Privacy Policy

Last Updated: March 19, 2026

Introduction

Welcome to HealthyByAI ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, share, and protect your information across our website and native app experiences.

Information We Collect

Account Information

When you register for an account, we collect:

  • Email address
  • Phone number (optional)
  • Password credentials handled by authentication providers
  • Display name or username

Workout Data

When you use our fitness services, we collect:

  • Workout history and results
  • Generated workout preferences
  • Favorite exercises and movements
  • Equipment and skill selections

Usage Information

We automatically collect certain information when you use our website:

  • IP address and browser type
  • Pages visited and time spent
  • Device and operating system information
  • Referral source (how you found us)

Mobile App Data (Android / iOS)

When using our native app wrapper, we may process:

  • App/device metadata needed for security and session handling
  • Authentication provider identifiers (for sign-in flows)
  • Notification token data (when push notifications are enabled)
  • Local app storage/cache for performance and offline support
  • Optional file/share interactions initiated by you (e.g., workout exports)

Payment Information

Payment processing is handled by Mollie. We do not store your full credit card details. We only store:

  • Transaction IDs
  • Payment status
  • Subscription details

How We Use Your Information

We use your information to:

  • Provide our services: Generate workouts, track progress, manage your account
  • Improve our platform: Analyze usage patterns and optimize features
  • Communicate with you: Send service updates, notifications, and support responses
  • Process payments: Handle subscriptions and transactions
  • Ensure security: Detect and prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations: Meet regulatory requirements

Legal Basis for Processing (GDPR)

We process your personal data based on:

  • Contract: To provide services you've signed up for
  • Consent: For analytics and marketing communications (you can withdraw anytime)
  • Legitimate interests: To improve our services and prevent fraud
  • Legal obligations: To comply with laws and regulations

Data Sharing and Third Parties

We share your data only with:

Service Providers

  • Identity providers: Authentication and related account services
  • Cloud hosting providers: Application and database infrastructure
  • Payment providers: Payment processing and transaction events
  • AI providers: AI processing for workout generation and related prompts
  • Analytics providers (if enabled): Usage analytics, only where applicable law requires consent and you have provided it

Legal Requirements

We may disclose your information if required by law, court order, or to protect our rights, property, or safety.

We Never

  • Sell your personal data to third parties
  • Share your workout data with advertisers
  • Use your data for purposes other than stated in this policy

Data Storage and Security

Your data is stored securely using industry-standard encryption and security measures:

  • HTTPS encryption for all data transmission
  • Passwords hashed using bcrypt
  • Role-based access and service-level security controls
  • Regular security audits and updates

Data Location: Your data may be processed and stored by our service providers (including Firebase and MongoDB Atlas) in regions selected for service delivery, performance, and legal compliance.

Mobile Permissions and Native Features

Our native app may request only the permissions required to operate core features. Examples include internet/network access and limited file/share capabilities for user-initiated actions.

  • Network access to authenticate users and load workouts
  • Storage/file provider access where needed for user-initiated exports or sharing
  • Push notification token handling when notifications are enabled

You can manage permissions at any time in your device settings. Disabling certain permissions may limit related app functionality.

Your Rights

Under GDPR and other privacy laws, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a portable format
  • Restriction: Limit how we process your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Revoke consent for analytics or marketing

To exercise these rights, please contact us via our contact page or through your account settings.

Data Retention

We retain your data for as long as:

  • Your account is active
  • Needed to provide services
  • Required by law (e.g., financial records for 7 years)

When you delete your account, we delete user-linked account and training data, subject to legal and operational exceptions.

  • Payment and invoice records may be retained where required for tax, accounting, and legal compliance.
  • We may retain a non-reversible hashed marker of your email to enforce account lifecycle and anti-abuse controls.
  • Where legally required, certain records may be retained for statutory periods and then deleted or anonymized.

Where deletion is not immediate due to backups or legal holds, we complete deletion or anonymization within our operational and legal timelines.

Cookies and Tracking

We use cookies and similar technologies to enhance your experience and support core functionality. Analytics technologies may be used according to applicable consent rules. For detailed information about cookies, please see our Cookie Policy.

You can manage your cookie preferences at any time through our cookie consent banner or browser settings.

Children's Privacy

Our services are not intended for users under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it immediately.

International Data Transfers

Your data may be processed in countries outside your own. We ensure adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy decisions for data transfers
  • Service providers compliant with GDPR

For current subprocessors and transfer mechanisms, contact us via our contact page.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Updating the "Last Updated" date
  • Posting a notice on our website
  • Sending an email notification (for material changes)

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

For GDPR-related inquiries, please include "GDPR Request" in your subject line.