and residual copies may remain in secure backups until they age out.
If you are a California resident, you also have the CCPA rights of access, deletion, opt-out of sale (we do not sell personal information), and the right not to be discriminated against for exercising your rights.
10. Automated decisions and AI-assisted guidance
Some of your guidance, including your daily Directive, is generated with the help of an AI model (see section 4). This guidance is advisory and is not a decision that produces legal or similarly significant effects on you by itself; you remain in control of what you do with it, and no medical or clinical decision is made by the system. We describe the kinds of information used and the kind of output produced here and in section 4 so you understand how the automated element works.
11. If there is a data breach
If we experience a privacy breach likely to cause you serious harm, we will notify you as soon as we reasonably can (what happened, what was involved, and what you can do), and we will notify the regulators: the Office of the Privacy Commissioner in New Zealand and, where the Australian scheme applies, the Office of the Australian Information Commissioner. This is in line with the NZ Privacy Act 2020 and the Australian Notifiable Data Breaches scheme.
12. How to make a complaint
Step 1, contact us: email privacy@taylored.health. We will acknowledge it and work to resolve it.
Step 2, if you are not satisfied, contact the regulator:
- New Zealand: Office of the Privacy Commissioner, https://www.privacy.org.nz
- Australia: Office of the Australian Information Commissioner, https://www.oaic.gov.au
- EU: your local supervisory authority
- California: as set out in the CCPA
13. Changes to this policy
We may update this policy, for example if our service, our providers or the law change. For a material change we will update the effective date and let you know by email or an in-app notice. The version that applies is the one in force at the time.
This Privacy Policy is governed by the laws of New Zealand and is intended to comply with the NZ Privacy Act 2020, the Health Information Privacy Code 2020, the Australian Privacy Act 1988 and the APPs, and (where they apply) the GDPR and CCPA.