Privacy Policy
Effective May 4, 2026. This is a draft awaiting legal review; contact hello@bodyroutines.com.
This policy is provided in English. A Spanish translation is in progress.
1. Introduction
Body Routines ("Body Routines," "we," "us") is a multi-tenant AI-powered fitness, recovery, and lifestyle companion. This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the choices you have.
The Service is operated by Lundquist Inc., a California S-Corporation ("Lundquist Inc."). [Business address — TODO before launch.]
2. Information we collect
We collect the following categories of information:
Account
- Email address (for sign-in + transactional email)
- Full name (used to personalize the app)
- Password hash (managed by Supabase Auth — we never see plaintext)
- Date of birth (optional; required for some pregnancy + age-aware features)
- Pregnancy state (optional; used to tailor program safety)
- Height, weight, sex, training experience, sport preferences
Health and training
- Apple HealthKit reads (only with explicit per-scope permission): sleep, heart-rate variability (HRV), resting heart rate, weight, body composition, and workout summaries
- Workout logs (sets, reps, RIR, perceived effort)
- Supplement and protocol entries
- InBody scan readings (extracted from photos you upload)
- Blood test results (extracted from PDFs/photos you upload)
- Recovery scores and AI-derived insights
Sensitive media
- Voice recordings (only if you use voice logging — recordings are transcribed by OpenAI Whisper and the audio is deleted after transcription unless you opt to keep it)
- Photos you upload (InBody scans, progress photos, meal photos, supplement and peptide barcodes)
Payment
Payment information is processed exclusively by Stripe (PCI-DSS compliant). We never see, store, or transmit your card numbers; we only retain a Stripe customer ID and invoice metadata.
Usage
- Anonymous product analytics via PostHog — distinct IDs are hashed pseudonyms, never raw user IDs or emails. Auth-related routes (sign-in, sign-up, onboarding, settings) are excluded.
- Error reports via Sentry — PII is stripped server-side before sending (Authorization headers, cookies, JWTs, Stripe and Supabase keys are redacted).
3. How we use your information
- To provide the Service: generate programs, log workouts, run intensity recommendations
- To run AI features: program generation, companion chat, vision analysis (InBody, blood tests, photos)
- To deliver insights, recovery scores, drift detection, and supplement guidance
- To process billing and send transactional email (receipts, trial reminders, password resets)
- To respond to support requests and operate the Service safely (fraud prevention, rate limiting, abuse response)
- To improve the Service via aggregated, anonymized analytics — never via training AI models on your identifiable data
4. Third-party processors
We rely on the following sub-processors. Each is bound by a data-processing agreement and only handles the data needed to deliver its service.
- Anthropic (privacy) — Claude AI inference (Sonnet 4.6, Opus 4.6) for program generation, companion chat, vision analysis. Anthropic does not train its models on API requests by default.
- Stripe (privacy) — payment processing (PCI-DSS Level 1).
- Supabase (privacy) — database, authentication, storage. Encrypted at rest.
- Vercel (privacy) — hosting and edge compute.
- Resend (privacy) — transactional email delivery.
- PostHog (privacy) — anonymized product analytics.
- Sentry (privacy) — error monitoring with PII stripped before send.
- Apple (privacy) — HealthKit integration. Apple Health data stays on device unless you explicitly sync it to your Body Routines account.
- Spotify (privacy) — workout playback (linked account; we receive playback control tokens, not your full library).
- OpenAI (privacy) — Whisper transcription for voice logging only. Audio is sent for transcription and not retained for training.
- Cloudflare (privacy) — DNS and inbound email routing for hello@bodyroutines.com.
5. Health data
Body Routines treats health data with extra care, both because it's sensitive and because Apple's HealthKit framework requires us to.
- We read sleep, HRV, heart rate, weight, body composition, and workout summaries only with your explicit per-scope permission. You can revoke access at any time from iOS Settings → Health → Body Routines.
- We do not sell, share, or use health data for advertising.
- Health data is encrypted at rest in Supabase storage and in transit via TLS 1.3.
- Apple HealthKit data never leaves your device unless you explicitly sync it to Body Routines via the in-app HealthKit toggle.
- We do not access HealthKit data while the app is in the background unless you have granted background-refresh permission for that specific purpose.
6. Cookies and tracking
We use the minimum set of cookies needed to operate the Service:
- Auth session cookie (set by Supabase Auth) — required for sign-in.
- Anonymous PostHog distinct ID — a hashed pseudonym used for product analytics. Auth-related pages skip tracking entirely.
We do not run third-party advertising trackers, behavioral ad networks, fingerprinting scripts, or social-media pixels.
7. Your rights
- Access: download a JSON export of your data via Settings → Export.
- Correction: edit profile fields directly in the app.
- Deletion: Settings → Delete Account. Deletion is irreversible after the 30-day grace period.
- Portability: the same JSON export covers GDPR Article 20 portability.
- GDPR (EEA / UK): you may object to processing, withdraw consent, and lodge a complaint with your local supervisory authority.
- CCPA (California): you may request to know what we've collected, request deletion, and opt out of any "sale" of your data (Body Routines does not sell personal data). We will not discriminate against you for exercising any CCPA right.
8. Children's privacy
Body Routines is intended for adults 18 years or older. We do not knowingly collect personal information from children under 13 (COPPA in the United States) or under 16 (in jurisdictions with stricter age limits). If you believe a minor has signed up, contact us immediately at hello@bodyroutines.com and we will delete the account.
9. Data retention
- Active accounts: retained as long as your account is active.
- Deleted accounts: 30-day grace period, after which we purge your data from primary storage.
- Billing and tax records: retained for up to 7 years to comply with United States tax-record requirements (IRS, California FTB).
- Backups: rolling encrypted backups expire on the same 30-day cadence; deleted data does not survive past one backup cycle.
10. International transfers
Body Routines is operated from the United States. Our infrastructure (Vercel, Supabase, Stripe US accounts) is primarily in US data centers. By using the Service, users outside the United States (including in the EEA and UK) consent to transfer of their data to and processing in the United States.
For EEA / UK transfers, we rely on the European Commission's Standard Contractual Clauses where required. Each US sub-processor we use has published an SCC-equivalent commitment.
11. Security
- Encryption in transit: TLS 1.3 across the entire stack.
- Encryption at rest: AES-256 via Supabase managed Postgres and Vercel-managed disks.
- Row-level security (RLS): every multi-tenant table is RLS-scoped to the owning user; service-role access is server-side only.
- Sensitive UI surfaces (sign-in, billing) are gated by verified-authors-only deployment protection.
- Incident response: in the event of a data breach, we will notify affected users within 72 hours where required by GDPR and applicable US state laws.
12. Changes to this policy
We may update this Privacy Policy. Material changes will be notified via email and via an in-app banner at least 30 days before they take effect. The effective date at the top of this page is the operative version. Continued use of the Service after an update constitutes acceptance of the revised policy.
13. Contact us
Questions, requests, or concerns: hello@bodyroutines.com (Cloudflare Email Routing → blake.lundquist@gmail.com).
See also our Terms of Service.