Privacy Policy
Last updated: February 26, 2026
1. Introduction
FromFatToFit (“we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the FromFatToFit application and services (the “Service”).
Given the sensitive nature of health and body-related data we process, we take extra care to handle your information responsibly. Please read this policy carefully.
2. Information We Collect
2.1 Information You Provide Directly
| Category | Data Types | Purpose |
|---|---|---|
| Account Information | Email address, password (hashed), full name | Authentication and account management |
| Physical Profile | Age, gender, height, weight, ethnicity, activity level | Personalized calorie calculations, body fat estimation accuracy, and fitness recommendations |
| Body Images | Photos uploaded for body composition analysis and transformation previews | AI-powered body fat estimation and visualization |
| Food Data | Food photos, meal logs, dietary preferences, allergies | Nutrition tracking and AI food analysis |
| Fitness Data | Workout logs, exercise history, weight logs | Workout and progress tracking |
| Chat Messages | Messages sent to the AI coaching feature | Providing AI-powered fitness and nutrition guidance |
| Goals | Target weight, target body fat, daily calorie goal | Progress tracking and personalized recommendations |
| Payment Information | Payment method details (processed by Stripe/Apple/Google) | Subscription and credit pack purchases |
2.2 Information Collected Automatically
- Usage Data: Feature usage frequency, session duration, pages visited.
- Device Information: Browser type, operating system, device type.
- Log Data: IP address, access times, error logs.
3. How We Use Your Information
We use your information for the following purposes:
- Service Operation: To provide, maintain, and improve the Service, including AI-powered analyses and recommendations.
- Personalization: To customize your experience based on your physical profile, goals, and preferences.
- AI Processing: To transmit your data (including photos) to AI services for analysis — see Section 4 for details.
- Communication: To send you service-related notifications, updates, and promotional materials (with your consent).
- Payment Processing: To process subscriptions and purchases through third-party payment providers.
- Safety & Security: To detect and prevent fraud, abuse, and security incidents.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
We do NOT:
- Sell your personal data to third parties.
- Use your body images for advertising or marketing purposes.
- Use your data for purposes unrelated to the Service without your consent.
4. Third-Party AI Services and Data Sharing
This is particularly important. To provide AI-powered features, we transmit certain data to third-party AI service providers. Here is what gets shared with whom:
| Provider | Data Shared | Purpose |
|---|---|---|
| OpenAI | Food photos, body photos, chat messages, profile context | Food analysis, body fat estimation, AI coaching, body enhancement |
| Google (Gemini) | Food photos, body photos, profile context | Food analysis, body fat estimation (free tier) |
| Anthropic (Claude) | Food photos, body photos, profile context | Food analysis, body fat estimation (premium tier) |
| Replicate | Body photos | Body transformation previews, body part segmentation |
| Supabase | All user data | Database hosting, authentication, file storage |
| Stripe | Payment method, email, subscription details | Payment processing (web) |
| RevenueCat | User ID, purchase receipts | In-app purchase management (mobile) |
Each of these providers has its own privacy policy and data processing terms. We encourage you to review their respective privacy policies. We select providers that maintain industry-standard security practices, but we cannot guarantee the security of data once transmitted to third parties.
5. Body Image Data — Special Provisions
We recognize that body images are especially sensitive. The following additional protections apply:
- Purpose Limitation: Body images are used exclusively for the specific feature you request (body fat analysis, transformation preview, etc.) and are not used for any other purpose.
- AI Processing: Images are transmitted to AI providers via encrypted connections (HTTPS/TLS). We do not control how long third-party AI providers retain submitted data — please refer to their respective data retention policies.
- Storage: Original images may be stored in our secure cloud storage (Supabase) linked to your account. You may request deletion at any time.
- No Human Review: Under normal operations, your body images are processed only by automated AI systems. Human review may occur only in cases of abuse investigation or legal requirement.
6. Data Retention
- Active Account: Your data is retained as long as your account is active.
- Account Deletion: Upon account deletion request, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., billing records).
- AI Provider Retention: Data transmitted to third-party AI providers is subject to their respective retention policies. We are unable to guarantee deletion from third-party systems.
- Backups: Deleted data may persist in encrypted backups for up to 90 days before being permanently removed.
7. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS) and at rest.
- Row-Level Security (RLS) on the database to ensure users can only access their own data.
- Secure authentication with hashed passwords.
- Regular security assessments and updates.
Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of your personal data.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data (“right to be forgotten”).
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request restriction of processing of your data.
- Objection: Object to processing of your data for certain purposes.
- Withdrawal of Consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us at privacy@fromfattofit.com. We will respond within 30 days.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence, including the United States (where many of our AI service providers are based). These countries may have different data protection laws. By using the Service, you consent to such transfers. We ensure appropriate safeguards are in place through contractual obligations with our service providers.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected data from a child under 18, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us immediately.
11. Cookies and Tracking
We use essential cookies and local storage for:
- Authentication session management.
- Theme preference (dark/light mode).
- Onboarding state tracking.
We do not currently use third-party advertising cookies or tracking pixels.
12. Data Breach Notification
In the event of a data breach that affects your personal data, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable law (GDPR, Korea PIPA).
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Provide details of the breach, including the nature of the data affected, the approximate number of individuals concerned, and the measures taken or proposed to address the breach.
- Document all breaches internally, including their effects and the remedial action taken.
Notifications will be sent via the email address associated with your account.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy on the Service and updating the “Last updated” date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
14. Contact Us
For privacy-related inquiries, requests, or complaints:
- Email: privacy@fromfattofit.com