Privacy Policy
Effective Date: March 26, 2026
1. Introduction
FitHer ("we", "us", or "the Company") values your privacy and is committed to protecting your personal information in accordance with applicable data protection laws, including the Korean Personal Information Protection Act (PIPA). This Privacy Policy applies to the FitHer mobile application ("Service").
2. Information We Collect
2.1 Required Information
| Data | Purpose | When Collected |
|---|---|---|
| Email, name | Account creation and identification | Social login |
| Height, weight, goal weight | AI-personalized workout routines | Onboarding |
| Fitness goal, environment, frequency, preferred duration, intensity | AI personalization | Onboarding |
| Workout data (sets, reps, weight, duration) | Workout tracking and performance analysis | During workouts |
2.2 Optional Information (Including Sensitive Data)
| Data | Purpose | Sensitive Data |
|---|---|---|
| Menstrual cycle start date and length | Cycle-based workout intensity adjustment | Health data |
| Body fat percentage, skeletal muscle mass | Body composition tracking | Health data |
| Age | AI workout intensity adjustment | No |
2.3 Automatically Collected Information
| Data | Purpose |
|---|---|
| Device information (OS, model) | Service stability |
| App usage events (PostHog) | Service improvement and usage analytics |
| Error logs (Sentry) | Bug fixes and service stability |
| Push notification tokens | Notification delivery |
| Advertising identifier (AdMob) | Personalized ads (free users only) |
2.4 Collection Methods
- Direct input by users during registration and onboarding
- Automatic collection during service usage
- Authentication information from social login providers (Google, Apple)
3. Handling of Sensitive Information
Menstrual cycle and body composition data are classified as sensitive health information.
- Separate consent: We obtain explicit, separate consent before collecting sensitive data.
- Optional: Menstrual cycle tracking is completely optional. The service functions fully without it.
- Encrypted storage: Sensitive data is stored with encryption and access is minimized.
- Purpose limitation: Used only for AI workout routine generation and cycle-based intensity adjustment.
- Consent withdrawal: You can withdraw consent for cycle tracking at any time in app settings.
4. How We Use Your Information
| Purpose | Details |
|---|---|
| Service delivery | AI-powered workout routine generation, workout tracking, performance analytics |
| Account management | Identity verification, account identification |
| AI personalization | Personalized AI coaching based on body and health data, menstrual cycle-based workout intensity adjustment |
| Notifications | Workout reminders, streak milestone alerts, cycle-related notifications |
| Payment processing | Subscription management (processed through RevenueCat) |
| Advertising | Personalized ads via Google AdMob (free users only; ads are removed with premium subscription) |
| Service improvement | Quality improvement, bug fixes, feature development through analytics |
5. Third-Party Sharing and International Data Transfers
We do not sell your personal information. We share data with the following service providers only as necessary to operate the Service:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, serverless functions | All service data | South Korea (Seoul) |
| Google LLC (Gemini AI) | AI workout routine generation and coaching | Profile summary (height/weight/goals/experience), workout records, menstrual cycle phase | USA |
| Google LLC (AdMob) | Personalized ads (free users) | Ad identifier, device info, app usage data | USA |
| RevenueCat Inc. | Subscription payment management | User ID, subscription status | USA |
| Functional Software Inc. (Sentry) | Error tracking and performance monitoring | Device info, error logs | USA |
| PostHog Inc. | Service analytics and usage patterns | Anonymized usage events | USA |
| Expo (650 Industries Inc.) | Push notifications, app updates | Push tokens, device info | USA |
When you use AI features, your body information, workout records, and chat content are sent to the Google Gemini API. This data is transmitted through server-side Edge Functions — the client app never directly accesses external AI services. No directly identifying information (name, email) is included in the transmitted data.
6. Data Retention and Deletion
| Data | Retention Period | Legal Basis |
|---|---|---|
| Account information | Until account deletion | Service provision |
| Workout records and AI chats | Until account deletion | Service provision |
| Menstrual cycle data | Until account deletion | Service provision |
| Payment records | 5 years | E-Commerce Act |
| Service usage logs | 3 months | Communications Privacy Act |
7. Your Rights
You have the following rights regarding your personal information:
- Request access to your personal data
- Request correction of inaccurate data
- Request deletion of your data
- Request to stop processing your data
- Withdraw consent for sensitive data (menstrual cycle) collection
Account Deletion
- In the app: Profile > Settings > Delete Account
- By email: Send a deletion request to bill@jocoding.net
Upon account deletion, all personal information, workout records, AI chat history, and menstrual cycle data are permanently and immediately deleted. This action cannot be undone.
8. Security Measures
- Data encryption: SSL/TLS encryption for data in transit and encryption at rest in the database
- Access control: Row Level Security (RLS) policies ensure users can only access their own data
- Authentication security: OAuth 2.0 social login — we never store passwords directly
- Server-side AI processing: AI API keys are managed server-side only and never exposed to the client
- Input validation: User input sanitization to prevent prompt injection attacks
9. Cookies and Tracking Technologies
The FitHer mobile app does not use web cookies. However, we use the following technologies:
- MMKV (local storage): Stores app settings and authentication state locally. Removed when the app is uninstalled.
- PostHog SDK: Collects usage events for service improvement.
- Sentry SDK: Tracks app errors and performance.
- Google AdMob SDK: Collects data for ad display. Disabled for premium subscribers.
10. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
Data Protection Contact
Email: bill@jocoding.net
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in law, policy, or security practices. Changes will be announced at least 7 days before taking effect via in-app notification. For material changes that significantly affect your rights, we will provide at least 30 days' notice.
This Privacy Policy is effective as of March 26, 2026.
Previous version: February 25, 2026