Privacy Policy — FitNow360

Version 1.0 — Updated on 09/15/2025

1) Who we are

Controller: Serviços de Saúde Costa de Oliveira ("FitNow360", "we", "us")

CNPJ (Brazilian tax ID): 31.124.139/0001-70

Address: RUA VICENTE LINHARES, 521 — ROOMS 1301 and 1302, ALDEOTA, Fortaleza/CE, ZIP 60135-270

DPO (Encarregado) email: dpo@fitnow360.com

This policy describes how we process personal data in the iOS app, on the website (fitnow360.com) and through the WhatsApp channel.

2) Scope and legal basis

We process data in accordance with Brazil's LGPD (Law 13,709/2018). For sensitive health data (e.g., sleep, workouts, lab results), we use specific and explicit consent (Art. 11, I). For other purposes, we rely on: performance of a contract (Art. 7, V), compliance with legal obligations (Art. 7, II), and legitimate interests (Art. 7, IX) where appropriate.

3) What data we collect

  • Account and contact: name, email, E.164 phone (+55), Firebase UID, login identifiers (Apple/Google).
  • Health data (sensitive): Apple Health/HealthKit (sleep, workouts, steps, resting HR, HRV, VO₂ max, body composition), questionnaires/intake forms, and uploaded lab results (PDF/JPG) processed by AI into structured JSON (we retain the original file).
  • Engagement and metrics: delivery and click logs (deliveries/<date>/<uid>/<sid>) and content votes (content_stats/<content_id>).
  • Technical/analytics: usage events, crash logs, approximate IP, device/OS, push tokens (FCM), web cookies/identifiers.

HealthKit transparency (Apple requirement): HealthKit data is used solely for the app's health/fitness purposes; it is not used for advertising, not sold, and not shared with third parties for marketing.

4) Purposes and legal bases

  • Provide the core service (personalized content, dashboards and trends; HealthKit sync; history) — performance of a contract.
  • Send one piece of content per day via WhatsApp (Mon–Fri) and operational communications (opt-in/opt-out; testing) — consent.
  • AI personalization (tuning by votes/clicks/profile) — consent (for sensitive data) and legitimate interests for aggregated metrics and product improvements.
  • Sharing with healthcare professionals chosen by you (with scoped access and audit) — specific consent.
  • Security, fraud prevention, support — legitimate interests and/or legal obligation.
  • Compliance with legal/regulatory obligations — legal obligation.
  • Statistics and R&D with anonymized data — outside LGPD's scope.

5) WhatsApp

  • Daily messages are only sent after opt-in (in the app/web).
  • You may stop at any time by replying "PARAR".
  • We avoid specific sensitive data in the message; details are available in the app/web via a secure deep link.

6) Sharing with third parties

Processors (acting on our behalf):

  • Google Cloud/Firebase (Auth, Firestore, Storage, Analytics, Crashlytics) — infrastructure and app data.
  • Vercel (web/Edge hosting) — website and APIs.
  • Twilio/WhatsApp Business API — sending and receiving messages.
  • Apple (HealthKit frameworks) — permissions and iOS integrations.

Healthcare professionals designated by you: when sharing is enabled (shared_with with scopes), they act as independent controllers for the portion of data they receive. Access can be revoked at any time in the app.

7) International transfers

Data may be processed/stored outside Brazil by our providers. We adopt contractual and technical measures to ensure adequate protection (e.g., specific clauses, encryption, access controls).

8) Retention

We retain your data while your account is active and as required for contractual and legal needs. After a deletion request, we apply technical timelines for deletion/backups (e.g., up to 30–90 days), except where retention is required by law.

9) Security

We use encryption in transit (TLS) and at rest (cloud services), least-privilege access, auditing of sensitive access, monitoring, and backups. No method is 100% secure; we maintain incident response plans and, when applicable, will notify in accordance with the LGPD.

10) Your rights (LGPD)

  • Confirmation and access to your data;
  • Correction of incomplete/inaccurate data;
  • Anonymization, blocking, or deletion of unnecessary/excess data;
  • Portability;
  • Deletion of data processed based on consent;
  • Information about sharing and about the possibility of refusing consent;
  • Withdrawal of consent;
  • Review of automated decisions that affect your interests.

To exercise your rights, contact: dpo@fitnow360.com.

11) Children and adolescents

FitNow360 is intended for users aged 18+. We do not knowingly collect data from minors.

12) Changes to this policy

We may update this document at any time. The current version will be published on the site/app with the update date. Material changes may require fresh consent.

Annex — Summary for "App Store Privacy"

  • Collected with your permission
    • Contact info: name, email, phone (linked to your identity).
    • Health data: sleep, workouts, physiology (linked to your identity; health/fitness purpose).
    • Identifiers: Firebase UID, push tokens (linked to your identity).
    • Diagnostics/usage: logs, crashes, analytics (we do not track you across third-party apps/websites).

We do not use data for advertising tracking. HealthKit: exclusive use for health/fitness features; no ads/sale/data mining.