Privacy Policy
Last updated: 27 May 2026 · Operator: En3rgy · Contact: fit-support.en3rgy.app
1. Who we are
FitEn3rgy is a fitness, nutrition, and habit-tracking app operated by En3rgy ("we", "us"). This policy explains what personal data we process when you use the FitEn3rgy web app (fit.en3rgy.app) and the FitEn3rgy mobile apps on iOS and Android.
2. What we collect
We only collect what FitEn3rgy needs to work. Concretely:
- Account data — email address, username, display name, hashed password, two-factor settings, account creation date.
- Fitness profile — weight, height, age, gender (male / female), fitness level, optional injury notes.
- Activity data — workout logs, food entries, habits, goals, training sessions, Train Together rooms you join.
- Social data — people you follow / who follow you, blocks, in-app chat messages inside Train Together rooms.
- Photos — your profile avatar (optional), photos you take for meal scanning. Avatars are stored in our database; meal-scan photos are sent to OpenAI and not retained after the scan.
- Diagnostics — IP address, basic request logs (used only to debug errors and rate-limit abuse). We do not run third-party analytics.
3. How we use it
- To run the features you use (workouts, nutrition tracking, social, Train Together, AI suggestions).
- To keep your account secure (authentication, rate limiting, abuse detection).
- To moderate uploaded photos for unsafe content (see Sub-processors).
- To send transactional emails (verification, password reset, security alerts) — never marketing.
We never sell your data and we do not show third-party advertising.
4. Sub-processors
FitEn3rgy uses the following providers. They process limited categories of data on our behalf only:
- Railway (USA) — application hosting + PostgreSQL database.
- Cloudflare (USA) — static web hosting, CDN, DNS.
- OpenAI (USA) — generates AI meal plans, training summaries, coach replies. We send the minimum context needed for the requested output. OpenAI does not train on API content.
- Sightengine (France) — automatic image moderation on uploaded avatars. Receives only the image bytes, not your identity.
- Resend (USA) — transactional email delivery.
- Stripe (USA, when applicable) — Pro subscription payments. We never see or store your card.
5. Where data lives
Application data is stored in PostgreSQL on Railway (US region). Static web assets are served from Cloudflare's global network. The mobile app stores some non-sensitive cache (e.g. UI preferences, JWT access token) inside the WebView's local storage on your device.
6. Retention
We keep your account data for as long as your account exists. When you delete your account (Settings → Privacy → Delete account, or via mobile equivalent), your personal data is hard-deleted from the database within 30 days, and your email is added to a one-way block list so we can refuse re-registration requests that are clearly abusive.
7. Your rights
You can:
- Access your data — Settings → Privacy → Export.
- Correct it — Profile edit fields, anywhere in the app.
- Delete it — Settings → Privacy → Delete account. This is irreversible.
- Withdraw consent — by deleting the account.
- Object / restrict processing for legitimate-interest purposes — contact us.
- Lodge a complaint with your local data-protection authority (e.g. CNIL, ICO, your country's equivalent).
8. Children
FitEn3rgy is not directed at children under 13 (or under 16 in the EU). If you believe a minor has created an account, contact us and we will delete it.
9. Security
Passwords are hashed with Argon2id. Network traffic is over HTTPS / TLS. Access tokens are short-lived (15 minutes) and refresh tokens are rotated. Avatar uploads are moderated before they go public.
10. Changes
We may update this policy as the product evolves. The "Last updated" date at the top of this page reflects the most recent change.
11. Contact
Questions or requests: fit-support.en3rgy.app.