Privacy policy
This Privacy Policy describes how the operator of Max (“Max,” “we,” “us,” or “our”) collects, uses, discloses, stores, and protects personal information when you use our mobile applications, websites, APIs, and related services (collectively, the “Services”). By using the Services, you acknowledge this policy. If you do not agree, do not use the Services.
1. Who we are (data controller)
The data controller responsible for personal information processed through the Services is: Amma Health Inc., with its principal place of business at 1481 Peralta Boulevard, Fremont, California, USA. You can contact us about privacy at mog.max123@gmail.com.
We will respond to verified requests within a reasonable time and as required by applicable law. We may need to verify your identity before fulfilling certain requests.
2. Scope
This policy applies to:
- The Max mobile app (iOS and Android).
- Our websites and web-hosted legal or marketing pages.
- Backend services that power accounts, subscriptions, community features, coaching or AI-assisted features, uploads, and support.
It does not apply to third-party sites or services that we link to; their policies govern those services.
3. Information we collect
We collect information in the categories below. The exact data depends on which features you use.
3.1 Camera and media
When you use camera, photo library, or microphone permissions, you may submit images, video, or audio for features such as face scans, progress tracking, or attachments. Submission is voluntary except where a feature cannot function without it. How we handle in-app face scans (including photos, derived landmarks, AI coaching, storage, subprocessors, retention, and deletion) is described in Section 7 “Face scans, images, and AI processing”.
3.2 You provide directly
- Account and profile: email address; password (stored using one-way hashing—we do not store your plain-text password); first and last name; username; optional bio; phone number where required for account or SMS features; profile and progress photos you choose to upload.
- Community and messaging: text, images, and other content you post in channels, chat, or similar features.
- Payments: when you pay through Apple, Google, or our card processor, we receive transaction-related identifiers and status from the payment provider—not your full card number on our servers.
- Support: information you include in emails, forms, or in-app support requests.
- Onboarding and preferences: answers or settings you provide in questionnaires (for example goals, experience level, lifestyle fields) where the product collects them.
3.3 Automatically collected
- Device and technical data: device type, operating system, app version, language, IP address, timestamps, crash or diagnostic logs, and security-related events.
- Usage data: interactions with features, session information, and aggregated analytics where enabled.
- Authentication tokens: tokens or cookies used to keep you signed in on web, where applicable.
3.4 From third parties
- App stores: Apple and Google may provide limited purchase, refund, or subscription status information according to their terms.
- Payment processors: Stripe or similar may share payment outcome and fraud signals.
- When you sign in through a third party (if offered): basic profile details as authorized by that provider.
3.5 Sensitive or special categories
Max may process photos or wellness-related information you choose to provide. We do not use the app to provide regulated medical diagnosis or treatment. Do not submit information you consider highly sensitive if you are uncomfortable with processing described here and in the app’s permission prompts.
4. How we use information (purposes)
We use personal information to:
- Create and maintain your account, authenticate you, and provide core app functionality.
- Operate community features, including moderation, safety, reporting, and enforcement of our Terms and Community Guidelines.
- Process purchases and subscriptions, prevent fraud, and comply with tax or accounting obligations.
- Provide AI-assisted or automated features (for example coaching, scan-related insights, or content suggestions) where enabled, including by sending necessary inputs to subprocessors described below.
- Store and deliver files you upload (for example images) using cloud storage.
- Send service-related messages (for example security alerts, receipts, or important policy updates) and, where you opt in, marketing or product updates.
- Improve reliability, security, and performance of the Services; conduct analytics in aggregated or de-identified form where permitted.
- Comply with law, respond to lawful requests, and enforce our agreements.
5. Legal bases (EEA, UK, Switzerland, and similar)
Where GDPR or similar laws apply, we rely on: performance of a contract (providing the Services); legitimate interests (security, fraud prevention, product improvement, balanced against your rights); consent where required (for example optional marketing or non-essential cookies on web); and legal obligation where applicable.
6. How we share information and subprocessors
We share personal information with service providers (“subprocessors”) who process data on our behalf under contracts that require appropriate security and permit use of the data only in accordance with our instructions. We require that they protect personal information consistently with this policy and applicable law, as required by Apple’s guidelines for third-party data recipients.
Categories of recipients may include:
- Cloud databases and hosting: for example PostgreSQL providers (such as Supabase) and related infrastructure for user accounts and app data.
- Additional data stores: for example shared or forum-related data on separate database infrastructure (such as AWS RDS) where the product architecture uses it.
- File storage: for example Amazon S3 or comparable object storage for uploads (avatars, progress photos, attachments).
- Payments: Apple App Store / Google Play billing for in-app purchases; Stripe (or similar) for web or non-store payments where used.
- Messaging: Twilio or similar SMS providers for verification, password reset, or notifications where enabled.
- AI and analysis: Google (Gemini) or other model providers for generating or processing text; for face scans, landmark extraction uses Google’s MediaPipe Face Landmarker on our infrastructure (see Section 7). To produce natural-language feedback about a scan, the image and/or its derived measurements may be sent to a large-language-model provider (Google Gemini; OpenAI where configured) as a per-request subprocessor under their published terms.
- Analytics, logging, and security: tools used to monitor errors, performance, or abuse, subject to configuration and consent where required.
Face scan data: Face images are stored as private objects in Amazon S3 under our AWS account. Derived landmark coordinates and measurement scores are stored in our application database (PostgreSQL on Supabase). Face data is not shared with advertising networks, data brokers, or analytics vendors. Further detail appears in Section 7.
We may also share information: (a) with other users as part of community features you use; (b) if required by law or to protect rights, safety, and security; (c) with professional advisers under confidentiality; (d) in connection with a merger, acquisition, or asset transfer, with notice where required by law.
Sale / sharing (U.S. state laws): We do not sell personal information for money in the traditional sense. Where state laws define “sale” or “sharing” to include certain advertising or analytics disclosures, we honor applicable opt-out rights and describe choices below.
7. Face scans, images, and AI processing
7.1 What we collect and how we process it
We collect three still photographs of the user’s face (front, left profile, right profile) that the user voluntarily captures during an in-app “face scan.” From those photos we derive up to 478 non-identifying (x, y, z) facial landmark coordinates using Google’s MediaPipe Face Landmarker (run server-side on our infrastructure) plus derived geometric measurements (symmetry, proportions, angles). We do not generate, store, or use a biometric faceprint or template intended to identify an individual. We do not use Face ID, the TrueDepth API, or any Apple biometric framework.
7.2 Planned uses
Face scan data is used exclusively to generate the user’s own wellness, aesthetic, and coaching feedback inside Max—symmetry and proportion scores, facial-training suggestions, and AI-generated coaching content about the user’s own scan. It is not used for identification, authentication, cross-service tracking, advertising, profiling, or training third-party models.
7.3 Third-party sharing and storage
Face images are stored as private objects in Amazon S3 under our AWS account. Derived landmark coordinates and measurement scores are stored in our application database (PostgreSQL on Supabase). To produce natural-language feedback about a scan, the image and/or its derived measurements may be sent to a large-language-model provider (Google Gemini; OpenAI where configured) as a per-request subprocessor under their published terms. Face data is never shared with advertising networks, data brokers, or analytics vendors.
7.4 Retention
Face images and derived data are retained only while the user’s account is active and the scan remains in their history. Users can delete individual scans in-app at any time, which removes the image from S3 and the record from our database (subject to limited backup retention). Deleting the Max account deletes or anonymizes all face images, landmarks, and derived scan data, subject to the same limited backup and legal-retention exceptions. See also Section 9.1 and Section 8.
7.5 Where to find this policy and related sections
This Section 7 is the primary disclosure for face scans, images, and related AI processing. Related information also appears in Section 3.1 (Camera and media), Section 6 (How we share information and subprocessors), Section 8 (Retention), and Section 9.1 (Account deletion). The Privacy Policy is available at the URL listed in App Store Connect and inside the app under Settings → Privacy Policy and on the subscription paywall.
We do not use HealthKit or Apple health APIs for face scans unless explicitly integrated and disclosed separately. Do not use the Services to obtain regulated medical measurements that the app does not support; Apple may reject apps that claim unsupported clinical measurements from device sensors alone.
8. Retention
We retain personal information for as long as your account is active, as needed to provide the Services, and as required by law (for example tax, fraud prevention, or dispute resolution). When you delete your account, we delete or anonymize personal information unless a limited exception applies (for example backups for a short period, financial records, or information we must retain to comply with law or enforce our terms). Community content may be removed or anonymized as described in-app (for example posts may show as deleted).
For face scans specifically, retention and per-scan deletion are described in Section 7.4; account-level deletion is described in Section 9.1.
9. Your choices and rights
Depending on your location, you may have the right to:
- Access, correct, or update your information (many edits are available in-app).
- Delete your account or request deletion of personal information, subject to exceptions above.
- Object to or restrict certain processing, or withdraw consent where processing is consent-based.
- Request data portability where applicable.
- Opt out of certain analytics or targeted advertising, including via device settings (iOS App Tracking Transparency where applicable) and cookie choices on web.
- Lodge a complaint with a supervisory authority in your country.
9.1 Account deletion
You can delete your Max account using in-app account deletion where available. Deleting your account deletes or anonymizes face images, facial landmarks, derived scan measurements, and related records, consistent with Section 7.4 and the general retention exceptions above (limited backup retention and legal retention where applicable).
To exercise rights, use in-app settings where available or email mog.max123@gmail.com. We may verify your identity before responding.
10. Children
The Services are not directed to children under 13 (or the minimum digital consent age in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will take steps to delete it. If you target the Kids Category on the App Store, additional Apple rules apply (analytics, ads, linking out)—this app is not described as a Kids Category app here.
11. International transfers
We may process and store information in the United States and other countries. Where required, we use appropriate safeguards (such as Standard Contractual Clauses) for transfers from the EEA, UK, or Switzerland.
12. Security
We implement technical and organizational measures designed to protect personal information against unauthorized access, loss, or alteration. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
13. User-generated content and safety (UGC)
Where the Services include user-generated content, we provide mechanisms to report content and block users, and we apply moderation and enforcement measures consistent with our Community Guidelines. This aligns with Apple’s UGC expectations (for example reporting, blocking, contact information, and moderation) under Guideline 1.2. We may use automated or human review to help detect policy violations; false positives can be appealed via support.
14. Third-party links
Links to third-party websites or services are governed by those parties’ policies. Review them before providing personal information.
15. Changes to this policy
We may update this Privacy Policy. We will post the revised policy with a new effective date. If changes are material, we will provide additional notice as required by law or through the app. Continued use after the effective date may constitute acceptance where permitted by law.
16. Contact
Privacy questions and requests: mog.max123@gmail.com.