Privacy Policy
Last updated: April 25, 2026
1. Who We Are
Actus ("we," "us," or "our") is an AI-powered fitness training application. Actus is operated as an independent product. For questions about this policy, contact us at dpo@actusapp.io.
2. Data We Collect
We collect data you provide directly and data generated through your use of the app.
2.1 Account Data
- Email address — used for authentication and account recovery
- Display name — shown in your profile (optional)
2.2 Body & Health Data
- Body measurements — height, weight, body fat percentage, muscle mass
- Demographics — age, gender (optional)
- Injury information — injury areas, injury details, monitor/exclude flags
- Pain reports — per-exercise pain tracking during workouts (area, notes)
- Strength baselines — estimated one-rep max for bench press, squat, deadlift
2.3 Fitness & Training Data
- Workout logs — sets, reps, weight, RPE (Rate of Perceived Exertion), completion timestamps
- Training preferences — goals, frequency, schedule, equipment, gym type, session duration
- Workout plans — AI-generated training programs and split configurations
- Coach conversations — messages exchanged with the AI coach (currently not persisted across sessions)
2.4 Usage & Analytics Data
- App interactions — feature usage events (e.g., workout started, set completed, analytics viewed)
- Device information — device type, operating system, browser type
- Performance data — page load times, error events
We do not collect location data, contacts, photos, financial information, or any data from other apps on your device.
3. How We Use Your Data
We use the information we collect for the following purposes:
3.1 Service Delivery
- Workout generation — your body metrics, experience level, goals, and injury data are used to generate safe, personalized training programs
- AI coaching — your profile and workout history are included as context when you interact with the AI coach
- Workout adaptation — your training logs are analyzed to recommend program adjustments (weekly batch analysis)
- Safety — injury and pain data are used to exclude unsafe exercises and trigger safety alerts
- Account management — to create, maintain, and manage your account and subscription
- Communication — to send service-related notifications such as workout reminders, account updates, and system announcements
3.2 Marketing & Improvement
- Product analytics — to review and analyze trends, usage patterns, and your interactions with our services in order to improve and personalize the Actus experience
- Marketing activities — to develop and improve our marketing efforts, including analyzing how users discover and engage with Actus, measuring the effectiveness of our content, and personalizing communications about features that may be relevant to you
- Research & development — to test new features, improve our AI models' recommendation quality, and develop new functionality based on aggregated usage insights
You can opt out of marketing communications at any time by contacting us at dpo@actusapp.io. Opting out of marketing will not affect service-related communications.
3.3 Security & Fraud Prevention
- Threat detection — to detect, investigate, prevent, and protect against potential security threats, unauthorized access, and other malicious, deceptive, or fraudulent activity
- Abuse prevention — to enforce our Terms of Service, prevent misuse of the platform, and protect the integrity of our systems
- Monitoring — to monitor system health, identify errors, and ensure the reliability and performance of our services
3.4 Legal & Compliance
- Legal obligations — to comply with applicable laws, regulations, legal processes, or governmental requests
- Rights protection — to protect the rights, privacy, safety, or property of Actus, our users, or the public as required or permitted by law
- Dispute resolution — to resolve disputes, enforce our agreements, and respond to lawful requests from public and governmental authorities
4. Third-Party Services
We share data with the following service providers who process it on our behalf:
| Service | Data Shared | Purpose |
|---|---|---|
| Supabase | All user data | Database hosting, authentication, file storage |
| OpenAI | Pseudonymous user identifier (UUID), profile context, workout history, coach messages. We do not send your email, name, or contact information to OpenAI. | AI workout generation, exercise matching, coaching |
| PostHog | Usage events, device metadata | Product analytics (autocapture disabled) |
| Vercel | Request logs, IP addresses | Application hosting, serverless functions |
We do not sell, rent, or trade your personal or health data to any third party. We do not use your data for advertising or ad targeting.
5. Health & Fitness Data
Actus processes health and fitness data with special care:
- Health data is used exclusively for generating safe workout programs and providing fitness guidance
- Pain and injury data trigger automatic exercise exclusions to protect your safety
- Health data is never sold or shared for advertising purposes
- Health data sent to OpenAI for workout generation is not used by OpenAI to train their models (per their API data usage policy)
Important: Actus is not a medical device and does not provide medical advice. Always consult a healthcare professional before starting any exercise program or if you experience pain during training.
6. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Account deletion: When you request account deletion, your personal data is anonymized immediately, and all remaining data is permanently deleted within 90 days
- Analytics data: Aggregated, de-identified analytics data may be retained indefinitely for product improvement
7. How We Disclose Your Data
We may disclose your information in the following circumstances:
- Service providers — to third-party processors who help us operate the Service (see Section 4 above)
- Legal requirements — when required by law, regulation, legal process, or governmental request
- Safety & rights protection — to protect the rights, property, or safety of Actus, our users, or others, including to prevent fraud and enforce our Terms of Service
- Business transfers — in connection with a merger, acquisition, reorganization, or sale of assets (see Section 10 below)
- With your consent — when you direct us to share your information with a third party
We do not sell your personal information. We do not share your data with data brokers, advertising networks, or any third party for their own marketing purposes.
8. Data Security
We implement commercially reasonable technical, administrative, and organizational safeguards designed to protect your data:
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS/HTTPS
- Encryption at rest — data stored in our database is encrypted at rest by our infrastructure provider (Supabase)
- Authentication — secure JWT tokens with automatic expiration; OAuth 2.0 with PKCE for Google sign-in
- Access control — Row-Level Security (RLS) policies ensure each user can only access their own data
- API protection — all API routes are protected by authentication middleware; cron jobs are secured with separate secret tokens
- Monitoring — we monitor for unauthorized access, anomalous activity, and system errors
While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.
9. International Data Transfers
Your data may be transferred to, stored, and processed in countries other than your country of residence. Our service providers operate infrastructure in the following regions:
- Supabase — database hosted in the United States (US-East)
- OpenAI — API servers in the United States
- PostHog — analytics infrastructure in the United States (US Cloud)
- Vercel — edge network with global distribution; primary infrastructure in the United States
When we transfer data internationally, we rely on appropriate legal mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-U.S. Data Privacy Framework, to ensure your data receives an adequate level of protection regardless of where it is processed.
10. Business Transfers
If Actus is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice in the app before your data is transferred and becomes subject to a different privacy policy.
11. Your Rights
Regardless of where you live, you have the following rights:
- Access: You can view all your data within the app (Profile, Analytics, Workout History)
- Correction: You can update your profile, metrics, and preferences at any time
- Deletion: You can delete your account and all associated data from Profile > Delete Account
- Portability: Data export functionality is planned for a future release
11.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information — we do not sell your data
- Non-discrimination for exercising your privacy rights
To exercise these rights, contact us at dpo@actusapp.io.
11.2 European Union Residents (GDPR)
If you are in the EU/EEA, our lawful bases for processing are:
- Consent — for health data processing (you provide this data voluntarily during onboarding)
- Contract performance — to deliver the fitness training service you signed up for
- Legitimate interest — for analytics and product improvement
You have additional rights to: restrict processing, object to processing, and lodge a complaint with your local data protection authority.
11.3 Brazilian Residents (LGPD)
If you are in Brazil, you have rights under the LGPD including: confirmation of processing, access to your data, correction, anonymization, portability, deletion, and information about third parties with whom data is shared. Contact us at dpo@actusapp.io.
12. Children's Privacy
Actus is not directed at children under 16 years of age. We do not knowingly collect personal information from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at dpo@actusapp.io.
13. Cookies & Tracking
- Authentication cookies: Essential cookies to maintain your login session
- Analytics: PostHog analytics with autocapture disabled — only manually tracked events are collected
- No third-party advertising cookies — we do not use ad trackers
14. Third-Party Links & Services
Actus may contain links to third-party websites, services, or content that are not owned or controlled by us. This includes links to our service providers' privacy policies (Supabase, OpenAI, PostHog, Vercel) and external exercise resources.
We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through Actus. Your interactions with third-party services are governed by their respective terms and privacy policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you within the app. Your continued use of Actus after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights, contact our Data Protection Officer (DPO):
- Email: dpo@actusapp.io
- For LGPD-specific requests, please write "LGPD" in the subject line so we can prioritize within statutory response windows.