Privacy Policy

Last updated: February 9, 2026

Body by AI ("we," "us," or "our") is operated by Body by AI Coaching LLC, located in the United States. We are committed to protecting your privacy and handling your personal data responsibly.

This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our AI-powered fitness coaching platform at bodybyaicoach.com and our mobile applications (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

  • Email address
  • Display name
  • Date of birth
  • Sex at birth and gender identity (optional, used for fitness calculations)
  • Password (stored securely hashed; we never see your plaintext password)

1.2 Health and Fitness Data

  • Body measurements (weight, height, body fat percentage)
  • Workout data (exercises, sets, reps, weights, duration)
  • Nutrition data (meals, calories, macronutrients)
  • Morning check-in data (sleep quality, energy level, mood, soreness)
  • Progress photos (body photos uploaded for tracking physique changes)
  • Fitness goals (target weight, target body fat, aesthetic goals)

1.3 Wearable and Connected Device Data

With your explicit permission, we may collect health data from connected devices and services, including:

  • Apple HealthKit — steps, heart rate, resting heart rate, HRV, sleep data, active energy, workout data
  • Google Health Connect — steps, heart rate, sleep data, exercise sessions, nutrition records
  • Garmin Connect — activity data, sleep data, heart rate, stress scores, body composition
  • Strava — activity type, duration, distance, heart rate data, pace, calories, elevation. We access Strava data in read-only mode via OAuth. We do not use Strava data for AI/ML model training — it is used only as real-time context for personalized coaching recommendations. You can disconnect Strava at any time and all Strava-sourced data is permanently deleted immediately. See Strava's Privacy Policy.

You choose which devices and services to connect. You can disconnect any integration at any time. We only access the data categories you authorize.

1.4 Payment Information

Payment processing is handled by Stripe. We do not store your credit card number, expiration date, or CVV on our servers. Stripe provides us with a customer ID, subscription status, and billing history. See Stripe's Privacy Policy for details on their data handling.

1.5 Usage Data

  • AI interaction history (questions asked, coaching responses received)
  • Feature usage patterns
  • Device type and browser information
  • IP address (for security and abuse prevention only)

2. How We Use Your Data

We use your personal information exclusively to provide and improve the Service:

  • AI-powered fitness coaching — generating personalized workout programs, nutrition recommendations, and progress analysis
  • Progress tracking — calculating weight trends, body composition changes, and time-to-goal estimates
  • Personalized recommendations — adjusting training intensity, calories, and macros based on your data
  • Account management — authentication, subscription management, and customer support
  • Service improvement — improving AI routing accuracy and response quality (using anonymized, aggregated data only)

3. Third-Party Services

We use the following third-party services to provide the Service. Each receives only the data necessary for its function:

| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account data, fitness data (encrypted at rest) |
| Anthropic | AI coaching engine | Coaching queries and fitness context (no PII beyond what you include in questions) |
| Stripe | Payment processing | Email, subscription tier (Stripe handles all card data) |
| Vercel | Web hosting | Standard web request data (IP, user agent) |
| PostHog | Product analytics, A/B testing | Anonymized usage events, feature interactions (no health data, no PII) |
| Apple HealthKit | Health data sync (user-initiated) | Read-only access to authorized health categories |
| Google Health Connect | Health data sync (user-initiated) | Read-only access to authorized health categories |
| Garmin Connect | Activity and health data sync | OAuth token; read-only access to authorized data |
| Strava | Activity data sync (user-initiated via OAuth) | OAuth token (encrypted at rest); read-only access to activity type, duration, distance, heart rate, pace, calories. No GPS/route data. Not used for AI/ML training. All data deleted on disconnect. |

4. Data Sharing — We Do NOT Sell Your Data

We do not sell, rent, trade, or otherwise share your personal data with third parties for their marketing purposes. Ever.

Your data is shared only with the third-party services listed above, solely to provide the Service. We will never:

  • Sell your health data to advertisers
  • Share your fitness data with insurance companies
  • Use your body photos for any purpose other than your personal progress tracking
  • Share your AI coaching conversations with anyone

We may disclose your data only if required by law (e.g., court order, legal process) or to protect the safety of our users.

5. Wearable and Health Data

Health data from connected wearable devices (Apple HealthKit, Google Health Connect, Garmin, Strava) is treated with the highest level of care:

  • Used solely for providing personalized fitness coaching and recommendations
  • Never sold to third parties
  • Never shared with advertisers, data brokers, or insurance companies
  • Never used for purposes other than providing the Service to you
  • Stored with encryption at rest and in transit
  • You can disconnect any integration and delete associated data at any time

In compliance with Apple HealthKit guidelines: data obtained through HealthKit is not used for advertising or similar services, and is not sold to advertising platforms, data brokers, or information resellers.

6. Data Retention and Deletion

  • Active accounts: We retain your data for as long as your account is active.
  • Data export: You can export all your data at any time in JSON and CSV formats from your account settings.
  • Account deletion: You can request full account deletion from your account settings or by emailing us. Upon deletion, all your personal data, fitness data, body photos, and AI interaction history are permanently removed within 30 days.
  • Canceled subscriptions: If you cancel your subscription, your data is retained indefinitely until you request deletion. You can request deletion at any time by emailing privacy@bodybyaicoach.com.
  • Anonymized data: Aggregated, anonymized statistics (e.g., "average number of workouts per week across all users") may be retained indefinitely for service improvement.

7. Data Security

We implement comprehensive security measures to protect your data:

  • Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2+ (HTTPS)
  • Encryption at rest: All data stored in our database is encrypted at rest using AES-256
  • Row-Level Security (RLS): Database-level access controls ensure users can only access their own data
  • Authentication: Secure authentication with Supabase Auth, including OAuth providers
  • Security headers: Strict CSP, HSTS, X-Frame-Options, and other security headers on all pages
  • Input sanitization: All user inputs are sanitized to prevent XSS and injection attacks
  • Regular security reviews: We conduct regular security reviews of our codebase and infrastructure
  • Minimal data collection: We only collect data necessary to provide the Service

8. Body Photos and Sensitive Images

Progress photos are an optional feature. If you choose to upload body photos:

  • Photos are stored in encrypted storage accessible only to your account
  • Photos are used solely for your personal progress tracking and optional AI-powered physique analysis
  • Photos are never shared with other users, used in marketing, or accessed by our team
  • Photos are permanently deleted when you delete your account or remove them individually
  • AI analysis of body photos is processed ephemerally — the AI does not store or retain images after analysis

9. Cookies and Local Storage

We use minimal cookies and local storage:

  • Authentication cookies: Essential cookies to maintain your login session (strictly necessary)
  • Preferences: Local storage for user preferences (theme, units preference)

We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not use Google Analytics or similar tracking services.

10. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will promptly delete that information. If you believe a child under 18 has provided us with personal information, please contact us at support@bodybyaicoach.com.

11. Your Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of all personal data we hold about you
  • Correction: Update or correct any inaccurate personal data
  • Deletion: Request permanent deletion of your account and all associated data
  • Data portability: Export all your data in machine-readable formats (JSON, CSV)
  • Withdrawal of consent: Disconnect any health data integration at any time
  • Objection: Object to any processing of your data beyond what is necessary for the Service

To exercise any of these rights, use the tools in your account settings or contact us at support@bodybyaicoach.com.

12. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know: You can request details about the categories and specific pieces of personal information we have collected
  • Right to delete: You can request deletion of your personal information
  • Right to opt out of sale: We do not sell your personal information, so there is nothing to opt out of
  • Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights

To make a CCPA request, email us at support@bodybyaicoach.com with the subject line "CCPA Request."

13. International Users

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer. We take steps to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on the Service. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Additional Health Data We Collect

  • GLP-1 medications, including dosage, start date, and side effects
  • Reproductive status and menstrual cycle data
  • Lab results and blood work
  • Dietary preferences and restrictions
  • Alcohol and smoking status
  • Supplement tracking with dosage information
  • DEXA scan and body composition measurement methods
  • Tape measurements
  • Metabolic test data including RMR and VO2 max
  • Medication records

We classify all health data as special category / sensitive health data under applicable privacy laws. We do not collect genetic or genomic data.

Wearable Device Data

  • SpO2 and blood oxygen levels
  • Stress scores and body battery metrics
  • Readiness and recovery scores

OAuth tokens for wearable connections are stored encrypted. If you disconnect a wearable, all synced wearable data is deleted.

6. HIPAA and Health Data Classification

Body by AI is not a covered entity under HIPAA.

7. Third-Party Service Providers

  • Anthropic — Body photos are sent to Anthropic for AI analysis. Medication context (including GLP-1) is sent to Anthropic. Responses are not retained by Anthropic. Your data is not used to train AI models. Anthropic implements prompt caching for performance.
  • Strava / Garmin — We may push workout plans to Garmin devices.
  • ElevenLabs — Coaching text sent to ElevenLabs may contain health context.
  • Resend — Daily digest emails contain health data summaries.

We maintain a data processing agreement with each sub-processor.

How Your Health Data Is Processed by AI

Your email, payment details, and other identifying PII are not sent to the AI engine. We apply data minimization principles. Food photos are not retained after macro analysis. Voice output is text-to-speech only — we do not record any audio.

Data Retention Schedule

  • AI interaction logs are retained for 90 days
  • Data exports auto-delete after 7 days
  • Automated backups are encrypted (backup encryption at rest)
  • Tamper-evident audit log is retained after account deletion for legal compliance

Voice analytics data is retained while your account is active.

Account Deletion

When you delete your account, the following data categories are removed: workout data, wearable connection data, nutrition logs, body measurements, conversation history, and goal tracking.

Consent for Health Data Processing

Consent is obtained during onboarding through an explicit checkbox acknowledgment. You may withdraw consent by deleting your account or contacting support.

GDPR (European Economic Area)

We process health data under Article 9(2)(a) — explicit consent. We implement Standard Contractual Clauses for international transfers. We provide data breach notification within 72 hours.

State Health Privacy Laws

Washington My Health My Data Act

For Washington residents: we process consumer health data as defined under this act.

Connecticut

Connecticut residents have additional health data privacy rights.

Nevada

Nevada residents may opt out of the sale of personal information.

Colorado

Colorado residents have rights under the Colorado Privacy Act.

Virginia

Virginia residents have rights under the Virginia Consumer Data Protection Act (VCDPA).

We will never share your health data with insurance companies.