Legal

Privacy Policy

Last Updated: May 30, 2026

This Privacy Policy explains how Natura Inc (“Natura,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes personal data in connection with our website (natura.inc), our AI-powered personal agents (the “Agents,” also referred to as tinyPeople), our messaging-based agent services delivered through WhatsApp, iMessage, and Telegram, the NatureOS application, HumanPods hardware, and any other product, service, or application that references or links to this Privacy Policy (collectively, the “Service”).

Please also refer to our Cookie Policy, AI Disclosure, Privacy Rights, and Do Not Sell (CA) pages for additional disclosures that may apply to you.

This Privacy Policy is not a contract and does not create any legal rights or obligations not otherwise provided by law.

00

Our Core Privacy Principles

Before going into the details, here is what matters most:

  • Your data is encrypted in transit and at rest. All data moving between your device, our backend, and our service providers is protected with industry-standard encryption, and stored data is encrypted at rest.
  • Access is strictly restricted. Access to stored data is limited to authorized systems and personnel, only as needed to operate and provide the Service, and is governed by controls that have been independently audited under SOC 2 Type I.
  • We do not sell your personal data. We do not sell, rent, license, or trade your personal data, and we do not use it for advertising or to train third-party AI models for unrelated purposes.
  • Sensitive features are opt-in. Health data and location access are off by default and only operate if you explicitly enable them.
  • You can delete your data. You can request export or deletion of your data at any time.

01

How the Service Works and What We Store

To use the Service, you interact with the Agents through a messaging platform (WhatsApp, iMessage, or Telegram), through the NatureOS application, or by voice through HumanPods earbuds. To provide context-aware, continuous assistance, our backend stores certain data associated with your account identifier, as described below.

1.1 Conversation history

We store the history of your conversations with the Agents — text messages, and any voice notes you record — on our backend, associated with your account identifier. This lets the Agent maintain context across sessions and lets you review past interactions in the app's History. Conversation history and voice notes are retained for the lifetime of your account unless you delete them or request deletion. You can request export or deletion of this data at any time (see Section 8, “Your Rights”).

1.2 Audio and voice conversations

When you start a voice conversation with an Agent (for example, by double-tapping your HumanPods earbuds), your microphone audio is streamed in real time to our voice processing provider, ElevenLabs, which performs speech-to-text, generates the Agent's response, and synthesizes the spoken reply. This real-time audio stream is processed transiently and is not stored in its raw form — neither by us nor, under our zero-retention configuration, by ElevenLabs. A transcript of the conversation is used transiently to generate the Agent's reply and a short summary that is saved to your History for context.

Voice notes are different: when you record a voice note, the audio file is uploaded to our backend and stored so you can replay it in the app's History. Voice notes are retained for the lifetime of your account unless you delete them or request deletion.

1.3 Authentication via Composio

We use Composio as our authentication provider. Your credentials are handled within Composio's infrastructure, and Natura receives an account identifier used to associate you with your conversation history and Agents. Composio's handling of your data is governed by their own privacy policy.

1.4 Account pairing (Telegram and WhatsApp)

When you link a messaging platform to your account, you send a pairing code through Telegram or WhatsApp. We use these platforms only as a channel to receive that pairing code. We do not access your broader message history on these platforms.

1.5 Website

When you visit our website, we may collect minimal, standard web analytics data as described in our Cookie Policy.

02

Health and Fitness Data (Opt-In)

If you enable the Health feature (off by default), NatureOS reads the following data from Android Health Connect (or Apple HealthKit on iOS): heart rate, heart-rate variability, sleep stages and duration, steps, distance, active calories burned, and VO2 max.

This data is sent over an encrypted connection to our backend and used to give the Agent context about your activity and recovery, so its responses fit your day. This health and fitness data:

  • Is not used for advertising;
  • Is not sold; and
  • Is not used to train AI models.

You can disable Health access at any time in Settings or in Android Health Connect / Apple HealthKit. Health and fitness data is retained for the lifetime of your account unless you request deletion. For residents of Washington or Nevada, or individuals whose consumer health data is collected in those states, please also see the consumer health data disclosures on our Privacy Rights page (Washington My Health My Data Act; Nevada Consumer Health Data Privacy Law).

03

Location Data (Opt-In)

If you enable the Location feature (off by default), NatureOS reads your device location, including in the background. We use low-power, significant-change updates (approximately every 500 meters) rather than continuous GPS.

The location is sent to our backend and used as context for the Agent: when you start a conversation — including from your earbuds while the app is closed or the screen is off — the Agent uses your latest known location to make its responses relevant to where you are. We store only your most recent location: each update overwrites the previous one, so we do not keep a location history. Your location:

  • Is not used for navigation;
  • Is not shared with other users; and
  • Is not used for advertising.

You can disable Location at any time in Settings. Your latest location is retained for the lifetime of your account, until you disable Location or request deletion.

04

Data Retention

  • Real-time conversation audio: Not stored; processed transiently and discarded after the response.
  • Conversation history and voice notes: Lifetime of your account, until you delete them or request deletion.
  • Location data: Most recent location only (no history); lifetime of your account, until you disable Location or request deletion.
  • Health and fitness data: Lifetime of your account, until you request deletion.
  • Account identifier and push notification token: Until your account is deleted.

You can request deletion of any or all of your data at any time (see Section 8). We action verified deletion requests within 30 days.

05

Third-Party Service Providers (Sub-Processors)

We share the minimum necessary data with the following service providers, who act on our behalf under data-processing agreements and may not use your data for their own purposes:

  • ElevenLabs — receives your real-time voice audio, conversation text, and your account identifier to provide speech-to-text, language-model responses, and text-to-speech for voice conversations. Operates under a zero-retention configuration and does not retain your conversations.
  • AI model providers — receive your conversation content, together with the context the Agent uses to respond (such as your location, and your health data when the Agent retrieves it), to generate the Agent's responses. As explained in our AI Disclosure, we do not name the specific providers for security reasons.
  • Composio — receives your account identifier for authentication.
  • Expo (Expo Application Services) — receives a push notification token to deliver notifications to your device (forwarded to Google FCM or Apple APNs).
  • Twilio — carries the voice/telephony connection used for voice calls with the Agents.
  • Cloudflare — hosts our backend infrastructure and stores media such as voice notes.
  • Supabase — our database provider; stores your account data, conversation history, and — where you opt in — your health and location data.
  • Vercel — hosts our website (natura.inc).
  • Google — only if you connect Gmail or Calendar integrations (opt-in); accessed in real time to fulfill your requests.
  • Telegram and WhatsApp — used only as channels through which you send your pairing code to link your account; we do not access your message history on these platforms.
  • Payment Processors — any financial transactions are handled by third-party payment providers. Natura does not process or store your payment card information.

We do not sell your personal data.

The third-party messaging and platform providers also operate under their own privacy policies, which we encourage you to review: WhatsApp (Meta Platforms, Inc.), iMessage (Apple Inc.), and Telegram (Telegram FZ-LLC).

06

How We Use Your Data

We use the data described above to:

  • Provide the Service and generate Agent responses;
  • Maintain conversational context across sessions and let you review your History;
  • Provide voice conversations and voice-note playback;
  • Give the Agent context about your activity, recovery, and location where you have opted in;
  • Deliver push notifications;
  • Authenticate you and maintain your account;
  • Maintain the security, integrity, and reliability of the Service; and
  • Comply with legal obligations.

We do not use your personal data for advertising, and we do not sell it.

07

Security

  • Encryption. Data is encrypted in transit and at rest using industry-standard protocols.
  • Restricted access. Access to stored data is limited to authorized systems and personnel, only as needed to operate and provide the Service. Access is governed by internal controls and access policies.
  • SOC 2 Type I. Our security controls have been independently audited under SOC 2 Type I, which evaluates the design of those controls at a point in time against standards established by the American Institute of Certified Public Accountants (AICPA).
  • Limitations. No method of transmission or storage is completely secure. While we work to protect your data, we cannot guarantee its absolute security, and you provide data at your own risk.

08

Your Rights

You can request export or deletion of any or all of your data — including conversation history, voice notes, health data, and location data — at any time. You may also disable Health and Location access at any time in Settings.

To submit a request, use the in-app request flow, our Privacy Rights page, or contact us at ops@natura.inc. We will verify your identity before acting on a request and will respond within the timeframe required by applicable law.

For detailed rights under specific laws (CCPA/CPRA, VCDPA, CPA, CTDPA, GDPR, and the Washington and Nevada consumer health data laws), see our Privacy Rights page. California residents may also see our Do Not Sell (CA) page.

09

Children's Privacy

Our Service is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at ops@natura.inc and we will take appropriate steps to delete it.

10

International Data Transfers

If you access our Service from outside the United States, your data may be transferred to, stored in, and processed in the United States. All data is encrypted in transit and at rest regardless of origin or destination. Where required, we rely on appropriate safeguards for international transfers as described on our Privacy Rights page.

11

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Users of material changes by posting the updated policy, updating the “Last Updated” date, and/or through the Service. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy.

12

Contact Us

If you have any questions or concerns about this Privacy Policy, or if you would like to exercise any of your rights, please contact us:

Natura Inc
Email: ops@natura.inc