Privacy Policy

Last updated: May 5, 2026

1. Data Collection

We collect information you provide directly, such as your name, email address, and fitness data (workouts, body measurements, and nutrition logs). We may also collect usage data automatically, including device information, log data, and how you interact with the app, to improve our service.

Sensitive health data. If you choose to upload them, we also process: blood test results (biomarkers), genetic / DNA reports, and health-tracker metrics (heart rate, HRV, sleep, VO₂max). These are classified as "special category data" under GDPR Art. 9 and "genetic information" under California GIPA / GINA. We process them only with your explicit, granular, revocable consent recorded in our consent ledger.

1a. Genetic & Laboratory Data

  • Lawful basis: explicit consent (GDPR Art. 9(2)(a)) and CA GIPA-compliant separate written consent for each processing purpose (storage, AI analysis, personalization).
  • What we store: uploaded files (private storage, accessible only via short-lived signed URLs) and parsed marker values keyed to your account.
  • What we do NOT do: we do not sell, lease, or disclose your genetic data to insurers, employers, advertisers, or data brokers. We do not share it with law enforcement absent a valid court order.
  • AI processing: reports may be sent to LLM providers (e.g. OpenAI, Anthropic) for parsing only after your consent. No identifiers are sent; data is not used to train upstream models per the providers' zero-retention API terms.
  • Retention: kept until you revoke consent or delete your account; deletion is hard-deletion (no soft-delete) with storage files purged within 24 hours.
  • Audit trail: every read, write, and deletion of your health data is recorded; you can request a copy.

2. How We Use Your Data

We use your data to provide and improve NAFA, personalize your experience, generate workout and nutrition insights, and communicate with you about your account or service updates. We do not sell your personal information to third parties. Aggregated, anonymized data may be used for analytics and product development.

3. Data Storage & Security

Your data is stored in the EU (eu-west-1) with AES-256 encryption at rest and TLS 1.3 in transit. Row-level security ensures only you can read your records. Health files reside in a private bucket reachable only via short-lived signed URLs. We do not transmit health data to analytics or error-tracking services; sensitive payloads are scrubbed before any error report is sent.

4. Third Parties

We may share limited data with trusted third-party service providers who assist us in operating the app (e.g., hosting, analytics, email delivery). These providers are contractually obligated to handle your data securely and only for the purposes we specify. We will never share your personal fitness data with advertisers.

5. Your Rights

You have the right to access, correct, or delete your personal data at any time. You may export your data or request account deletion through the app settings. If you are located in the EU, you have additional rights under the GDPR, including the right to data portability and the right to restrict processing.

  • Export: GET /api/account/export returns a complete JSON archive of your data including health records and consent history.
  • Deletion: Account deletion is hard-delete and irreversible; auth identity is removed and all referencing rows cascade.
  • Revoke consent: any granted consent (genetic storage, AI analysis, etc.) can be revoked from Settings; revocation halts further processing for that purpose.
  • California residents: CCPA / CPRA rights to know, delete, correct, opt out of sale (we do not sell), and limit use of sensitive personal information apply.

6. Contact

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at privacy@nafa.fitness. We will respond to your inquiry within 30 days.