Privacy Policy
APEX Fitness — AI Coach
Effective Date: 2026-05-15 | Last Updated: 2026-05-18
1. Introduction
Apex Tech, SpA (“Company,” “we,” “us,” or “our”), a company organized under the laws of Chile, operates the APEX Fitness — AI Coach mobile application (the “App”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the App.
We process health and fitness data — including, optionally, body photographs in minimal clothing — that constitutes special category data under applicable data protection laws. Given the highly sensitive nature of some of this data, we have designed this policy and our consent flows to provide transparency and granular control over your information.
This policy is designed to meet the requirements of Chile's Law No. 19,628 on the Protection of Privacy (as amended by Law No. 21,719 when applicable), Brazil's LGPD, the California CCPA/CPRA, Canada's PIPEDA, Japan's APPI, South Korea's PIPA, and other applicable privacy legislation. The App is not currently offered in the European Economic Area or the United Kingdom; if and when we expand to those markets, this Privacy Policy will be updated to reflect GDPR and UK GDPR requirements.
If you do not agree with the terms of this Privacy Policy, please do not access or use the App.
2. Data Controller
For the purposes of applicable data protection legislation, the data controller is:
We do not currently have a designated Data Protection Officer (DPO). All privacy-related inquiries should be directed to the contact email above.
3. Data We Collect
The categories of data we collect, how we collect them, and the purposes for which they are processed are listed below. All health and fitness data is entered manually by the user; the App does not integrate with Apple HealthKit, Google Fit, or any other device health platform.
3.1 Account & Identity Data
- Email address, display name, profile photo (provided by you or by your Apple/Google account during sign-in)
- Authentication tokens issued by Apple Sign-In or Google Sign-In
- Account creation date, last sign-in date
3.2 Personal Profile Data (collected during onboarding)
- Date of birth (used to calculate age and tailor training recommendations)
- Gender, height, weight, measurement system preference
- Fitness experience, current fitness state, occupation activity level
- Health conditions you choose to disclose (skippable)
- Dietary preferences, allergies, cooking skill, food budget (skippable)
- Goals, desired pace, weekly training goal
3.3 Health & Fitness Data (sensitive personal data under applicable laws)
- Workout logs: exercises performed, sets, reps, weights, duration, perceived effort
- Body metrics: weight changes, body measurements (chest, waist, hips, etc.)
- Sleep data: hours slept and subjective sleep quality (collected via daily check-ins)
- Subjective wellbeing notes (collected via daily check-ins and progress checks)
- Nutritional logs: foods consumed, calories, macros, meal timing
- Progress check data: scale-based readings, optional measurements, optional body photos
3.4 Visual Data
- Body photographs (optional, only when you initiate a Progress Check at a tier that supports photos and provide separate consent — see Section 4.3).
- Meal photographs (optional, when you submit a photo for nutritional analysis)
3.5 Device & Technical Data
- Device language, locale, time zone
- Operating system and version (iOS or Android)
- Push notification token (issued by the Apple Push Notification Service or Firebase Cloud Messaging), used only to deliver notifications you have enabled.
- Authentication-related state held locally on your device.
3.6 Subscription & Payment Data
- Subscription status and entitlements (managed via Apple App Store / Google Play Store in-app purchase systems)
- Transaction receipts retained for tax and accounting purposes
- We do not collect or store credit card numbers; payment processing is handled entirely by Apple and Google
3.7 Data Not Used for AI Model Training
We do not use your personal data — including body photos — to train, fine-tune, or improve any AI models, whether our own or those of third-party providers. Your data is transmitted to AI providers solely to generate real-time, personalized responses. See Section 5.2 for provider-specific details on retention and training policies.
4. Legal Basis for Processing
4.1 General Legal Bases
We rely on the following legal bases for processing your personal data under applicable privacy laws (including Chile's Law No. 19,628, as amended by Law No. 21,719 when applicable, Brazil's LGPD, the California CCPA/CPRA, and equivalent provisions of other applicable legislation):
- Contractual Necessity: Processing necessary to provide the core App services you have requested, including account management, workout tracking, nutritional analysis, AI coaching, and push notification delivery.
- Legitimate Interests: Operating, maintaining, and securing the App, including processing required to authenticate you, persist your data, and deliver core features. We balance our interests against your rights and freedoms.
- Legal Obligation: Processing required to comply with applicable legal obligations, including tax, accounting, and regulatory requirements.
- Consent: Where required, we obtain your explicit consent. You may withdraw consent at any time (see Section 11).
4.2 Sensitive Health Data
Health and fitness metrics, dietary information, body measurements, sleep data, and subjective wellbeing notes constitute sensitive personal data under applicable laws and require a heightened lawful basis for processing. We process this data on the basis of:
- Contractual necessity: these features are the core purpose of the App; and
- Your explicit consent, obtained at account creation, when you provide explicit, informed, and freely given consent to the processing of your health and fitness data for the purposes described in this Privacy Policy.
Withdrawal of consent: You may withdraw consent at any time by deleting your account, which will result in the permanent and immediate erasure of your personal data from our systems, or by emailing contact@apexfitness.app. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal but will result in cessation of health data processing going forward.
4.3 Body Photos: Enhanced Consent Requirements
Body photographs in minimal clothing are among the most sensitive personal data we process. Because of this heightened sensitivity, body photos are subject to a separate, dedicated consent flow that is distinct from the general health data consent described in Section 4.2.
Before any body photo is processed for the first time, you are presented with a dedicated consent disclosure that clearly explains:
- What is collected: Photographs of your body in minimal clothing (front, back, and/or side views).
- That photos are processed by third-party AI providers — the specific providers (Google Gemini, Anthropic Claude, OpenAI) are identified in Section 5.2 of this Privacy Policy.
- That photos are used solely for body composition analysis and progress tracking, and are never used to train AI models.
- That this is optional: You can use all Progress Check features (weight, measurements, wellbeing notes) without uploading body photos. Declining body photo consent does not affect any other App feature.
- How to decline: You can decline body photo upload at any time and continue using all other Progress Check features (weight, measurements, wellbeing notes). If you wish to remove a body photo after uploading, you can delete the Progress Check it belongs to; doing so permanently removes the check and any body photos uploaded with it.
This consent is never bundled with general terms of service or any other agreement. It requires a separate, affirmative action specific to body photo processing, distinct from any other consent or permission, and you may decline at any time without affecting other App features.
5. AI and Automated Decision-Making
In accordance with applicable privacy legislation, we provide the following disclosure regarding automated processing.
5.1 How We Use AI
The App uses artificial intelligence to provide personalized fitness coaching. Specifically, AI is used to:
- Generate personalized workout plans based on your fitness level, goals, exercise history, and progressive overload data.
- Provide nutritional recommendations based on your dietary preferences, calorie targets, and macronutrient goals.
- Analyze progressive overload trends to suggest weight, rep, or volume adjustments.
- Power an AI coaching chatbot that responds to your health and fitness questions.
- Analyze meal photos (when optionally provided) to estimate nutritional content.
- Analyze body photos (when optionally provided via Progress Checks) to assess body composition, identify visual changes over time, and generate personalized feedback. Body photos are transmitted to AI providers for this purpose only with your separate, explicit consent (see Section 4.3).
- Analyze Progress Check data (weight changes, measurement trends, subjective wellbeing) to adjust workout and nutrition recommendations.
5.2 AI Providers and Data Flow
AI requests are dispatched from our backend to the providers listed below, depending on availability. The App itself does not communicate with AI providers directly. The relevant subset of your data is transmitted to a provider only for the purpose of generating a response to you.
- Google Gemini (Google LLC) — used via the paid Gemini API. Under Google's terms, data submitted through the paid API is not used to improve Google's products or train its models.
- Anthropic Claude (Anthropic PBC) — used via the paid Anthropic API. Under Anthropic's commercial terms, data submitted through the API is not used to train Anthropic's models by default.
- OpenAI (OpenAI, L.L.C.) — used via the paid OpenAI API. Under OpenAI's API data usage policy, data submitted through the API is not used to train OpenAI's models by default, and API data sharing for training is opt-in (we have not opted in).
AI processing occurs primarily in the United States and in other regions where these providers operate. We obtain your explicit, unbundled consent before transmitting body photos to AI providers, in compliance with Apple App Store Guideline 5.1.2(i). General health and fitness data submitted to AI providers for non-photo features (chatbot, workout planning) is processed under the legal bases in Section 4.
5.3 Logic Involved
The AI processes your historical workout data, body metrics, dietary logs, stated goals, and — where you have separately consented — body photographs, to identify patterns and generate recommendations. It uses large language models (LLMs) provided by the third-party AI services listed above, combined with structured fitness algorithms. No single automated decision produces legal effects or similarly significant effects without human oversight.
5.4 Significance and Consequences
AI-generated recommendations influence your workout routines, dietary plans, and body composition assessments. While we design these systems to be safe and beneficial, all recommendations are advisory in nature and do not replace professional medical, dietary, or fitness advice. Body composition analysis based on photographs is an estimate and should not be used as a medical or clinical assessment.
5.5 Your Rights Regarding Automated Decisions
- Obtain meaningful information about the logic involved in automated processing.
- Request human review of any AI-generated recommendation, including body composition assessments.
- Express your point of view and contest any decision based solely on automated processing.
- Opt out of AI-powered features by withdrawing consent or deleting your account. (Some core App features rely on AI; opting out may significantly reduce App functionality.)
6. Device Permissions
The App may request the following device permissions. Each permission is optional unless stated otherwise, and declining a permission will not prevent you from using the rest of the App.
- Camera: requested when you take a body photo (Progress Check) or meal photo. Declining the camera permission means you cannot capture photos in-App, but you can still use the photo library option.
- Photo Library: requested when you select an existing photo for a Progress Check or meal analysis. Declining means you cannot upload existing photos.
- Push Notifications: requested when you enable reminders or daily check-in notifications during onboarding or in Settings. Declining means you will not receive reminders.
- Face ID / Touch ID / Biometric authentication: requested when you enable biometric account unlock. We use this to verify your identity when re-opening the App or accessing sensitive Settings. The biometric match itself is performed by your device's operating system; the App only receives a pass/fail signal and never receives or stores your biometric template.
- Microphone and Speech Recognition: requested when you tap a dictation control on the chatbot input or the meal-description text field to dictate text into the App. Speech recognition is handled by your device's operating system or built-in speech recognition services. Where supported, we request on-device recognition. Audio is not transmitted to APEX servers and is not sent by APEX to any third-party AI provider. The App will only request microphone access at the moment you use a dictation control, and only with your explicit consent through the operating system permission prompt. The App does not record audio in the background or without an active user-initiated action.
Note: Camera permission and body photo consent are separate. Granting camera access does not constitute consent to process body photos for AI analysis. Body photo consent is obtained through the dedicated flow described in Section 4.3.
The App does not integrate with Apple HealthKit, Google Fit, or any other device health platform. All health and fitness data is entered manually by the user.
7. Third-Party Service Providers
In compliance with Apple App Store Guideline 5.1.2(i) and applicable data protection laws, we identify all third-party providers that process your data. We do not sell or share your personal data with advertisers or unrelated third parties.
Storage and authentication (Google LLC):
- Firebase Authentication — account creation, login, session tokens
- Cloud Firestore — primary database for user accounts, workout logs, nutrition logs, progress check records, body photo metadata, and references to user-uploaded files
- Google Sign-In — optional sign-in method
Content delivery and user-file storage (Google LLC):
- Firebase Storage — hosts the App's exercise video library and stores user-uploaded files (encrypted body photos uploaded through Progress Checks, meal photos, and custom meal photos). All user-uploaded files are encrypted at the application layer before being written to Storage; see Sections 7.1 and 14.
Apple Inc.:
- Apple Sign-In — optional sign-in method
- Apple Push Notification Service (APNs) — push notification delivery to iOS devices
- App Store In-App Purchases — subscription management on iOS
Backend hosting (Render Services, Inc.):
- Render — hosts our backend API, which routes requests between the App and AI providers.
Push notifications (Expo, by 650 Industries, Inc.):
- Expo Push Notification Service — relays push notifications to APNs and Firebase Cloud Messaging on our behalf
AI processing (see Section 5.2 for details):
- Google Gemini API (Google LLC)
- Anthropic Claude API (Anthropic PBC)
- OpenAI API (OpenAI, L.L.C.)
7.1 Body Photo Processing by AI Providers
When you upload body photos through Progress Checks and have provided separate consent (Section 4.3), the photos are transmitted through our backend to an AI provider listed in Section 5.2 for body composition analysis. Body photos are sent only when needed to generate a response and are not retained by AI providers beyond their standard API retention periods. We do not grant any AI provider permission to use body photos for model training, and each provider's default API policy excludes API-submitted data from training.
8. Analytics and Tracking Technologies
As a mobile application, APEX Fitness does not use browser cookies. We do not currently use Mixpanel, Firebase Analytics, Google Analytics, Crashlytics, Amplitude, PostHog, Segment, or any other third-party analytics, attribution, or advertising SDK. Our database is used solely for data storage and does not perform analytics or tracking functions.
If we introduce analytics in a future version of the App, we will update this Privacy Policy and, where required by law, request your consent before any analytics SDK begins processing your data.
9. International Data Transfers
Our service providers are primarily located in the United States. Your data — including body photos if you consent to their processing — may be transferred to and processed in the United States. We ensure adequate protection through the following mechanisms:
9.1 Chile
As a Chilean company, we comply with Law No. 19,628 on the Protection of Privacy, as amended by Law No. 21,719 when applicable, regarding international transfers of personal data. Law No. 21,719 establishes the Agencia de Protección de Datos Personales and modifies certain obligations of Law No. 19,628; we will adjust our practices in line with the law as its provisions enter into force.
9.2 Brazil (LGPD)
Transfers from Brazil are conducted pursuant to Standard Contractual Clauses approved by the ANPD, or to countries with adequate protection.
9.3 Other Jurisdictions
For users in Canada, Japan, South Korea, and other jurisdictions, we rely on adequacy decisions where available and, elsewhere, on contractual safeguards or equivalent mechanisms made available by our service providers.
10. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described in this policy, or as required by law.
- Account Data: Retained for the duration of your active account. Upon account deletion, your account record and associated personal data are permanently deleted immediately. There is no recovery window — deletion is final.
- Health & Fitness Data (workout logs, metrics, dietary data, Progress Check data, daily check-ins, daily nutrition summaries, routines, workout/nutrition plans, custom meals, and AI chat history): Retained for the duration of your active account. Upon account deletion, all of this data is removed from our database in the same operation that deletes your account, with no recovery window.
- Body Photos: Stored as encrypted files (AES-256-GCM). Retained for the duration of your active account. You can delete a specific Progress Check at any time within the App, which permanently removes the check and any body photos uploaded with it. Upon account deletion, all remaining body photo files are deleted in the same operation that deletes your account.
- AI Conversation Logs: Stored securely in our database and retained for the duration of your active account. Permanently deleted along with all your data upon account deletion. AI providers may retain data for shorter periods under their own policies (see Section 5.2).
- Payment & Subscription Records: Transaction receipts and subscription status retained for 5 years per applicable tax and accounting laws.
- Push Notification Tokens: Used only when a notification needs to be delivered, and not retained on our backend between requests. On-device, the App may cache the token for its own use; the token is removed from the device when you sign out, delete your account, disable notifications, or uninstall the App.
- Authentication Tokens: Apple/Google Sign-In tokens retained for the duration of your active session and account.
- On-Device Data: The App stores certain data locally on your device using encrypted storage, with encryption keys held in platform-provided secure storage (Apple Keychain on iOS, Android Keystore on Android). On-device data persists for the duration of App installation and is removed when you sign out, delete your account, or uninstall the App.
11. Your Rights
Depending on your jurisdiction, you have rights regarding your personal data. To exercise any right, email contact@apexfitness.app.
11.1 How to Exercise Your Rights
- Identity verification: We confirm your identity by verifying your account email and, where necessary, sending a verification code to your registered email.
- Acknowledgment: Within 72 hours of receipt.
- Fulfillment: Within the timeframe required by applicable law (generally 45 days under CCPA/CPRA, with comparable timeframes under other applicable laws, extendable with notice).
- Subprocessor propagation: When you delete your account, your personal data is removed from our database and your user-uploaded files (body photos, meal photos) are removed from storage in the same operation. Our backend is stateless and retains no per-user data between requests. AI providers do not retain per-user state beyond their standard API retention periods, which are governed by their own terms (see Section 5.2).
- Data portability: A self-serve JSON export of your account data is available through the App. The export includes your profile, daily check-ins, meal logs, daily nutrition summaries, Progress Check records, workout logs, routines, workout/nutrition plans, custom meals, and AI chat history.
- Selective deletion: You can delete a specific Progress Check at any time within the App, which permanently removes the check and any body photos uploaded with it.
11.2 California, USA (CCPA / CPRA)
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, including body photos.
- Right to Delete: Request deletion of personal information, subject to legal exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined under CCPA/CPRA.
- Right to Limit Sensitive Personal Information Use: Health data and body photos constitute sensitive personal information under CPRA. You may direct us to limit use to purposes necessary to provide the service.
We will not discriminate against you for exercising any of these rights.
11.3 Brazil (LGPD)
- Confirmation of and access to your personal data.
- Correction of incomplete, inaccurate, or outdated data.
- Anonymization, blocking, or deletion of unnecessary or excessive data.
- Data portability to another service provider.
- Information about entities with which your data has been shared.
- Withdrawal of consent (including body photo consent separately).
- Review of decisions made solely on the basis of automated processing.
11.4 Chile (Law No. 19,628, as amended by Law No. 21,719 when applicable), Canada (PIPEDA), Japan (APPI), South Korea (PIPA), and Other Jurisdictions
You have equivalent rights to access, rectification, deletion, and portability as provided under your local laws. Contact contact@apexfitness.app for jurisdiction-specific information. Canadian residents may also file a complaint with the Office of the Privacy Commissioner of Canada.
12. FTC Health Breach Notification Rule Compliance
To the extent APEX Fitness is subject to the FTC Health Breach Notification Rule (16 CFR Part 318), as amended July 2024, we will treat applicable breaches of identifiable health information in accordance with that rule. The App collects health and fitness data, including body photographs, fitness metrics, dietary information, sleep data, and calorie tracking. A breach involving body photos would be treated with the highest severity.
In the event of a breach involving unsecured identifiable health information — including unauthorized acquisition or unauthorized sharing of health data — we will:
- Notify affected individuals without unreasonable delay and no later than 60 calendar days following discovery, via email and prominent notice within the App. For breaches involving body photos, notification will include specific guidance on potential risks.
- Notify the FTC: For breaches affecting 500 or more individuals, concurrently with individual notice (within 60 calendar days of discovery). For breaches affecting fewer than 500 individuals, no later than 60 calendar days after the end of the calendar year in which the breach was discovered.
- Notify prominent media outlets if the breach affects 500 or more residents of any single US state or jurisdiction.
Notifications include a description of the information involved, the date of the breach, steps you can take, and our contact information.
13. Children's Privacy
The App is intended for users 16 years of age and older, regardless of jurisdiction. We collect your date of birth during onboarding to tailor training recommendations and to enforce this minimum age. Onboarding validation will reject any account with a date of birth indicating the user is under 16.
If we become aware that we have collected personal data from a user under 16, we will promptly delete that account and all associated data. If you are a parent or guardian and believe your child has provided personal data to us, please contact contact@apexfitness.app and we will delete the account upon verification.
14. Data Security
We implement appropriate technical and organizational security measures, including:
- Encryption of data in transit (TLS 1.2+) between the App, our backend, and all third-party services.
- Encryption at rest for all server-stored records. Body photo files are additionally encrypted with AES-256-GCM at the application layer before being written to storage.
- On-device encryption: sensitive data persisted locally on your device is encrypted, with encryption keys stored using platform-provided secure storage mechanisms (Apple Keychain on iOS, Android Keystore on Android).
- Optional biometric (Face ID / Touch ID / fingerprint) lock for App re-entry and sensitive Settings access. Biometric matching is performed entirely by the device operating system; we never receive or store your biometric template.
- Access controls and authentication requirements for personnel accessing personal data.
- Regular security assessments and vulnerability testing.
- Incident response procedures consistent with breach notification requirements (Section 12).
No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we apply heightened protections to the most sensitive data categories, particularly body photographs.
15. Changes to This Privacy Policy
When we make material changes, we will:
- Update this Privacy Policy with a new “Last Updated” date.
- Notify your registered account by push notification or email.
- Where required by law — particularly for changes affecting body photo processing, health data processing, or AI provider changes — request your renewed explicit consent.
Continued use of the App after the effective date of changes that do not require consent constitutes acceptance of the updated policy.
16. App Store Privacy Nutrition Labels
This Privacy Policy is consistent with our Apple App Store and Google Play Store privacy disclosure answers. If you notice any discrepancy, please contact contact@apexfitness.app so we can correct it promptly.
17. Contact Us
If you have questions, concerns, or requests:
Apex Tech, SpA
Email: contact@apexfitness.app
Supervisory authorities: Chile — the competent Chilean data protection authority, including the Agencia de Protección de Datos Personales once operational under Law No. 21,719; Brazil — ANPD; California — CPPA; Canada — OPC.
© 2026 Apex Tech, SpA. All rights reserved.