Consumer Health Data Privacy Policy

V6 - 2026-05-12
Effective Date: May 12, 2026
Supersedes V5. Reflects the removal of stored body, progress, personal-record, and measurement photos; adds Section 1A describing the transient processing of meal-scan photos used for AI macro estimation (deleted after analysis, with a 72-hour lifecycle backstop, and never retained as part of the user record); and adds Section 1B acknowledging that feedback photos voluntarily attached to in-app support submissions are retained with a 7-day TTL and are swept on account deletion or health-data consent withdrawal.

This policy describes how we handle consumer health data — the most sensitive category of information you share with us. It is required by the Washington My Health My Data Act (RCW 19.373) and applies to anyone who uses Refactor Fitness, regardless of where you live. It supplements our general Privacy Policy.

This Consumer Health Data Privacy Policy is provided by BOGERT CSN 443, LLC, doing business as Refactor Fitness ("Refactor Fitness", "we", "us", "our"). It describes how we collect, use, and share consumer health data through the Refactor Fitness application (the "Service").

1. Categories of Consumer Health Data We Collect

"Consumer health data" means personal information that is linked or reasonably linkable to you and that identifies your past, present, or future physical or mental health status. The following are the categories we collect:

  • Body measurements: height, weight, age, goal weight, calculated basal metabolic rate (BMR).
  • Biological sex (optional): self-reported sex, used solely to estimate resting calorie burn. You may decline to provide this.
  • Health-platform data: weight, body composition (body fat percentage), and activity readings imported from Apple Health or Google Health Connect, only when you grant permission.
  • Nutrition and dietary data: food entries, calorie intake, macronutrients (protein, carbs, fat, fiber, sugar, sodium), water intake, and alcohol consumption. Meal-scan photos submitted for AI macro estimation are processed transiently (see §1A below) and are not stored as part of your nutrition record.
  • Fitness and exercise data: workout logs, exercise sets and reps, personal records, workout templates, cardio sessions, and streak data.
  • Fasting data: fasting start and end times, durations, and history.
  • Health-related goals: calorie targets, macro targets, weight goals, water goals, activity-level preferences.
  • Allergy and dietary restriction data: food allergies, dietary restrictions, cooking-skill level, and related coaching preferences.
  • Injury and limitation data: self-reported injuries or physical limitations used to personalize workout recommendations.
  • AI conversation data: messages exchanged with Spot, the in-app AI assistant, which may include discussions about your health goals, dietary needs, and fitness concerns.

Photos we do not collect or store. Refactor Fitness does not collect or store body photos, progress photos, personal-record photos, or measurement photos. The features that previously offered those photos have been removed. The only user-supplied photos that touch our systems are (a) meal-scan photos processed transiently for AI macro estimation (see §1A) and (b) feedback photos you choose to attach when you submit an in-app support request (see §1B).

1A. Transient Processing of Meal-Scan Photos

When you take or upload a meal-scan photo so that Spot can estimate macros for a food entry, the photo is processed transiently as follows:

  • The photo is uploaded to a dedicated, non-versioned, private cloud bucket inside Refactor Fitness's AWS infrastructure (us-west-2, Oregon).
  • An AI model in AWS Bedrock analyzes the photo and returns an estimate of calories and macronutrients.
  • The macro estimate is saved to your food entry. The photo itself is not saved to your food entry, your account, or any user-facing record.
  • The photo is deleted after analysis. The app attempts to delete the photo immediately on the client side; as a backstop, an automatic server-side lifecycle rule deletes, within 72 hours, any photo that was not removed by the client.

Meal-scan photos are not retained as part of your account or user record. The photo object is deleted immediately after analysis when possible; if the primary delete does not complete, an automatic lifecycle rule permanently removes the object within 72 hours. Meal-scan photos are not used to train any AI model, are not used for advertising, and are not shared with third parties other than AWS as described in §4.

1B. Feedback Photos

If you submit an in-app support request (for example, a bug report or feature request) and choose to attach a screenshot, that feedback photo is stored in a separate, private S3 prefix solely so that the support team can review and respond to your request. Feedback photos:

  • Are submitted only when you tap "Submit feedback" and voluntarily attach an image.
  • Are retained on a 7-day time-to-live (TTL); S3 lifecycle policy automatically deletes them after 7 days.
  • Are also included in the prefix sweep performed when you delete your account or withdraw your health-data consent, so they are removed at that time even if the 7-day TTL has not yet elapsed.
  • Are not used to train any AI model, are not used for advertising, and are not shared with third parties other than AWS as described in §4.

2. Sources of Consumer Health Data

  • Directly from you when you log a meal, workout, fasting session, weight, body measurement, or chat message, or when you submit a meal-scan photo for transient AI macro estimation.
  • From Apple Health or Google Health Connect when you have explicitly connected those services and granted permission.
  • Derived by us from data you provide (for example, BMR and macro splits calculated from your weight, height, age, sex, and goal).

3. How We Use Consumer Health Data

We use consumer health data only for the following purposes:

  • Provide the core nutrition, workout, fasting, and progress-tracking features you have requested.
  • Sync your data across your devices.
  • Calculate fitness metrics such as BMR, macro targets, personal records, and trends.
  • Generate AI workout, nutrition, and coaching suggestions through Spot, only when you have enabled AI features and only as described in our AI Data Sharing Consent.
  • Maintain the security and integrity of your account and the Service.

We do not use consumer health data for advertising, marketing, profiling, sale, or to train any AI or machine-learning model.

4. With Whom We Share Consumer Health Data

We share consumer health data only with the specific named processors listed below, only as necessary to provide the Service, and only under contracts that prohibit them from using the data for their own purposes:

  • Amazon Web Services, Inc. ("AWS") — cloud infrastructure (DynamoDB for structured data, S3 for data exports, transient meal-scan photos, and feedback photos, Cognito for authentication, Lambda for server functions, CloudFront for content delivery). All consumer health data synced to the cloud is stored on AWS in the us-west-2 (Oregon) region, encrypted at rest with AES-256. Meal-scan photos are held in a dedicated, non-versioned, private S3 bucket only for the duration of AI macro analysis and are then deleted (see §1A). Feedback photos are held in a separate private S3 prefix with a 7-day TTL (see §1B).
  • Large language models hosted within AWS Bedrock — AWS Bedrock is the only recipient of the inputs sent for AI features. AWS hosts a catalog of large language models that runs entirely within AWS infrastructure. When you use an AI feature, the relevant inputs (your chat message and the minimum data needed for the feature) are sent to a model in this catalog. We may use any model in this catalog that we deem appropriate and may change which model handles a given request as we tune AI features for accuracy, safety, and cost. In all cases the data does not leave AWS, is not retained by the model, and is not used to train any model. AI features require your separate, in-app consent and are off by default; see our AI Data Sharing Consent.
  • RevenueCat, Inc. — subscription management. RevenueCat receives a pseudonymous user identifier and purchase / entitlement information. RevenueCat does not receive any consumer health data.
  • Open Food Facts — public food database. When you scan a barcode or search for a food, the barcode or search term is sent. No consumer health data and no personal identifier is shared.
  • USDA FoodData Central — public food composition database maintained by the U.S. Department of Agriculture. Search terms only; no consumer health data and no personal identifier is shared.
  • Google LLC (Firebase Analytics, Firebase Crashlytics) — app telemetry processor. Firebase Analytics receives de-identified app telemetry only when you have opted in to Product Analytics (Profile > Settings > Privacy). Firebase Crashlytics receives crash reports by default as part of providing the Service. Neither service receives consumer health data fields. Specifically, we do not send to Firebase: exercise names, weight values, calorie totals, dietary restriction flags, fasting durations, or health integration readings. This exclusion is enforced at the event level — health-specific fields are scrubbed before any event leaves the app.

    Consent gate: Product Analytics requires your affirmative opt-in and is disabled by default. Crash Reporting is default-on on a service-operation basis — it does not receive health-specific fields — and you may turn it off in Profile > Settings > Privacy.

    Turning off analytics does not delete data already transmitted. Use Delete My Analytics Data (Profile > Settings > Privacy) to request deletion of previously transmitted data.

    MHMDA sub-processor authority: Google LLC is an authorized sub-processor under a Google Data Processing Agreement consistent with our obligations under WA RCW 19.373. Google processes app telemetry solely to provide the app stability and improvement services described in this policy. No consumer health data is processed by Google for any other purpose. See Firebase Privacy Policy.

We do not share consumer health data with advertisers, data brokers, advertising networks, or social media platforms. See Privacy Policy §3 for the complete sub-processor table.

5. Sale of Consumer Health Data

We do not sell consumer health data. We have never sold consumer health data. We will not sell consumer health data without first obtaining your specific, valid authorization, separate from any other consent. The valid-authorization requirements of RCW 19.373.030 will apply.

6. Geofencing

We do not use geofencing around any healthcare facility or any other location for any purpose, including identifying or tracking consumers, collecting consumer health data, or sending advertising or notifications relating to consumer health data.

7. Your Rights

You have the following rights regarding the consumer health data we process about you:

  • Right to confirm and access: confirm whether we are processing your consumer health data and obtain a copy of that data, including the categories of third parties and specific affiliates with whom we have shared it.
  • Right to delete: request that we delete your consumer health data. We will honor this request and pass it on to our processors in compliance with RCW 19.373.030.
  • Right to withdraw consent: withdraw consent for the collection, sharing, or processing of your consumer health data. Withdrawing consent must be at least as easy as granting it. You can withdraw consent in-app at any time (Profile > Settings > Privacy > Withdraw Health Data Consent), without phone calls, paperwork, or contacting support.
  • Right to appeal: if we deny a request, you have the right to appeal. See §9 below.

Disconnecting a health integration vs. withdrawing consent

These are separate actions with different effects:

  • Disconnecting Apple Health or Google Health Connect (Profile > Health Integrations) stops future imports of weight, body composition, and activity data. It does not delete readings that were already imported into Refactor — those remain in your history so your trends and charts stay intact.
  • Withdrawing consent (Profile > Settings > Privacy > Withdraw Health Data Consent) deletes all consumer health data already stored in Refactor — including imported health-platform readings, all logs, and AI conversations — and stops future collection. Withdrawing consent also turns off AI features (which depend on health data being available), which means no further meal-scan photos can be submitted for transient AI macro estimation.

8. How to Exercise Your Rights

You can exercise your rights in any of the following ways:

  • In the app (fastest): Profile > Settings > Privacy > Withdraw Health Data Consent (delete consumer health data only) or Profile > Settings > Delete Account (delete everything). Profile > Export Data lets you download a copy.
  • By email: privacy@refactorfitness.app. Include the email address associated with your account and a brief description of what you are requesting. We will verify your identity by confirming you control the account email.
  • By mail: see Terms of Use §22 (Contact Us).

We will acknowledge your request within 10 days and respond substantively within 45 days. If your request is complex or numerous, we may extend that period by an additional 45 days, in which case we will notify you of the extension and the reason for it.

9. Right to Appeal

If we deny your request, our written response will explain why and will tell you how to appeal. To appeal, reply to that written response or email privacy@refactorfitness.app with the subject line "Privacy Appeal" within 60 days of our decision. We will review the appeal and respond in writing within 45 days, explaining our reasoning and any actions taken.

If we deny your appeal, you may submit a complaint to the Washington State Attorney General at www.atg.wa.gov/file-complaint.

10. Data Retention

We retain consumer health data while your account is active. After you delete your account or withdraw health-data consent, we permanently delete consumer health data from our production systems within 30 days. Encrypted backups age out within 35 days. The only record retained after deletion is a minimal fraud-prevention entry described in our Privacy Policy §5; that record contains no consumer health data.

11. Security

Consumer health data is encrypted at rest (AES-256) and in transit (TLS 1.2 or higher). Access to production systems is limited to authorized personnel acting on a need-to-know basis. See Privacy Policy §4 for additional detail.

12. Changes to This Policy

We may update this policy. The version number and effective date at the top of this page reflect the most recent revision. If we materially change the categories of consumer health data we collect, the categories of recipients with whom we share it, or the purposes of processing, we will notify you and obtain your renewed consent before the change applies to you.

13. Contact Us

BOGERT CSN 443, LLC d/b/a Refactor Fitness
Email: privacy@refactorfitness.app
Mailing address: see Terms of Use §22 (Contact Us).