Fysigo Legal
Privacy Policy
Version 1.0 · Effective 2026-05-31
This Policy describes what information Fysigo collects, why, where it is stored, who has access, and the rights you have over it. It applies to the Fysigo platform globally — the websites, mobile apps, and APIs operated by Fysigo.
1. What we collect
We collect only what we need to operate the platform you signed up for. Categories:
- Account information. Name, email, password hash, role (client / coach / admin), profile photo, locale, timezone.
- Health and training data you contribute. Bloodwork uploads, sleep nights, training sessions, nutrition entries, supplements, protocols, recovery markers, weight, body composition. This includes information often classified as sensitive under GDPR Article 9 and CCPA §1798.140.
- Coach-authored content. Programs, articles, offerings, messages.
- Connections you authorize. Ouraring (sleep + HRV), Dropbox or Google Drive (your PHI-on-user-cloud archive), Stripe (payments and payouts).
- Operational data. Logs, IP address, user-agent string, error reports, page-view telemetry. Used to operate and secure the platform.
- Communications. Messages you send through the platform, support requests, marketing-email engagement (only when you opted in).
2. Where it lives
- Supabase (primary application database). US-East-1 region. Postgres with row-level security. Encrypted at rest. Backups retained for 7 days.
- Your cloud (PHI-on-user-cloud architecture). When you connect Dropbox or Google Drive, raw bloodwork and biomarker history live in your account at /Apps/Fysigo/medical/. Fysigo reads through a server proxy at request time. We do not retain copies on our servers.
- Vercel. Application hosting and edge caching. Code, build artifacts, and short-lived edge logs only.
3. Why we process your data
- To provide the features you signed up for.
- To share data with your coach during an active engagement.
- To operate, secure, monitor, and improve the platform (legitimate interest under GDPR Art. 6(1)(f); business purpose under CCPA).
- To process payments and payouts (contractual necessity).
- To send transactional messages (account, security, booking confirmations).
- To send marketing communications — only when you opted in.
- To comply with legal obligations (tax, audit, lawful information requests).
4. Who we share with
We do not sell your personal information. We share it only:
- With your coach, for as long as you have an active engagement with them, and only the data your role permits.
- With service providers we depend on to run the platform: Supabase (database), Vercel (hosting), Stripe (payments), Resend (transactional email), Anthropic (the agent briefs and AI features you choose to use), and Ouraring or Dropbox / Google Drive when you connect them.
- When required by law, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We push back on overly broad requests.
- In a business transition. If Fysigo is acquired, merges, or transfers assets, user data may move to the successor entity subject to a privacy notice.
5. Your rights
Depending on where you live, you have rights to access, correct, delete, export (data portability), and restrict the processing of your data. EEA / UK residents have rights under GDPR; California residents under CCPA; other jurisdictions analogous.
To exercise these rights, contact privacy@fysigo.com. We respond within 30 days. We will not retaliate or deny service for exercising a right.
Marketing opt-out: every marketing email includes an unsubscribe link. You can also toggle preferences in your account settings.
6. Retention
- Active accounts — data retained while your account is active and as needed to provide the service.
- Closed accounts — 30-day soft-delete window for recovery, followed by permanent deletion of personal information, subject to legal-hold or audit requirements.
- Backups — aggregate backups expire on a 7-day rolling window.
- Operational logs — retained 30 days unless implicated in a security investigation.
7. Security
We use industry-standard technical and organizational measures to protect your data: encryption in transit (TLS 1.2+), encryption at rest, row-level security in the database, scoped service accounts, audit logging on sensitive operations. No system is perfectly secure; if we become aware of a breach involving personal information, we will notify affected users without undue delay consistent with applicable law.
8. International transfers
The Fysigo platform operates primarily from the United States. Data may be transferred to and processed in countries outside your country of residence. Where required by law, we rely on Standard Contractual Clauses or other valid transfer mechanisms.
9. Children
Fysigo is not directed to children under 18 and we do not knowingly collect data from anyone under 18. If we learn we have collected information from a minor, we will delete it. Coaches affirm that the clients they invite to the platform are adults.
10. Changes
We may update this Policy. Material changes are surfaced via an in-app notice and a re-acceptance gate on next sign-in. The version and effective date at the top of this page are the authoritative record.
11. Contact
Privacy questions: privacy@fysigo.com. General legal questions: legal@fysigo.com.