Privacy Policy

Last updated: July 10, 2026

TruFitAI ("we", "our", "us") is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your information when you use the TruFitAI mobile application and website. This policy is designed to comply with the Apple App Store Guidelines, Google Play Developer Program Policies, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

1. Information We Collect

Account Information

Health & Fitness Data

Usage Data

Billing Data

2. How We Use Your Information

For users in the European Economic Area (EEA) and the United Kingdom, the legal basis under Article 6 of the GDPR (and, for health data, Article 9) for each purpose is noted in parentheses.

3. AI Data Processing Disclosure

TruFitAI uses OpenAI's API to power its AI features. When you use AI-powered features, the following data may be sent to OpenAI for processing:

OpenAI processes this data under their API Data Usage Policy. As of our last review, OpenAI does not use data submitted via their API to train their models. We recommend reviewing OpenAI's policies directly for the most current information.

4. Data Shared with Third Parties

We share specific data with third-party services to provide the Service. Below is an itemized breakdown:

We do NOT sell your personal data for money, and we do NOT share your health or fitness data with advertisers. However, when a free tier user consents to personalized ads, the device advertising identifier and usage signals sent to Google AdMob may qualify as "sharing" for cross-context behavioral advertising under the CCPA/CPRA. You can exercise your right to opt out of this — see Section 12 (Do Not Sell or Share).

5. App Tracking and Advertising

App Tracking Transparency (iOS)

Free tier users see advertisements served by Google AdMob. If you are a free tier user and you grant tracking permission when prompted by iOS (Apple's App Tracking Transparency framework) and by Google's consent form, AdMob may use your device advertising identifier (IDFA) to serve personalized advertisements. This can involve cross-context behavioral advertising — that is, advertising based on data about your activity across apps and websites. We never share your health or fitness data for advertising. If you deny tracking, you will see only non-personalized ads, and our core functionality is not affected by your choice. Premium subscribers see no advertisements at all.

Google AdMob (Free Tier Only)

Free tier users see advertisements powered by Google AdMob. AdMob may use device identifiers and general usage signals to serve ads, including personalized ads where you have consented. Premium subscribers do not see any advertisements. You can opt out of personalized advertising through your device settings:

6. Cookies and Tracking Technologies

The TruFitAI mobile app does not use browser cookies. Our web services may use the following:

We do not use cross-site tracking cookies, fingerprinting, or other persistent tracking technologies beyond what is described above.

7. Health Data Handling

We treat all health and fitness data with the highest level of care:

8. Data Retention & Deletion

We retain each category of data for the period, or according to the criteria, described below. "While your account is active" means we do not delete this data on a fixed schedule while you keep your account; you can delete it at any time as described at the end of this section. We do not currently delete data automatically after a period of inactivity; if we introduce inactivity-based deletion, we will update this schedule.

CategoryRetention period / criteria
Account & profile data (email, name, goals, physical attributes)While your account is active; permanently deleted within 30 days of account deletion.
Workout & nutrition logsWhile your account is active; permanently deleted within 30 days of account deletion.
Progress / body photosWhile your account is active; permanently deleted (including from Supabase Storage) within 30 days of account deletion.
Chat transcripts & coaching memoryWhile your account is active; permanently deleted within 30 days of account deletion.
Check-in metrics (mood, energy, body measurements)While your account is active; permanently deleted within 30 days of account deletion.
Push notification tokensRetained while valid; removed on logout or token invalidation, and within 30 days of account deletion.
Analytics eventsRetained only on an aggregated, de-identified basis that cannot be linked back to you; because it is no longer personal data, it is not deleted with your account.
Billing recordsRetained as required by applicable tax and accounting law (typically for the statutory retention period), then deleted.
Consent & transaction records (including auto-renewal consent)Retained as required by law as evidence of the consent you gave. Under California law (Bus. & Prof. Code §17602), auto-renewal consent records are retained for up to 3 years, and for at least 1 year after you cancel. These records survive account deletion and are deleted once the legal retention period ends.

You may request deletion of your account and all associated data at any time through the app settings or by contacting us. Upon deletion, all personal data (including any progress/body photos you uploaded) is permanently removed within 30 days; anonymized, aggregated data may be retained; billing records are retained as required by law; and data already processed by third-party APIs (e.g., OpenAI) is subject to those services' data retention policies, which we do not control.

9. Data Security

10. International Data Transfers

TruFitAI is operated from the United States. Your data may be processed in the United States and other countries where our service providers operate, which may have different data protection laws than your country of residence.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, transfers of personal data outside those regions rely on the following mechanism for each recipient:

Where a recipient is certified under the EU-US Data Privacy Framework (including its UK Extension and the Swiss-US framework), that certification is the transfer mechanism. Where it is not, we rely on the European Commission's Standard Contractual Clauses and, for UK transfers, the UK International Data Transfer Addendum. You may request a copy of the relevant safeguards using the contact details in Section 16.

11. Your Rights (GDPR / CCPA)

General Rights

You can exercise the most common rights yourself in the app under Settings → Privacy and Data Rights. For anything else, email us (see the address below); we will verify your identity before acting and respond within the window stated at the end of this section.

CCPA-Specific Rights (California Residents)

To exercise any of these rights, use the in-app controls above or contact us at support@trufitai.io. We respond to rights requests within the time the law requires for your region: 45 days under California law (with one 45-day extension where permitted), one month under the GDPR (extendable by up to two months where permitted), and 45 days under the Washington My Health My Data Act. We will tell you if we need an extension.

Right to lodge a complaint: If you are in the EEA or UK and believe we have processed your data unlawfully, you may lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EEA, you can find your national authority through the European Data Protection Board's members directory (edpb.europa.eu).

12. Do Not Sell or Share My Personal Information

TruFitAI does not sell your personal information for money. We have never done so and have no plans to. We also never sell or share your health or fitness data for advertising.

However, under the California Consumer Privacy Act (CCPA/CPRA), the term "share" includes disclosing personal information for cross-context behavioral advertising. When a free tier user consents to personalized ads, the device advertising identifier and usage signals provided to Google AdMob may constitute such "sharing." You have the right to opt out of this sharing.

How to opt out (Do Not Sell or Share): Use the "Do Not Sell or Share My Personal Information" control in the app under Settings → Privacy and Data Rights (also available at /app/privacy). Once you opt out, any ads you see are non-personalized. On the web, we also honor the Global Privacy Control (GPC) browser signal as a valid opt-out and confirm on-screen when it has been applied. You can additionally turn off personalized ads at the device level (iOS: decline the App Tracking Transparency prompt, or Settings → Privacy & Security; Android: opt out of ad personalization in Settings), or email support@trufitai.io with the subject line "Do Not Sell or Share." Premium subscribers are shown no ads and are not subject to this sharing.

If you are a California resident and wish to exercise your rights under the CCPA, or if you have questions about our data practices, please contact us at support@trufitai.io.

13. App Store Privacy Disclosures

Apple App Privacy Labels

In accordance with Apple's App Store requirements, we disclose the following data collection practices through Apple's App Privacy Labels on our App Store listing. The privacy labels reflect the data types described in this policy, including:

For the most current details, see our App Privacy Labels on the App Store.

Google Play Data Safety

In accordance with Google Play's Data Safety Section requirements, we disclose the following:

For the most current details, see our Data Safety section on the Google Play Store.

14. Children's Privacy

TruFitAI is not intended for users under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us data, please contact us immediately at support@trufitai.io and we will promptly delete such information.

15. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via the app, push notification, or email at least 30 days before the changes take effect. The "Last updated" date at the top of this policy will be revised accordingly. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

16. Contact Us & Data Controller

The data controller responsible for your personal data is:

If you have questions about this privacy policy, your data, or wish to exercise your privacy rights, contact us using the details above.

European Economic Area and United Kingdom

TruFitAI is not offered to, and does not monitor the behavior of, individuals in the European Economic Area or the United Kingdom. The TruFitAI app is not available in EEA or UK app stores, and we do not accept account registrations from those regions. Accordingly, no representative under Article 27 of the GDPR or Article 27 of the UK GDPR has been appointed. If we make TruFitAI available in these regions in the future, we will update this policy and appoint representatives as required.