Privacy Policy

1. Introduction and Scope

This Privacy Policy explains how FitCommit Ltd. ("FitCommit," "we," "our," "us") collects, uses, stores, shares, and protects your personal information when you use the FitCommit iOS app, the fitcommit.ai website, and related features (together, the "Services").

This policy applies to all users of the Services worldwide. We disclose region-specific rights and obligations under applicable laws including the European Union General Data Protection Regulation (GDPR), the United Kingdom GDPR, the Swiss Federal Act on Data Protection, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the California Consumer Privacy Act and the California Privacy Rights Act (CCPA/CPRA), the Washington My Health My Data Act, the Delaware Personal Data Privacy Act (DPDPA), and other US state privacy laws. Region-specific notices are in section 16, section 17, section 18, and section 19.

Your use of the Services is also governed by our Terms of Service. If you do not agree with this Privacy Policy, do not use the Services.

2. Definitions

• App means the FitCommit mobile application available on the Apple App Store.
• Account means the personal account you create to access the Services.
• Body Scan means the photo-based body composition estimate generated by our AI from images you upload.
• After Photo means the AI-generated visualization of a possible future body state at a target body fat percentage.
• Personal Information means information that identifies, relates to, or could reasonably be linked with you, including under CCPA/CPRA the categories listed in section 16.
• Health Data means data about your body, fitness, nutrition, and goals, including height, weight, body fat percentage, lean mass, calorie targets, and macro targets.
• Photo means any image you upload to the Services, including Body Scan source photos and progress photos.
• Service Providers means third parties we use to operate the Services (cloud hosting, payment processing, analytics, AI model providers).

3. Information We Collect

We collect the following categories of Personal Information:

• Account information. Name, email address, password (hashed), date of birth, sex, and account preferences.
• Health Data. Height, current weight, target weight, body fat percentage, lean mass, activity level, goals, calorie targets, and macro targets. See the Nutrition and Health Information section of our Terms of Service for the full disclaimer about how this data is interpreted.
• Photos. Body Scan source photos and any progress photos you upload. See section 8 for how photos are processed and stored.
• AI Output. The estimates and visualizations generated by our AI from your inputs (Body Scan results, After Photo previews, weight loss timelines).
• Subscription and payment information. Subscription plan, billing status, and a transaction reference returned by the Apple App Store. We do not receive or store your full credit card number.
• Device and usage data. IP address, device model, operating system version, app version, screens viewed, features used, crash logs, performance metrics, and similar telemetry.
• Cookies and similar tracking. See section 11.
• Communications. Email and in-app messages you send us, and our responses.

We do not knowingly collect Personal Information from children under 13. See section 20.

4. Sources of Information

We collect Personal Information from these sources:

• Directly from you when you create an Account, complete onboarding, upload a Body Scan photo, set goals, or contact us.
• Automatically from your device when you use the Services (device and usage data, cookies).
• From the Apple App Store for purchase and subscription status.
• From integrated services if you choose to connect them (for example, Apple Health). You control which data syncs.
• From service providers for analytics, fraud prevention, and security.

5. How We Use Your Information

We use Personal Information for the following purposes:

• Provide the Services. Generate your Body Scan estimate, calculate calorie and macro targets, render After Photo previews, and track progress.
• Personalize your experience. Tailor recommendations, dashboards, and reminders based on your goals and progress.
• Maintain your Account. Authenticate logins, sync data across sessions, and recover access.
• Process payments. Confirm subscription status with the Apple App Store.
• Improve the Services. Diagnose bugs, measure performance, and refine the user experience using aggregated and de-identified usage data.
• Improve our AI models. Subject to the limits in section 8, we use aggregated and de-identified data derived from your inputs to improve estimate accuracy.
• Communicate with you. Respond to support requests, send transactional notices (security, billing, policy changes), and, with your consent, send marketing.
• Comply with law. Meet legal, tax, and regulatory obligations and enforce our Terms of Service.
• Protect the Services. Detect, prevent, and respond to fraud, abuse, security incidents, and unauthorized access.

6. Legal Bases for Processing (GDPR)

If you are in the European Union, EEA, Switzerland, or the United Kingdom, we rely on one or more of the following legal bases under GDPR Article 6 to process your Personal Information:

• Contract. Processing necessary to provide the Services you signed up for, including generating your Body Scan, calculating targets, and managing your Account.
• Consent. Where you have given us specific consent (for example, to use your photos for AI model training, to send marketing emails, or to integrate with Apple Health). You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legitimate interests. For improving the Services, securing them against fraud and abuse, and conducting analytics on aggregated and de-identified data, balanced against your rights.
• Legal obligation. To comply with applicable law, regulation, or court order.
• Vital interests. In the rare event that processing is needed to protect someone's life or physical safety.

For Health Data, we rely on your explicit consent (GDPR Article 9(2)(a)) granted at signup and reaffirmed each time you upload a Body Scan.

7. Automated Decision-Making

The Services use AI to generate estimates from your inputs (Body Scan, After Photo, calorie and macro targets, weight loss timelines). This is automated processing within the meaning of GDPR Article 22.

None of these AI outputs produce legal or similarly significant effects on you. They are informational and motivational estimates. They do not determine credit, employment, insurance, healthcare, housing, or any other legally significant outcome. See the Nutrition and Health Information section of our Terms of Service for the full disclaimer.

If you are in the EU, UK, or Switzerland, you have the right to request human review of an AI estimate that you believe is materially wrong. Contact privacy@fitcommit.ai.

8. Photos and AI Model Training

Your identifiable photos are not used to train our AI models without your separate, opt-in consent.

Body Scan and progress photos you upload are processed by our AI to generate your estimates and visualizations. Photos are stored encrypted in our cloud storage and are accessible only to you and to FitCommit personnel under strict access controls for support and abuse-investigation purposes.

We may use aggregated and de-identified data derived from photos (for example, body composition statistics with no identifying information) to improve the accuracy of our AI models. This data cannot reasonably be linked back to you.

You may delete any individual photo from within the App at any time. Deleted photos are removed from active storage immediately and from backup storage within 30 days. See section 12 for the full retention schedule.

We do not sell your photos. We do not license your photos to third parties for any purpose. We do not use your photos in marketing without your separate written consent.

9. How We Share Your Information

We share Personal Information only as described below. We do not sell Personal Information.

• Service Providers. Cloud hosting (Google Cloud), payment processing (Apple), AI model providers, analytics, error reporting, and security. These providers act on our instructions under written contracts and may not use your data for their own purposes.
• Apple, Inc. For App Store purchases, subscription management, and required platform telemetry.
• Legal compliance. When required to comply with law, valid legal process (for example, court order, subpoena), or to protect the rights, property, or safety of FitCommit, our users, or others.
• Business transfers. In connection with a merger, acquisition, financing, reorganization, sale of assets, or insolvency. We will notify you of any such change of ownership or control of your Personal Information.
• With your consent. Any other sharing requires your explicit consent.

10. Health Data Carve-Out

We do not sell Health Data. We do not use Health Data for advertising. We do not share Health Data with third parties for their own marketing or analytics.

Health Data and photos are processed only to deliver the Services to you and to maintain and improve the Services as described in this policy. This commitment applies in all jurisdictions, regardless of whether local law requires it. It also applies to any data we receive from Apple Health if you choose to connect it.

11. Cookies and Tracking

The fitcommit.ai website uses cookies and similar tracking technologies for the following purposes:

• Strictly necessary. Authentication, security, load balancing.
• Analytics. Aggregated traffic measurement and feature usage.
• Preferences. Remembering your settings (for example, dark mode).

You can manage cookies through your browser settings. Blocking strictly necessary cookies may break parts of the website. The iOS app does not use third-party advertising trackers and does not request the App Tracking Transparency permission.

12. Data Retention

We retain Personal Information only as long as needed for the purposes described in this policy. Specific retention periods:

• Account information (name, email, preferences): retained while your Account is active. Deleted within 30 days of Account deletion.
• Health Data (height, weight, body fat, targets): retained while your Account is active. Deleted within 30 days of Account deletion.
• Photos (Body Scan source, progress): retained while present in your Account. Individual photo deletions removed from active storage immediately and from backups within 30 days. Account deletion removes all photos within 30 days.
• Subscription records: retained for the duration of the subscription plus 7 years to meet tax, accounting, and audit obligations.
• Device and usage telemetry: retained in identifiable form for 90 days, then aggregated or deleted.
• Crash logs: retained for 90 days.
• Support and communications: retained for 3 years from the last interaction, then deleted.
• Aggregated and de-identified data: may be retained indefinitely as it cannot reasonably be linked to you.
• Backups: rolling 30-day window. Deleted Personal Information persists in backups for up to 30 days, then is permanently removed.
• Legal hold: where law requires longer retention (for example, fraud investigation, litigation hold), we retain only the specific records subject to the hold for the period required.

13. Data Security

We use industry-standard technical and organizational measures to protect Personal Information, including encryption in transit (TLS 1.2 or higher) and at rest, access controls based on least privilege, audit logging, and periodic security assessments. Photos and Health Data receive additional access restrictions.

No method of transmission or storage is fully secure. If we become aware of a security incident affecting your Personal Information, we will notify you and the relevant supervisory authorities as required by applicable law.

14. International Data Transfers

FitCommit operates from Canada and the United States. Your Personal Information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States, where data protection laws may differ from those in your country.

For transfers from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable) and supplementary measures. For transfers from Canada, we comply with PIPEDA cross-border transfer requirements. You may request a copy of these safeguards by contacting privacy@fitcommit.ai.

15. Your Privacy Rights

Depending on where you live, you may have the following rights with respect to your Personal Information:

• Access. Request a copy of the Personal Information we hold about you.
• Correction. Ask us to correct inaccurate or incomplete information.
• Deletion. Ask us to delete your Personal Information. See section 22.
• Portability. Receive your Personal Information in a structured, commonly used, machine-readable format.
• Opt-out of marketing. Unsubscribe from marketing emails at any time.
• Object or restrict processing. Object to certain processing or ask us to restrict it.
• Withdraw consent. Where we rely on consent, you may withdraw it at any time.
• Lodge a complaint. File a complaint with your local data protection authority.

To exercise any right, contact privacy@fitcommit.ai. We will respond within 30 days (45 days for EEA/UK requests, extendable by 60 days for complex requests) and will verify your identity before disclosing or deleting any Personal Information. We do not discriminate against you for exercising your rights.

16. Notice for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act (together, the "CCPA/CPRA") give you the rights described below. We do not sell your Personal Information and we do not share it for cross-context behavioral advertising.

Categories of Personal Information collected in the last 12 months:

• Identifiers. Name, email address, IP address, device identifiers. Sources: you, your device. Used for: providing the Services, security, communications. Shared with: Service Providers.
• Customer records (Cal. Civ. Code § 1798.80(e)). Account information, contact information. Sources: you. Used for: providing the Services. Shared with: Service Providers.
• Commercial information. Subscription plan, billing status. Sources: Apple App Store. Used for: managing your subscription. Shared with: Service Providers, Apple.
• Internet or network activity. App and website usage, performance, crash logs. Sources: your device. Used for: improving the Services and security. Shared with: Service Providers.
• Sensitive personal information. Health Data, photos, account credentials. Sources: you. Used for: providing the Services. Shared with: Service Providers under strict contracts. We use sensitive personal information only for the purposes permitted under CPRA Section 1798.121.
• Inferences. AI-generated body composition estimates, calorie targets, macro targets. Sources: your inputs. Used for: providing the Services. Shared with: Service Providers.

Your CCPA/CPRA rights: right to know, right to delete, right to correct, right to portability, right to opt out of sale or sharing (we do not sell or share for behavioral advertising), right to limit use of sensitive personal information, right to non-discrimination. To exercise any of these rights, contact privacy@fitcommit.ai. You may also designate an authorized agent.

We do not knowingly sell or share Personal Information of consumers under 16 without affirmative authorization.

17. Notice for EEA, UK, and Switzerland (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the GDPR (and UK GDPR and Swiss FADP, as applicable) apply to our processing of your Personal Information.

Controller. FitCommit Ltd. is the data controller for the Personal Information described in this policy.

Legal bases. See section 6.

Your rights. Access, rectification, erasure, restriction of processing, data portability, objection to processing (including profiling), withdrawal of consent, and the right to lodge a complaint with your supervisory authority. To exercise any right, contact privacy@fitcommit.ai or our Data Protection Officer at dpo@fitcommit.ai.

EU representative. We are evaluating designation of an EU representative under GDPR Article 27. Until appointed, please send GDPR-related inquiries to dpo@fitcommit.ai for our prompt response.

International transfers. See section 14.

18. Notice for Canada (PIPEDA)

For Canadian residents, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (including Quebec's Law 25, British Columbia's PIPA, and Alberta's PIPA) apply to our handling of your Personal Information.

You have the right to access and correct your Personal Information, withdraw consent, and file a complaint with the Office of the Privacy Commissioner of Canada or your provincial commissioner. Contact privacy@fitcommit.ai to exercise these rights.

19. Notice for Other US States

If you are a resident of Washington, Texas, Virginia, Colorado, Connecticut, Utah, Oregon, Tennessee, Indiana, Iowa, Montana, or Delaware, the privacy laws of your state may apply.

Washington My Health My Data Act. Health Data and photos qualify as Consumer Health Data under this law. We collect and process Consumer Health Data only with your consent (granted at signup and at each Body Scan upload), only for the purposes described in section 5, and we do not sell Consumer Health Data. You have the right to access, delete, and withdraw consent. Contact privacy@fitcommit.ai.

Across all listed states, you generally have the rights to access, delete, correct, port, and opt out of the sale of Personal Information and targeted advertising. We do not sell Personal Information and we do not engage in targeted advertising. Contact privacy@fitcommit.ai to exercise your rights.

20. Children's Privacy

The Services are intended for users 13 and older. We do not knowingly collect Personal Information from children under 13 in compliance with the United States Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us with Personal Information, contact us at privacy@fitcommit.ai and we will delete it. Users between 13 and 17 must have permission from a parent or legal guardian.

21. Marketing Communications

We send marketing communications only with your consent. You can opt out at any time by following the unsubscribe link in any marketing email or by contacting privacy@fitcommit.ai. Opting out of marketing does not affect transactional messages (security notices, billing, policy changes).

22. Account Deletion

You can delete your FitCommit Account at any time directly within the App. Go to Settings, select Account, and tap Delete Account.

When you delete your Account, we permanently delete:

• Account information (name, email, preferences).
• All photos (Body Scan source, progress, After Photo previews).
• Health Data (weight, body fat, calorie and macro targets, history).
• AI Output linked to your Account.

Deletion is permanent and cannot be undone. Active-storage deletion happens immediately. Backup-storage deletion completes within 30 days. We retain subscription and tax records as described in section 12.

23. Apple-Specific Notes

The FitCommit App is distributed through the Apple App Store. Apple's privacy practices apply to your App Store account, App downloads, and in-app purchases.

If you connect Apple Health, only the data categories you authorize are shared with the App. We use Apple Health data only to provide the Services and we do not store Apple Health raw data on our servers beyond what is needed for active sessions, unless you explicitly opt in to a long-term sync.

The App does not use Apple's App Tracking Transparency permission. We do not engage in cross-app or cross-website tracking.

24. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top, list the change in section 26, and, for material changes, notify you in the App or by email at least 30 days before the change takes effect. Continued use of the Services after a change becomes effective means you accept the updated policy.

25. Contact Us

For questions about this Privacy Policy or to exercise any privacy right:

26. Revision History

• April 26, 2026: Major revision. Added Definitions, Sources of Information, Legal Bases for Processing (GDPR Article 6 with Article 9(2)(a) for Health Data), Automated Decision-Making (Article 22) with right to human review, Photos and AI Model Training (no training on identifiable photos without opt-in), Health Data Carve-Out (no sale, no advertising), specific Data Retention periods per category, dedicated Notices for California (CCPA/CPRA with categories table), EEA/UK/Switzerland (GDPR + DPO), Canada (PIPEDA + provincial laws), Other US States (Washington MHMD, Texas, Virginia, Colorado, Connecticut, Utah, and others), Apple-Specific Notes (App Tracking Transparency, Apple Health). Added Quick Links table of contents, BreadcrumbList and WebPage JSON-LD schema, dedicated dpo@/security@ contacts.
• April 10, 2026: Effective date update.