Privacy Policy
Last updated: April 28, 2026
Zero Deficit LLC
This Privacy Policy describes how Zero Deficit LLC ("Company", "we", "us", "our") collects, uses, and protects your personal information when you use the Apex Fitness application ("App").
1. Information We Collect
We collect the following types of information when you use Apex Fitness:
- Personal Information: Email address, display name, and authentication credentials (password hash, Google ID, Apple ID).
- Health & Fitness Data: Age, sex, height, weight, body fat estimates, mobility/injury flags you select, workout logs, cardio logs (including optional GPS routes), recovery metrics (sleep hours/quality, soreness, energy, stress, mood, custom metrics), food diary entries, scanned barcode history, and biometric calculations (BMR, TDEE, macro targets, Recovery Score).
- Workout History (read for prefill): When you log a set in Quick Log, the per-set Logbook, the Speed Run flow, or the Start Workout tracker, we look up your most recent weight_lifted and reps_completed for that exercise from your own past lifting logs to pre-populate the input fields. This is an internal convenience feature only — your exercise history is never shared with third parties.
- Cosmetic Preferences: If you switch between alternate iOS home-screen app icons (Default, Pro Gold, Streak Master, Launch Edition, Founder), we store your selection on your user record so the choice syncs across devices. Eligibility is computed from existing data (subscription tier, max workout streak, signup date, waitlist referrals) — no new data is collected.
- Camera Data (on-device only): When you use the Barcode Scanner, your device camera captures a live video stream to decode product barcodes locally via @zxing/browser / BarcodeDetector. No camera images, video, or frames are uploaded, stored, or transmitted off-device. Only the decoded numeric barcode string is sent to our servers.
- Location Data (GPS Cardio — opt-in): When you start a cardio session of type Run, Walk, Hike, or Ride and tap "Track with GPS", we request "While Using the App" location and record timestamped lat/lon, speed, and altitude points to compute distance, pace, and elevation gain. Location is only collected while the session is active and is stopped when you pause or end. Location data lives inside your own private cardio_sessions record; it is never shared with advertisers or third parties.
- Apple HealthKit Data (iOS, opt-in): If you enable HealthKit, we read step count, heart rate, active energy, workouts, sleep, and body-mass samples on-device and write completed Apex workouts back to Health. HealthKit samples never leave your device except when you explicitly sync a derived metric into your Apex recovery log.
- Health Connect Data (Android, opt-in): Same model — on-device reads/writes via the Android Jetpack Health Connect SDK. Only metrics you explicitly sync into your Apex recovery log are transmitted.
- Push Notification Tokens: Opt-in. APNs device token (iOS), FCM registration token (Android), or Web Push subscription for workout reminders, PR celebrations, weekly summaries, and recovery insights.
- Payment Information: Subscription tier, billing cycle, and payment identifiers. We do NOT store credit card numbers, CVV codes, or bank account details. All payment processing is handled by third-party processors:
  - Stripe, Inc. (web purchases) — We store only your Stripe customer ID
  - Apple In-App Purchase (iOS) — We store only transaction IDs for verification
  - Google Play Billing (Android) — We store only purchase tokens for verification
- Local Storage (browser / WKWebView): JWT auth tokens, theme/units preferences, the "Always show scroll bar" preference (zd_always_show_scroll_bar), dismissed-tip flags, scanner permission hint state, and onboarding step progress. No third-party tracking cookies are used.
- Usage Data: App interaction, feature usage patterns, push notification preferences, per-IP rate-limit counters, and performance metrics.
2. How We Use Your Information
- To provide personalized fitness and nutrition tracking
- To calculate your BMR, TDEE, macro targets, and Recovery Score
- To track progressive overload and workout performance
- To prefill weight, reps, and sets in Quick Log / Logbook / Speed Run / Start Workout flows from your own past lifting history
- To auto-finish a workout when the last set of the last exercise is logged (Workout Complete drawer)
- To generate AI-powered workout programs, meal plans, and recipes
- To suggest injury-aware exercise swaps based on the mobility issues you select in your profile
- To look up scanned barcodes against public food databases (Open Food Facts, USDA FoodData Central)
- To compute distance, pace, and elevation during GPS cardio sessions you start
- To process subscription payments via Stripe (web), Apple IAP (iOS), or Google Play Billing (Android)
- To compute eligibility for cosmetic perks (alternate iOS home-screen app icons) from existing data — no new data is collected
- To send transactional and notification emails via Resend, including the optional 5-step launch waitlist drip campaign
- To send opt-in push notifications via Apple APNs, Firebase Cloud Messaging (Android), and Web Push (VAPID)
- To improve app functionality and user experience
3. Permissions We Request
The App requests the following device permissions only when you actively use the feature. Declining a permission disables that feature but does not affect the rest of the app.
- Camera (NSCameraUsageDescription): Required to scan food barcodes from your Food Diary. Camera frames are processed on-device only; no images are uploaded.
- Location While In Use (NSLocationWhenInUseUsageDescription): Required to track distance, pace, and route during a GPS cardio session. Location is only used while the session is active. We do NOT request background or always-on location.
- Notifications: Optional. Used to deliver workout reminders, PR celebrations, weekly summaries, and recovery insights.
- Apple HealthKit (Share / Update): Optional. Lets Apex read your existing health metrics and write completed workouts back to Apple Health.
- Health Connect (Android): Optional. Lets Apex read your existing health metrics from the Android Health Connect aggregator and write completed workouts back. Requires explicit per-data-type consent in the Health Connect app.
- Vibration / Haptics (Android): Used by the native Android wrapper to fire short haptic taps on number-entry steppers, scroll wheels, and set-logging buttons. No data is collected.
4. Data Storage & Security
Your data is stored securely using industry-standard encryption. We use MongoDB with encrypted connections for data persistence. All API communications use HTTPS/TLS. Passwords are hashed using bcrypt and are never stored in plaintext. Barcode scanner camera frames are processed entirely on-device and are not transmitted or stored.
5. Third-Party Services
We integrate with the following third-party services:
- Stripe, Inc.: Processes web subscription payments. Subject to Stripe's Privacy Policy. We store only your Stripe customer ID.
- Apple In-App Purchase: Processes iOS subscription payments. Subject to Apple's Privacy Policy. We store only transaction IDs for verification.
- Google Play Billing: Processes Android subscription payments. Subject to Google's Privacy Policy. We store only purchase tokens for verification.
- OpenAI (via Emergent): Powers AI workout generation, AI meal plan generation, recipe generation, and the conversational workout editor (GPT-4o). Workout/meal prompts and user biometrics are sent for processing but are not retained by OpenAI for training.
- Apple HealthKit: If enabled, supplies health metrics on-device only. Apple does not receive any of your Apex data.
- Android Health Connect: If enabled, supplies health metrics on-device only via the Android Jetpack Health Connect SDK. Google does not receive any of your Apex data through this channel.
- Apple APNs: Delivers iOS push notifications; receives only anonymous device token and payload.
- Firebase Cloud Messaging (Android): Delivers Android push notifications; receives only your FCM registration token and the notification payload. Subject to Google's Privacy Policy.
- Resend: Delivers transactional and notification emails, including the optional 5-step launch waitlist drip campaign. Subject to Resend's Privacy Policy. Only your email address and first name are shared.
- Open Food Facts: Public food database. When you scan a barcode we send only the numeric barcode string; no personal data is shared.
- USDA FoodData Central: U.S. government food database used as a fallback for barcode lookups. Only the numeric barcode string is sent; no personal data is shared.
- Google OAuth: If you choose to sign in with Google, we receive your email and profile name only.
- Apple Sign In: If you choose to sign in with Apple, we receive your email (or relay email) and name only.
6. Data Retention & Soft-Delete
We retain your data for as long as your account is active. When you delete your account, we perform a 30-day soft-delete: your account is immediately signed out and hidden, and all personal data is scheduled for permanent purge 30 days later. During that window you may sign back in to restore the account. After 30 days, all personal data — including workout logs, food logs, cardio sessions (GPS routes included), scan history, recovery metrics, and biometrics — is permanently purged and cannot be recovered. You may also perform an immediate "Delete My Data" action that wipes all fitness data while keeping your account.
7. Your Rights
- Access your personal data (Settings > Export My Data)
- Request data correction (Settings > Edit Profile)
- Request data deletion (Settings > Delete Account or Delete My Data)
- Restore a soft-deleted account within 30 days
- Export your data in machine-readable format (JSON)
- Opt out of push notifications (Settings > Notifications)
- Revoke camera / location / HealthKit / Health Connect permissions at any time via iOS Settings or the Android system settings
- Opt out of non-essential data processing
8. Children's Privacy
Apex Fitness is not intended for users under 16 years of age. We do not knowingly collect data from minors.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes through the App or via email.
10. Contact Us
For privacy-related inquiries, contact Zero Deficit LLC at: privacy@apexfitness.ai