Privacy Policy
How Molt collects, processes, and protects your data.
Effective Date: 1 May 2026
Use of the Platform constitutes acceptance of this Privacy Policy.
About This Policy
Molt Technologies L.L.C-FZ (“Molt”) operates a personal health operating system. The Platform collects a defined set of health and activity metrics to generate a precise daily plan, track progress against targets, and deliver structured health outcomes.
This Privacy Policy describes exactly what data Molt collects, why it is collected, which third-party services process it on Molt’s behalf, how long it is retained, and the rights available to each user. It applies to the Molt mobile application, website (molt.app), and all related services. This Policy is read alongside the Terms & Conditions (molt.app/terms).
1. Data Controller
| Entity | Molt Technologies L.L.C-FZ |
|---|---|
| Address | Dubai, United Arab Emirates |
| Privacy enquiries | support@molt.app |
| General support | support@molt.app |
| Website | molt.app/privacy-policy |
Molt acts as the Data Controller for personal data collected through the Platform. Third-party service providers act as Data Processors under written data processing agreements.
2. Data Collected
The complete and accurate list of data categories collected by Molt. No data is collected beyond this scope.
2.1 Account & Identity Data
Collected at registration and maintained throughout use:
-
Full name, email address, phone number.
-
Date of birth and gender — used solely for calorie target and BMR calculation within the setup wizard.
-
Height — used solely for calorie target calculation. Not displayed as a tracked metric.
-
Profile photo (optional).
-
Login credentials (passwords stored in hashed, encrypted form; not accessible to Molt personnel).
2.2 Activity & Movement Data
Health and activity data is classified as Special Category Personal Data under UAE PDPL. See Section 6 for applicable protections and consent requirements.
Collected from the device, connected wearables, or manual user input:
-
Daily step count — tracked against a system or user-configured daily target.
-
Activity logs — manually logged by the user. Retroactive logging permitted for up to 7 days. Past entries do not update closed weekly progress reports.
-
Calories burnt (active energy) — synced from device or connected wearable.
-
Heart rate — resting and active values, synced from a connected wearable or device. Not manually entered.
2.3 Sleep Data
- Total sleep duration per night — synced from a connected wearable or device.
Sleep staging, sleep quality scores, HRV, and recovery metrics are not collected, stored, or processed by Molt, regardless of whether the connected wearable generates such data.
2.4 Body Weight Data
- Body weight — logged manually by the user or synced from a connected device where weight data is available. Tracked over time and included in the weekly progress review.
BMI and body fat percentage are not collected but may be calculated and displayed within the app based on logged data.
2.5 Nutrition & Calorie Intake Data
-
Food entries logged against the daily calorie intake target.
-
AI-assisted meal logging from photo or text input. Free for the first 90 days from account activation; post-trial access subject to the subscription tier in place.
-
Calorie intake target — set via the onboarding wizard, manual adjustment, or Coach input. A configuration setting, not a logged metric.
Nutritional estimates from AI photo or text analysis are approximate and are not clinical dietary prescriptions.
2.6 Tasks, Reminders & Habits
-
Tasks and reminders created by the user or assigned by a linked Coach.
-
Habit entries including frequency, target, and completion status.
-
Completion and streak data for tracked habits.
Task and habit data is used to generate nudges and reminders. It is not shared beyond the linked Coach.
2.7 User Preferences & Tracking Configuration
-
Metrics chosen for display on the home screen.
-
Notification preferences for nudges, reminders, and goal alerts.
Preference data is used solely to personalise the Platform display and notification schedule. It is not used for profiling or advertising.
2.8 Wearable & Connected Device Data
Where a user connects a supported wearable or health platform, only the data types Molt tracks (Sections 2.2–2.4) are imported, regardless of what broader data the wearable holds.
| Wearable / Platform | Data Synced into Molt | User Control |
|---|---|---|
| Garmin | Steps, calories burnt, heart rate, sleep total duration. | Disconnect via app settings. Sync stops immediately. |
| Fitbit | Steps, calories burnt, heart rate, sleep total duration. | Disconnect via app settings. Sync stops immediately. |
| Apple Health (HealthKit) | Steps, calories burnt, heart rate, sleep total duration, body weight (permission-scoped). | Managed via iOS Health app permissions. |
| Google Health Connect | Steps, calories burnt, heart rate, sleep total duration, body weight (permission-scoped). | Managed via Android Health Connect permissions. |
| Whoop | Heart rate, sleep total duration. | Disconnect via app settings. Sync stops immediately. |
| Oura | Heart rate, sleep total duration. | Disconnect via app settings. Sync stops immediately. |
HRV, recovery scores, readiness scores, sleep stages, and strain data are not requested or stored by Molt, regardless of what the connected wearable generates.
Data received from Apple HealthKit and Google Health Connect is not used for marketing, advertising, or transferred to third parties for those purposes.
2.9 Coach & Coaching Data
-
Coach identity and credentials (for Coaches).
-
Session records and QR-code verified attendance data.
-
Coach-assigned tasks, habits, and calorie target inputs applied to a Client’s profile.
-
Coach notes recorded within the Platform.
2.10 Payment, Transaction & Delivery Data
-
Billing name and last four digits of card number (retained for billing records only).
-
Transaction reference, subscription tier, and billing cycle.
-
Physical delivery address registered for Meal Plan subscriptions — shared with the assigned Kitchen Vendor and logistics provider solely for order fulfilment.
-
BNPL plan selection and payment status confirmation (where Tabby or Tamara is used).
Full card details are not stored by Molt. Payment processing and tokenisation are handled by Checkout.com. Where Tabby or Tamara is selected, the transaction is processed under the respective provider’s own terms. Molt receives payment status confirmation only.
2.11 Coach Scheduling Data
Calendly is used to schedule Coach verification calls. Data collected via Calendly: Coach name, email address, preferred time zone, and availability selection. This data is processed by Calendly and is not retained by Molt beyond completion of the verification process.
2.12 Device & Usage Data
Collected automatically when the Platform is accessed:
-
Device type, operating system, and application version.
-
IP address and mobile advertising identifier.
-
Session duration, screen views, and feature interaction events.
-
Crash logs and error reports.
-
In-app behaviour events tracked via CleverTap for push notification delivery, usage analytics, and retention workflows.
Device and usage data is used for Platform stability, performance monitoring, fraud prevention, and product improvement. It is not used to build advertising profiles.
2.13 Cookies & Tracking Technologies
| Cookie Type | Purpose | User Control |
|---|---|---|
| Required | Platform security, session management, fraud prevention. | Cannot be disabled without affecting core functionality. |
| Functional | Preference storage, performance analytics, feature improvements. | Configurable via cookie settings on the website. |
| Analytics | Aggregate usage analysis via CleverTap and Google Analytics. | Configurable via cookie settings or browser opt-out tools. |
3. Purpose of Processing & Legal Basis
Why Molt processes each data category, and the lawful basis under UAE PDPL.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation and authentication | Account & Identity Data | Performance of contract |
| Daily plan and calorie target generation | Account Data, Activity Data, Body Weight, Nutrition Data | Explicit consent + Performance of contract |
| Step tracking against daily target | Activity & Movement Data, Wearable Data | Explicit consent + Performance of contract |
| Manual activity logging (7-day window) | Activity & Movement Data | Explicit consent + Performance of contract |
| Sleep total duration tracking | Sleep Data, Wearable Data | Explicit consent |
| Body weight tracking and trend analysis | Body Weight Data | Explicit consent |
| Heart rate monitoring from devices | Activity & Movement Data, Wearable Data | Explicit consent |
| Food logging and calorie intake tracking | Nutrition & Calorie Intake Data | Explicit consent + Performance of contract |
| AI meal logging (photo and text) | Nutrition & Calorie Intake Data | Explicit consent |
| Weekly progress review and step trend analysis | Activity, Sleep, Body Weight Data | Explicit consent + Legitimate interest |
| Task, reminder, and habit tracking | Tasks, Reminders & Habits Data | Performance of contract |
| User customisation and tracking preferences | User Preferences Data | Performance of contract |
| Nudges, reminders, and goal alerts (CleverTap) | Tasks Data, User Preferences, Device Data | Consent + Performance of contract |
| Wearable and health platform data sync | Wearable & Connected Device Data | Explicit consent |
| Coach connectivity and plan management | Coaching Data, Activity Data, Nutrition Data | Explicit consent |
| Meal Plan fulfilment and delivery | Payment & Delivery Data | Performance of contract |
| Payment processing (card and BNPL) | Payment & Transaction Data | Performance of contract |
| Coach verification scheduling | Coach Scheduling Data | Performance of contract |
| Marketing and promotional communications | Account Data, Device Data (CleverTap) | Consent |
| Platform security and fraud prevention | Device & Usage Data, Account Data | Legitimate interest |
| Platform performance and improvement | Device & Usage Data, anonymised activity data | Legitimate interest |
| Algorithm calibration (anonymised only) | Anonymised, aggregated Platform data | Legitimate interest + Terms licence grant |
| Compliance with UAE legal obligations | All categories as required | Legal obligation |
Processing does not extend beyond the purposes stated above without additional consent or a distinct lawful basis. Where processing is based on consent, withdrawal does not affect the lawfulness of prior processing.
4. Third-Party Service Providers
Named providers that process data on Molt’s behalf. Each operates under a written Data Processing Agreement and may not use Molt user data for their own commercial purposes.
| Provider | Category | Data Processed | User Controls |
|---|---|---|---|
| Checkout.com | Payment processing | Billing name, card token, transaction value, subscription details. Full card data processed by Checkout.com directly — not stored by Molt. | Remove saved payment method via app settings. |
| Tabby | BNPL payment | Name, email, phone, order value, instalment schedule. Governed by Tabby’s own privacy policy. | Governed by Tabby’s privacy policy at checkout. |
| Tamara | BNPL payment | Name, email, phone, order value, instalment schedule. Governed by Tamara’s own privacy policy. | Governed by Tamara’s privacy policy at checkout. |
| CleverTap | Marketing & analytics | In-app behaviour events, push notification delivery, device identifiers, session data. | Opt out of marketing via app settings. |
| Garmin Connect | Wearable sync | Steps, calories burnt, heart rate, sleep total duration. | Disconnect via app settings. |
| Fitbit | Wearable sync | Steps, calories burnt, heart rate, sleep total duration. | Disconnect via app settings. |
| Apple HealthKit | Health platform sync | Steps, calories burnt, heart rate, sleep total duration, body weight (permission-scoped). | Managed via iOS Health app permissions. |
| Google Health Connect | Health platform sync | Steps, calories burnt, heart rate, sleep total duration, body weight (permission-scoped). | Managed via Android permissions. |
| Whoop | Wearable sync | Heart rate, sleep total duration. | Disconnect via app settings. |
| Oura | Wearable sync | Heart rate, sleep total duration. | Disconnect via app settings. |
| Calendly | Coach scheduling | Coach name, email, time zone. Verification calls only. | Not retained by Molt post-verification. |
| Google Analytics | Website analytics | Anonymised session metrics and page views on molt.app. | Opt out via cookie settings. |
5. Data Sharing
Who Molt shares data with, and under what conditions. Third-party processors are listed in full in Section 4.
5.1 Kitchen Vendor Partners
Kitchen Vendors receive only the minimum data required to prepare and dispatch orders: user name, delivery address, meal selection, and macro targets per order. No health metrics, activity data, or wearable data is shared with Vendors.
5.2 Linked Coaches
When a Coach link is active and confirmed by the user, the Coach receives access to the tracking data in Sections 2.2–2.7, within the scope configured in app settings. Coaches do not receive payment data, scheduling data, or delivery addresses. Access is revoked immediately upon unlinking.
5.3 Legal & Regulatory Disclosure
Data may be disclosed to UAE regulatory authorities, law enforcement, or courts where legally required. Disclosure is limited to what is required by law. Users are notified where permitted by applicable law.
5.4 Business Transfers
In the event of a merger, acquisition, or asset sale, personal data held by Molt may transfer to the acquiring entity. Users are notified before personal data becomes subject to a different privacy policy.
5.5 No Sale of Personal Data
Personal data is not sold to third parties. Health data, activity data, and wearable-sourced data are never used for advertising or shared with advertising networks.
6. Health Data — Special Protections
Additional controls applied to all health and activity data, including wearable-synced metrics.
Steps, heart rate, sleep duration, body weight, and wearable-synced data are classified as Special Category Personal Data under UAE PDPL. The following protections apply across all health data categories collected by Molt:
-
Explicit consent is obtained and recorded with a timestamp at onboarding before any health data is collected or processed.
-
Health data is stored in isolated, encrypted data stores. Access is restricted on a strict need-to-know basis.
-
Health data is not shared with third parties for advertising, profiling, or commercial purposes under any circumstances.
-
Health data is not used to train external AI models or shared with external research organisations without anonymisation and explicit consent.
-
Users may request deletion of health data at any time. Deletion is processed within 30 days. Anonymised aggregated data may be retained for product improvement.
Where health data is used for algorithm calibration or product improvement, it is anonymised and aggregated before use. Individual records are never used in identifiable form beyond plan generation and service delivery.
7. AI & Automated Processing
How Molt uses automated systems to generate plans and nutritional estimates.
Molt uses AI and machine learning for two purposes: generating and adjusting personalised daily plans, and estimating nutritional content from food photo or text input.
Plan generation uses account data, tracked activity metrics, and calorie intake logs to calculate daily targets and generate weekly progress reviews with step trend analysis. Adjustments are applied based on progress against targets across the tracking period.
AI meal logging estimates the caloric and macronutrient content of a meal from photo or text input. Estimates are approximate and are not clinical nutritional prescriptions.
Automated outputs do not constitute medical advice. Users may request human review of any automated decision by contacting privacy@molt.app. All targets are configurable by the user and, where a Coach is linked, by the linked Coach.
8. Data Retention
How long Molt retains each data category.
| Data Category | Retention Period |
|---|---|
| Account & Identity Data | Duration of active account. Deleted within 30 days of account closure. |
| Activity, Sleep, Heart Rate, Body Weight, Nutrition Data | Duration of active account. Deleted within 30 days of account closure or deletion request. |
| Wearable & Connected Device Data | Duration of active connection. Deleted within 30 days of disconnection or account closure. |
| Tasks, Reminders & Habits Data | Duration of active account. Deleted within 30 days of account closure. |
| Payment & Transaction Data | 7 years from transaction date (UAE commercial records obligation). |
| BNPL Records (Tabby / Tamara) | Retained by the BNPL provider under their own policy. Molt retains payment status only. |
| Coach Session & Assignment Records | Duration of active Coach-Client relationship. Deleted within 30 days of account closure. |
| Coach Scheduling Data (Calendly) | Deleted upon completion of the verification process. Not retained by Molt. |
| CleverTap Event Data | 13 months from collection, then anonymised per CleverTap’s standard retention policy. |
| Device & Usage Data | 13 months from collection, then aggregated and anonymised. |
| Anonymised & Aggregated Data | Retained indefinitely for product improvement. No longer identifiable; not subject to deletion requests. |
| Legal Hold Data | Duration of applicable legal obligation, dispute, or regulatory investigation. |
Encrypted backup copies may persist for up to 90 days following deletion. They are inaccessible to Molt personnel during this period and are purged automatically.
9. User Rights
Rights available to all users under UAE PDPL.
| Right | Description |
|---|---|
| Access | Request a copy of all personal data held by Molt. Provided within 30 days of verified request. |
| Correction | Request correction of inaccurate or incomplete data. Applied within 15 days. |
| Deletion | Request deletion of personal data including health and wearable data. Processed within 30 days. Exceptions apply where retention is required by law. |
| Restriction | Request restriction of processing pending resolution of an accuracy or lawfulness dispute. |
| Portability | Request personal data in a structured, machine-readable format for transfer to another provider. |
| Objection | Object to processing based on legitimate interest. Processing ceases unless compelling grounds are demonstrated. |
| Withdraw Consent | Withdraw consent for health data processing, wearable syncing, or marketing at any time. Does not affect prior lawful processing. |
| Disconnect Integrations | Revoke access to any connected wearable or health platform via app settings. Sync stops immediately. |
| Human Review | Request human review of any automated decision with a significant effect on the user. |
Rights are exercised by contacting privacy@molt.app with a verified identity. Responses are provided within 30 days; complex requests may be extended by a further 30 days with notice. Complaints may be submitted to the UAE Data Office.
10. Data Security
Technical and organisational measures protecting user data.
-
All data in transit is encrypted using TLS 1.2 or higher.
-
Health and activity data is encrypted at rest using AES-256 encryption.
-
Access to personal data is restricted to authorised personnel on a need-to-know basis. Access logs are maintained and audited.
-
Third-party integrations are connected via authenticated APIs with scoped permissions. Tokens are revocable from app settings at any time.
-
Payment data is handled via Checkout.com’s PCI-DSS compliant infrastructure. Full card data does not transit Molt’s systems.
-
Regular security assessments, penetration testing, and vulnerability management are conducted.
-
Users are notified of any breach affecting their personal data within 72 hours of Molt becoming aware, where required by law.
Users are responsible for maintaining the security of their login credentials. Suspected unauthorised access must be reported to support@molt.app immediately.
11. Children’s Data
The Platform is not intended for individuals under 18. Molt does not knowingly collect personal data from minors. Account creation requires minimum age confirmation at registration. Where Molt becomes aware that data has been collected from a minor, the account and all associated data are deleted within 7 days.
12. International Data Transfers
Personal data is stored on servers in the UAE or in jurisdictions with adequate data protection standards under UAE PDPL. Third-party providers including Checkout.com, CleverTap, Calendly, and wearable API providers may process data outside the UAE. Where such transfers occur, Molt ensures appropriate safeguards via standard contractual clauses or equivalent protections. Specific jurisdictions per integration are available on request at privacy@molt.app.
13. Marketing & Notification Communications
CleverTap is used to deliver push notifications and manage marketing communication workflows. Communication types and opt-out controls:
-
In-app notifications (plan updates, system alerts, weekly progress availability): service-essential, sent regardless of marketing preferences.
-
Push notifications (habit reminders, goal nudges, task alerts, promotional campaigns): configurable in app settings.
-
Email communications (account updates, Molt Credits activity, promotional offers): unsubscribe link included in all emails.
Opt-out is processed within 10 business days. Transactional communications are sent regardless of opt-out status as they are necessary for service delivery.
14. Changes to This Policy
This Policy is updated periodically to reflect changes to the Platform, integrations, or applicable law. The current version is always accessible at molt.app/privacy-policy. Material changes — including new data types, new integrations, or reductions in user rights — are communicated via in-app notification and email at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.
15. Contact & Data Enquiries
| Privacy Enquiries | support@molt.app |
|---|---|
| General Support | support@molt.app |
| Website | molt.app/privacy-policy |
| Company | Molt Technologies L.L.C-FZ, Dubai, UAE |