Privacy Policy
Version 1.0 · Effective Date: April 10, 2026
1. Introduction
FitNexus ("Platform", "we", "us", "our") is a fitness networking platform that connects fitness institutions, trainers, and enthusiasts. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website (fitnexus.net) and mobile application.
We are committed to protecting your privacy in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address and password (password is hashed and encrypted)
- Name and phone number
- Role selection (Institution, Trainer, or Enthusiast)
- Terms acceptance timestamp and version
2.2 Profile Information
Depending on your role, you may provide:
- Institutions: Business name, address, location coordinates, logo, cover image, Google Maps link.
- Trainers: Bio, certifications, certification images, specializations, social media links, availability, skill level.
- Enthusiasts: Date of birth, gender, height, weight, fitness goals, activity level, avatar, fitness interests.
2.3 Health & Fitness Data
With your permission, we collect health data from your device via:
- Health Connect (Android) — Steps, heart rate (average, resting, min, max), active calories burned, sleep data, exercise sessions.
- HealthKit (iOS) — Steps, heart rate, calories, sleep, and workout data.
- Manual Input — Workout logs (exercise, sets, reps, weight, duration), nutrition logs (meals, calories, macros).
Health data sync is optional and requires your explicit consent through device-level permissions. You can revoke these permissions at any time through your device settings.
2.4 Location Data
- Institutions: Address, state, city, area, and GPS coordinates for map display and nearby search.
- Trainers: State, city, and area for the trainer marketplace and location-based discovery.
- Enthusiasts: Location is used for check-in verification when enabled by your institution. We do not track continuous location.
2.5 Payment Information
Payment processing is handled by Razorpay. We do not store your credit/debit card numbers or bank account details. We store only transaction references, subscription IDs, and payment amounts for record-keeping.
2.6 Usage Data
We collect information about how you use the Platform, including feature usage logs, for analytics and to improve our Services.
3. How We Use Your Data
We use your information to:
- Provide, maintain, and improve our Services.
- Process payments and manage subscriptions.
- Enable social features (activity feed, challenges, connections, cheering).
- Send push notifications for relevant events (new connections, challenge updates, demo requests, etc.).
- Power AI features using Google Gemini (AI Assistant for institutions, AI Plan Writer for trainers, research article summaries).
- Generate fitness insights, streak tracking, and progress reports.
- Match trainers with institutions through the job marketplace.
- Verify check-in attendance for institutions.
- Comply with legal obligations.
4. Data Sharing
We share your information only in the following circumstances:
4.1 Within the Platform
- Institutions can see data of their registered members (name, contact, attendance, payments).
- Trainers can see data of clients assigned to them or connected via freelance relationships (health snapshots, workout plans).
- Enthusiasts can see limited profile information of connected users based on privacy settings.
- Your activity feed posts (workouts, streaks, check-ins, challenges) are visible to connected users and community members based on your feed privacy settings.
4.2 Third-Party Services
- Razorpay — For payment processing. Subject to Razorpay's privacy policy.
- Google Gemini — For AI features. Prompts may include anonymized or contextual data to generate responses. We do not send personally identifiable health data to Gemini without anonymization.
- Supabase — Our database and authentication provider. Data is stored on Supabase infrastructure hosted on Amazon Web Services (AWS).
- Expo / Firebase Cloud Messaging — For push notification delivery.
4.3 We Do Not
- Sell your personal data to any third party.
- Share your data for advertising or marketing by third parties.
- Transfer your data outside India except as necessary for the above services (Supabase/AWS infrastructure).
5. Data Storage & Security
Your data is stored on Supabase infrastructure hosted on Amazon Web Services (AWS). We implement security measures including:
- Row-Level Security (RLS) — Database policies that ensure users can only access data they are authorized to see.
- Encryption at Rest — All data stored in the database is encrypted at rest.
- Encryption in Transit — All communication between your device and our servers uses HTTPS/TLS encryption.
- Hashed Passwords — Passwords are hashed using industry-standard algorithms and never stored in plaintext.
- Vault Secrets — API keys and internal secrets are stored using Supabase Vault (pgsodium encryption).
While we implement commercially reasonable security measures, no system is completely secure. We encourage you to use a strong, unique password and protect your account credentials.
6. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable laws, you have the right to:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete personal data.
- Erasure — Request deletion of your personal data, subject to legal retention requirements.
- Data Portability — Request your data in a structured, commonly used format.
- Withdraw Consent — Withdraw consent for data processing at any time (this may affect your ability to use certain features).
- Grievance Redressal — Lodge a complaint with our Grievance Officer or the Data Protection Board of India.
To exercise any of these rights, contact us at info@fitnexus.net.
7. Health Data
We treat health and fitness data with special care:
- Health data sync (Health Connect / HealthKit) requires your explicit device-level permission.
- Health data is only synced when you actively use the sync feature in the app.
- Your health data is visible only to you, unless you are connected to a trainer who has access through an approved profile view request or a client relationship.
- Institutions can see check-in attendance but do not have access to your personal health data.
- You can revoke health data permissions at any time through your device settings.
- Health data used for AI-powered insights is processed without sharing personally identifiable information with AI providers.
8. Cookies & Local Storage
FitNexus uses minimal local storage:
- Authentication Tokens — Supabase session tokens stored securely in HTTP-only cookies (web) or secure storage (mobile) to keep you signed in.
- Preferences — Local storage of user preferences (theme, onboarding completion).
We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track your browsing behavior across websites.
9. Children's Privacy
FitNexus is not intended for use by children under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will take steps to delete such information promptly.
If you are between 13 and 18, you should review this Privacy Policy with a parent or guardian before using the Platform.
10. Data Retention
We retain your personal data for as long as:
- Your account is active and you are using our Services.
- Necessary to fulfill the purposes described in this Privacy Policy.
- Required by applicable laws (tax records, billing data).
After account deletion, we may retain anonymized, aggregated data that cannot be used to identify you. Notification data is automatically cleaned up (read notifications after 30 days, all notifications after 90 days).
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the version number and effective date at the top of this page. We may also notify you through the Platform or via email for significant changes.
Your continued use of FitNexus after changes are posted constitutes your acceptance of the revised Privacy Policy.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Grievance Officer / Data Protection Contact
Email: info@fitnexus.net
Website: fitnexus.net
We will respond to your request within 30 days, or as required by applicable law.