StayFit is operated by Nabi Ventures LLC, a single-member limited liability company organized under the laws of the State of Illinois (“StayFit,” “we,” “us,” or “our”). We are committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the StayFit mobile application (“App”) and the StayFit website at getstayfitapp.com (“Website,” and together with the App, the “Services”). Please read this policy carefully. By using the Services, you consent to the practices described in this Privacy Policy.
1. What Data We Collect
We collect the following categories of information:
- Account Information: Email address, display name, username, pronouns, bio, and profile information you provide during registration. If you sign in with Apple or Google, we receive your name and email address from the identity provider you choose.
- Workout and Fitness Data: Exercise logs, workout history, sets, reps, weights, RPE/RIR ratings, workout duration, personal records, streaks, weekly goals, training periodization plans, and related fitness data you enter into the App.
- Progress Photos: Photos you voluntarily upload to track your fitness progress. These are stored securely and are private to your account by default.
- Health Data (Apple HealthKit): With your explicit permission, we read step count, resting heart rate, sleep analysis, and active energy data from Apple Health. We also write completed workout sessions back to Apple Health. See Section 7 for details on HealthKit data handling.
- Body Measurements: Weight, body fat percentage, and up to 12 circumference measurements (neck, chest, waist, hips, and others) you voluntarily enter. This data is private by default and protected behind device biometric authentication within the App.
- Reproductive and Menstrual Cycle Data: If you choose to enable cycle tracking, we collect period start dates, cycle and period length, flow intensity, symptoms (such as cramps, fatigue, headache, bloating, and mood changes), daily energy levels, and cycle phase data. This data is classified as sensitive and is subject to the additional protections described in Section 6.
- Food and Nutrition Data: Food logs, macro and micronutrient estimates, water intake, dietary preferences, allergies, and photos of meals you submit for AI analysis.
- Barcode Scan Data: When you scan a product barcode, the barcode number is sent to the Open Food Facts or USDA FoodData Central databases to retrieve nutritional information. No personally identifiable information is included in these lookups.
- Voice and Audio Data: If you use voice commands with the AI assistant, microphone audio is captured and processed using on-device or cloud-based speech recognition to convert your speech to text. The transcribed text is then processed as a text query. We do not store raw audio recordings after transcription is complete.
- Social and Community Data: Follow and friend connections, public profile information (display name, avatar, streaks, level, badges, personal records), challenge participation and results, leaderboard rankings, kudos, reactions, comments, and activity feed content.
- Messages: Direct messages between users and group chat messages. Direct messages are encrypted using AES-GCM encryption. Messages are stored on our servers and are visible only to the participants in the conversation.
- Transformation Stories: Before-and-after progress photos, captions, and visibility settings you share through the Stories feature.
- Community Food Contributions: Food items (name, brand, serving size, and macro information) that you voluntarily submit to the shared community food database. These contributions are visible to other users.
- Wallet and Transaction Data: If you use the wallet feature, we collect records of deposits, purchases, sales, withdrawals, and StayFit Coin transactions (including challenge stakes and winnings). Payment card details are processed by Stripe and are not stored on our servers.
- Creator Payout Data: If you are a creator who receives payouts, Stripe Connect collects your identity verification information, bank or debit card destination, and tax identification information directly. StayFit does not store your full bank account details; we retain only the Stripe transfer and payout identifiers needed to track payout status.
- Coach Certification Data: If you register as a coach, we collect certification type, certification number, issuing organization, issue and expiration dates, and a proof image of your credential.
- Referral Data: Your unique referral code, the identity of users you refer, referral status, and any rewards earned through the referral program.
- Usage and Analytics Data: App interaction events (such as workouts completed, features used, and subscription actions), session duration, and feature usage patterns. These events are linked to your user ID for product improvement purposes.
- Device and Diagnostic Data: Device type, operating system version, app version, crash reports, error logs, and performance traces for debugging and reliability purposes. Crash reports may include your user ID and email address for issue resolution.
- Device Integrity Data: We perform device integrity checks to detect compromised or tampered devices. These checks are used solely for fraud prevention and security purposes, such as restricting wallet operations on jailbroken devices. No data from these checks is shared with third parties.
2. How We Use Your Data
We use the collected information for the following purposes. Where applicable under GDPR, the lawful basis for each purpose is noted in parentheses.
- To provide and maintain the Services, including workout logging, calendar tracking, nutrition tracking, progress photo storage, streak tracking, and cross-device sync. (Contract performance.)
- To power AI features including personalized workout plan generation, food photo macro estimation, natural language food logging, AI chat assistant, and recovery insights. (Contract performance; consent for health data inputs.)
- To provide cycle-aware workout and recovery recommendations if you enable menstrual cycle tracking. (Explicit consent.)
- To enable social features including follow and friend connections, challenges, leaderboards, direct and group messaging, transformation stories, kudos, and reactions. (Contract performance.)
- To operate the creator marketplace, coach marketplace, and referral program, including content purchases, payouts, certification verification, and referral rewards. (Contract performance.)
- To process payments for subscriptions, StayFit Coin purchases, wallet deposits, content purchases, and creator payouts. (Contract performance; legal obligation for payment and tax records.)
- To look up product nutritional information when you scan barcodes. (Contract performance.)
- To send push notifications (workout reminders, challenge updates, friend requests, messages, streak milestones, and payout status updates) if you have opted in. (Consent.)
- To analyze usage patterns and improve the Services. (Legitimate interests in product improvement.)
- To diagnose technical issues and fix bugs using crash reports, error logs, and performance traces. (Legitimate interests in service reliability.)
- To detect and prevent fraud, abuse, and security threats, including device integrity checks and suspicious transaction monitoring. (Legitimate interests in security and fraud prevention.)
- To communicate with you about your account, including support inquiries, important service updates, and transactional emails. (Contract performance; legal obligation.)
- To comply with legal obligations, including maintaining payment and tax records as required by law. (Legal obligation.)
3. Cookies and Website Tracking
The App does not use tracking cookies, advertising cookies, or cross-site tracking technologies. The Website uses only strictly necessary cookies for authentication and session management when you are logged in to the Dashboard. No advertising or cross-site tracking cookies are set.
Vercel Analytics is used on the Website for anonymous, aggregated traffic metrics. Vercel Analytics is cookieless and does not collect personal data or track individual users.
4. Data Storage and Security
Your data is stored on secure servers provided by Supabase, our cloud infrastructure provider. All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or later.
We implement appropriate technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encrypted messaging (AES-GCM for direct messages), Stripe webhook signature verification, and role-based access controls. However, no method of electronic storage or transmission over the Internet is 100% secure, and we cannot guarantee absolute security.
Sensitive data such as body measurements, progress photos, and menstrual cycle data are protected behind device biometric authentication (Face ID or Touch ID) within the App for an additional layer of privacy. StayFit never receives your biometric identifiers; Face ID and Touch ID verification is handled entirely by Apple on your device.
5. Third-Party Services
We use the following third-party services to operate and improve the Services. For each, we describe the data shared and, where relevant, the data that is not shared.
- Supabase: Cloud database, authentication, file storage, real-time subscriptions, and edge functions. Supabase processes all user data stored in the App. Supabase is bound by a data processing agreement.
- Apple (Sign in with Apple): If you choose to sign in with Apple, Apple provides your name and email address (or a private relay address) to authenticate your account. No fitness, health, or financial data is shared with Apple through this flow.
- Google (Sign in with Google): If you choose to sign in with Google, Google provides your name and email address to authenticate your account. No fitness, health, or financial data is shared with Google through this flow.
- Apple StoreKit: In-app purchase processing for subscriptions and StayFit Coin purchases. Apple processes purchase receipts and subscription status. Apple does not receive your fitness or health data through StoreKit.
- Apple HealthKit: With your permission, we read health and fitness data from and write completed workouts to Apple Health. HealthKit data is never sold, never used for advertising, and never shared with third parties. See Section 7 for full details.
- Stripe:Payment processing for wallet deposits, content purchases, and web subscription management. When you make a payment through Stripe, Stripe processes your payment information under Stripe's own privacy policy. We do not store your full credit card number or payment account details on our servers. We store only Stripe customer and transaction identifiers.
- Stripe Connect: If you are a creator who receives payouts, Stripe Connect collects your identity verification information (KYC), bank or debit card destination, and tax identification information directly under the Stripe Connected Account Agreement. StayFit does not store your full bank account or identity verification details; we retain only Stripe transfer and payout identifiers.
- Anthropic (Claude AI):We use Anthropic's Claude API to power AI features (such as food analysis, workout generation, and the chat assistant). Anthropic acts as our data processor under a Data Processing Addendum that includes the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Anthropic does not use the content we send to train its models, except where we submit feedback or where a request is flagged for safety review under its Usage Policy, and it retains this content only transiently for security and abuse prevention. We send only the content needed for each feature and do not attach your name or email. We cache AI responses using non-identifying content hashes to reduce redundant processing.
- Open Food Facts: An open-source product database used for barcode scanning nutritional lookups. Only the barcode number is sent. No personal data is included.
- USDA FoodData Central: A public nutrition database used for food search queries. Only food search terms are sent. No personal data is included.
- Sentry: Crash reporting and performance monitoring. Sentry receives crash logs, stack traces, device information, performance traces, and contextual breadcrumbs. Your user ID and email address are associated with crash reports to help us resolve issues that affect your account. Performance data is sampled at 20% and is not linked to your identity. Sentry does not receive your fitness, health, or financial data.
- Resend: Transactional email delivery for account-related emails (password resets, email confirmations, and important account notifications). Resend receives only your email address.
- Vercel: Website hosting and deployment. Vercel Analytics collects anonymous, aggregated, cookieless traffic metrics on the Website. No personal data is collected by Vercel.
Each third-party service has its own privacy policy governing the use of your information. We encourage you to review their policies. All subprocessors that handle personal data on our behalf are bound by data processing agreements.
6. Sensitive and Health Data
StayFit collects several categories of data that are classified as sensitive or special-category data under applicable law, including GDPR Article 9 and various US state health privacy laws. We process this data only with your explicit consent, and you may decline to provide it or delete it at any time.
Reproductive and Menstrual Cycle Data
Reproductive and menstrual-cycle data you choose to log (such as period dates, flow, symptoms, and predicted phases) is among the most sensitive information we hold. We process it only with your explicit consent and only to provide cycle-tracking and related features. We never sell or share it, never use it for advertising, never use it to train AI models, and never display it on any social or public feature. We store it privately and, where supported, behind your device's biometric lock.
We will not disclose this data to third parties except where required by a valid, binding legal process; we will object to or narrow requests we believe are overbroad or improper, and we will notify you before disclosing your reproductive-health data unless we are legally prohibited from doing so. You can delete this data at any time in the App.
Health and Fitness Data
Workout logs, body measurements, and HealthKit-sourced data (steps, heart rate, sleep, active energy) are health-related data processed with your consent. You may revoke HealthKit access at any time through your device settings. Body measurements are protected behind biometric authentication within the App.
Biometric Authentication
Face ID and Touch ID are used as a local device protection for sensitive screens within the App (progress photos, body measurements, menstrual cycle data). StayFit never receives, processes, or stores your biometric identifiers. All biometric verification is handled entirely by Apple on your device using the Secure Enclave.
7. HealthKit Data Usage
StayFit integrates with Apple HealthKit to provide a more comprehensive fitness tracking experience. With your explicit permission, we:
- Read step count, resting heart rate, sleep analysis (asleep states only), and active energy burned from Apple Health.
- Write completed workout sessions (including type, duration, and calories burned) back to Apple Health.
HealthKit data is read on your device. Derived and aggregated values (such as daily step counts, sleep duration, and calorie totals) are synced to your account on our servers for use in streak calculations, challenge progress, and your fitness dashboard. Raw HealthKit data samples are not bulk-uploaded to our servers.
We do not sell, share, or use HealthKit data for advertising, marketing, or any purpose other than providing and improving the fitness features of the App.
HealthKit data is never shared with third parties, never used for ad targeting, and never included in analytics beyond your personal dashboard. You can revoke HealthKit access at any time through your device's Settings, then Health, then Data Access and Devices.
8. AI Data Processing
StayFit uses AI (powered by Anthropic's Claude models) to provide personalized features. Below is a description of each AI feature, the data it processes, and how that data is handled.
- Food Photo and Text Analysis: When you photograph a meal or describe it in text, the image or text is sent to Anthropic for macro estimation. Your name and email are not attached to these requests. We cache results using a non-identifying content hash so that identical inputs do not require repeated processing. Usage is subject to monthly limits based on your subscription tier.
- AI Chat Assistant: Conversation content (and, for voice input, the transcribed text) is sent to Anthropic for processing. To provide personalized coaching, the AI assistant may access your fitness profile, recent workout history, nutrition logs, recovery status, and (if you have enabled it) your current menstrual cycle phase. Your name and email are not attached to these requests. Conversation history is stored in your account for continuity across sessions.
- Workout Generation: When you request a personalized workout plan, the AI uses your workout history, fitness goals, available equipment, and injury information to generate a plan. This data is specific to your account and is not anonymized or aggregated. Your name and email are not attached to these requests.
- Recovery Insights: Your workout patterns and, if permitted, HealthKit data are analyzed to provide recovery suggestions. This analysis uses your personal data to calculate muscle group recovery status.
Data Handling: Anthropic acts as our data processor under a Data Processing Addendum that includes the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. Anthropic does not use the content we send to train its models, except where we submit feedback or where a request is flagged for safety review under its Usage Policy, and it retains this content only transiently for security and abuse prevention. We send only the content needed for each feature and do not attach your name or email.
Important: AI-generated estimates, suggestions, and coaching responses are approximate and are provided for informational purposes only. They are not a substitute for professional medical, nutritional, or fitness advice. Always consult a qualified healthcare provider or certified professional before making changes to your exercise or diet.
9. Social Features and Content Privacy
StayFit includes social features that involve sharing certain data with other users:
- Public Profile:Your display name, avatar, current streak, level, badges, and selected personal records may be visible to other users depending on your privacy settings. You can set your profile, streak, workout details, and PR board visibility to “everyone,” “friends only,” or “hidden.”
- Follows and Friends: StayFit supports both follow relationships (one-directional) and friend connections (mutual). Your follower and following counts are visible on your profile.
- Leaderboards: If you participate in leaderboards, your display name, ranking, and relevant metric (workouts, streak, volume, or XP) are visible to other participants.
- Challenges: Challenge participation, progress, and results are visible to challenge participants. If a challenge is staked with StayFit Coins, the wager amount is visible to participants.
- Direct Messages: Direct messages are encrypted using AES-GCM and are visible only to the sender and recipient. Messages are stored on our servers and are deleted when either participant deletes their account.
- Group Chats: Group chat messages are visible to all members of the group. Group chats may be public or private.
- Transformation Stories: Before-and-after photos and captions you share through the Stories feature are visible to other users according to your chosen visibility setting (public, friends only, or private). View and like counts are tracked.
- Kudos, Reactions, and Comments: Kudos, reactions, and comments on feed items are visible to other users who can view the associated content.
- Community Food Contributions: Food items you submit to the community food database (name, brand, serving size, and macro information) are visible to all users. Your user ID is associated with the submission but your display name is not publicly shown.
- Content Privacy Defaults: Workout data, body measurements, progress photos, menstrual cycle data, and nutrition data are private by default and are never shared through social features unless you explicitly choose to share them.
10. Push Notifications
With your permission, StayFit may send push notifications for:
- Daily workout and meal logging reminders.
- Friend requests, follow notifications, and challenge invitations.
- Challenge updates and results.
- Direct messages and group chat messages.
- Streak milestone celebrations and badge achievements.
- Payout status updates (for creators).
- Referral reward notifications.
You can disable push notifications at any time through your device's Settings, then Notifications, then StayFit.
11. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Services. When you delete your account, all personal data is permanently removed from our servers within 30 days, with the following exceptions:
- Payment and transaction records may be retained for the period required by applicable tax, accounting, and financial regulations.
- Tax documentation (such as W-9 or 1099-K records for creators who received payouts) may be retained as required by law.
- Fraud and abuse records may be retained to enforce our Terms of Service and prevent repeat violations.
- Legal hold records may be retained if required to comply with a legal obligation, court order, or government request.
Anonymized, aggregated data that cannot be used to identify you may be retained indefinitely for analytics and product improvement purposes.
12. Data Breach Notification
In the event of a data breach that affects your personal data, we will notify affected users and relevant supervisory authorities without undue delay, as required by applicable law. For users in the EU/EEA, notification to the relevant supervisory authority will occur within 72 hours of becoming aware of a qualifying breach, as required by GDPR Article 33. For users in the United States, we will comply with applicable state breach notification laws.
13. Your Rights
You have the following rights regarding your personal data:
- Access: You can access all your data through the App at any time.
- Export: You can export your workout history and nutrition logs as CSV files directly from the App (covering the most recent 8 weeks of data), or request a full data export by contacting us at support@getstayfitapp.com.
- Deletion: You can permanently delete your account and all associated data through the App (Settings, then Manage Account, then Delete Account), through the Website (Dashboard, then Profile), or by contacting us. Upon deletion, your Apple Sign-In tokens are revoked, all data across 24 database tables is purged, and all stored files (photos) are removed.
- Correction: You can update or correct your personal information through the App or the Website dashboard at any time.
Additional rights for California residents and EU/UK residents are described in Sections 16 and 17 below.
14. Children's Privacy
The Services are not intended for children under the age of 13 (or, for users in the EU/EEA, under the applicable digital consent age in their member state, which may be up to 16). We do not knowingly collect personal information from children under these age thresholds. If we become aware that we have collected personal data from a child below the applicable age, we will take immediate steps to delete that information. If you believe that a child has provided us with personal information, please contact us at support@getstayfitapp.com.
15. No Sale of Personal Information
StayFit does not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We do not display advertisements in the App or on the Website. We do not use third-party advertising networks, tracking pixels, or behavioral advertising technologies. We do not collect or use the Apple Identifier for Advertisers (IDFA), and we do not participate in advertising tracking frameworks.
16. California Residents (CCPA/CPRA Rights)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- The right to know what personal information we collect, use, disclose, and share.
- The right to request deletion of your personal information.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. Note: we do not sell or share your personal information for these purposes.
- The right to limit the use and disclosure of sensitive personal information. We use sensitive personal information (health data, reproductive data, biometric authentication) only for the purposes of providing the Services as described in this policy, not for inferring characteristics about you.
- The right to non-discrimination for exercising your CCPA/CPRA rights.
To exercise your rights, you may use the in-app account management features, or contact us at support@getstayfitapp.com. You may also designate an authorized agent to submit a request on your behalf. We will verify your identity before processing any request.
17. EU/UK Residents (GDPR Rights)
If you are a resident of the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation (and the UK GDPR):
- The right to access your personal data.
- The right to rectification of inaccurate personal data.
- The right to erasure (“right to be forgotten”).
- The right to restrict processing of your personal data.
- The right to data portability.
- The right to object to processing of your personal data based on legitimate interests.
- The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- The right to lodge a complaint with a supervisory authority in your member state if you believe your data protection rights have been violated.
The data controller for your personal data is Nabi Ventures LLC, 102 Wilson St, Park Forest, IL 60466, USA. For privacy questions or to exercise your rights, contact support@getstayfitapp.com. We have not appointed a Data Protection Officer because our processing does not currently require one; we will appoint a DPO and/or an EU/UK representative if and when applicable law requires it.
Our lawful bases for processing your data are: consent (for health, reproductive, and HealthKit data, and for push notifications); performance of the contract between us (for providing the Services, processing payments, and enabling features you use); legitimate interests (for analytics, security, fraud prevention, and diagnostics, where these interests are not overridden by your rights); and legal obligation (for retaining payment and tax records as required by law).
You may withdraw consent at any time by adjusting your App settings, revoking permissions on your device, or deleting your account. To exercise any of these rights, use the in-app account management features or contact us at support@getstayfitapp.com.
18. International Data Transfers
StayFit's primary data infrastructure (Supabase) is hosted in the United States. If you access StayFit from outside the United States, you understand your information will be transferred to and processed in the United States. We rely on Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable) for transfers of personal data out of the EEA/UK.
Our subprocessors that handle personal data on our behalf are bound by data processing agreements that include these safeguards.
19. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on this page and updating the version number and “Last updated” date. For material changes that affect how we process sensitive data, we will provide notice through the App or by email. We encourage you to review this Privacy Policy periodically.
20. Contact Information
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:
Nabi Ventures LLC (d/b/a StayFit)
102 Wilson St
Park Forest, IL 60466, USA
support@getstayfitapp.com
Changelog
- v2.2 (June 6, 2026): Clarified AI processor (Anthropic) DPA status and model-training exceptions. Confirmed DPA (with EU SCCs and UK IDTA) is auto-incorporated into Commercial Terms. Added training exception language for feedback submissions and safety-flagged requests.
- v2.1 (June 2026): Named operating entity (Nabi Ventures LLC). Set Illinois governing law. Added data controller identity and DPO status (Section 17). Added Supabase US hosting disclosure and Standard Contractual Clauses / UK IDTA (Section 18). Finalized AI processor and data-retention language with Anthropic DPA (Sections 5, 8). Strengthened reproductive-health data protections (Section 6). Added postal contact address (Section 20).
- v2.0 (June 2026):Comprehensive rewrite. Added voice and audio data, reproductive and menstrual cycle data, Google Sign-In, wallet and coin transaction data, creator payout data (Stripe Connect), coach certification data, referral data, device integrity data, group chat, transformation stories, follow relationships, community food contributions. Added dedicated sensitive and health data section. Corrected HealthKit data handling description. Corrected AI data processing claims (removed inaccurate “anonymized” and “not stored” statements). Added data retention carve-outs for legal, payment, tax, and fraud records. Added data breach notification section. Expanded CCPA/CPRA rights (sensitive PI, correction, authorized agent). Expanded GDPR rights (withdraw consent, complaint right, lawful bases). Added EU digital consent age. Added international data transfer section. Added cookies and website tracking section. Named Anthropic as AI provider, Google as auth provider, USDA FoodData Central and Sentry as third-party services. Added Stripe Connect subprocessor disclosure.
- v1.0 (May 2026): Initial publication.