Privacy Policy
Effective date: April 29, 2026
Last updated: April 29, 2026
This Privacy Policy explains how Placio Labs (“we,” “us,” “our”) collects, uses, stores, shares, and protects information when you use 10 to 100 — our mobile application, website at tento100.com, and the related backend services (collectively, the “Service”).
10 to 100 is a wellness and longevity application that aggregates data from your wearable devices and other health sources to generate a personalized daily plan. Because the Service depends on sensitive health-related information, we have designed it to collect the minimum necessary data, store it securely, and give you direct control over connections, retention, and deletion.
This Policy is written to be read. Defined terms are in bold. If anything is unclear, contact us at the address in § 14.
1. Quick summary
We tried to put the most important things in one place:
- What we are. A wellness and longevity app. We are not a medical provider, not a covered entity under HIPAA, and we do not provide medical advice, diagnosis, or treatment. See § 11.
- What data we use. Your account information, the health and activity data you authorize us to read from connected sources (e.g., WHOOP, Apple Health, Oura, Strava), and information about how you use the app. See § 3.
- Why we use it. To generate your daily plan, explain it, and help you track adherence over time. We do not sell your data, we do not use it for advertising, and we do not share it with data brokers. See § 4 and § 6.
- Where it lives. Encrypted at rest and in transit, hosted on Microsoft Azure in the United States. OAuth tokens for connected services are stored in Azure Key Vault, not in our application database. See § 7.
- AI processing. We use AI models hosted within Microsoft Azure AI Foundry to write the plain-language rationale and prompts in your daily plan. Your health data is processed by these models inside Microsoft’s Azure environment and is not used to train third-party foundation models. See § 5.
- Your rights. You can disconnect any data source at any time, export your data, delete your account, and request that we erase your information. See § 9 and § 10.
2. Who this Policy applies to
This Policy applies to anyone who:
- creates a 10 to 100 account;
- uses the 10 to 100 mobile application on iOS (and, when released, Android);
- visits tento100.com or any of our subdomains; or
- otherwise interacts with our Service.
10 to 100 is intended for adults aged 18 and over. We do not knowingly collect information from children. If you believe a child has provided us with information, please contact us so we can delete it.
- Account information. Your name, email address, and an authentication credential (we store a salted hash, never the credential itself).
- Profile and goals. Information you choose to provide during onboarding and ongoing use, such as your sex, age or birth year, height, weight, training preferences, dietary preferences, and the goals you want the daily plan to optimize toward.
- Adherence and feedback. Whether you completed the elements of your daily plan, optional notes about how you felt, and other feedback you send us.
- Optional manual entries. Biomarker values, body-composition measurements, or other information you choose to enter manually.
- Support communications. Messages, emails, and screenshots you send when you contact us for support.
When you authorize a connection, we receive data from that service through its official API or platform integration. You control which services are connected and can revoke any connection at any time.
The connections currently supported, planned, or under evaluation include:
- WHOOP. Recovery, sleep, workout, and physiological cycle data, plus profile information needed to associate that data with your account. We request only the OAuth scopes required to read this data (read:recovery, read:cycles, read:sleep, read:workout, read:profile, and offline for token refresh).
- Apple Health (HealthKit). Workouts, heart-rate data, sleep records, nutrition data (including data brought in by other apps such as MyFitnessPal), and other categories you explicitly authorize through iOS. HealthKit data is read on your device and transmitted to our backend over an encrypted channel only for categories you have approved.
- Oura. Sleep, readiness, and activity data through the Oura API (planned).
- Strava. Workout and activity data through the Strava API (planned).
- Other sources. We may add additional integrations over time. Each new integration will be opt-in, will request only the scopes it needs, and will be disclosed in this Policy before it is enabled in production.
- Device and technical information. Device model, operating system version, app version, language, time zone, IP address, and crash diagnostics.
- Usage information. Which screens you view, which actions you take in the app, and aggregate timing of plan generation events. We use this to operate the Service and improve reliability.
- We do not collect precise location unless you explicitly enable a feature that requires it.
- We do not collect contacts, photos, microphone, or camera data.
- We do not use third-party advertising trackers or marketing pixels in the mobile app.
We use information only for the purposes below. We do not use your information for advertising, and we do not sell or rent it.
- Generate your daily plan. Combine inputs from connected sources into a normalized snapshot of your physiological state, run our deterministic rules engine, and produce a concrete daily plan (training, nutrition, recovery, sleep targets).
- Explain the plan. Use AI models to translate the rules engine’s output into a plain-language rationale, adherence prompts, and short coaching messages. See § 5.
- Track adherence and adapt. Compare what you reported back against the plan to refine future plans, and to show you progress against your goals.
- Operate and improve the Service. Diagnose errors, monitor reliability, secure the platform, and improve features.
- Communicate with you. Send transactional messages (account, security, plan availability) and respond to your support requests.
- Comply with law. Meet legal, regulatory, tax, and audit obligations, and respond to lawful requests.
4.1 Legal bases (for users in the EU/UK/EEA)
Where applicable, we rely on the following legal bases under the GDPR or UK GDPR: consent (for processing of health data and for each connected source), performance of a contract (to deliver the Service you signed up for), legitimate interests (to secure and operate the Service), and legal obligation.
You may withdraw consent at any time by disconnecting a source, deleting your account, or contacting us.
5. AI and automated processing
The daily plan is produced by a deterministic rules engine. The decisions in your plan — what to train, what to eat, when to sleep — are made by rules grounded in published physiological literature, not by a language model.
A separate AI synthesis layer generates the natural-language rationale, adherence prompts, and short coaching content shown alongside the plan. We use AI models hosted within Microsoft Azure AI Foundry. When this layer runs:
- Your relevant health data and the rules engine’s output are sent to the model within Microsoft’s Azure environment;
- The data is not used to train the underlying foundation model;
- We log the model’s outputs alongside the plan so it remains auditable and reproducible from the inputs.
You will always see the concrete plan (the “what”) whether or not the AI rationale (the “why”) has finished generating. We do not use AI to make decisions that have a legal or similarly significant effect on you.
We share your information only as described below.
- Service providers (sub-processors). We share information with vendors that help us run the Service, under contracts that require them to protect your data. Our current sub-processors include:
  - Microsoft Azure (cloud hosting, database, storage, application observability, AI model hosting via Azure AI Foundry).
  - [Email/transactional communications provider — TBD].
  - [Crash and analytics provider — TBD] (no advertising trackers).
- Connected source providers. When you authorize a connection (e.g., WHOOP), we exchange OAuth tokens with that provider so we can read your data. We do not push your 10 to 100 data back into those providers unless you explicitly enable that.
- Legal and safety. We may disclose information when we believe in good faith it is necessary to comply with applicable law, lawful requests, or legal process; to enforce our agreements; or to protect the rights, safety, or property of you, us, or others.
- Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you and give you choices before your information becomes subject to a different privacy policy.
We do not:
- sell your personal information for money or other valuable consideration;
- share your personal information for cross-context behavioral advertising;
- share data from Apple HealthKit with any third party for advertising or data brokerage; or
- use data from connected sources for any purpose other than delivering and improving the Service.
We will keep an up-to-date list of sub-processors at tento100.com/legal/subprocessors (link to be activated before launch).
7. Storage and security
- Hosting. Service data is hosted on Microsoft Azure, primarily in the United States.
- Encryption. All data is encrypted in transit (TLS 1.2 or higher) and at rest using industry-standard encryption.
- OAuth tokens. Tokens for connected services (WHOOP, Oura, Strava, etc.) are stored in Azure Key Vault, not in our application database. Our database stores only references to these tokens and metadata about them (such as last refresh time and granted scopes).
- Access controls. Access to production systems is limited to the smallest set of personnel needed to operate the Service, behind multi-factor authentication.
- HIPAA framing. We are not a HIPAA-covered entity, and the Service is not a substitute for clinical care. We nonetheless aim to apply HIPAA-equivalent technical safeguards (access control, audit logging, encryption, transmission security) as a security baseline.
- Incident notification. If we discover a security incident affecting your information, we will notify you and any required regulators in accordance with applicable law.
No system is perfectly secure. By using the Service, you accept that some residual risk exists despite our controls.
We keep information only as long as we need it for the purposes described in this Policy, then delete or anonymize it.
- Account information. While your account is active, and for a limited period after deletion to allow recovery, audit, and legal compliance.
- Raw health data from connected sources. While your account is active and the source is connected. If you disconnect a source, we stop ingesting new data from that source; existing data is retained according to the schedule below or until you delete it.
- Derived state snapshots and daily plans. Retained for as long as your account is active so you can review history. You can delete history from settings.
- Backups. Retained for a short rolling window for disaster recovery, then overwritten.
- Logs and diagnostics. Retained for a limited operational window, then deleted or aggregated to non-identifying form.
Specific retention periods will be published in our [Data Retention Schedule] before launch and updated as the Service evolves.
9. Your rights and choices
Regardless of where you live, you have the following choices:
- Disconnect a source. Revoke our access to any connected service from inside the 10 to 100 app, or directly from that service’s own settings (e.g., the WHOOP app). New data stops flowing immediately.
- Export your data. Request a copy of the personal information we hold about you in a portable format.
- Delete your account. See § 10.
- Update your preferences. Edit your profile, goals, and notification settings from within the app.
Depending on where you live, you may have additional rights, including:
9.1 California (CCPA / CPRA)
If you are a California resident, you have the right to: know what personal information we collect and how we use it; access a copy of that information; request correction; request deletion; and limit our use of sensitive personal information. Health data is “sensitive personal information” under California law; we use it only for the purposes described in § 4. We do not “sell” or “share” personal information as those terms are defined under California law. To exercise any right, contact us at privacy@TenTo100.com.
9.2 EU / UK / EEA (GDPR / UK GDPR)
If you are in the EU, UK, or EEA, you have the right to: access; rectification; erasure; restriction of processing; data portability; objection to processing; and to withdraw consent at any time without affecting the lawfulness of prior processing. You also have the right to lodge a complaint with your local data protection authority. Our legal bases for processing are listed in § 4.1.
9.3 Other jurisdictions
We extend the same core rights — access, correction, deletion, export — to all users regardless of jurisdiction.
To exercise any of these rights, email us at privacy@TenTo100.com from the email address associated with your account, or use the in-app controls. We will respond within the time period required by applicable law.
10. Deleting your data
You can delete your 10 to 100 account at any time:
- From the app: Settings → Account → Delete account.
- Or by emailing privacy@TenTo100.com from the email address on your account.
When you delete your account, we will:
- Revoke our OAuth tokens with all connected services so we can no longer read your data;
- Delete the personal information we have stored about you within thirty (30) days, except for information we are required to retain by law or for legitimate operational reasons (e.g., fraud prevention, audit logs);
- Allow short-rolling backups to age out within our normal backup retention window.
Deleting your 10 to 100 account does not delete data held by the connected services themselves. To remove data from WHOOP, Apple Health, Oura, Strava, MyFitnessPal, or any other source, you must do so directly in those services.
If you delete the iOS app from your device without first deleting your account, the data we previously received from Apple HealthKit and stored on our backend remains until you delete your account.
11. Not medical advice
10 to 100 provides general wellness and lifestyle information based on the data you choose to share with us. It is not medical advice, diagnosis, or treatment. Information generated by the Service — including the daily plan, the rationale, recovery guidance, training prescriptions, and macronutrient targets — is not a substitute for professional medical advice from a qualified clinician.
- Always seek the advice of your physician or other qualified health provider with any questions you have about a medical condition.
- Never disregard professional medical advice or delay seeking it because of something you read in 10 to 100.
- If you think you may have a medical emergency, call your local emergency number immediately.
If the Service surfaces a pattern that may warrant clinical evaluation, that is a prompt to talk to a clinician — not a diagnosis.
12. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will:
- post the updated Policy at tento100.com/privacy;
- update the “Effective date” at the top;
- notify you in-app or by email before the change takes effect for material changes that affect your rights or how we use your data.
Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13.1 Apple HealthKit
If you grant 10 to 100 permission to read Apple HealthKit data, we agree to the following, consistent with Apple’s developer requirements:
- We use HealthKit data only to deliver and improve the Service for you.
- We do not use HealthKit data for advertising, marketing, or other use-based data mining.
- We do not disclose HealthKit data to any third party for advertising, marketing, or data brokerage purposes.
- We do not sell HealthKit data.
13.2 WHOOP
We comply with the WHOOP Developer API Terms of Use. We use WHOOP data only as needed to deliver the Service to the WHOOP member who authorized the connection, and we do not redistribute WHOOP data to third parties beyond the disclosures described in this Policy.
For privacy questions, requests, or complaints:
Placio Labs
Email: privacy@TenTo100.com
If you live in the EU/UK and we are required to designate a representative or data protection officer, that information will appear here before launch.
This Policy is provided in English. If we make it available in other languages and there is a conflict, the English version controls.