🔒 Privacy Policy

Effective: 2026-05-15 · Last updated: 2026-05-15

This Privacy Policy explains how Carian Solutions, Inc. ("Carian Solutions", "we", "us", "our"), which operates Fit-PA (the "Service"), collects, uses, shares, and protects your information. We've written this in plain English. If anything is unclear, use our contact form.

📋 The short version. We collect your account information and the fitness data you generate or sync. We use it to run the Service, generate insights, and power the AI coach. We do not sell your personal information. We do not send your name, email, account ID, or exact GPS coordinates to our AI providers. You can delete your chat history, reset your app memory, or remove individual activities directly from your profile; account deletion and full data exports are handled by request through our contact form.

1. Who we are

Fit-PA is operated by Carian Solutions, Inc., a corporation incorporated in the State of California, United States. For questions about your data or this policy, use our contact form.

2. What we collect

To run the Service, we collect:

Account information: email address, name, profile photo (optional), authentication identifiers (e.g., Google sign-in tokens), and password hash. We never store passwords in plaintext.
Profile information you provide: birth date, gender, height, weight, location, time zone, training preferences, unit settings, training zones, and personal records.
Activity data: workouts, GPS tracks, heart rate, power, pace, elevation, lap data, and other metrics imported from your fitness device or uploaded as FIT files.
Wellness data (only if you sync a device): sleep duration and stages, heart-rate variability (HRV), resting heart rate, recovery score, stress, and similar metrics from connected devices.
Health context you choose to share: injuries, soreness, or health notes you add to inform the coach. This is optional.
Coaching conversations: messages you send to the in-app AI coach and the responses generated by it.
Goals and training plans: goals you set, training plans generated for you, and planned/completed sessions.
Derived insights ("app memory"): short summaries we store on our servers about your training so future coaching conversations are coherent (e.g., "training for a half-marathon", "prefers morning runs"). The AI provider does not store this — we do, and you can delete it at any time.
Device connection metadata: when you connect Garmin, Coros, Polar, or Suunto, we store the OAuth tokens needed to sync your data. Tokens are encrypted at rest.
Usage and log data: pages visited, features used, timestamps, IP address, browser and device type, error logs, and similar log data. Used for security, debugging, and product improvement.
Communications: support messages, feedback you submit through the in-app widget, and email replies.

3. What we don't collect

Payment card numbers — when we introduce paid plans, payments will be handled by a PCI-compliant processor (e.g., Stripe). We will never see or store your full card number.
Government-issued ID numbers, social security numbers, or driver's licence numbers.
Precise real-time location outside of activities you record. We do not track your location in the background.
Contents of your phone's contacts, calendar, photos (other than a profile photo you choose to upload), or messages.
Microphone or camera input.
Data from third-party advertising trackers — we don't use any.

4. How we use your data

To provide the Service: store your activities, compute analytics, generate training plans, respond in the AI coach, and sync with connected devices.
To personalise your experience: adapt analytics, training-load calculations, and coaching to your goals and fitness state.
To improve the Service: understand which features are used, diagnose bugs, and prioritise development. Where possible we use aggregated or anonymised data for this.
To communicate with you: send transactional emails (account, security, billing), respond to support requests, and — only if you opt in — send product updates.
To keep the Service secure: detect abuse, rate-limit requests, and investigate suspicious activity.
To comply with legal obligations: respond to lawful requests from authorities, enforce our Terms, and protect our rights and the rights of others.

5. Legal bases for processing (EU/UK users)

If you are in the European Economic Area or the United Kingdom, our legal bases under GDPR are:

Contract: processing necessary to provide the Service you signed up for.
Legitimate interests: improving the Service, securing it, and operating our business — balanced against your rights.
Consent: optional features such as device integrations, marketing emails, and analytics cookies. You can withdraw consent at any time.
Legal obligation: retaining records we're required to keep, or responding to lawful requests.

6. How AI is used with your data

Fit-PA uses third-party AI providers (currently Anthropic and OpenAI) to power the coaching assistant and training-plan generation. We want to be specific about what is sent and what is not:

What we send to AI providers:

Training metrics: durations, distances, pace, heart rate, power, training load (TSS / CTL / ATL / TSB), zones.
Activity context: sport, sub-sport, date, weather (if available), and high-level location category (e.g., city/country if the activity has GPS) — never raw GPS coordinates.
The text of your coaching messages.
Summaries of your training context: recent activities, active goals, planned sessions, recovery status, and AI-memory insights you've accumulated.

What we do not send to AI providers:

Your name or email address.
Your account ID or any internal identifier that could re-identify you.
Exact GPS coordinates of your activities.
Payment information.
Any other personal identifier we are not required to send to fulfil your specific request.

AI provider data handling. Anthropic and OpenAI process each request under their own terms. We use their commercial APIs and rely on their published commitment not to train foundation models on API inputs. They may briefly retain request payloads for safety / abuse monitoring per their published retention policies — but they do not keep a persistent profile of you. The AI provider sees a snapshot of relevant context to answer each message and then it's gone from their side.

App memory (stored by us, not by the AI). The persistent memory the coach uses across conversations — short summaries like "training for a half-marathon" or "prefers morning runs" — lives entirely in our database. The AI provider never stores this; we build it from your conversations and we hold it on our servers. You can review and delete this app memory at any time from your profile, and you can delete your full chat history separately without affecting your activity data.

AI-generated content is not medical advice. See the disclaimer in our Terms of Service.

7. How we share your data

We do not sell your personal information. We share data only in these situations:

With service providers (sub-processors) who help us operate the Service — see Section 8.
With device integrations you explicitly connect (Garmin, Coros, Polar, Suunto) — and only to sync your data from those services.
For legal reasons: when we believe in good faith that disclosure is required by law, to enforce our Terms, to protect our rights, or to address a safety issue.
In a business transfer: if we are involved in a merger, acquisition, or sale of assets, your data may be transferred — subject to this Privacy Policy. We'll notify you before your data becomes subject to a different policy.
With your consent: for any other purpose, with your explicit consent.

8. Categories of sub-processors

We work with reputable service providers to operate the Service. The categories below describe what each type of provider does. We name AI providers and the device-integration partners by name because that's where transparency matters most for you.

Category	Purpose	Data processed
AI providers — Anthropic, OpenAI	AI coaching, training-plan generation	De-identified training metrics, message text, and training context — see Section 6
Cloud hosting & managed database providers	Application hosting, data storage, backups	All Service data, encrypted at rest and in transit
Transactional email provider	Account, security, and support emails	Your email address and the content of the message being sent
Device-integration partners — Garmin, Coros, Polar, Suunto	Device sync — only if you choose to connect	OAuth tokens, activity and wellness data from that device
Google Sign-In & Analytics	Optional authentication; aggregate usage analytics	Authentication identifiers; page views and anonymised usage
Weather & geocoding providers	Enrich your activities with weather and location names	Activity location and date — no user identifier sent

We review sub-processors before onboarding and require contractual safeguards appropriate to the data they handle. If we add a material new category of sub-processor, we will update this list.

If you would like the specific names of the providers in any category above for compliance or due-diligence reasons, use our contact form.

9. Cookies and similar technologies

Cookie	Purpose	Type
auth_token	Keeps you signed in. httpOnly and Secure.	Strictly necessary
CSRF token	Protects form submissions from cross-site request forgery.	Strictly necessary
_ga, _ga_*	Google Analytics — aggregate usage measurement.	Analytics

We do not use cross-site tracking, advertising cookies, or third-party retargeting pixels. You can block analytics cookies with any standard browser privacy extension; the Service will continue to function.

10. How long we keep your data

Account & profile data: for as long as your account is active. Deleted within 30 days of account deletion.
Activity & wellness data: for as long as your account is active, unless you delete individual records sooner. Deleted within 30 days of account deletion.
Coaching messages: retained for as long as your account is active, unless you clear chat history. You can delete this at any time.
App memory (derived coaching insights, stored by us): retained until you reset it.
Server logs: typically 30 days, longer if required for security investigation.
Email records: support and legal correspondence retained up to 3 years for record-keeping.
Backups: encrypted database backups may retain data for up to 35 days after deletion, after which they are rotated out.
Legal retention: if we are required to retain data for legal, tax, or compliance reasons, we will retain it only as long as necessary for those purposes.

11. Your California privacy rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act). The following disclosures apply to the preceding 12 months:

Categories of personal information collected:

Identifiers: name, email, account ID, IP address.
Customer records: profile information you provide.
Internet / network activity: page views, feature usage, log data.
Geolocation data: activity GPS tracks (only for activities you record or upload).
Health-related data: heart rate, HRV, sleep, training metrics, and similar — to the extent these qualify under California law.
Inferences: AI-derived training insights and patterns.

Sources: directly from you, from your connected fitness devices and apps, and automatically from your use of the Service.

Business purposes for which we use it: see Section 4.

Disclosure to third parties: see Sections 7 and 8.

Sale or sharing of personal information: we do not sell or share your personal information for cross-context behavioural advertising, and we have not done so in the preceding 12 months. We also do not knowingly sell or share the personal information of consumers under 16.

Sensitive personal information: we collect health and geolocation data, which may qualify as sensitive personal information under California law. We use it only for the purposes described in this policy and do not use it to infer characteristics about you for marketing.

Your rights:

Right to know what personal information we collect, use, and disclose.
Right to delete personal information we have collected about you.
Right to correct inaccurate personal information.
Right to limit the use and disclosure of sensitive personal information.
Right to opt out of the sale or sharing of personal information (we do neither — so this is automatic).
Right to non-discrimination for exercising your rights.

To exercise these rights, submit a request through our contact form. We may need to verify your identity before responding — typically by confirming control of the email address on your account. You may also designate an authorised agent to submit a request on your behalf; we will require written proof of the authorisation.

"Shine the Light" (Cal. Civ. Code §1798.83): we do not share your personal information with third parties for their direct marketing purposes.

12. Your European and UK privacy rights (GDPR / UK GDPR)

If you are in the EU/EEA or UK, you have the following rights:

Right of access to your personal data.
Right to rectification of inaccurate data.
Right to erasure ("right to be forgotten").
Right to restrict processing.
Right to data portability.
Right to object to processing based on legitimate interests.
Right to withdraw consent at any time (for processing based on consent).
Right to lodge a complaint with a supervisory authority in your country.

To exercise these rights, submit a request through our contact form. We respond within 30 days as required by GDPR.

13. How to exercise your rights

Some of these rights can be exercised directly in the app:

Access: most of your data is visible in your profile, activity list, and analytics pages.
Correction: edit your profile or individual activities.
Deletion (self-service): delete individual activities; clear chat history; reset app memory — all from your profile.

The following are handled by request through our contact form — we respond within 30 days (45 days for CCPA, with possible extension where permitted):

Full data export — we'll send you a copy of your account, profile, activities, wellness data, and coaching history.
Account deletion — we'll permanently delete your account and associated data, subject to any retention required by law.
Restriction or objection to processing (EU/EEA/UK users).
Anything else not covered above.

For anything else, use our contact form. We will respond within 30 days (45 days for CCPA requests, with a possible 45-day extension where permitted).

14. Security

We protect your data with industry-standard measures:

HTTPS / TLS for all data in transit.
Encryption at rest for stored data, OAuth tokens, and backups.
Password hashing with modern algorithms (we never store plaintext passwords).
Strict access controls — only personnel who need access for operations can access production data, and access is logged.
Security review of code changes and dependency management.
Rate limiting and intrusion detection at the application layer.

No system is perfectly secure. If you suspect a security issue, please report it through our contact form and select "Security" as the topic. We support responsible disclosure and won't pursue legal action against good-faith security research that respects user privacy.

15. Data breach notification

If we experience a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay — generally within 72 hours of becoming aware — and provide information about what happened, what data was affected, and what steps we and you can take to mitigate the impact. We will also notify supervisory authorities as required by law.

16. International data transfers

Our infrastructure is primarily located in the United States. If you are outside the United States, your data will be transferred to and processed in the U.S. Where required, we rely on appropriate safeguards — such as Standard Contractual Clauses — to transfer data from the EU/UK to the United States.

17. Children

Fit-PA is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.

18. Do Not Track

We do not currently respond to "Do Not Track" browser signals because no industry standard for honouring them has been established. We do, however, respect the Global Privacy Control (GPC) signal as an opt-out of sale/sharing — though, as noted, we do not sell or share your personal information.

19. Third-party links

The Service may contain links to third-party sites we don't operate. We are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party site you visit.

20. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by email and/or a prominent notice in the app before the change takes effect. The "Last updated" date at the top will always reflect the most recent revision. We encourage you to review this policy periodically.

21. Contact

The way to reach us is our contact form. The form lets you pick a topic (privacy, security, support, legal, other) and your message is routed to the right team internally.

Fit-PA