Privacy Policy
Last updated: July 10, 2026
TruFitAI ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use the TruFitAI mobile application and website. This policy is designed to comply with the Apple App Store Guidelines, Google Play Developer Program Policies, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.
1. Information We Collect
Account Information
- Email address and name (via Supabase authentication)
- Fitness goals, experience level, dietary preferences
- Physical attributes (weight, height, age)
Health & Fitness Data
- Workout logs and exercise data (exercises, sets, reps, weights)
- Food and nutrition logs (meals, calories, macronutrients, including photos for AI analysis)
- Health and fitness information you enter yourself (workouts, sets, reps, weights, meals, calories, macros, steps, and body metrics such as height and weight). TruFitAI does not read data from Apple Health or Google Health Connect.
- Check-in responses and progress metrics (body measurements, mood, energy levels)
- Progress/body photos you choose to upload to track physique changes over time (stored in our storage infrastructure — see Sections 3, 7, and 8)
- Supplement tracking data
Usage Data
- App interaction analytics (screens viewed, features used)
- Device type, operating system, app version, timezone
- Push notification tokens (for sending reminders and alerts)
Billing Data
- Subscription status and tier (managed by RevenueCat via the Apple App Store or Google Play)
- We do NOT directly collect or store credit card numbers or payment credentials
2. How We Use Your Information
For users in the European Economic Area (EEA) and the United Kingdom, the legal basis under Article 6 of the GDPR (and, for health data, Article 9) for each purpose is noted in parentheses.
- AI Personalization: Your fitness data is sent to OpenAI's API to generate personalized workout plans, diet recommendations, supplement suggestions, and coaching responses. (Legal basis: performance of our contract with you, Art. 6(1)(b); for the health-data elements, your explicit consent, Art. 9(2)(a).)
- Food Photo Analysis: Food photos are sent to OpenAI's vision model for nutritional analysis. Food photos are NOT stored on our servers — they are processed in real time and discarded after analysis. (Legal basis: contract, Art. 6(1)(b), and your explicit consent for the health-data element, Art. 9(2)(a).)
- Progress Photo Analysis: Progress/body photos you choose to upload ARE stored so you can review them over time, and are sent to OpenAI's vision model to generate body-composition analysis (see Sections 3 and 8). (Legal basis: contract, Art. 6(1)(b), and your explicit consent for this health-data processing, Art. 9(2)(a).)
- Progress Tracking: Your logs and metrics are stored to track your fitness journey over time. (Legal basis: contract, Art. 6(1)(b); explicit consent for the health-data elements, Art. 9(2)(a).)
- Notifications: Push notifications for workout reminders, streak alerts, and plan updates. (Legal basis: your consent, which you may withdraw at any time in your device or app settings, Art. 6(1)(a).)
- Billing: Subscription management via RevenueCat (Apple App Store / Google Play). (Legal basis: performance of our contract with you, Art. 6(1)(b), and compliance with our legal and tax obligations, Art. 6(1)(c).)
- Service Improvement: Aggregated, anonymized usage data to improve app features and user experience. (Legal basis: our legitimate interest in maintaining and improving the Service, Art. 6(1)(f); you may object as described in Section 11.)
- Customer Support: To respond to your inquiries and provide support. (Legal basis: contract, Art. 6(1)(b), and our legitimate interest in assisting users, Art. 6(1)(f).)
3. AI Data Processing Disclosure
TruFitAI uses OpenAI's API to power its AI features. When you use AI-powered features, the following data may be sent to OpenAI for processing:
- Workout Plan Generation: Your fitness goals, experience level, available equipment, and physical attributes.
- Food Photo Analysis: Your food photos are sent to OpenAI's vision model. Food photos are processed in real time and are not stored by TruFitAI after analysis. OpenAI processes them under its API Data Usage Policy (see below); we do not control OpenAI's retention.
- Progress/Body Photo Analysis: Progress photos you upload for body-composition analysis are stored by TruFitAI (in Supabase Storage) and are sent to OpenAI's vision model. OpenAI processes them under its API Data Usage Policy (see below); we do not control OpenAI's retention.
- Nutrition Recommendations: Your dietary preferences, calorie targets, and macronutrient goals.
- Supplement Suggestions: Your fitness goals and dietary profile.
- AI Coaching: Your conversation messages and relevant fitness context.
OpenAI processes this data under their API Data Usage Policy. As of our last review, OpenAI does not use data submitted via their API to train their models. We recommend reviewing OpenAI's policies directly for the most current information.
4. Data Shared with Third Parties
We share specific data with third-party services to provide the Service. Below is an itemized breakdown:
- Supabase: All user data (account info, workout logs, nutrition data, progress metrics) is stored in our Supabase database with row-level security, and the progress/body photos you upload are stored in Supabase Storage. Supabase acts as our data processor.
- OpenAI: Fitness profile data, food photos, progress/body photos, conversation messages, and relevant context for AI features (see Section 3 above). No persistent personal identifiers are shared beyond what is necessary for AI processing.
- RevenueCat: Anonymous user identifier and subscription status for in-app purchase management. RevenueCat does not receive your fitness or health data.
- Google AdMob: For free tier users only — AdMob may collect device advertising identifiers, IP address, and general usage data to serve advertisements. AdMob does not receive your fitness data, health data, or personal profile information. See Section 6 for tracking details.
We do NOT sell your personal data for money, and we do NOT share your health or fitness data with advertisers. However, when a free tier user consents to personalized ads, the device advertising identifier and usage signals sent to Google AdMob may qualify as "sharing" for cross-context behavioral advertising under the CCPA/CPRA. You can exercise your right to opt out of this — see Section 12 (Do Not Sell or Share).
5. App Tracking and Advertising
App Tracking Transparency (iOS)
Free tier users see advertisements served by Google AdMob. If you are a free tier user and you grant tracking permission when prompted by iOS (Apple's App Tracking Transparency framework) and by Google's consent form, AdMob may use your device advertising identifier (IDFA) to serve personalized advertisements. This can involve cross-context behavioral advertising — that is, advertising based on data about your activity across apps and websites. We never share your health or fitness data for advertising. If you deny tracking, you will see only non-personalized ads, and our core functionality is not affected by your choice. Premium subscribers see no advertisements at all.
Google AdMob (Free Tier Only)
Free tier users see advertisements powered by Google AdMob. AdMob may use device identifiers and general usage signals to serve ads, including personalized ads where you have consented. Premium subscribers do not see any advertisements. You can opt out of personalized advertising through your device settings:
- iOS: Settings → Privacy & Security → Tracking (disable tracking), or Settings → Privacy & Security → Apple Advertising (disable Personalized Ads).
- Android: Settings → Privacy → Ads → Delete advertising ID, or opt out of ad personalization.
6. Cookies and Tracking Technologies
The TruFitAI mobile app does not use browser cookies. Our web services may use the following:
- Session Tokens: Authentication tokens stored securely on your device to keep you logged in.
- Local Storage: App preferences, cached data, and offline functionality stored locally on your device.
- Analytics: Basic, anonymized usage analytics to understand feature adoption and app performance. No third-party tracking pixels or cookies are used on our website.
We do not use cross-site tracking cookies, fingerprinting, or other persistent tracking technologies beyond what is described above.
7. Health Data Handling
We treat all health and fitness data with the highest level of care:
- Health & Fitness Data You Enter: The workout, nutrition, step, and body-metric data you log is used solely to power your plans, display your metrics in the app, and inform AI-powered recommendations. It is never used for advertising, never sold, and is shared only with the service providers described in this policy (and only as necessary for AI processing — see Section 3).
- Workout and Nutrition Data: Stored securely with row-level security in Supabase. Only accessible by you and our AI processing pipeline.
- Progress/Body Photos: Photos you upload to track physique changes are stored in Supabase Storage and are sent to OpenAI's vision model only when you request a body-composition analysis. They are retained while your account is active and are deleted when you delete your account (see Section 8).
8. Data Retention & Deletion
We retain each category of data for the period, or according to the criteria, described below. "While your account is active" means we do not delete this data on a fixed schedule while you keep your account; you can delete it at any time as described at the end of this section. We do not currently delete data automatically after a period of inactivity; if we introduce inactivity-based deletion, we will update this schedule.
| Category | Retention period / criteria |
|---|---|
| Account & profile data (email, name, goals, physical attributes) | While your account is active; permanently deleted within 30 days of account deletion. |
| Workout & nutrition logs | While your account is active; permanently deleted within 30 days of account deletion. |
| Progress / body photos | While your account is active; permanently deleted (including from Supabase Storage) within 30 days of account deletion. |
| Chat transcripts & coaching memory | While your account is active; permanently deleted within 30 days of account deletion. |
| Check-in metrics (mood, energy, body measurements) | While your account is active; permanently deleted within 30 days of account deletion. |
| Push notification tokens | Retained while valid; removed on logout or token invalidation, and within 30 days of account deletion. |
| Analytics events | Retained only on an aggregated, de-identified basis that cannot be linked back to you; because it is no longer personal data, it is not deleted with your account. |
| Billing records | Retained as required by applicable tax and accounting law (typically for the statutory retention period), then deleted. |
| Consent & transaction records (including auto-renewal consent) | Retained as required by law as evidence of the consent you gave. Under California law (Bus. & Prof. Code §17602), auto-renewal consent records are retained for up to 3 years, and for at least 1 year after you cancel. These records survive account deletion and are deleted once the legal retention period ends. |
You may request deletion of your account and all associated data at any time through the app settings or by contacting us. Upon deletion, all personal data (including any progress/body photos you uploaded) is permanently removed within 30 days; anonymized, aggregated data may be retained; billing records are retained as required by law; and data already processed by third-party APIs (e.g., OpenAI) is subject to those services' data retention policies, which we do not control.
9. Data Security
- All data is encrypted in transit (TLS/HTTPS) and at rest
- Row-level security policies restrict data access to account owners
- API endpoints are rate-limited and input-validated
- Admin secrets use timing-safe comparison
- Food photos are ephemeral — analyzed and immediately discarded
- Authentication is managed via Supabase Auth with secure session handling
10. International Data Transfers
TruFitAI is operated from the United States. Your data may be processed in the United States and other countries where our service providers operate, which may have different data protection laws than your country of residence.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, transfers of personal data outside those regions rely on the following mechanism for each recipient:
- OpenAI: Transfers are covered by the EU-US Data Privacy Framework (OpenAI is a certified participant), with the EU Standard Contractual Clauses and the UK International Data Transfer Addendum as a fallback.
- Supabase: Transfers are covered by the EU Standard Contractual Clauses (SCCs), with the UK International Data Transfer Addendum for UK data.
- Google / AdMob: Transfers are covered by the EU-US Data Privacy Framework (Google LLC is a certified participant), with the EU Standard Contractual Clauses and the UK International Data Transfer Addendum as a fallback.
- RevenueCat: Transfers are covered by the EU Standard Contractual Clauses (SCCs), with the UK International Data Transfer Addendum for UK data.
Where a recipient is certified under the EU-US Data Privacy Framework (including its UK Extension and the Swiss-US framework), that certification is the transfer mechanism. Where it is not, we rely on the European Commission's Standard Contractual Clauses and, for UK transfers, the UK International Data Transfer Addendum. You may request a copy of the relevant safeguards using the contact details in Section 16.
11. Your Rights (GDPR / CCPA)
General Rights
You can exercise the most common rights yourself in the app under Settings → Privacy and Data Rights. For anything else, email us (see the address below); we will verify your identity before acting and respond within the window stated at the end of this section.
- Deletion (self-serve): You can permanently delete your account and all associated data yourself, in the app under Settings → Delete Account, or by emailing us. This is the one right you can exercise entirely in-app.
- Access: You can download a copy of your personal data at any time in the app: go to Settings, then Privacy and Data Rights, then Download my data. You can also request a copy by emailing privacy@trufitai.io.
- Portability: The download is a complete, machine-readable file (JSON), and your activity logs are also available as CSV, so you can reuse or move your data.
- Rectification: Update or correct your information — much of it directly in the app; otherwise by emailing us.
- Restriction: Request that we limit how we process your data (by email).
- Objection: Object to data processing based on legitimate interests (by email).
- Opt-out: Disable health data sync, push notifications, or ad personalization (in the app and your device settings).
- Withdraw consent: You can withdraw consent for health-data processing and third-party sharing at any time in Settings, then Privacy and Data Rights. It takes effect immediately and does not delete your account. Withdrawal does not affect the lawfulness of any processing carried out before you withdrew.
CCPA-Specific Rights (California Residents)
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you. The in-app download (Settings → Privacy and Data Rights → Download my data) provides the specific pieces; you can also make the request by email after identity verification.
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
- Authorized Agent: You may designate an authorized agent to submit requests on your behalf.
To exercise any of these rights, use the in-app controls above or contact us at support@trufitai.io. We respond to rights requests within the time the law requires for your region: 45 days under California law (with one 45-day extension where permitted), one month under the GDPR (extendable by up to two months where permitted), and 45 days under the Washington My Health My Data Act. We will tell you if we need an extension.
Right to lodge a complaint: If you are in the EEA or UK and believe we have processed your data unlawfully, you may lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EEA, you can find your national authority through the European Data Protection Board's members directory (edpb.europa.eu).
12. Do Not Sell or Share My Personal Information
TruFitAI does not sell your personal information for money. We have never done so and have no plans to. We also never sell or share your health or fitness data for advertising.
However, under the California Consumer Privacy Act (CCPA/CPRA), the term "share" includes disclosing personal information for cross-context behavioral advertising. When a free tier user consents to personalized ads, the device advertising identifier and usage signals provided to Google AdMob may constitute such "sharing." You have the right to opt out of this sharing.
How to opt out (Do Not Sell or Share): Use the "Do Not Sell or Share My Personal Information" control in the app under Settings → Privacy and Data Rights (also available at /app/privacy). Once you opt out, any ads you see are non-personalized. On the web, we also honor the Global Privacy Control (GPC) browser signal as a valid opt-out and confirm on-screen when it has been applied. You can additionally turn off personalized ads at the device level (iOS: decline the App Tracking Transparency prompt, or Settings → Privacy & Security; Android: opt out of ad personalization in Settings), or email support@trufitai.io with the subject line "Do Not Sell or Share." Premium subscribers are shown no ads and are not subject to this sharing.
If you are a California resident and wish to exercise your rights under the CCPA, or if you have questions about our data practices, please contact us at support@trufitai.io.
13. App Store Privacy Disclosures
Apple App Privacy Labels
In accordance with Apple's App Store requirements, we disclose the following data collection practices through Apple's App Privacy Labels on our App Store listing. The privacy labels reflect the data types described in this policy, including:
- Data Used to Track You: For free tier users who grant tracking permission, a device advertising identifier may be used by Google AdMob for personalized advertising, as described in Section 5. Premium subscribers are not tracked, and no health or fitness data is ever used for tracking. The authoritative, per-data-type disclosure is our App Privacy Label on the App Store.
- Data Linked to You: Contact info (email, name), health & fitness data, usage data, identifiers.
- Data Not Linked to You: Diagnostics, anonymized analytics.
For the most current details, see our App Privacy Labels on the App Store.
Google Play Data Safety
In accordance with Google Play's Data Safety Section requirements, we disclose the following:
- Data Collected: Name, email address, health and fitness data you enter (workouts, nutrition, body measurements, progress/body photos), app activity, device identifiers.
- Data Shared: Fitness profile data, food photos, and progress/body photos shared with OpenAI for AI features. Anonymous identifiers shared with RevenueCat for billing. Device identifiers shared with AdMob for advertising (free tier only).
- Data Not Shared: Your health and fitness data is never shared with third parties or used for advertising.
- Security: Data is encrypted in transit and at rest.
- Deletion: Users can request data deletion through the app or by contacting support.
For the most current details, see our Data Safety section on the Google Play Store.
14. Children's Privacy
TruFitAI is not intended for users under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us data, please contact us immediately at support@trufitai.io and we will promptly delete such information.
15. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via the app, push notification, or email at least 30 days before the changes take effect. The "Last updated" date at the top of this policy will be revised accordingly. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.
16. Contact Us & Data Controller
The data controller responsible for your personal data is:
- Entity: TruFitAI Inc.
- Postal address: 2810 N Church St, PMB 636209, Wilmington, Delaware 19802-4447, USA
- Email: support@trufitai.io
- Website: trufitai.io
If you have questions about this privacy policy, your data, or wish to exercise your privacy rights, contact us using the details above.
European Economic Area and United Kingdom
TruFitAI is not offered to, and does not monitor the behavior of, individuals in the European Economic Area or the United Kingdom. The TruFitAI app is not available in EEA or UK app stores, and we do not accept account registrations from those regions. Accordingly, no representative under Article 27 of the GDPR or Article 27 of the UK GDPR has been appointed. If we make TruFitAI available in these regions in the future, we will update this policy and appoint representatives as required.