Privacy Policy

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Email address (for authentication and communication)
• Account creation timestamp
• Login activity and session data

1.2 Health and Fitness Data (Special Category Data)

IMPORTANT: Under GDPR Article 9, health data is "special category" personal data requiring explicit consent and extra protection.

We collect the following health-related data:

• Physical measurements: Age, weight, height, gender
• Fitness profile: Training experience level, available equipment, training frequency
• Workout performance: Exercises performed, sets, reps, weights used, RIR (Reps In Reserve), rest times
• Pain and injury data: Reported limitations, pain locations, severity, affected exercises
• Workout notes: Free-text feedback including subjective feelings, fatigue, discomfort
• Mental readiness: Self-reported readiness scores
• Body composition: (if provided) body fat percentage, muscle mass
• Caloric phase: Bulk, maintenance, or cut status

1.3 Usage Data

We automatically collect:

• Device information (browser, operating system, screen size)
• IP address (anonymized)
• Pages visited and features used
• Error logs and performance metrics
• AI interaction patterns (e.g., workouts generated, exercises selected)

1.4 Data from Third-Party Services

We use:

• Supabase: Authentication and database hosting
• Anthropic/OpenAI: AI model providers for workout generation (data anonymized)
• Vercel: Hosting and analytics

2. How We Use Your Data

2.1 Primary Purposes

• Workout generation: AI uses your profile, history, and limitations to create personalized workouts
• Exercise recommendations: Selecting exercises based on equipment, experience, and preferences
• Progression tracking: Calculating appropriate weight/rep progressions based on performance
• Insight extraction: AI analyzes workout notes to detect patterns, preferences, and potential issues
• Safety features: Avoiding exercises that caused pain or injury
• Volume management: Tracking weekly volume to prevent overtraining

2.2 Service Improvement

• Improving AI algorithms and recommendation accuracy
• Debugging errors and fixing bugs
• Understanding user behavior to enhance UX
• Developing new features based on usage patterns

2.3 Communication

• Sending authentication emails (magic links)
• Service updates and security notifications
• Responding to support requests
• Marketing communications (only with your explicit consent)

2.4 Legal Obligations

• Complying with legal requirements (e.g., tax, law enforcement)
• Protecting our rights and property
• Preventing fraud and abuse

3. Legal Basis for Processing (GDPR)

We process your data based on:

• Explicit consent (Article 9): For health data collection and AI processing
• Contract performance: To provide the Service you signed up for
• Legitimate interests: Service improvement, fraud prevention, security
• Legal obligations: Compliance with laws and regulations

You can withdraw your consent at any time by contacting us or deleting your account.

4. Data Storage and Security

4.1 Where We Store Data

• Primary database: Supabase (PostgreSQL) hosted in EU data centers
• Client-side storage: localStorage (workouts in progress, drafts)
• Backups: Encrypted backups stored in EU

4.2 Security Measures

• Encryption in transit (HTTPS/TLS)
• Encryption at rest for sensitive data
• Row-level security (RLS) in database
• Access controls and authentication
• Regular security audits
• Anonymization of data sent to AI providers

4.3 Data Retention

We retain your data:

• Active accounts: As long as your account exists
• Deleted accounts: 30 days (to allow recovery), then permanently deleted
• Backups: Up to 90 days in encrypted backups
• Anonymized analytics: Indefinitely (cannot be linked back to you)

5. Data Sharing and Third Parties

5.1 We DO NOT Sell Your Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

5.2 Service Providers

We share data with trusted service providers who help us operate:

• Supabase: Database and authentication (GDPR-compliant, EU-hosted)
• Anthropic/OpenAI: AI models (data anonymized, no PII sent)
• Vercel: Hosting and CDN (GDPR-compliant)

All service providers are bound by data processing agreements (DPAs) and comply with GDPR.

5.3 AI Model Processing

When generating workouts, we send anonymized data to AI providers (Anthropic, OpenAI). This data:

• Does NOT include your name, email, or other identifying information
• Includes only workout-relevant data (exercise history, preferences, limitations)
• Is not used to train AI models (per provider agreements)
• Is not stored by AI providers beyond processing time

5.4 Legal Requirements

We may disclose your data if required by:

• Law enforcement or government authorities
• Court orders or legal processes
• Protection of our rights, safety, or property
• Prevention of fraud or illegal activities

6. Your Rights (GDPR)

You have the right to:

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct inaccurate or incomplete data
• Erasure ("Right to be forgotten"): Request deletion of your data
• Data portability: Receive your data in a structured, machine-readable format
• Restriction: Limit how we process your data
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Revoke consent for health data processing at any time
• Lodge a complaint: File a complaint with a data protection authority

To exercise these rights, contact us at privacy@aetha.ai or use the settings page when available.

7. Cookies and Tracking

We use minimal cookies and tracking:

7.1 Essential Cookies

• Authentication tokens (to keep you logged in)
• Session management
• Security and fraud prevention

7.2 Analytics Cookies (Optional)

• Vercel Analytics (anonymized usage statistics)
• Error tracking (to fix bugs)

You can disable analytics cookies through your browser settings.

8. Children's Privacy

Arvo is intended for users aged 14 and older. Users under 18 should use the Service under parental supervision.

We do not knowingly collect data from children under 14. If you believe we have collected such data, please contact us immediately, and we will delete it.

9. International Data Transfers

Your data is primarily stored and processed within the European Union. If data is transferred outside the EU (e.g., to AI providers in the US), we ensure adequate safeguards such as:

• Standard Contractual Clauses (SCCs)
• Data anonymization
• GDPR-compliant data processing agreements

10. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will:

• Notify you of material changes via email or in-app notification
• Update the "Last updated" date at the top
• Obtain your consent if required by law

Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions, data access requests, or to exercise your rights:

Data Protection Contact:
Email: privacy@aetha.ai
Website: https://aetha.ai

EU Representative (if applicable):
[To be determined if needed based on your business structure]