Consumer Health Data Privacy Policy

V2 — March 23, 2026

Effective Date: March 23, 2026

This Consumer Health Data Privacy Policy is provided in compliance with the Washington My Health My Data Act (MHMDA) and supplements our general Privacy Policy. It describes how Refactor Fitness ("we", "us", "our") collects, uses, and shares consumer health data through the Refactor Fitness application (the "Service").

1. Categories of Consumer Health Data Collected

We collect the following categories of consumer health data:

Body measurements: Height, weight, age, goal weight, and BMR calculations.
Biological sex: Optional self-reported sex (male or female), used to estimate how many calories your body burns at rest (basal metabolic rate). You may decline to provide this.
Health platform data: Weight and body composition (body fat percentage) imported from Apple Health or Google Health Connect, when you grant permission to connect those services.
Nutrition and dietary data: Food entries, meal photos, calorie intake, macronutrient tracking (protein, carbs, fat, sugar, sodium), water intake, and alcohol consumption tracking.
Fitness and exercise data: Workout logs, exercise sets and reps, personal records, workout templates, cardio sessions, and workout streaks.
Fasting data: Fasting start/end times, duration, and history.
Progress photos: Front, side, and back body photos uploaded for personal progress tracking.
Health-related goals: Calorie targets, macro targets, weight goals, water goals, and activity level preferences.
Allergy and dietary restriction data: Food allergies, dietary restrictions, and cooking skill level provided for AI-personalized meal suggestions.
Injury and limitation data: Self-reported injuries or physical limitations, used to personalize workout recommendations.
AI conversation data: Messages exchanged with Spot, the in-app AI assistant, which may include discussions about health goals, dietary needs, and fitness concerns. Conversations are stored locally on your device and synced to the cloud.

2. Purpose of Collection

We collect consumer health data solely for the following purposes:

To provide the core functionality of the fitness and nutrition tracking application.
To sync your data across your devices.
To calculate fitness-related metrics (BMR, macro breakdowns, personal records).
To display your progress over time.
To generate personalized AI-powered workout and nutrition recommendations through Spot, the in-app AI assistant (Pro subscribers only).

We do not collect consumer health data for any purpose beyond providing the Service's functionality.

3. Categories of Third Parties with Access

The following categories of third parties may process your consumer health data:

Cloud infrastructure provider (Amazon Web Services): AWS provides the servers, databases, and storage where your synced data is stored. AWS acts as a data processor and does not access your data for its own purposes. Data is stored in the us-west-2 (Oregon) region.
AI model provider (Anthropic Claude via AWS Bedrock): Your fitness profile data and conversation messages are processed by an AI model to generate personalized workout and nutrition suggestions through Spot, the in-app AI assistant. This processing occurs within AWS infrastructure. No consumer health data is retained by the AI model after processing.
Subscription management (RevenueCat): Receives your anonymous user identifier and purchase information for payment and entitlement verification. RevenueCat does not receive your health data.
Food database providers (Open Food Facts, USDA FoodData Central): Public food composition databases used for nutrition facts lookup and barcode scanning. Search queries and barcodes are sent to these services. No consumer health data or personal identifying information is shared with these providers.

We do not share, sell, or otherwise disclose your consumer health data to advertisers, data brokers, or analytics providers.

4. Sale of Consumer Health Data

We do not sell consumer health data. We have never sold consumer health data. We will not sell consumer health data without obtaining your prior opt-in consent.

5. Geofencing

We do not use geofencing technology around healthcare facilities or any other locations for the purpose of collecting consumer health data, advertising, or any other purpose.

6. Your Rights

Under the MHMDA, you have the right to:

Access: You can view all of your health data within the app and export it using the Export Data feature in Profile settings.
Delete: You can permanently delete all of your consumer health data by using the "Delete Account" option in Profile > Settings. Deletion is processed promptly and permanently removes all health and fitness data — including workouts, nutrition logs, progress photos, body measurements, fasting records, and AI conversation history — from our servers. The only record retained after deletion is a minimal fraud-prevention entry containing your user ID, a one-way cryptographic hash of your email address (not the email itself), and account timestamps. This record contains no health or fitness data and is automatically deleted after one year.
Withdraw consent: You may withdraw your consent to the collection of consumer health data by deleting your account.

7. How to Exercise Your Rights

To exercise your rights regarding your consumer health data:

In the app: Go to Profile > Settings > Delete Account to delete all data, or Profile > Export Data to access your data.
By email: Contact us at support@refactorfitness.app with your request.

We will respond to data rights requests within 15 calendar days.

8. Contact Us

If you have questions about this Consumer Health Data Privacy Policy, please contact us at:

Email: support@refactorfitness.app