Privacy Policy

1. Introduction

QBod LLC ("QBod," "we," "us," or "our") is committed to protecting your privacy while providing personalized fitness and wellness services. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use the QBod mobile application, website, and related services (collectively, the "Services").

BY USING THE SERVICES, YOU CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY.

This Privacy Policy operates in conjunction with the QBod Terms of Service, End User License Agreement (EULA), Medical Disclaimer, Security & Data Protection Policy, and AI Transparency Addendum. For technical security controls, see the Security & Data Protection Policy. For AI-specific data processing, see the AI Transparency Addendum.

1.1 Changes to Privacy Policy

QBod may update this Privacy Policy at any time by posting a revised version. Material changes will be communicated via in-app notification or email. Continued use of the Services after changes constitutes acceptance of the updated Privacy Policy.

2. Information We Collect

Information You Provide

• Account Information: Name, email, age, height, weight, biological sex
• Fitness Data: Workout history, exercise preferences, fitness goals, equipment access
• Nutrition Data: Meal logs, dietary restrictions, calorie tracking
• Health Metrics: Data from imported sources (Apple Health on iOS, Health Connect on Android, Fitbod, MyFitnessPal), screenshot data from health apps
• Communications: Messages with our AI coach, feedback, support requests

Automatically Collected Information

• Usage Data: App features used, session duration, interaction patterns
• Device Information: Device type, operating system, app version

Health Connect Integration (Android)

On Android devices, QBod integrates with Google Health Connect to sync your health and fitness data. When you connect Health Connect, we may access:

• Activity Data: Steps, distance, calories burned, exercise sessions
• Body Measurements: Weight, body fat percentage, height
• Vitals: Heart rate, heart rate variability, blood pressure, blood oxygen
• Sleep: Sleep duration and stages
• Nutrition: Dietary intake (if logged in other apps)

This data is used to calculate your Q-Scores, provide personalized coaching, track progress, and display insights. We do not sell or share your Health Connect data with third parties for their own purposes.

Revoking Access: You can disconnect Health Connect at any time in Settings → Connected Apps. This stops future syncing but does not delete previously synced data.

3. How We Use Your Information

We use your information to:

• Provide personalized fitness and nutrition coaching through our AI system
• Generate customized workout and meal plans
• Track your progress toward fitness goals
• Improve our AI coaching algorithms
• Send you important updates about your account
• Respond to your requests and support needs

4. Data Storage and Security

• All data is encrypted in transit and at rest
• We use industry-standard security measures including TLS/SSL encryption
• Data is stored on secure cloud servers (AWS and Supabase)
• We regularly review and update our security practices

QBod implements reasonable administrative, technical, and physical safeguards to protect your personal information from unauthorized access, use, or disclosure. In the event of a security incident, we will take reasonable steps to investigate and remediate the issue in accordance with applicable law, including compliance with Texas Business & Commerce Code Chapter 521 regarding the security of sensitive personal information.

FTC Health Breach Notification: In the event of a breach involving your health data, we will notify affected individuals and the Federal Trade Commission in accordance with the FTC Health Breach Notification Rule (16 CFR Part 318) within 60 days of discovery. If the breach affects 500 or more individuals in a single state, we will also notify prominent media outlets in that state as required by the Rule.

5. Third-Party Services

We share data only with services essential to app functionality:

• Google Gemini: Anonymized health and fitness data for AI coaching (anonymization described in Section 6 and the AI Transparency Addendum)
• Supabase: Cloud database hosting (data processor)
• Amazon Web Services (AWS): Secure cloud storage
• Firebase Analytics: Screen views and app interaction events (no health-specific data values; workout types and goal categories are logged for product analytics)
• Firebase Crashlytics: Crash reports with error context for app stability
• Firebase Performance: Network latency metrics for app optimization
• RevenueCat: Subscription status, transactions, and device identifiers for billing management

6. AI Processing & Data Use

AI Technology Disclosure

QBod uses Google Gemini to power our coaching features. This section explains how your data is processed when you use AI features.

Data Sent to Google Gemini

When you interact with our AI coach or use AI-powered features, we send the following information to Google Gemini for processing:

Fitness & Health Data:

• Your fitness goals and current physical stats (height, weight, age, biological sex)
• Recent workout history and performance data (exercises, sets, reps, weights)
• Nutrition logs and dietary preferences
• Sleep, stress, and recovery metrics (if provided)
• Progress tracking data and body composition measurements
• Health device images: When you photograph health devices (glucose meters, DEXA scan printouts, smart scales) for automatic data extraction, these images are sent to Google Gemini for AI-powered metric recognition

Conversational Data:

• Questions you ask the AI coach
• Chat history to maintain conversation context
• Feedback on AI recommendations

Context for Personalization:

• Equipment access and workout preferences
• Dietary restrictions and meal planning preferences
• Time constraints and scheduling information

Data Protection Measures

To protect your privacy, we implement these safeguards:

Anonymization:

• We remove or anonymize personal identifiers (name, email, precise location) before sending data to Google Gemini
• Your data is processed with a unique identifier that cannot be traced back to your identity

Contractual Protections:

• No Model Training: Google Gemini does not use your data to train their AI models per our Data Processing Agreement
• 30-Day Deletion: Google Gemini is required to delete your data within 30 days after processing
• Standard Contractual Clauses: EU-approved contract terms ensure GDPR compliance for data transfers

Encryption:

• All data transmission uses TLS 1.3 encryption (industry-standard secure protocol)
• Data is encrypted both in transit and at rest

Third-Party AI Processing Details

Google Gemini Service Information:

• Location: Google Gemini is based in the United States
• Privacy Policy: Google Gemini's Enterprise Privacy Policy governs their data handling
• EU-US Transfers: Google Gemini is certified under the EU-US Data Privacy Framework for lawful cross-border data transfers
• Data Residency: Your data may be processed on servers in the United States

Why We Use Google Gemini:

Google Gemini provides natural language processing and personalization capabilities that enable:

• Conversational AI coaching tailored to your goals
• Intelligent workout and nutrition recommendations
• Real-time analysis of your progress and adaptive planning

Your AI Choices and Control

Opt-In Required:

• AI features require explicit consent during signup
• You must check the "I consent to AI features" box to enable AI coaching
• Without AI consent, core tracking features remain available but AI coaching is disabled

Settings Control:

• Navigate to Settings > AI Features to manage your AI preferences
• Toggle AI features on/off at any time without losing your account or data

What Happens When You Disable AI:

• Stops New Processing: No new data is sent to Google Gemini after disabling
• Preserves Your Data: All workout history, goals, and progress remain intact
• Limited Functionality: AI coaching chat and AI-generated workouts become unavailable
• Re-Enable Anytime: You can turn AI features back on whenever you want

Data Deletion Options:

• Disable AI: Stops new processing but keeps historical AI conversation logs in your account
• Delete Chat History: Option to delete specific AI coaching conversations (coming soon)
• Full Account Deletion: Permanently removes all data including AI interactions (Settings > Account > Delete Account)

AI-Specific Data Retention

Our Retention:

• AI Coaching Conversations: Retained while your account is active to provide conversation history
• AI-Generated Plans: Retained as part of your fitness history (workout plans, meal recommendations)
• AI Processing Logs: Technical logs retained for 90 days for service improvement and debugging
• Deleted Account: All AI data permanently deleted within 30 days of account deletion

Google Gemini Retention:

• Processing Data: Deleted within 30 days after processing per our Data Processing Agreement
• No Long-Term Storage: Google Gemini does not retain your data for training or long-term analysis

Legal Basis for AI Processing (GDPR)

For EU residents, we process your data for AI features under these legal bases:

• Consent (Article 6(1)(a)): Your explicit consent to use AI features, provided during signup
• Legitimate Interest (Article 6(1)(f)): Service improvement, debugging, and security (for technical logs only)

You can withdraw consent at any time by disabling AI features in Settings. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.

International Data Transfers

EU to US Transfers:

If you are located in the European Union, your data is transferred to the United States for AI processing. We ensure adequate protection through:

• EU-US Data Privacy Framework: Google Gemini is certified, providing lawful transfer mechanism
• Standard Contractual Clauses: EU Commission-approved contract terms for data protection
• Adequacy Assessment: We continuously monitor Google Gemini's compliance with EU data protection standards

Your Rights Regarding Transfers:

• Request information about safeguards for your data: support@qbod.fit
• Object to transfers (will disable AI features)
• Lodge complaints with your local data protection authority

Transparency and Accountability

What We Monitor:

• AI response quality and accuracy
• User satisfaction with AI coaching
• Compliance with data processing agreements
• Security incidents or data breaches

What We Report:

• Any data breaches involving AI systems: Reported to affected users and authorities within 72 hours (GDPR requirement)
• Annual transparency reports on AI data processing (available upon request)

Your Right to Information:

You can request detailed information about:

• Specific data sent to Google Gemini for your account
• AI processing logs for your interactions
• Data Processing Agreement terms with Google Gemini

Contact support@qbod.fit with subject line "AI Data Inquiry"

7. Your Rights and Choices

You have the right to:

• Access: Request a copy of all your data
• Correct: Update inaccurate information
• Delete: Request deletion of your account and all associated data
• Export: Download your data in a portable format
• Opt-out: Disable specific features or data collection

To exercise these rights, contact us at support@qbod.fit. We will respond to your data rights requests within 30 days for GDPR requests and 45 days for CCPA requests, as permitted by law. In cases requiring additional time due to complexity or volume, we will notify you and may extend the response period as allowed by applicable law.

8. California Privacy Rights (CCPA/CPRA)

California residents have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to Know: Request disclosure of personal information collected, used, and shared in the past 12 months
• Right to Delete: Request deletion of your personal information (subject to legal exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale: Opt out of the "sale" of personal information. QBod does NOT sell your personal information.
• Right to Limit Use of Sensitive Information: Direct us to limit the use of sensitive personal information to what is necessary to provide the Services
• Right to Non-Discrimination: QBod will not discriminate against you for exercising your CCPA/CPRA rights

To submit a CCPA request, email: support@qbod.fit with subject line "CCPA Request"

9. US State Privacy Rights

QBod respects the privacy rights of all US residents. Regardless of your state of residence, QBod grants you the following rights with respect to your personal data. You do not need to live in a specific state to exercise these rights:

• Right to Confirm and Access: You may confirm whether we are processing your personal data and request access to it
• Right to Correct: You may request that we correct inaccuracies in your personal data
• Right to Delete: You may request that we delete your personal data
• Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format
• Right to Opt-Out of Sale: You may opt out of the sale of your personal data. QBod does NOT sell your personal data.
• Right to Opt-Out of Targeted Advertising: You may opt out of the processing of your personal data for targeted advertising
• Right to Opt-Out of Profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you
• Right to Appeal: If we deny your privacy rights request, you may appeal our decision
• Right to Know Third-Party Recipients: You may request a list of the specific third parties to whom we have disclosed your personal data
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights

How to Exercise Your Rights

Email support@qbod.fit with subject line "Privacy Rights Request." We will verify your identity before processing your request. We will respond within 45 days of receiving your request. If we need additional time due to the complexity or volume of requests, we will notify you and may extend the response period by an additional 45 days.

Universal Opt-Out Signals

QBod honors Global Privacy Control (GPC) signals and other universal opt-out mechanisms. When we detect a GPC signal from your browser or device, we will treat it as a valid opt-out request for the sale of personal data and targeted advertising.

States Covered

These rights meet or exceed the requirements of privacy laws in Texas, Virginia, Colorado, Connecticut, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and other states as their laws take effect.

Sensitive Data

QBod treats all health, fitness, nutrition, and body measurement data as sensitive personal data. We obtain your affirmative consent before processing sensitive data. This consent is specific and granular — it is not buried in our general Terms of Service.

10. State-Specific Supplements

The following supplements address requirements that are unique to specific states and not fully covered by the omnibus US State Privacy Rights section above.

Texas (TDPSA)

QBod LLC is incorporated in Texas. We comply with the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541). Texas residents have all of the rights described in Section 9 above. In addition:

• No Sale of Sensitive Data: QBod does not sell sensitive personal data, including health and fitness data
• Cure Period: In the event the Texas Attorney General identifies a compliance concern, we will cure it within 30 days of written notice as provided under the TDPSA
• Breach Notification: In the event of a data breach affecting Texas residents, QBod will provide notification in accordance with the Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code § 521.053) without unreasonable delay

Washington (MHMDA)

Washington residents have enhanced rights under the My Health My Data Act (RCW Ch. 19.373). Because QBod collects consumer health data as defined under the MHMDA, we maintain a separate Consumer Health Data Privacy Policy as required by Washington law. Please see our Consumer Health Data Privacy Policy for the full disclosure required under the MHMDA, including categories of health data collected, purposes, sources, sharing practices, and how to exercise your rights.

Maryland (MODPA)

QBod complies with the Maryland Online Data Privacy Act (Md. Code Ann., Com. Law § 14-4601 et seq.). In addition to the rights described in Section 9:

• Data Minimization: QBod collects only personal data that is strictly necessary to provide or maintain the specific products and services you have requested. We do not process sensitive data for secondary purposes beyond delivering the features you use.
• No Sale of Sensitive Data: QBod does not sell sensitive personal data under any circumstances, regardless of consent.

New Jersey (NJDPA)

New Jersey residents have all of the rights described in Section 9. In addition:

• Consent Revocation: If you revoke your consent for the processing of sensitive personal data, QBod will cease processing as soon as reasonably practicable and no later than 15 days after receiving your revocation request.
• Material Changes: If we make material changes to this Privacy Policy that affect how we process your data, we will notify you via in-app notification or email at least 30 days before the changes take effect, giving you the opportunity to review and withdraw consent.

Minnesota (MCDPA)

Minnesota residents have all of the rights described in Section 9. In addition, Minnesota residents have enhanced profiling rights:

• Question Profiling Results: If automated profiling produces legal or similarly significant effects on you, you may question the results
• Right to Be Informed of Reasoning: You may request an explanation of the reasoning behind a profiling decision
• Corrective Actions: You may ask what steps you can take to change future profiling outcomes
• Right to Reevaluation: You may request reevaluation of a profiling decision after correcting your data

11. Data Retention

We retain your data for as long as:

• Your account is active
• Necessary to provide our services
• Required by law

You can request deletion at any time through Settings. Upon account deletion request, we will permanently delete your data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements, complying with legal obligations). Backup copies may persist for up to 90 days before automatic deletion from backup systems.

12. Children's Privacy

QBod is not intended for users under 18 years of age. We do not knowingly collect information from children under 18. If we learn we have collected information from a child under 18, we will delete it immediately.

13. Legal Basis for Processing (EU/GDPR)

For users in the European Union, we process your personal data under these legal bases:

• Consent: When you provide explicit consent for AI coaching, analytics, or marketing communications
• Contract Performance: To provide fitness services, subscription management, and core app functionality
• Legitimate Interest: For app improvement, security, fraud prevention, and customer support
• Legal Obligation: When required by applicable law or regulation

You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

14. Additional Rights for EU Residents

If you are located in the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

Enhanced Data Subject Rights:

• Right to Restrict Processing: Limit how we process your data in certain circumstances
• Right to Object: Opt out of processing based on legitimate interests or for direct marketing
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Lodge Complaints: File complaints with your local supervisory authority

Supervisory Authority Contact:

You can contact your local data protection authority if you have concerns about our data processing. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

Exercising EU Rights:

To exercise any of these rights, contact us at: support@qbod.fit

We will respond within 30 days as required by GDPR.

15. International Data Transfers

Data Processing Locations:

Your data may be transferred to and processed in countries outside your region, including:

• United States (AWS, Google Gemini)
• Other countries where our service providers operate

Safeguards for EU Data:

For EU residents, we ensure adequate protection through:

• EU-US Data Privacy Framework: For transfers to certified US companies
• Standard Contractual Clauses: EU-approved contract terms for data protection
• Adequacy Decisions: Transfers only to countries with EU-recognized adequate protection

Your Rights Regarding Transfers:

You can request information about safeguards for your data transfers by contacting support@qbod.fit

16. Cookies and Tracking Technology

Essential Cookies Only:

QBod uses only essential cookies necessary for app functionality:

• Authentication Cookies: Keep you securely logged in
• Preference Cookies: Remember your app settings and language preferences
• Session Cookies: Maintain your app session and security

Analytics and Diagnostics:

To improve app quality and stability, QBod uses third-party services for:

• Crash Reporting: Automatic collection of crash logs and error reports to identify and fix bugs
• Performance Monitoring: App performance metrics to optimize speed and responsiveness
• Usage Analytics: Anonymous usage patterns to understand which features are most valuable

This data is collected automatically and includes: device type, operating system version, app version, crash logs, and anonymized usage patterns. This data is not linked to your personal identity and is used solely for troubleshooting and product improvement.

No Advertising or Cross-Site Tracking:

We do not use:

• Third-party advertising cookies or tracking
• Social media tracking pixels
• Cross-site tracking technology
• Data brokers or marketing analytics

Managing Cookies:

• EU residents can manage cookie preferences through device settings
• Essential cookies cannot be disabled as they are necessary for app functionality
• You can clear cookies through your device browser settings

17. Limitation of Liability

The Services are provided on an "AS IS" and "AS AVAILABLE" basis without warranties of any kind, either express or implied, to the maximum extent permitted by applicable law. To the maximum extent permitted by Texas law, QBod's total liability for any claims arising from or related to this Privacy Policy or your use of the Services shall not exceed the amount you paid to QBod in the twelve (12) months preceding the claim, or $100 USD, whichever is greater.

QBod shall not be liable for any failure or delay in performance due to circumstances beyond our reasonable control, including but not limited to: acts of God, natural disasters, infrastructure failures, internet outages, cyberattacks, or any other similar events. QBod reserves the right to modify, suspend, or discontinue any aspect of the Services at any time, with reasonable advance notice (minimum 30 days) for material changes that significantly affect your ability to use the Services.

Except as expressly stated in this Privacy Policy, QBod makes no warranties or representations about the accuracy, reliability, completeness, or timeliness of the Services, content, or data. All implied warranties, including but not limited to merchantability, fitness for a particular purpose, and non-infringement, are hereby disclaimed to the maximum extent permitted by law. This limitation of liability shall be governed by and construed in accordance with Texas law.

18. Contact Us

For questions, requests, or concerns about this Privacy Policy or your personal data:

Email: support@qbod.fit Copy

Mailing Address: QBod LLC, 539 W. Commerce St #2754, Dallas, TX 75208

Subject Line Guidelines:

• For US State Privacy Rights Requests: Use subject line "Privacy Rights Request"
• For GDPR Inquiries: Use subject line "GDPR Request"
• For CCPA Requests: Use subject line "CCPA Request"
• For Washington Health Data Requests: Use subject line "Washington Health Data Request"
• For AI Data Inquiries: Use subject line "AI Data Inquiry"
• For General Privacy Questions: Use subject line "Privacy Question"

19. Acknowledgment

BY USING THE SERVICES, YOU ACKNOWLEDGE THAT:

• You have read and understood this Privacy Policy
• You consent to the collection, use, and disclosure of your information as described
• You understand your privacy rights and how to exercise them
• You consent to international data transfers (including to the United States)
• You understand QBod's use of AI processing and third-party services
• You agree to the limitations of liability and disclaimers described herein
• You consent to the jurisdiction of Texas courts for any disputes arising from this Privacy Policy