Fysigo Legal
Privacy Policy
Version 1.1 · Effective June 26, 2026
Esta Política se proporciona en inglés; la versión en inglés prevalece.
1. Scope
This Privacy Policy (“Policy”) describes how Guten Group US Holdings Inc., doing business as “Fysigo” (“Fysigo,” “we,” “us”), collects, uses, stores, shares, and protects information when you use the Fysigo marketplace and software platform — the websites, mobile apps, and APIs at fysigo.com, app.fysigo.com, coach.fysigo.com, and related domains.
Fysigo is a neutral technology platform that connects independent wellness, fitness, nutrition, bodywork, massage, and coaching professionals (“Providers”) with individuals who book them (“Clients”). Fysigo is not a healthcare provider and does not deliver the services Providers offer.
2. What we collect
We collect only what we need to operate the platform. Categories include:
- Account and profile information. Name, email address, password hash, role (Client, Provider, or admin), profile photo, locale, timezone, and optional demographic fields you choose to provide (for example date of birth, sex, height, or weight).
- Booking and marketplace information. Engagements between Clients and Providers, session times, booking notes, service selections, delivery mode, pricing snapshots, cancellation and payment status, and consent records (including marketplace terms and recording consent).
- Payment information. Fysigo does not store full payment-card numbers. Stripe Connect processes payments and payouts on our behalf; we receive transaction identifiers, amounts, and payout status — not card data.
- Health-related information you provide. Intake answers, contraindication attestations, conditions or goals you disclose to a Provider, lab results and biomarkers you upload, wearable readings you authorize (for example Oura sleep and recovery data), nutrition logs, supplements, protocols, coach-authored programs and notes, and medical questionnaire responses. This information may qualify as sensitive personal information or consumer health data under applicable law.
- Session recordings and transcripts. When you and the other participant have each given affirmative recording consent, video and audio of online coaching sessions may be cloud-recorded and transcribed. See Recording & transcription terms and Section 10 below.
- Communications. Messages sent through the platform, support requests, and marketing-email engagement when you opt in.
- Device and usage data. IP address, browser user-agent, error reports, and operational logs used to secure and improve the platform.
- Integrations you authorize. OAuth tokens and sync metadata for services you connect (for example Oura, Dropbox, or Google Drive for import/export). Connected cloud storage remains under your control unless you explicitly export data there.
3. Health information
Fysigo facilitates bookings and collaboration between Clients and Providers. Information you share — including intake forms, health conditions, lab results, wearable metrics, session notes, and transcripts — may relate to your health.
- How we use it. To deliver the service you booked, enable your Provider to prepare for and conduct sessions, operate safety and consent workflows (for example massage intake and contraindication gates), provide session recaps and collaboration tools, resolve disputes, and comply with law.
- Who sees it. Your engaged Provider sees the Client information relevant to your booking and ongoing engagement, subject to platform permissions. Fysigo personnel and subprocessors access health-related data only as needed to operate, secure, and support the platform — not for unrelated marketing.
- Fysigo is not a healthcare provider. We do not diagnose, treat, or provide medical advice. Providers are independent businesses responsible for their own professional obligations.
- Consumer health data. Where applicable, we handle self-directed health information under explicit consent and applicable consumer-health and privacy laws (including state laws such as the FTC Health Breach Notification Rule where relevant).
4. How we use information
- To create and manage your account and authenticate you.
- To list, discover, book, and deliver Provider services.
- To process payments and Provider payouts through Stripe.
- To host video sessions and, when consented, record and transcribe them.
- To send transactional messages (confirmations, security alerts, booking updates).
- To operate, secure, monitor, and improve the platform.
- To send marketing communications — only when you opt in.
- To train and improve AI features you choose to use or consent to — see AI training terms.
- To comply with legal obligations and enforce our terms.
5. Marketplace data sharing
When a Client books a Provider, Fysigo shares identifying information, booking details, and relevant intake or health information with that Providerso they can deliver the booked service. The Provider is an independent business with its own privacy practices and legal obligations; how the Provider uses Client information outside the platform is the Provider's responsibility.
Fysigo does not sell your personal information. We share information only as described in this Policy, with subprocessors that help us operate the platform, when required by law, or in connection with a business transition subject to notice.
6. Where data is stored
- Supabase (primary application database). Profiles, bookings, engagements, messages, consents, and operational data live in Postgres with row-level security, encrypted at rest, in a US-hosted region.
- Health-data storage. Lab artifacts, session recordings, transcripts, biomarkers, and related health records may be stored in Fysigo-controlled private storage and, where enabled, a dedicated health-data environment with server-only access and audit logging.
- Object storage. Uploaded files and recording artifacts are stored in private buckets; access uses time-limited signed URLs.
- Vercel. Application hosting and edge delivery. Application code and short-lived operational logs only — not the canonical home of health records.
7. Sub-processors
We use trusted service providers to run the platform. They process data only under our instructions and contractual safeguards:
- Supabase — database, authentication, and file storage.
- Stripe — payment and payout processing (operational metadata only; we do not send health content to Stripe).
- Daily.co — live video, cloud recording, and transcription for consented sessions.
- Vercel — application hosting.
- Resend — transactional email (booking and account notifications; message bodies are operational, not clinical records).
- Anthropic — AI features you invoke in the product.
- DeepL / OpenAI — message translation when enabled.
- Oura — wearable data sync when you connect your account.
- Dropbox / Google Drive — optional import/export to storage you control.
We may update this list as our stack evolves. Sub-processors that receive health-related data are engaged with data-protection terms appropriate to the data they handle.
8. HIPAA and Business Associate Agreements
Fysigo is not a HIPAA covered entity. Some Providers may be covered entities or their business associates under HIPAA. Where a Provider is a covered entity and Fysigo processes protected health information (“PHI”) on the Provider's behalf, a Business Associate Agreement (“BAA”) governs that PHI.
Providers who require a BAA may request one at legal@fysigo.com. Until a BAA is executed, do not treat the platform as HIPAA-certified infrastructure. Fysigo does not make “HIPAA-compliant” marketing claims unless and until appropriate agreements and safeguards are in place.
9. Security and breach notification
We use industry-standard technical and organizational measures: encryption in transit (TLS), encryption at rest, row-level security, scoped service credentials, and audit logging on sensitive operations. No system is perfectly secure.
If we become aware of a breach of security affecting personal information, we will investigate, mitigate harm, and notify affected individuals and regulators as required by applicable law, including the Florida Information Protection Act of 2014 (Fla. Stat. §501.171) for Florida residents when notification thresholds are met. Notifications will be made without unreasonable delay and will describe what happened, what information was involved, and steps you can take.
Report suspected security issues to legal@fysigo.com.
10. Recordings and transcripts
Online coaching sessions are not recorded by default. Recording and transcription occur only when both the Client and the Provider have given affirmative, separate consent under the Recording & transcription terms. Consent is captured as its own step — not bundled into general Terms acceptance — and may be revoked in Account settings; future sessions will not be recorded after revocation.
- Storage. Daily.co processes the live session and delivers recordings; Fysigo stores artifacts in private, access-controlled storage linked to the booking.
- Access. The Client and engaged Provider for that session can review transcripts in the app when recording was enabled for both parties.
- Retention and deletion. Transcripts remain available in session recap while your account is active unless deleted. To delete stored recordings or transcripts, contact
privacy@fysigo.com. Revoking consent stops new recordings; it does not automatically erase prior artifacts.
11. Your choices
Depending on where you live, you may have rights to access, correct, delete, export, or restrict processing of your personal information (for example under GDPR, CCPA, or analogous state laws).
- Access, correction, and deletion. Email
privacy@fysigo.comwith your request. We respond within 30 days where required. We will not retaliate for exercising a privacy right. - Recording consent. Toggle in Account settings or contact support.
- Marketing. Unsubscribe via any marketing email or account preferences.
- Integrations. Disconnect Oura, Dropbox, or Google Drive in settings; synced data already stored may be deleted on request.
- Account closure. Contact
privacy@fysigo.comto close your account.
12. Retention
- Active accounts — data retained while your account is active and as needed to provide services and meet legal obligations.
- Closed accounts — personal information deleted or anonymized after a reasonable wind-down period, subject to legal hold, tax, audit, or dispute requirements.
- Consents and audit logs — retained to demonstrate what terms and consents were in effect when you accepted them.
- Operational logs — typically retained up to 30 days unless implicated in a security investigation.
- Backups — rolling backup windows; deleted data may persist in backups until those cycles expire.
13. International transfers
Fysigo operates primarily from the United States. Your information may be processed in the U.S. and other countries where our subprocessors operate. Where required, we use appropriate transfer mechanisms such as Standard Contractual Clauses.
14. Children
The platform is intended for adults 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If we learn we have collected information from a minor, we will delete it. Providers affirm that Clients they invite are adults.
15. Changes
We may update this Policy. Material changes are communicated via in-app notice and, where required, a re-acceptance step. The version and effective date at the top of this page are the authoritative record.
16. Contact
Privacy questions and rights requests: privacy@fysigo.com.
General legal and BAA inquiries: legal@fysigo.com.