Privacy Policy
Last updated: April 23, 2026
This policy explains what Enchanted Fitness ("we") collects, why, how we use it, who we share it with, and the rights you have over your own data. It applies to the Service at enchantedfitnessapp.com and any future domain we publish it at.
1. Age requirement
The Service is for adults only. We do not knowingly collect information from anyone under 18. If you believe a minor has created an account, email coaching@enchantedfitness.app and we will remove the account and associated data.
2. Data we collect
We collect only what's needed to operate your account and the Service:
- Account data: email, display name, hashed password, account creation date, last-login time, optional avatar photo.
- Profile data: body stats (weight, goals, etc.) you enter during onboarding, equipment you own, nutrition preferences (dietary style, allergies, cooking ability, budget), and workout preferences.
- Activity data: workout logs, meal logs, journal entries, messages you send us or the AI coach, grades and streak counts derived from the above.
- Application data: answers you submit on the coaching application form, plus any admin notes about your review.
- Billing data: payment method details are processed and stored by Stripe. We store a Stripe customer identifier, subscription identifier, and subscription status, but never your full card number.
- Device and session data: IP address, browser user agent, session cookies set by our auth provider. These are used to keep you logged in and to rate-limit abuse.
- Analytics: page views and anonymized performance metrics via Vercel Web Analytics and Speed Insights. These do not set a tracking cookie or associate page views with your identity beyond the current session.
3. How we use your data
- To provide the Service: render your dashboard, generate workouts and meal plans, score your compliance, route messages.
- To personalize coaching output, including AI-generated plans and responses.
- To process subscription payments and issue invoices.
- To send transactional email (welcome, application status, payment issues, expiry nudges, password resets).
- To detect, prevent, and investigate fraud, abuse, or security issues.
- To comply with legal obligations.
We do not sell your personal data, and we do not use your data for third-party advertising.
4. Third-party services (sub-processors)
We use the following providers to operate the Service. Each has its own privacy policy and you are subject to it when we pass your data through:
- Supabase - authentication, database, file storage (avatars, exercise media).
- Vercel - hosting, edge network, analytics, speed insights.
- Stripe - payment processing, subscription management, invoice delivery, the self-serve billing portal.
- Resend - transactional email delivery.
- Anthropic (and/or other providers routed through Vercel AI Gateway) - AI models used to generate workouts, meal plans, and coach messages. Message content you send the AI coach is forwarded to the model provider for inference.
We add or change sub-processors as the Service evolves; we update this list when we do.
5. Cookies and similar technologies
We use cookies only for authentication (to keep you logged in), for basic preferences (e.g. whether you've dismissed the age-gate modal), and for the anonymous analytics pings above. We do not use third-party advertising trackers.
6. How long we keep your data
While your account is active, we keep your data for as long as it's needed to provide the Service. When you delete your account, your profile is anonymized immediately: your display name becomes "Deleted user," your email is rewritten to a non-functional placeholder, and your login is disabled permanently. Related records (workout logs, meal logs, messages) are retained in de-identified form for internal analytics and audit. You may request full deletion of retained records by emailing us.
Billing records are retained as required by tax and financial regulations (typically seven years in the U.S.).
7. Your rights
Depending on where you live, you may have the following rights:
- Access - request a copy of the personal data we hold about you.
- Correction - ask us to fix inaccurate data.
- Deletion - ask us to delete your account and your data (see section 6; soft-delete is automatic, full purge available on request).
- Objection / restriction - object to or restrict certain kinds of processing.
- Portability - receive an export of your data in a machine-readable format. Click Download my data on your Settings page to get an instant JSON file with everything we hold.
- Withdraw consent - where processing is based on your consent, you can withdraw it at any time.
To exercise any of these rights, email coaching@enchantedfitness.app. We may ask you to verify your identity before acting on a request.
8. Security
We use industry-standard practices to protect your data: TLS for data in transit, encrypted database storage via Supabase, hashed and salted passwords, service-role keys held only in our server environment, and strict row-level security on tables that contain personal data. No system is perfectly secure; we cannot guarantee that a determined attacker will never succeed. Notify us immediately if you believe your account has been compromised.
9. International transfers
We are based in the United States and store data in U.S. regions of our providers. If you are in the EEA, UK, or elsewhere, your data is transferred to the U.S. when you use the Service. We rely on the legitimate-interests and contract-performance bases under the GDPR for these transfers.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be noted by updating the "Last updated" date at the top. If a change meaningfully expands what we collect or how we use it, we will notify you by email or in-app banner before it takes effect.
11. Contact
Privacy questions, requests, or complaints:
coaching@enchantedfitness.app
See also our Terms of Service.