How we handle your data
At Fysis we treat your data with the care it deserves. This document explains what we collect, why we need it, who we share it with, and what control you have. It's written in plain language on purpose — if anything is unclear, write to hello@fysis.app.
1. Who is the data controller
The data controller is Fysis, based in Mexico. For privacy-related matters reach us at:
- Email: hello@fysis.app
- Site: https://fysis.app
2. What data we collect
2.1 Account data
- Email or Apple/Google identifier when you sign in.
- Your name (if you provide it).
- Unique user ID generated by Supabase.
2.2 Health and training data you provide
- Physical metrics: height, weight, age, biological sex (for calorie and volume calculations).
- Training goals, experience level, frequency, available equipment.
- Injuries and restrictions you voluntarily report.
- Menstrual cycle data if you log it (optional, encrypted at rest).
- Workout logs: exercises, sets, reps, weight, RPE, notes.
- Daily check-ins: energy, soreness, stress, sleep, weight, tags, free-text notes.
- Meals and macros if you log them.
- Other sports activities you report (swimming, CrossFit, etc.).
2.3 App usage data
- Audio dictated to the coach (processed in real time, not stored raw — only the transcribed text is kept).
- Subscription and trial state (managed by RevenueCat and our server).
- Push notification token (if you opt in).
- Basic crash diagnostics if the app fails (no personal content included).
2.4 What we do NOT collect
- We do not access your location.
- We do not access your camera unless you explicitly enable it for meal photo logging.
- We do not access contacts, general photos, calendar, or files.
- We never sell data to advertisers.
- We do not track you across other apps or websites (no IDFA, no third-party tracking).
3. How we use your data
- Run the app: show your plan, log workouts, calculate recovery.
- Personalize AI coaching: generate your weekly plan and insights from your history.
- Process your subscription: validate trial and PRO subscription via RevenueCat and Apple.
- Improve the product: aggregated, anonymous metrics to understand what works.
- Meet legal obligations: tax retention, responses to lawful authority requests.
We do not use your data to train third-party AI models. Calls to AI providers are made under commercial agreements that prohibit them from training on your content.
4. Who we share data with (data processors)
We work with the following vendors. All are contractually bound to protect your data:
- Supabase Inc. (USA) — database, authentication, and storage. supabase.com/privacy
- Apple Inc. (USA) — App Store, Apple Sign-In, push notifications, In-App Purchase. apple.com/legal/privacy
- Google LLC (USA) — Google Sign-In (only if you choose to sign in with Google). policies.google.com/privacy
- RevenueCat Inc. (USA) — subscription management. revenuecat.com/privacy
- Anthropic PBC (USA) — Claude model for plan and insight generation. Your content is NOT used to train models. anthropic.com/legal/privacy
- OpenAI Inc. (USA) — Whisper model for voice transcription. Audio is processed and discarded; not stored. openai.com/policies/privacy-policy
Some processors handle your data in the USA. By using Fysis you accept that transfer. We take reasonable measures to ensure protection equivalent to your country of residence.
5. Data retention
- While your account is active: we keep your full history so the coach works properly.
- On account deletion: we delete your personal data within a maximum of 30 days.
- Anonymized data (with no possibility of re-identification) may be kept for product improvement.
- Legally required data (payment records) may be kept as long as the law requires.
6. Your rights
Under the GDPR in Europe, the LFPDPPP in Mexico, CCPA in California, and equivalent laws in other jurisdictions, you have the right to:
- Access the personal data we hold about you.
- Rectify incorrect or outdated data.
- Erase your data when no longer necessary.
- Object to specific uses of your data.
- Portability: receive a copy of your data in a readable format.
- Withdraw consent previously given.
To exercise any of these rights, write to hello@fysis.app with subject "Data Rights Request". We respond within 30 days.
You can also delete your account directly from the app at Me → Delete account.
7. Security
Data travels encrypted in transit (TLS 1.2+) and is stored encrypted at rest on Supabase infrastructure. Passwords are never stored in plaintext. We apply Row-Level Security so each user can only read and write their own data.
Despite all reasonable measures, no system is 100% inviolable. In the event of a breach affecting your data, we will notify you as soon as technically and legally feasible.
8. Children
Fysis is not directed at children under 13 (under 16 in the EU). We do not knowingly collect data from minors in that range. If you discover that a minor has provided us with information, write to us and we will delete it.
9. Health disclaimer
Fysis is a personal coaching tool, not a medical device. The recovery score, training plans, and insights are guidance, not prescriptions. If you have a medical condition, an injury, or are pregnant, consult a healthcare professional before following the app's recommendations.
10. Changes to this policy
If we update this policy, we'll change the "last updated" date above and, if changes are material, notify you within the app before they take effect.
Questions? Write to hello@fysis.app. A human replies.