Privacy Policy

Last updated: May 11, 2026 · Effective immediately

Your privacy matters to us. This Privacy Policy explains how Zenith Fitness ("Zenith," "we," "us," or "our") collects, uses, shares, and safeguards information when you use our application and related services (the "Service"). By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information You Provide Directly

  • Account details: name, email address, and hashed password (for email/password accounts).
  • Authentication provider data: name and email from Apple Sign-In or Google Sign-In, as returned by those services.
  • Anonymous account data: a device identifier used to create and maintain an anonymous session if you do not register.
  • Profile and fitness data: age, biological sex, height, current weight, target weight, fitness goals, experience level, training preferences, equipment access, injury history or blockers, and allergies or dietary restrictions.
  • Workout logs: exercises performed, sets, reps, weights, session notes, perceived difficulty ratings, and workout completion status.
  • Nutrition logs: food entries, estimated macronutrients, meal photos submitted for AI analysis, water intake, and calorie targets.
  • Check-in data: voice recordings and/or text messages you submit via the check-in feature, which are processed to update your adaptive coaching plan.
  • Communications: messages and attachments you send us via support channels or email.

1.2 Information Collected Automatically

  • Usage data: features accessed, screens viewed, session duration, interaction patterns, and adaptive engine events.
  • Device data: device type, model, operating system version, app version, and unique device identifiers.
  • Crash and performance data: error logs, stack traces, and diagnostic information used to identify and fix issues.
  • Authentication tokens: short-lived JWT access tokens and rotating refresh tokens stored securely on your device.
  • Push notification tokens: device tokens used solely to deliver workout reminders, streak alerts, and milestone notifications.

1.3 Apple Health Data (Optional)

If you grant permission through the iOS HealthKit permission prompt, we may access the following types of data from Apple Health: body weight measurements, workout records, step count, active energy burned, and resting heart rate. This permission is entirely optional — the app functions fully without it. We do not collect any Apple Health data without your explicit consent, and you may revoke access at any time via iOS Settings.

1.4 Subscription and Payment Data

Payments are processed entirely by the Apple App Store or Google Play Store. We do not collect or store your payment card information. We receive subscription status, entitlement data, and transaction identifiers from RevenueCat (our subscription management provider) to determine your access tier and apply promotional pricing.

2. How We Use Your Information

We use the information we collect to:

  • Create and authenticate your account (including anonymous device-based accounts).
  • Generate personalised, periodised workout and meal plans tailored to your goals, preferences, and training history.
  • Power the adaptive engine — processing check-ins, session ratings, health signals, and declared events (missed sessions, travel, soreness) to automatically recalibrate your plan.
  • Maintain and update your AI context — a rolling structured summary of your fitness state that is included in AI prompts to produce relevant, personalised coaching responses.
  • Provide progress tracking, strength trends, streak history, calorie and macro tracking, and goal projection features.
  • Transcribe and process voice check-ins to understand your intent and update your plan accordingly.
  • Analyse meal photos to estimate nutritional content (calories, macronutrients) for your log.
  • Deliver push notifications — workout reminders, streak alerts, weekly summaries, and milestone celebrations.
  • Validate subscription status, free trials, and entitlements via RevenueCat (linked to Apple App Store or Google Play billing).
  • Respond to support requests and communications.
  • Monitor, maintain, secure, and improve the Service.
  • Produce aggregated, anonymised analytics to understand usage patterns and improve AI output quality.
  • Comply with applicable legal obligations.

We do not sell your personal information to third parties. We do not use your personal health or fitness data for advertising, retargeting, or profiling for commercial purposes.

3. AI Processing and Your Data

Zenith uses artificial intelligence services to generate workout programmes, meal plans, interpret check-ins, produce adaptive coaching decisions, and analyse meal photos. The third-party AI subprocessors we share data with are:

  • OpenAI (United States) — receives your structured profile (age, biological sex, height, weight, goal weight, fitness goal, experience level, training preferences, equipment access, dietary restrictions, allergies, injuries, AI context notes) and meal photos to generate and adapt your workout and meal plan and to estimate the nutritional content of meals.
  • Deepgram (United States) — receives the audio of voice check-ins and goal-capture recordings, streamed over an encrypted connection via our backend, for live speech-to-text transcription. Audio is not retained by Deepgram or by us beyond the duration of the transcription request; only the resulting transcript is stored on your account.
  • Cloudflare R2 (United States) — stores the meal photos you upload, served back to you through our authenticated proxy. Photos are linked to your account and are not used by Cloudflare for any other purpose.

When your data is processed by these AI systems:

  • Only the minimum necessary data is included in each API call — typically a structured AI context summary, relevant metrics, and the specific input being processed.
  • Your full name, email address, and raw Apple Health records are not sent to OpenAI or Deepgram.
  • Meal photos are transmitted to our servers over encrypted connections, processed by AI to estimate nutritional content, and are not permanently stored beyond the session unless you explicitly save the log entry.
  • Your AI context is stored on our servers to maintain coaching continuity across sessions. You can view, edit, or clear your AI context at any time from within the app.
  • OpenAI and Deepgram are contractually bound to process your data only on our instructions and not to use it to train their foundational models or for advertising.
  • Aggregated and de-identified interaction data may be used internally to evaluate and improve the quality and safety of our AI features. Raw personal data is not shared with third parties for foundational model training.

4. Data Storage and Security

Your data is stored on secure servers hosted by reputable cloud infrastructure providers. We implement industry-standard security measures including:

  • Encrypted data transmission (HTTPS / TLS 1.2+) for all API and web communications.
  • Secure token authentication using short-expiry JWT access tokens and rotating refresh tokens.
  • Secure on-device storage of authentication tokens using the iOS Keychain.
  • Hashed and salted passwords — your plain-text password is never stored.
  • Strict access controls limiting internal access to user data on a need-to-know basis.
  • Regular security reviews, dependency auditing, and vulnerability assessments.

While we take reasonable and industry-standard steps to protect your information, no method of transmission or electronic storage is 100% secure. We cannot guarantee absolute security and are not liable for unauthorised access resulting from circumstances beyond our reasonable control.

5. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide the Service and fulfil our legal obligations. Specifically:

  • Account and profile data: retained until you delete your account.
  • Workout and nutrition logs: retained for the duration of your account to power progress tracking, strength history, and AI context.
  • AI context and adaptation history: retained to maintain coaching continuity; you may delete or reset your AI context at any time within the app.
  • Voice check-in audio: streamed to our transcription processor (Deepgram) for live speech-to-text and discarded immediately after transcription; not retained by Zenith or by Deepgram.
  • Voice transcriptions: stored on your account so the AI can use them to update your plan; you can delete them at any time by deleting the corresponding log entry or your account.
  • Meal photos: stored only for the duration of the analysis session unless you explicitly save the log entry.
  • Crash and diagnostic logs: retained for up to 90 days.
  • Anonymous account data: retained for up to 12 months of inactivity, after which the device identifier and associated data may be purged.

You may request deletion of your account and associated data at any time by using the account deletion option in the app settings or by contacting us at support@zenith.fit. We will process deletion requests within 30 days, subject to any legal retention obligations.

6. Sharing of Information

We do not sell your personal information. We may share your information only in the following limited circumstances:

  • Service providers: trusted third-party vendors and subprocessors who assist us in operating the Service. Current key providers include: OpenAI (AI plan generation, check-in interpretation, and meal photo analysis), Deepgram (speech-to-text transcription of voice check-ins), Cloudflare R2 (meal photo storage), RevenueCat (subscription management and entitlement validation), Render (application hosting), MongoDB Atlas (primary database), and crash / performance monitoring services. All providers are contractually bound to protect your data and may not use it for their own purposes.
  • Legal requirements: if required by applicable law, regulation, court order, subpoena, or government authority, or where disclosure is necessary to protect the rights, safety, or property of Zenith, our users, or the public.
  • Business transfers: in connection with a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, in which case user data may be transferred as part of that transaction. We will notify affected users via the app or email.

We never share your health, fitness, or personally identifiable data with advertisers, data brokers, or marketing platforms.

7. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: request correction of inaccurate or incomplete data.
  • Deletion: request deletion of your personal data (right to erasure).
  • Portability: request your data in a structured, machine-readable format.
  • Restriction: request that we restrict the processing of your data.
  • Objection: object to certain types of processing, including profiling.
  • Withdrawal of consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at support@zenith.fit. We will respond within 30 days. We may request verification of your identity before processing certain requests.

Push notifications: You can manage all push notification preferences within the app settings or via iOS notification settings at any time.

Apple Health: You can revoke Apple Health access at any time via iOS Settings → Privacy & Security → Health.

8. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights regarding your personal information:

  • The right to know what personal information we collect, use, disclose, and sell.
  • The right to delete personal information we have collected from you.
  • The right to opt out of the sale or sharing of personal information — we do not sell your personal information.
  • The right to non-discrimination for exercising your CCPA rights.
  • The right to correct inaccurate personal information.
  • The right to limit use and disclosure of sensitive personal information.

To exercise your California privacy rights, contact us at support@zenith.fit.

9. Children's Privacy

The Service is not directed to individuals under the age of 13 and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected information from a user under 13, we will immediately terminate that account and delete the associated data. If you believe a child under 13 has provided us with personal information, please contact us promptly at support@zenith.fit. If you are between 13 and the age of legal majority in your jurisdiction, please use the Service only with the consent of a parent or legal guardian.

10. Third-Party Links and Services

The Service may contain links to or integrations with third-party websites or services not operated by us (e.g. Apple Health, App Store). We have no control over and assume no responsibility for the content, privacy practices, or data handling of any third-party services. We encourage you to review the privacy policies of any third-party services you connect to or visit.

11. Changes to This Policy

We may update this Privacy Policy from time to time at our discretion. When we do, we will revise the "Last updated" date at the top of this page. For material changes we will provide more prominent notice — such as an in-app notification or email — prior to the change taking effect.

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with a change, you should stop using the Service and may request account deletion.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Zenith Fitness — Privacy

support@zenith.fit