Health Data Privacy Policy

Last updated: March 22, 2026

Introduction

This Health Data Privacy Policy supplements our General Privacy Policy and provides additional details about how MyTrainerOS collects, uses, and protects your health and fitness data. This policy is designed to comply with the Washington My Health My Data Act (MHMDA), the California Consumer Privacy Act (CCPA/CPRA), and other applicable health data privacy regulations.

Health data is among the most sensitive information we process, and we are committed to transparency and user control over this data.

Definitions

For purposes of this policy:

  • "Health Data" means personal information that identifies or is reasonably linkable to a consumer and relates to physical or mental health, including but not limited to fitness metrics, nutrition intake, body measurements, wearable device data, wellness assessments, and AI-generated health insights
  • "Consumer" means any individual whose health data is collected, processed, or shared by MyTrainerOS
  • "Consent" means a clear, affirmative act signifying freely given, specific, informed, and unambiguous agreement to the collection and processing of health data

Health Data We Collect

MyTrainerOS collects the following categories of health data, each requiring separate consent:

Workout Performance Data

  • Exercise type, sets, reps, weight, RPE (Rate of Perceived Exertion), RIR (Reps in Reserve)
  • Workout duration, rest periods, tempo prescriptions
  • Training volume, frequency, and intensity metrics
  • Exercise form analysis results (when using computer vision features)
  • Program effectiveness scores and plateau detection

Nutrition & Hydration Data

  • Food intake logs (manual and AI-assisted from photo recognition)
  • Macronutrient breakdown (protein, carbohydrates, fat)
  • Caloric intake and adaptive TDEE estimates
  • Hydration tracking
  • Dietary preferences, restrictions, and allergies

Body Composition Data

  • Body weight (daily logs and EWMA trends)
  • Body measurements (waist, hips, chest, arms, etc.)
  • Progress photos (before/after comparisons)
  • AI-estimated body composition (from progress photos)

Wearable Device Data

  • Resting heart rate and heart rate variability (HRV)
  • Sleep duration and quality metrics
  • Daily step counts

Note: We intentionally do not display wearable calorie burn estimates due to research demonstrating significant inaccuracy in consumer devices.

Wellness & Recovery Data

  • Wellness check-in responses (sleep quality, energy, soreness, stress, mood)
  • Readiness scores (composite of sleep, HRV, training load, mood, recovery)
  • Injury risk assessments (monotony, strain, ACWR flags)
  • Habit completion data (streaks, consistency patterns)

AI-Generated Health Insights

  • Personalized coaching recommendations
  • Workout program suggestions and periodization plans
  • Nutrition periodization and macro recommendations
  • Churn risk and engagement predictions
  • Sentiment analysis of client communications

Purposes for Processing Health Data

We process health data exclusively for the following purposes:

  • Service Delivery: Providing personalized fitness coaching, workout recommendations, and nutrition guidance
  • Trainer Collaboration: Sharing relevant health data with your assigned trainer to enable effective coaching
  • AI Coaching: Generating AI-powered workout programs, readiness assessments, and proactive health interventions (JITAI)
  • Progress Tracking: Calculating trends, plateaus, effectiveness scores, and milestone achievements
  • Safety: Detecting injury risk factors, training overload, and providing volume warnings

Purposes We Do NOT Process Health Data For

  • Advertising or marketing targeting
  • Sale to third parties
  • Insurance underwriting or risk assessment
  • Employment decisions
  • Training general-purpose AI models
  • Any purpose not disclosed in this policy

Consent Requirements

We obtain your explicit consent before collecting or processing any health data. Our consent process includes:

Granular Consent

You may consent to individual categories of health data collection independently:

  • Workout performance data
  • Nutrition and hydration data
  • Body composition data (measurements and photos)
  • Wearable device data
  • Wellness and recovery data
  • AI-generated health insights

Withdrawing Consent

You may withdraw consent for any category at any time through Settings > Privacy & Consent. Upon withdrawal:

  • We immediately stop collecting new data in that category
  • Previously collected data is retained for 30 days unless you request immediate deletion
  • Some features may become unavailable (e.g., withdrawing wearable consent disables readiness scores)
  • Your trainer will be notified that certain data is no longer available

Third-Party Sharing of Health Data

We share health data only with the following categories of recipients, and only as necessary to provide our services:

Your Trainer

Your assigned trainer can view health data you have consented to share, including workout performance, nutrition logs, body measurements, wearable data, and wellness check-ins. Trainers are bound by our Trainer Terms of Service to maintain client confidentiality.

AI Processing Partners

  • Anthropic (Claude): Processes coaching conversations and generates program recommendations. Data is sent in real time and not retained by Anthropic for model training
  • Deepgram: Transcribes voice recordings for workout/nutrition logging. Audio is processed and immediately discarded
  • Stripe, Inc.: Processes subscription payments and trainer payouts. Handles billing data subject to PCI-DSS compliance. Financial records subject to legal retention requirements

Wearable Data Providers

When you connect a wearable device, health data flows from the device to MyTrainerOS via:

  • Apple HealthKit (on-device only, never transmitted to Apple)
  • Google Health Connect (on-device only)
  • Garmin Connect, Oura, WHOOP (via OAuth, revocable at any time)
  • Terra API (aggregation layer, fallback only)

No Sale of Health Data

We do not sell, rent, lease, or trade your health data to any third party for any purpose.

Data Retention & Deletion

Health data retention periods:

  • Active accounts: Health data is retained as long as your account is active and you have not withdrawn consent
  • Account deletion: All health data is permanently deleted within 30 days of account deletion, with a 72-hour cooling-off period for cancellation
  • Consent withdrawal: Data for withdrawn categories is deleted within 30 days unless you request immediate deletion
  • Anonymized data: Aggregated, de-identified health data (not linkable to any individual) may be retained for platform improvement

Right to Delete

You may request deletion of specific health data categories or all health data at any time. Deletion requests are processed within 30 days. You will receive confirmation when deletion is complete.

Data Export

You may request a complete export of your health data in a machine-readable format (JSON) at any time through Settings > Privacy & Consent.

Geofencing

MyTrainerOS does not use geofencing technology to identify, track, collect data from, or send notifications to consumers based on their proximity to health care facilities, mental health facilities, or any location that could reveal health-related information.

Location data, when collected with your explicit consent, is used solely for optional gym check-in features and is never correlated with health data categories.

Security Measures for Health Data

We implement enhanced security measures for health data, including:

  • Encryption at rest and in transit (AES-256, TLS 1.3)
  • Row-level security (RLS) policies ensuring users can only access their own health data
  • Trainer access scoped to their assigned clients only
  • Progress photos stored in isolated, access-controlled buckets with signed URLs
  • Audit logging for all health data access and modifications
  • Regular security assessments and penetration testing
  • AI processing partners bound by data processing agreements prohibiting data retention

Your Rights

You have the following rights regarding your health data:

  • Access: Request a copy of all health data we hold about you
  • Correction: Request correction of inaccurate health data
  • Deletion: Request deletion of any or all health data
  • Export: Request your health data in a portable, machine-readable format
  • Consent Management: Grant or withdraw consent for individual data categories at any time
  • Restriction: Limit the use of sensitive health data to service delivery only

To exercise these rights, visit Settings > Privacy & Consent in the app, or contact us at privacy@mytraineros.com.

Contact Us

For questions or concerns about our health data practices, please contact our Privacy Team:

  • Email: privacy@mytraineros.com
  • Subject line: "Health Data Privacy Inquiry"

We will respond to all health data inquiries within 30 days.

© 2026 MyTrainerOS. All rights reserved.