Privacy Policy
Version 1.1 · Effective Date: May 17, 2026
1. Introduction
FitNexus ("Platform", "we", "us", "our") is a fitness networking platform that connects fitness institutions, trainers, and enthusiasts. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website (fitnexus.net) and mobile application.
We are committed to protecting your privacy in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address and password (password is hashed and encrypted)
- Name and phone number
- Role selection (Institution, Trainer, or Enthusiast)
- Terms acceptance timestamp and version
2.2 Profile Information
Depending on your role, you may provide:
- Institutions: Business name, address, location coordinates, logo, cover image, Google Maps link.
- Trainers: Bio, certifications, certification images, specializations, social media links, availability, skill level.
- Enthusiasts: Date of birth, gender, height, weight, fitness goals, activity level, avatar, fitness interests.
2.3 Health & Fitness Data
With your permission, we collect health data from your device via:
- Health Connect (Android) — Steps, heart rate (average, resting, min, max), active calories burned, sleep data, exercise sessions.
- HealthKit (iOS) — Steps, heart rate, calories, sleep, and workout data.
- Manual Input — Workout logs (exercise, sets, reps, weight, duration), nutrition logs (meals, calories, macros).
Health data sync is optional and requires your explicit consent through device-level permissions. You can revoke these permissions at any time through your device settings.
2.4 Location Data
- Institutions: Address, state, city, area, and GPS coordinates for map display and nearby search.
- Trainers: State, city, and area for the trainer marketplace and location-based discovery.
- Enthusiasts: Location is used for check-in verification when enabled by your institution. We do not track continuous location.
2.5 Payment Information
Payment processing is handled by Razorpay. We do not store your credit/debit card numbers or bank account details. We store only transaction references, subscription IDs, and payment amounts for record-keeping.
2.6 Usage Data
We collect information about how you use the Platform, including feature usage logs, for analytics and to improve our Services.
3. How We Use Your Data
We use your information to:
- Provide, maintain, and improve our Services.
- Process payments and manage subscriptions.
- Enable social features (activity feed, challenges, connections, cheering).
- Send push notifications for relevant events (new connections, challenge updates, demo requests, etc.).
- Power AI features across the Platform, including:
  - Ojas AI Coach (enthusiasts) — personalised workout programs & diet plans, daily readiness, weekly summary narratives, "Ask Ojas" chat, and Daily Pulse personalisation.
  - AI Plan Writer (trainers) — generate workout plans for clients.
  - AI Assistant & AI Support Chat (institutions) — member/lead insights, engagement copy, and product/account Q&A.
  - AI-curated research summaries.
- Generate fitness insights, streak tracking, and progress reports.
- Match trainers with institutions through the job marketplace.
- Verify check-in attendance for institutions.
- Comply with legal obligations.
4. Data Sharing
We share your information only in the following circumstances:
4.1 Within the Platform
- Institutions can see data of their registered members (name, contact, attendance, payments).
- Trainers can see data of clients assigned to them or connected via freelance relationships (health snapshots, workout plans).
- Enthusiasts can see limited profile information of connected users based on privacy settings.
- Your activity feed posts (workouts, streaks, check-ins, challenges) are visible to connected users and community members based on your feed privacy settings.
4.2 Third-Party Services
- Razorpay — For payment processing. Subject to Razorpay's privacy policy.
- Google Gemini — Powers paid-tier AI features (Ojas AI Coach personalised plans, weekly summary narratives, AI Plan Writer, AI Assistant). Prompts include the user's own fitness profile, recent workout and nutrition logs, and readiness snapshots needed to generate a useful response. We do not send personally identifiable contact information (email, phone, full name beyond first name) to Gemini.
- DeepSeek — Powers free-tier and shared AI features (Daily Pulse template-based tips, AI Support Chat retrieval-augmented answers). Free-tier prompts do not include personal health data; they use only the user's role (e.g. enthusiast / trainer / institution) and the support-knowledge corpus.
- Supabase — Our database and authentication provider. Data is stored on Supabase infrastructure hosted on Amazon Web Services (AWS).
- Expo / Firebase Cloud Messaging — For push notification delivery.
4.3 We Do Not
- Sell your personal data to any third party.
- Share your data for advertising or marketing by third parties.
- Transfer your data outside India except as necessary for the above services (Supabase/AWS infrastructure).
5. Data Storage & Security
Your data is stored on Supabase infrastructure hosted on Amazon Web Services (AWS). We implement security measures including:
- Row-Level Security (RLS) — Database policies that ensure users can only access data they are authorized to see.
- Encryption at Rest — All data stored in the database is encrypted at rest.
- Encryption in Transit — All communication between your device and our servers uses HTTPS/TLS encryption.
- Hashed Passwords — Passwords are hashed using industry-standard algorithms and never stored in plaintext.
- Vault Secrets — API keys and internal secrets are stored using Supabase Vault (pgsodium encryption).
While we implement commercially reasonable security measures, no system is completely secure. We encourage you to use a strong, unique password and protect your account credentials.
6. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable laws, you have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete personal data.
- Erasure — Delete your account and personal data at any time via our self-service page at fitnexus.net/delete-account (also in the app under Profile → Delete account), subject to legal retention requirements.
- Data Portability — Request your data in a structured, commonly used format.
- Withdraw Consent — Withdraw consent for data processing at any time (this may affect your ability to use certain features).
- Grievance Redressal — Lodge a complaint with our Grievance Officer or the Data Protection Board of India.
To delete your account, use fitnexus.net/delete-account. To exercise any other right, contact us at info@fitnexus.net.
7. Health Data
We treat health and fitness data with special care:
- Health data sync (Health Connect / HealthKit) requires your explicit device-level permission.
- Health data is only synced when you actively use the sync feature in the app.
- Your health data is visible only to you, unless you are connected to a trainer who has access through an approved profile view request or a client relationship.
- Institutions can see check-in attendance but do not have access to your personal health data.
- You can revoke health data permissions at any time through your device settings.
- Health data used for AI-powered insights is processed without sharing personally identifiable information with AI providers.
- The paid Ojas AI Coach features receive de-identified health and training context (workout history, macros, readiness snapshots) to generate personalised plans. You can stop this processing at any time by cancelling the Ojas AI Coach subscription per Terms §8.
8. Cookies & Local Storage
FitNexus uses minimal local storage:
- Authentication Tokens — Supabase session tokens stored securely in HTTP-only cookies (web) or secure storage (mobile) to keep you signed in.
- Preferences — Local storage of user preferences (theme, onboarding completion).
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track your browsing behavior across websites.
9. Children's Privacy
FitNexus is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will take steps to delete such information promptly.
If you are between 13 and 18, you should review these terms with a parent or guardian before using the Platform.
10. Data Retention
We retain your personal data for as long as:
- Your account is active and you are using our Services.
- Necessary to fulfill the purposes described in this Privacy Policy.
- Required by applicable laws (tax records, billing data).
When you delete your account, your personal data — profile, workouts, nutrition and health data, AI coach history, connections and notifications — is permanently removed, and your uploaded images (profile photo, meal-scan photos) are deleted from storage. We retain payment, order and subscription records (invoices, transactions, and the contact details on them) for the period required by tax and accounting law and to resolve any later refund, chargeback or billing dispute; these are kept on a need-to-know basis and are not used for any other purpose. We may also keep anonymized, aggregated data that cannot identify you. Notification data is automatically cleaned up (read notifications after 30 days, all notifications after 90 days).
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and effective date at the top of this page. We may also notify you through the Platform or via email for significant changes.
Your continued use of FitNexus after changes are posted constitutes your acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Grievance Officer / Data Protection Contact
Email: info@fitnexus.net
Website: fitnexus.net
We will respond to your request within 30 days, or as required by applicable law.