Privacy Policy

1. Important Information and Who We Are

Purpose of this Privacy Policy

This privacy policy aims to give you information on how Symbiote Fitness collects and processes your personal data through your use of this App, including any data you may provide when you create an account, upload physique photos, log nutrition, or interact with our AI coach.

Controller

SYMBIOTE FITNESS LTD is the controller and responsible for your personal data.

Company Details

• Legal Entity: SYMBIOTE FITNESS LTD
• Company Number: 16649354
• Nature of Business: Business and domestic software development (62012)
• Registered Location: United Kingdom
• Email: joel@symbiotefitness.com

2. The Data We Collect About You

We collect, use, store, and transfer different kinds of personal data about you which we have grouped together as follows:

A. Identity and Contact Data

• Identity Data: First name, last name, date of birth, gender.
• Contact Data: Email address.

B. Health and Fitness Data

• Physical Data: Weight, height, body measurements (e.g., waist, chest, arms), and calculated metrics (e.g., BMI, FFMI - Fat-Free Mass Index).
• Activity Data: Workout logs (exercise type, reps, sets, weight lifted), workout history, and routines.
• Nutrition Data: Daily calorie intake, macronutrients (protein, carbs, fats), micronutrients, food logs (manual entry, barcode scans, and AI food scans), and supplement usage/schedules.

C. Special Category Data (Biometrics & Visuals)

Given the specific nature of our AI Physique Analysis feature, we collect sensitive data that requires higher protection:

• Physique Photos: Images of your body that you voluntarily upload for analysis, progress tracking, or food scanning.
• AI Analysis Results: Data derived from these images regarding body composition, muscle development estimates, body fat percentage estimates, and identification of asymmetries.

D. Technical and Usage Data

• Technical Data: Internet protocol (IP) address, login data, device type (e.g., iPhone model), operating system and platform, time zone setting.
• Usage Data: Information about how you use our App, including interactions with the AI Chatbot Assistant and feature usage patterns.

E. Children's Privacy

The Services are not for individuals under 18. We don't knowingly collect data from minors. If we learn we've collected data from a minor, we'll delete it promptly. If you believe we've collected data from a minor, contact us.

3. Legal Basis for Processing (GDPR)

We will only use your personal data when the law allows us to. For users in the UK and EU, we process personal data based on the following legal grounds:

• Consent: We process Special Category Data (Physique Photos) based on your Explicit Consent (Article 9(2)(a) UK GDPR). You will be asked to provide consent within the App before using the Physique Analysis feature. We also rely on consent for genetic testing, bloodwork analysis, research participation, or marketing communications.
• Contract Performance: To create your account, provide the Services you've requested, and fulfill our Terms of Service.
• Legitimate Interests: To improve our Services, conduct research with de-identified data, ensure security, and operate our business (balanced against your rights).
• Legal Obligations: To comply with laws, regulations, and legal processes.

4. How We Use Your Personal Data

Most commonly, we use your personal data in the following circumstances:

• To Provide the Service: To create and manage your user account, calculate strength metrics (e.g., FFMI), nutritional targets, and track your progress towards fitness goals.
• AI Analysis & Coaching:
  • Food Scanning: To identify foods from images and barcodes to log calories.
  • Physique Analysis: To analyze user-uploaded photos to provide feedback on body composition and muscle development.
  • AI Chatbot Assistant: To provide personalized, context-aware fitness advice (e.g., "Drill Sergeant" mode) by processing your stored profile data (workouts, diet, physique stats).
• Service Improvement: To improve our algorithms and App functionality, and to troubleshoot technical issues.

5. Photo Privacy & Rights

Because we deal with intimate images (physique photos), we provide specific guarantees:

• What We Collect: Progress photos, physique photos for AI analysis, food photos for scanning.
• How We Use It: Provide AI-based physique feedback, scan/identify food items, track visual progress, and improve AI models (using de-identified images only).
• Your Rights:
  • You control who can see your photos.
  • Photos are stored securely and privately.
  • You can delete photos at any time.
  • We do not publicly display photos without your explicit consent.
  • By uploading, you grant us rights per our Terms of Service (solely for the purpose of providing the analysis).

6. Artificial Intelligence and Third-Party Processors

Symbiote Fitness utilizes advanced Artificial Intelligence to power our core features.

Our AI Providers

• Amazon Web Services (AWS) Bedrock: We use Amazon Bedrock to access AI models, including Anthropic (Claude) and Amazon's proprietary models.
• How Data is Processed: When you use AI features (Chatbot, Food Scanner, Physique Analysis), relevant data (text prompts, food images, or physique photos) is securely transmitted to AWS Bedrock for processing.
• No Training on Your Data: We utilize enterprise-grade agreements with our AI providers ensuring that your personal data is NOT used to train their public foundation models.
• Security: Data in transit to these services is encrypted.

7. Medical and AI Disclaimer

AI Limitations: You acknowledge that our "Physique Analysis" and "Coach" features utilize Artificial Intelligence. AI can hallucinate or produce inaccurate results. You should not rely solely on these results for health decisions. The AI provides informational/coaching advice only and does not constitute a medical diagnosis or automated legal decision.

8. How We Share Your Information

We do not sell your personal health information. We may share your information in the following circumstances:

8.1 Service Providers

We share data with third-party service providers who help us operate the Services. These providers are contractually obligated to protect your data and use it only for specified purposes:

• Cloud hosting and storage providers
• Payment processors
• Customer support platforms
• Analytics providers
• Email and communication services
• AI and machine learning platforms
• Laboratory partners (if applicable for bloodwork)
• Genetic analysis partners (if applicable)

8.2 Business Transfers

If we are involved in a merger, acquisition, sale of assets, bankruptcy, or reorganization, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to different privacy practices.

8.3 Legal Requirements

We may disclose information when required by law or to:

• Comply with the legal process (subpoena, court order)
• Enforce our Terms of Service
• Protect our rights, property, or safety (or that of our users)
• Investigate fraud or security issues

8.4 With Affiliates

We may share data with our corporate affiliates for purposes described in this Privacy Policy.

9. International Transfers

We are based in the United Kingdom.

• For UK/EEA Users: Your data remains protected under the UK GDPR.
• For International Users: By using the App, you acknowledge that your data will be transferred to and processed in the United Kingdom, which offers a high standard of data protection.

10. Data Security

We implement industry-standard technical and organizational measures to protect your data.

Technical Safeguards

• Encryption of data in transit (TLS 1.3)
• Encryption of data at rest (AES-256)
• Secure authentication and access controls
• Multi-factor authentication options
• Regular security assessments and penetration testing
• Intrusion detection and monitoring
• Secure development practices
• Isolated database environments for sensitive data
• Storage Standards: While governed by GDPR, our infrastructure utilizes storage that meets HIPAA-compliant security standards (Health Insurance Portability and Accountability Act), ensuring the highest level of encryption for your health data.

Organizational Safeguards

• Employee training on data protection
• Access controls based on role and need ("least privilege" access)
• Confidentiality agreements with employees and contractors
• Vendor security assessments
• Incident response procedures and regular security audits

Limitations

No security is absolute. While we use reasonable measures, we cannot guarantee complete security. Unauthorized entry, hardware/software failure, or other factors may compromise security. You use the Services at your own risk.

11. Data Retention

We retain your personal data for as long as necessary to provide Services, comply with legal obligations, resolve disputes, and enforce agreements.

• Account Data: Stored while your account is active and for 90 days after deletion (for backup and recovery).
• Health, Fitness, and Photo Data: Stored while your account is active and for up to 90 days after deletion.
• Temporary Data: Raw processing data for AI requests may be stored temporarily for technical execution and then deleted.
• Payment Data: Retained as long as required for accounting, tax, and legal purposes (typically 7 years).
• Communications: For as long as needed to resolve your inquiry or comply with legal obligations.

After retention periods expire, we securely delete or anonymize your data.

12. Your Rights and Choices

12.1 Access and Portability

You can access your personal data through your Account Settings. You have the right to request a copy of your personal data or download it in a portable format (JSON, CSV).

12.2 Correction and Updates

You can update most information through Account Settings. For other corrections, contact us directly.

12.3 Deletion

You can delete your account through Account Settings. This will delete most of your personal data, subject to the retention requirements described in Section 11.

12.4 Restriction and Objection

You have the right to restrict processing of your data in certain circumstances or object to processing based on legitimate interests. You may also opt out of direct marketing at any time.

12.5 Withdraw Consent

Where processing is based on consent (specifically for Physique Analysis photos), you can withdraw consent at any time via the "Data Opt Out" section in Settings.

12.6 California Privacy Rights (CCPA)

California Residents have additional rights to:

• Know what personal information is collected, used, and shared in the last 12 months.
• Request deletion of personal information (with exceptions).
• Opt-out of the "sale" of personal information (Note: We do not sell personal information).
• Non-discrimination for exercising privacy rights.

To exercise CCPA rights, contact us. We will respond within 45 days.

12.7 UK/EU Rights

Residents have rights under GDPR including: Right to access, rectification, erasure ("right to be forgotten"), restriction, portability, objection, and withdrawal of consent.

12.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority.

• UK Supervisory Authority: Information Commissioner's Office (ICO) - ico.org.uk
• EU Supervisory Authorities: Each EU member state has a data protection authority.

How to exercise your rights

To exercise any of these rights, please contact us at privacy@symbiotefitness.com. We generally respond to GDPR requests within 1 month.

13. Cookies and Tracking Technologies

We use cookies and similar technologies (Pixels, Mobile Identifiers) to operate and improve our Services.

• Essential Cookies: Required for the Services to function (authentication, security). Cannot be disabled.
• Analytics Cookies: Help us understand usage (e.g., Google Analytics, Firebase Analytics).
• Advertising & Social Media Cookies: Used to deliver relevant ads or enable sharing features (if applicable).
• Managing Cookies: You can control cookies through browser settings, mobile privacy settings, or our cookie preference center.

Do Not Track: We do not currently respond to Do Not Track signals because there is no industry standard.

14. Third-Party Links

The App may include links to third-party websites, plug-ins, and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in practices, features, or legal requirements.

• Notice: We will notify you of material changes by posting the updated policy with a new "Last Updated" date, sending an email, or providing an in-app notification.
• Continued Use: Using the Services after changes means you accept the updated Privacy Policy.

16. Contact Us

If you have any questions about this privacy policy or our privacy practices, please contact us: