Last updated: April 2026
CalenFit Training ("CalenFit," "the App," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains what personal data we collect, how we process and protect it, and the rights you have regarding your data.
1. Data Controller
CalenFit Training is the data controller responsible for processing your personal data. For any inquiries regarding your data, you can contact us at: contact@calenfit.com.
2. Data We Collect
We collect the following categories of personal data: (a) Account Data: your email address and, if you sign in via Google or Apple, your name as provided by those services; (b) Fitness Data: workout session data you enter or that is parsed from your text input, including exercises, sets, repetitions, weights, and durations; (c) Health Data (with your explicit consent): heart rate, heart rate zones, calories burned, body weight, and weight trends — classified as special category data under Art. 9 GDPR; (d) Usage Data: session timestamps, device type, operating system, timezone, and language preference; (e) Subscription Data: subscription status and payment transaction identifiers (we do not store full payment card details — these are handled by Stripe, Apple App Store, or Google Play).
3. Legal Basis for Processing
We process your personal data on the following legal bases: (a) Contract Performance (Art. 6(1)(b) GDPR): basic session tracking (exercises, sets, reps, weights) is necessary to deliver the service you signed up for — this basis cannot be withdrawn without deleting your account; (b) Explicit Consent (Art. 9(2)(a) GDPR): health data (heart rate, body weight, HR zones, calories) is processed only with your explicit consent, collected via in-app checkboxes at signup and manageable at any time in Settings > Privacy; (c) Consent (Art. 6(1)(a) GDPR): AI analysis (sending your training data to third-party AI services) requires separate consent, also manageable in Settings > Privacy; (d) Legal Obligation (Art. 6(1)(c) GDPR): consent records are retained to prove consent validity. You can withdraw consent for health data and AI analysis at any time — withdrawal is as easy as granting consent (toggle in Settings > Privacy). Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
4. AI Data Processing
CalenFit uses third-party AI services to provide optional analysis features. When you enable AI analysis in your privacy settings: (a) Session Parsing: your raw workout text is sent to our AI services to convert it into structured training data; (b) Exercise Reports: your exercise history and training stats are sent to our AI services to generate performance insights; (c) Weekly Reports: your recent training data is analyzed to produce weekly summaries; (d) Pre-Session Recommendations: your training history is used to generate preparation suggestions. No AI provider uses your data to train their models. Data is either processed under zero data retention policies or subject to minimal retention solely for abuse detection and legal compliance — it is not stored for any other purpose. Data sent to AI services includes: exercise names, sets, reps, weights, duration, training goals, age, sex. If you have granted health data consent, it also includes: body weight, weight trends, heart rate, HR zones, and calories. Data NOT sent to AI services: your email, password, OAuth tokens, payment data, or push notification tokens. AI-generated content is stored in your account in the EU.
5. Sub-Processors
We use the following third-party services to process your data: Supabase (database hosting, EU), Railway (backend API, EU), AI services (session parsing and analysis, US — no training on your data), Stripe (payments, US/EU), RevenueCat (mobile subscriptions, US), Firebase/APNs (push notifications, US). Your primary data is stored and processed in the EU (Supabase in Ireland, backend in Amsterdam). AI data is transferred to providers only when you have granted AI consent. No AI provider uses your data to train models. For US-based providers certified under the EU-US Data Privacy Framework, transfers rely on the adequacy decision. For others, Standard Contractual Clauses apply. The detailed list of sub-processors is available upon request.
6. Data Storage & Security
Your data is stored on Supabase (PostgreSQL on AWS) in the EU region (Ireland) with row-level security policies ensuring that only you can access your own data. All data is encrypted in transit (TLS 1.2+) and at rest (disk-level encryption). OAuth tokens for connected services (Strava, Polar) are encrypted at the application level using Fernet symmetric encryption. We implement industry-standard security measures including JWT authentication, rate limiting, and parameterized database queries. The password policy requires a minimum of 12 characters with uppercase and lowercase letters, digits, and special characters.
7. Data Retention
We retain your personal data as follows: active account data (sessions, stats, bodyweight) for the duration of your account; raw session text for 6 months after parsing; AI exercise reports for 12 months; weekly reports for 24 months; pre-session recommendations for 6 months; consent records for 5 years after withdrawal (legal obligation). If you delete your account, all personal data is permanently deleted immediately from 26+ tables. Consent history is anonymized (not deleted) to maintain legal proof. Inactive accounts with no session for 24 months are deleted after a 30-day warning email.
8. Your Rights
You have the following rights: (a) Right of Access (Art. 15): view your data overview in Settings > Privacy, or download all your data in JSON format; (b) Right to Rectification (Art. 16): edit your sessions and profile directly in the app; (c) Right to Erasure (Art. 17): delete your account and all data in Settings > Account; (d) Right to Data Portability (Art. 20): export all your data in JSON format from Settings > Privacy; (e) Right to Restrict Processing: disable health data or AI analysis in Settings > Privacy; (f) Right to Withdraw Consent (Art. 7(3)): toggle health data and AI analysis consent in Settings > Privacy — changes take effect immediately; (g) Right Regarding Automated Decision-Making (Art. 22): AI-generated reports are informational suggestions only and do not constitute automated decision-making with legal or significant effects. To exercise any of these rights, use the in-app controls or contact us at: contact@calenfit.com. We will respond within 30 days.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to opt out of the "sale" or "sharing" of your personal information. CalenFit does not sell your personal data. When AI analysis is enabled, training data is sent to third-party AI services — you can opt out via Settings > Privacy or the "Do Not Sell My Data" page. We honor Global Privacy Control (GPC) browser signals.
10. Cookies & Local Storage
The App uses only essential cookies and local storage for authentication tokens and user preferences (language, theme, notification settings). We do not use tracking cookies, advertising cookies, or third-party analytics.
11. Children's Privacy
CalenFit is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and updating the "Last updated" date.
13. Contact
For any questions, requests, or complaints regarding this Privacy Policy or your personal data, contact us at: contact@calenfit.com. Supervisory authority: CNIL (Commission Nationale de l'Informatique et des Libertés), France.