Where does your GLP-1 data go? GDPR, US apps, and private cloud

Every Mounjaro injection logged in an app, every weigh-in on Ozempic, every side effect noted with Wegovy builds a journal of health data. In France, that journal falls under the GDPR and receives strengthened protection. Who can access it depends mainly on the publisher’s architecture: device only, private iCloud container, or a centralised server.

Your doses and weight are health data

GDPR classifies information about your physical or mental health as special category data (Article 9). In a GLP-1 tracking app, that covers doses and injection dates, weight or BMI, blood glucose if you track it, effects you log, medications, and titration steps.

France’s CNIL states that mobile health apps fall under this framework when they process such information. Resale or commercial exploitation of health data is prohibited in the French healthcare sector. That journal may span eighteen months of treatment, so storage architecture matters as much as the pen you use.

GDPR in Europe, different rules elsewhere

In France and the European Union, France’s CNIL regulates health apps: identifiable data controller, resale prohibited in the healthcare sector. Publishers that host your data on their own servers must document transfers outside the EU (Data Privacy Framework, Standard Contractual Clauses, etc.).

Outside the European Union, the legal framework differs by country of residence. The app’s architecture remains the decisive factor: device only, private cloud container, or a centralised publisher database.

GoodRx, BetterHelp: the promise on screen and practice in court

In 2023, the FTC penalised GoodRx for transmitting health data to Facebook, Google, and other advertising partners without adequate notification: a $1.5 million fine and a ban on reusing that data for ads. The same year, BetterHelp received $7.8 million in penalties for sending mental-health-related information to advertising platforms while the site suggested enhanced confidentiality.

On markets beyond GLP-1, the FTC identified the same pattern: collect sensitive data, link it to advertising identifiers, pass it to advertising platforms. Before trusting an app with your journal, open the full privacy policy, look for third-party tools that access health data, identify the data controller.

Gloe GLP-1: on your device or in iCloud, never on our servers

Gloe GLP-1 stores your doses, effects, weight, and stock on your iPhone, or in your private CloudKit container when you enable iCloud. None of that passes through Gloe servers. The app’s publishers and developers cannot access your iCloud container.

Apple built this private cloud around on-device encryption and encryption keys stored on your trusted devices. Sync works only between devices authenticated with your Apple ID. Apple may host the data in centres in the United States and Europe; with two-factor authentication enabled, it remains end-to-end encrypted, readable only by you.

To sync between iPhone and iPad: Settings > [Your name] > iCloud > See All (or Apps Using iCloud) > turn on Gloe.

The app helps you keep a reliable history for titration and day-to-day treatment tracking.

Gloe GLP-1 does not provide medical advice. Always consult your healthcare professional for any treatment decision.

Sources

Download Gloe GLP-1 on the App Store

View all articles
Gloe App Icon

Gloe

Your GLP-1 Treatment Companion

Download on the App Store

Now: free 1-month trial