Last updated: April 21, 2026

Privacy Policy

Zealova ("we", "our", or "us") operates the Zealova mobile application and the website at zealova.com (together, the "Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over it. It applies to residents of every country but includes specific provisions for users in the European Economic Area (EEA), United Kingdom, Switzerland, and California.

1. Information We Collect

Personal Information

When you create an account, we collect:

  • Name and email address
  • Age, gender, height, and weight
  • Fitness goals, experience level, equipment, and stated limitations
  • Profile photo (optional)

Health & Fitness Data (Special Category)

To provide personalized coaching, we collect:

  • Workout history and exercise logs (sets, reps, weights, RPE)
  • Body measurements and progress photos
  • Nutrition and meal logs (including photos you upload)
  • Hydration, fasting, and sleep data
  • Heart rate (live and resting) from connected devices
  • Apple HealthKit / Google Health Connect data if you enable sync — limited to weight, body fat, heart rate, resting heart rate, steps, active and total calories burned, sleep, exercise sessions, blood glucose, and water intake
  • Menstrual cycle and hormonal health logs (optional)
  • Exercise form videos you upload for technique feedback

Effective May 2026, we no longer read distance, floors climbed, elevation gained, speed, power, heart rate variability (HRV), respiratory rate, basal metabolic rate, oxygen saturation, or body temperature from Health Connect / HealthKit. Those data types were removed because they were not used by any user-facing feature.

Usage & Device Data

  • Device type, operating system, app version
  • Feature usage, screens visited, session duration
  • Crash reports and performance traces
  • IP address (used only for security and approximate region)

2. How We Use Your Information

  • Generate personalized workout plans, nutrition suggestions, and coach replies
  • Track your fitness progress and produce analytics on your own data
  • Send workout reminders and opt-in push / email notifications
  • Process payments and manage subscriptions
  • Detect fraud, abuse, and security incidents
  • Comply with legal obligations

We do not sell your personal data. We do not use your personal data for third-party advertising, and we do not allow any sub-processor to use your content to train their models.

3. Model-Powered Features & Zero Data Retention

Several features — the coach chat, workout generation, food photo recognition, and exercise form video analysis — rely on large language and vision models hosted by Google Cloud on our behalf. When you use those features, relevant portions of your data (chat messages, the image or video you uploaded, your profile summary, your account ID) are transmitted over TLS to a Google Cloud Vertex AI endpoint we operate.

Production traffic runs under Vertex AI's zero-data-retention (ZDR) configuration. Under that configuration:

  • Your prompts and responses are not retained by Google beyond the request.
  • Your content is not used to train or improve any foundation model.
  • Our backend refuses to initialize in production without this configuration, so the consumer Developer API (which does not offer equivalent guarantees) is never used for your data.

You can pause these model-powered features at any time in the app under Settings → Privacy & Data → Personalization. When that toggle is off, our backend refuses to forward your chats, photos, or videos to the Vertex AI endpoint. You can also disable "Save chat history" to stop transcripts from being stored on our side.

4. Health Data — Explicit Consent (GDPR Art. 9)

Weight, heart rate, sleep, menstrual cycle and hormonal health logs, and similar physiological measurements are special category data under GDPR Art. 9 and are treated as health information under the California Confidentiality of Medical Information Act (CMIA). We process this data only after you give a separate, explicit opt-in that is not bundled with accepting the Terms of Service.

That opt-in is captured when you first enable Apple HealthKit or Google Health Connect sync; the consent timestamp is recorded server-side so we can honor access and audit requests. You can withdraw consent at any time in Settings → Privacy & Data, which immediately stops health-data ingestion.

HIPAA note for U.S. users: Zealova is a consumer wellness application, not a HIPAA-covered entity or business associate. Health information you submit is protected by this policy and the CMIA but is not subject to HIPAA. Do not submit information obtained from a HIPAA-covered relationship (for example, a medical record from your provider) into Zealova.

5. Sub-Processors (GDPR Art. 28)

We share your data only with the following sub-processors, each under a written data processing agreement. All are located in the United States; transfers from the EEA, UK, or Switzerland rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-U.S. Data Privacy Framework.

  • Supabase Inc. — database, authentication, and user data storage.
  • Google Cloud (Vertex AI) — model hosting for coach chat, workout generation, food photo analysis, and form video analysis. Zero-retention configuration; no model training on your data.
  • Render Services Inc. — backend API hosting (all request traffic passes through Render infrastructure).
  • Vercel Inc. — hosts this website (zealova.com).
  • Amazon Web Services (S3) — storage for food photos and form videos you upload.
  • RevenueCat Inc. — subscription and in-app purchase management.
  • Resend, Inc. — transactional and lifecycle email delivery.
  • Firebase Cloud Messaging (Google LLC) — push notification delivery.
  • Firebase Crashlytics (Google LLC) — mobile app crash reporting (90-day retention).
  • Sentry (Functional Software Inc.) — backend and mobile error monitoring (90-day retention).
  • PostHog Inc. (us.i.posthog.com) — product analytics and feature-flag experiments. Does not receive chat content or health data.
  • ChromaDB Inc. — vector database for exercise and workout search.

You can request a copy of the Standard Contractual Clauses in force with any of these sub-processors by emailing privacy@zealova.com.

6. Data Security

All traffic between your device and our servers uses TLS/HTTPS. Sensitive data is encrypted at rest in our database. We use signed tokens and row-level security for authorization, rotate credentials regularly, and restrict access on a need-to-know basis. No method of electronic storage is 100% secure and we cannot guarantee absolute security, but we will notify affected users without undue delay if a breach materially affects their data.

7. Data Retention

  • Account & fitness data: kept while your account is active, deleted on request.
  • Chat history: up to 12 months, after which a scheduled job automatically deletes transcripts. Turn off "Save chat history" to stop new messages being persisted at all.
  • Health Connect / HealthKit data: retained only while your account is active.
  • Analytics events (PostHog): 24 months. Aggregated, non-identifying counts may be retained indefinitely.
  • Crash / error logs (Sentry, Crashlytics): 90 days.
  • Data-request archives (S3): auto-deleted 8 days after generation.

When you delete your account, we remove or anonymize personal data within 30 days, except where retention is required by law.

8. Your Rights

Wherever you live, you have the right to:

  • Access and download a copy of your data (GDPR Art. 15 / 20)
  • Correct inaccurate information
  • Delete your account and data (GDPR Art. 17)
  • Object to or restrict processing
  • Withdraw consent for optional data collection at any time
  • Opt out of non-essential notifications and marketing email
  • Disconnect Apple HealthKit or Google Health Connect at any time
  • Lodge a complaint with your local data protection authority

You can exercise these rights three ways:

  • In the app: Settings → Privacy & Data → Export / Delete.
  • Out-of-app (no login required): zealova.com/data-request — use this if you cannot sign in. We verify email ownership with a one-time link, then deliver the export or confirm deletion.
  • By email: privacy@zealova.com.

We respond within 30 days of receiving a request, which satisfies the one-month limit in GDPR Art. 12(3) and the 45-day limit in CCPA § 1798.130.

9. GDPR: DPO and EU / UK Representative

If you are in the EEA, UK, or Switzerland, our designated Data Protection Officer can be reached at dpo@zealova.com. Our Art. 27 representatives are reachable at eu-rep@zealova.com (EU) and uk-rep@zealova.com (UK).

Legal bases we rely on: performance of the subscription contract (core workout and coaching features), explicit consent (health data, photos, videos, optional marketing), legitimate interests (security, fraud prevention, service improvement), and compliance with legal obligations.

10. CCPA / CPRA (California)

California residents have additional rights: the right to know what categories of personal information we collect, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing." We do not sell or share personal information for cross-context behavioral advertising.

Submit California requests through any of the channels in Section 8. We may need to verify your identity before fulfilling a request and will never discriminate against you for exercising these rights.

11. Children & Age Requirements

Zealova is designed for users aged 16 and older. It is not directed at children under 16 and we do not knowingly collect personal information from anyone under 16. We set the threshold at 16 because we process sensitive health data, apply automated personalization, and offer in-app purchases, each of which requires the legal capacity to consent: 16 is the default age of digital consent under GDPR Art. 8, is above the under-13 threshold that triggers COPPA, and reflects the California Age-Appropriate Design Code.

If you believe a child under 16 has provided us with personal data, contact privacy@zealova.com and we will delete it and the associated account.

12. International Data Transfers

Our sub-processors are located in the United States. For users in the EEA, UK, or Switzerland we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-U.S. Data Privacy Framework, as described in Section 5.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced in the app and by email where practical, with the "Last updated" date above reflecting the effective date.

14. Contact

Data controller: Zealova, Inc. (Delaware, USA)

Privacy inquiries: privacy@zealova.com

Data Protection Officer: dpo@zealova.com

EU / UK Art. 27 Representatives: eu-rep@zealova.com · uk-rep@zealova.com

General support: support@zealova.com