Privacy Policy

Last updated: 24 April 2026

This policy explains what personal data Dinara collects, why we collect it, how we use it, and the rights you have over it. Dinara handles sensitive health information, so we’ve written this in plain language wherever possible. If anything is unclear, email us at [email protected].

1. Who we are

Dinara is operated by Snap Media Ltd, a company registered in England and Wales (company number 16390638). Our registered office is 347a Wallisdown Road, Poole, BH12 5BU. "Dinara" is the trading name of the product. We are the data controller for the personal data described in this policy under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO). Registration reference: ZC132905. Our general contact email is [email protected]. For privacy matters specifically, please use [email protected].

2. Data we collect

The categories below describe everything Dinara may collect. You control how much you share — some categories only apply if you use the relevant feature.

Account data: email address, encrypted password, account creation date, subscription tier.

Profile data: display name, date of birth or age, biological sex, height, weight, training experience level, goals (e.g. fat loss, muscle gain, maternal health), dietary preferences, training days per week, unit system (metric or imperial).

Health condition data: any health conditions, allergies, intolerances, and current medications you choose to record. You enter this directly — we never obtain it from third parties.

Menstrual and reproductive health data: cycle tracking data if enabled, contraception method, pregnancy status, estimated due date, pregnancy history (current pregnancy, past pregnancies, postpartum status, after-loss status), and breastfeeding status. You control every field.

Mental health screening data: answers to the Edinburgh Postnatal Depression Scale (EPDS) if you complete a postpartum mental health check-in. EPDS is a validated 10-question screening tool — not a diagnosis. See section 5 for how we handle this.

Nutrition data: food logs, calories, macronutrients, meal photos (if you upload them), barcode scans, supplement logs.

Workout data: exercises performed, sets, reps, weights, workout durations, personal records, programme assignments.

Daily check-in data: sleep hours, mood, energy level, stress, pain level, symptoms, side effects.

Medication tracking data: medication names, dosages, schedules, adherence, and photographs of pill bottles or labels (if you upload them).

Blood test data: blood test results (biomarkers and values) if you choose to upload them for AI interpretation.

Progress photos: body photographs if you choose to upload them to the progress tab.

AI conversation data: the full text of conversations you have with Dinara (the AI coach). This is stored so we can show you your conversation history and give the AI the context it needs for subsequent messages.

Payment data: if you subscribe to a paid plan, Stripe processes payment on our behalf. We receive and store only your subscription status, tier, and billing metadata. We never see your full card number.

Device and usage data: IP address (used for session management and abuse prevention, not stored long-term), browser type, device type, pages visited, features used. Analytics are anonymised where possible.

Push notification subscription data: if you enable notifications, we store the notification subscription token so we can send you reminders.

3. Lawful basis for processing

We process your personal data under the following lawful bases (UK GDPR Article 6):

(a) Consent — for health data (see section 4), analytics, and push notifications. You can withdraw consent at any time.

(b) Contract — processing necessary to provide the service you've signed up for (e.g. account management, subscription billing, storing the data you log).

(c) Legitimate interest — for security, abuse prevention, service improvement, and defending against legal claims. Your rights always take precedence where they would override our interests.

(d) Legal obligation — where we have to process data to comply with UK law (e.g. tax records, responding to lawful information requests).

4. Special category data (health)

Health data, mental health data, reproductive data, and anything about sex life are classified as "special category data" under UK GDPR Article 9 and receive stronger protections. We rely on your explicit consent (Article 9(2)(a)) to process this data. You provide it voluntarily when you use the health features of Dinara. You can delete any piece of health data at any time through the app. You can also withdraw consent entirely by deleting your account, at which point all health data is erased in accordance with section 11.

5. Mental health screening (EPDS)

Dinara offers the Edinburgh Postnatal Depression Scale (EPDS), a validated 10-question screening tool for postpartum depression and anxiety. The EPDS is a screening tool only — it is not a diagnosis, and Dinara is not a medical device. Your EPDS answers are stored alongside your profile so we can track changes over time. If your responses include item 10 (thoughts of self-harm) or a high total score, Dinara will display in-app content encouraging you to contact your GP, health visitor, or urgent UK mental health support (Samaritans on 116 123, or NHS 111). We do not automatically contact any third party (including your GP, coach, or emergency services) based on EPDS responses — the choice to seek help is yours. See our Medical Disclaimer for full context.

6. AI and how we use it

Dinara's in-app coach is powered by Anthropic Claude, a large language model operated by Anthropic PBC. When you message the coach, the following is sent to Anthropic: your message text, your recent profile context (goals, experience level, training stats), your relevant health context (conditions, allergies, medications, pregnancy status if applicable), and your recent conversation history. Anthropic does not use data submitted through their API to train their models. Data sent to Anthropic is processed in accordance with their enterprise terms and UK GDPR-compliant Data Processing Addendum. Some of this processing may take place in the United States under Standard Contractual Clauses (see section 13). If you are uncomfortable with this, you can still use Dinara's non-AI features (logging, tracking, workout tracker, nutrition tracking) without ever messaging the coach.

7. Who we share data with

We share data with the following categories of third party, only where strictly necessary:

Supabase — our database and storage provider. All data is hosted in AWS eu-central-1 (Frankfurt). Supabase processes data on our behalf under a Data Processing Agreement.

Anthropic — our AI provider for the coach chat (see section 6).

Stripe — our payment processor. Stripe receives payment card data directly from you; we never see it.

Cloudflare — our CDN and DDoS protection. Cloudflare processes transit data (IP addresses, requests) but does not access stored user data.

Google Analytics and Microsoft Clarity — anonymised usage analytics. These tools help us understand how people use Dinara but do not have access to your health data or account identifiers where we can avoid it.

Healthcare professionals you choose to connect — only with your explicit, per-category consent. See section 8.

Personal trainers (coaches) you choose to connect — only with the visibility settings you choose. See section 9.

We never sell your data. We never share your data with advertisers. We never share your data with insurance companies, employers, or any other third party outside the categories above without your explicit consent, unless required to do so by UK law (e.g. a valid court order).

8. Healthcare Professional Portal

If you choose to connect a healthcare professional to your account, you explicitly select which data categories they can see — up to 18 separate toggles covering different types of health data. This sharing is based on your explicit consent. You can revoke access at any time, taking effect immediately. Every access by a healthcare professional is logged in an audit trail that is visible to you. Dinara is not a substitute for NHS systems, your GP record, or any official medical record.

9. Coach Portal

If you connect a personal trainer through Dinara, you control what they can see via privacy toggles in Settings. Your coach can see: daily check-ins, nutrition data, workout history, and health conditions — only where you have toggled each on. Your coach cannot see: data you have toggled off, your direct conversations with the AI coach, or your connected healthcare professionals. You can disconnect from your coach at any time.

10. Security

All data is encrypted in transit using TLS 1.3. All data is encrypted at rest using AES-256 encryption. Row Level Security (RLS) is enforced on every database table, ensuring users can only access their own data. We use HSTS with preload, a strict Content Security Policy, and standard security headers. Server access is key-only with root login disabled. We run automatic security updates. We do not currently offer two-factor authentication but plan to. If you discover a security issue, please email [email protected].

11. Data retention

Active accounts: your data is retained while your account is active.

Account deletion: if you delete your account, your personal and health data is permanently erased within 30 days, except where UK law requires us to keep it longer.

Audit logs: healthcare professional audit logs are retained for 8 years (aligned with NHS standards) even after account deletion. This is a legal-obligation retention and cannot be shortened on request.

Payment and tax records: minimal billing records are retained for up to 7 years after the last transaction to meet UK tax requirements.

Backups: our routine database backups may contain copies of deleted data for up to 7 days before the backups themselves roll off. This is standard industry practice and ensures we can recover from data-loss incidents.

12. Your rights

Under UK GDPR, you have the following rights:

Access — request a copy of the personal data we hold about you.

Rectification — correct inaccurate or incomplete data.

Erasure — delete your data (the "right to be forgotten"), subject to the retention exceptions above.

Restriction — limit how we process your data.

Portability — receive a copy of your data in a machine-readable format to move to another service.

Objection — object to specific processing activities.

Withdraw consent — withdraw consent for any consent-based processing.

Most of these can be done directly in-app through the data export and account deletion tools. For anything else, email [email protected] and we'll respond within one calendar month. If you believe we have mishandled your data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

13. International transfers

Your data is primarily stored and processed within the EU, in AWS eu-central-1 (Frankfurt, Germany). Some processing necessarily takes place in the United States: Anthropic (AI coach), Stripe (payments), Google Analytics, Microsoft Clarity. These transfers are protected by Standard Contractual Clauses (SCCs) and the providers maintain appropriate certifications under the EU-US Data Privacy Framework where applicable.

14. Children

Dinara is not intended for use by anyone under 16. We do not knowingly collect data from anyone under 16. If you are under 16, please do not create an account. If we become aware that we hold data on someone under 16, we will delete it promptly. Where you are 16 or 17, some features (particularly mental health screening and pregnancy tracking) are designed with adults in mind — please consider whether they are appropriate for you and involve a trusted adult if helpful.

15. Cookies and similar technologies

We use essential cookies for authentication and session management — these are required for the service to work. We use Google Analytics and Microsoft Clarity cookies for anonymised usage analytics, which you can opt out of via browser settings or privacy tools. We do not use advertising cookies or cross-site tracking cookies.

16. Changes to this policy

We may update this policy from time to time. For significant changes (new data categories, new third parties, changes that reduce your rights), we will notify you by email or in-app notification before the change takes effect. The current version will always be at dinara.uk/privacy with a "last updated" date at the top.

17. Contact

Privacy matters: [email protected]

General enquiries: [email protected]

Support: [email protected]

Data Controller: Snap Media Ltd, 347a Wallisdown Road, Poole, BH12 5BU, United Kingdom.

You can also raise concerns with the UK Information Commissioner's Office at ico.org.uk.