Last updated: May 2026
Elio Inc. ("Elio", "we", "us") operates the Elio platform at elio.com. We are the data controller for personal data processed through the Service. Contact us at support@elio.com for any privacy-related queries.
This policy applies to users of the Elio platform. The Service is only available to users aged 18 and over. We do not knowingly collect personal data from anyone under 18. This age threshold exceeds the minimum requirements of both US COPPA (under 13) and EU/UK GDPR Article 8 (13–16 depending on member state), reflecting the sensitive nature of the biometric and health data we process. If you become aware that a minor has submitted data to us, please contact us immediately at support@elio.com.
Payment processing is handled by Stripe. We do not store your full card details. We retain transaction records (amount, date, last 4 digits) for billing purposes.

| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the analysis Service | Facial images, account data | Contract performance |
| Generate your protocol | Analysis results, health data | Contract performance |
| Process payments | Payment data | Contract performance |
| Improve our AI models | Only with explicit opt-in consent | Consent |
| Send service communications | Email address | Contract performance |
| Send marketing (optional) | Email address | Consent (opt-in only) |
| Legal compliance | As required | Legal obligation |

We recognise that facial and biometric data is uniquely sensitive. In addition to our general data practices, we commit to the following:
If you are an Illinois resident, you have specific rights under the Illinois Biometric Information Privacy Act (BIPA). By using Elio, you provide informed written consent to our collection and use of biometric identifiers as described in this policy. You have the right to know what biometric data we hold, to request deletion, and to not be discriminated against for exercising these rights.
California residents have the right to know, access, delete, and opt out of the sale of their personal information. We do not sell personal information. To exercise your rights, contact support@elio.com.
We do not sell your personal data. We share data only in the following limited circumstances:
All third-party service providers are bound by data processing agreements and are prohibited from using your data for their own purposes.
Depending on your location, you have the following rights:
To exercise any of these rights, email support@elio.com. We will respond within 30 days.
We use strictly necessary cookies to operate the Service (authentication, session management). We use analytics cookies only with your consent. We do not use advertising or tracking cookies. You can manage cookie preferences through your browser settings.
We implement industry-standard security measures including:
If you are located in the EU/UK, your data may be transferred to and processed in countries outside the EEA. Where this occurs, we ensure appropriate safeguards are in place (Standard Contractual Clauses or equivalent).
Elio is not directed to anyone under the age of 18. We do not knowingly collect personal data from minors. Our Service involves biometric and health data processing — categories that carry significant sensitivity — and we apply an 18+ minimum age as a global standard. This applies regardless of local law or parental consent.
COPPA prohibits US websites and online services from collecting personal information from children under 13 without verifiable parental consent. Because our 18+ threshold well exceeds COPPA's under-13 scope, we do not collect data from anyone in this age group. We do not:
If you are the parent or legal guardian of a child under 13 who you believe has submitted information to Elio, please contact us immediately at support@elio.com. We will verify the report and delete all associated data within 72 hours, and will notify you once this is complete. You may also contact the US Federal Trade Commission (FTC) at ftc.gov if you have concerns about COPPA compliance.
Article 8 of the EU General Data Protection Regulation (GDPR) governs when a child can provide their own consent to the processing of personal data for information society services. The GDPR sets a default threshold of 16, but allows Member States to lower it to a minimum of 13. Current thresholds include: 16 in the Netherlands, Germany, Hungary, Slovakia, and Croatia; 15 in France; 14 in Austria, Bulgaria, Cyprus, Italy, Lithuania, Romania, and Spain; 13 in Denmark, Estonia, Finland, Latvia, Malta, Poland, Portugal, and Sweden. Because our 18+ threshold exceeds all of these, we do not rely on minors' consent under GDPR Article 8 in any EU member state. EU residents who believe a minor's data has been collected may contact their national Data Protection Authority (DPA) — a full list is available at edpb.europa.eu.
The UK GDPR sets the minimum age for children's online consent at 13. The UK Information Commissioner's Office (ICO) Age Appropriate Design Code (Children's Code) sets high standards for services likely to be accessed by under-18s. Elio is not directed at under-18s. If you are a UK resident and believe a minor has used Elio, please contact us at support@elio.com or the ICO directly at ico.org.uk.
If we discover — through our own checks or a report — that we have collected personal data from a user under 18, we will: (1) immediately suspend the account; (2) delete all personal data including any biometric data, analysis results, and account information; (3) notify the user by email explaining the reason for deletion. We will complete this process within 72 hours of confirmation.
Because Elio analyses physical appearance, we recognise that certain users may be particularly vulnerable to harm. We take specific steps to protect these individuals:
We do not ask users to disclose whether they have a mental health condition. If you choose to share such information with us (for example, by emailing our support team), we treat it as special-category health data under GDPR Article 9, processed only with your explicit consent and solely for the purpose of providing appropriate support.
If our support team becomes aware that a user has BDD or an active eating disorder, we may — with user awareness and consent — flag this on the account solely to ensure our team handles any communications with appropriate care and, if relevant, can provide signposting to support resources. We will never use this information for marketing, profiling, or any purpose other than user safety.
Any user who decides that using Elio is not right for their mental health may request immediate deletion of their account and all personal data, effective immediately, without any waiting period. Email support@elio.com with the subject line "Wellbeing Deletion Request" and we will process this within 24 hours and confirm by email.
We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
For privacy questions or to exercise your rights: support@elio.com
If you are an EU/UK resident and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (e.g. ICO in the UK, your national DPA in the EU).