Privacy Policy
Effective Date: April 20, 2026 · Last Updated: April 20, 2026
Rebuild AI ("we," "our," or "us") is an independent fitness application based in Alberta, Canada. We are the data controller for personal data processed through the Rebuild AI application. This policy explains what data we collect, the legal basis for processing it, who we share it with, how long we keep it, and your rights.
1. Data Controller and Representatives
Data controller
Rebuild AI
Alberta, Canada
Email: contact.rebuildai@gmail.com
UK representative (UK GDPR Article 27)
[UK REP — NAME]
[UK REP — FULL ADDRESS]
Email: [UK REP — EMAIL]
Data Protection Officer
Reachable at contact.rebuildai@gmail.com with "DPO" in the subject line.
2. What We Collect
Personal identification data
- Email address
- First name (optionally full name if you sign in with Apple and choose to share it)
- Account identifier (UUID)
Health and fitness data (UK GDPR Article 9 "special category")
- Body statistics: weight, height, age, biological sex
- Fitness goals, training frequency, experience level, activity level
- Progress photos (onboarding and weekly check-ins)
- Body measurements you choose to log (chest, waist, hips, arms, etc.)
- Workout history: exercises, sets, reps, weights
- Nutrition logs: meals eaten, macros
- Apple Health data you choose to sync: steps, active energy, sleep hours, weight
Payment data
Apple processes all payment information. We receive only a transaction identifier, subscription status, and country code — never your credit card details.
Usage and device data
- Session events (screens opened, features used, buttons tapped)
- Approximate country/region derived from device locale and IP
- Device type, operating system version, app version
- Crash diagnostics
- Push notification token (if you opt in)
Voice data
When you use the voice coach, short audio recordings are sent to our transcription provider and discarded after transcription. No voice recording is stored on our servers.
We do not knowingly collect precise GPS location, contacts, photo library beyond images you upload, microphone data outside the voice coach, or data about other people.
3. Legal Basis for Processing (UK Users)
Under UK GDPR Article 6 we rely on:
- Contract (Art. 6(1)(b)) — delivering the core service: plans, tracking, progress
- Consent (Art. 6(1)(a)) — push notifications, optional analytics, Apple Health integration. You may withdraw at any time in Settings or OS permissions
- Legitimate interest (Art. 6(1)(f)) — fraud prevention, security logging, diagnostic error reports. You may object at any time
- Legal obligation (Art. 6(1)(c)) — tax records from App Store transactions, lawful requests from public authorities
For health and fitness data (UK GDPR Article 9 "special category"), we rely on your explicit consent (Art. 9(2)(a)), given when you complete onboarding. Withdraw consent by deleting your account — this does not affect prior lawful processing.
4. How We Use Your Data
- Generate personalized meal plans and workout programs
- Analyze progress photos and provide AI-generated feedback
- Track progress, streaks, and habits
- Deliver the voice coach and text coach features
- Send workout, trial-end, and check-in notifications you've opted into
- Diagnose crashes, measure performance, improve the product
- Detect and prevent fraud, abuse, or unauthorized access
- Comply with legal obligations
We do NOT sell or rent data, train general-purpose AI models on your data, target you with advertising, or share with data brokers or ad networks.
5. Data Processors and International Transfers
We share personal data with the following processors under a Data Processing Addendum. Transfers of UK user data outside the UK are made under the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner's Office.
- Supabase Inc. (US) — database, auth, storage, edge functions. Privacy policy
- Anthropic PBC (US) — Claude API for plans, coach, progress analysis. Anthropic commits not to train models on API content. Privacy policy
- Apple Inc. — Sign in with Apple, App Store purchases, APNs push. Privacy policy
- RevenueCat, Inc. (US) — subscription management. Privacy policy
- PostHog Inc. (US) — product analytics, enabled only with consent in the UK. Privacy policy
- Sentry (Functional Software, Inc., US) — crash reporting. Privacy policy
- OneSignal Inc. (US) — push notification delivery. Privacy policy
- ElevenLabs Inc. (US) — voice synthesis and transcription. Privacy policy
- Resend Inc. (US) — transactional email delivery. Privacy policy
Copies of the IDTA and transfer impact assessments are available on request at contact.rebuildai@gmail.com.
6. Progress Photos — Ownership and License
You own your photos. All photographs you upload remain your property. We do not claim any ownership interest.
By uploading a photo you grant us a limited, non-exclusive, non-transferable, revocable license to store it, display it in the app to you, and transmit it to Anthropic solely to generate your progress analysis. This license terminates when you delete the photo or your account.
We will never: sell or license your photos; use them for advertising without explicit prior written consent; use them to train AI models; share them beyond the processors listed above; make them publicly visible to other users.
Delete specific photos anytime in the app. Deleting your account permanently deletes all photos within 30 days.
7. Apple Health Data
Apple Health integration is strictly opt-in via Settings > Apple Health.
- Read: weight, step count, active energy burned, sleep analysis
- Write (only when you log the activity in the app): workout sessions, water intake, weight
Apple Health data is used in-app only and is not uploaded to our servers unless you log it as part of a check-in or nutrition entry. Revoke access anytime in iOS Settings > Privacy & Security > Health > Rebuild AI.
8. Data Retention
We retain personal data only as long as necessary:
- Active account: kept while your account is active
- After deletion: personal data permanently deleted within 30 days (profile, health, check-ins, photos)
- Analytics/diagnostics held by PostHog and Sentry: anonymized or deleted within 90 days under each provider's retention schedule
- Encrypted backups: overwritten on a rolling basis within 90 days of deletion
- Tax records (transaction ID, amount, date, country — no personal identifiers): retained up to 7 years as required by Canadian tax law
9. Your Rights
Regardless of where you live, you have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data (editable in Settings and Onboarding)
- Delete your account and all associated data (Settings > Delete Account)
- Withdraw any consent you previously gave
- Opt out of push notifications
Additional rights for UK users
- Access (Art. 15) — free copy of your data in structured, machine-readable format via Settings > Download My Data
- Rectification (Art. 16)
- Erasure / right to be forgotten (Art. 17)
- Restriction of processing (Art. 18)
- Data portability (Art. 20)
- Objection (Art. 21) — including to legitimate-interest processing and direct marketing
- Not to be subject to solely automated decisions with legal or similarly significant effect (Art. 22). Rebuild AI's AI recommendations are advisory and require your voluntary action
Email our UK representative (Section 1) or contact.rebuildai@gmail.com. We respond within one month (extendable to three for complex requests, with notice).
Right to complain (UK)
California residents (CCPA/CPRA)
- Right to know what personal information we collect, use, and disclose
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of "sale" or "sharing" — we do not sell or share for cross-context behavioral advertising
- Right to non-discrimination for exercising these rights
Quebec residents (Law 25)
You may request access, correction, and under certain conditions portability of your data.
10. Automated Decision-Making
Rebuild AI uses AI to generate meal plans, workout plans, and motivational feedback. These are recommendations, not decisions with legal or similarly significant effect on you. You are always free to disregard them. We do not use automated profiling for eligibility, pricing, or access decisions.
11. Data Security
- Encryption in transit (TLS 1.2+) and at rest (AES-256) at Supabase
- Row-level security — users only access their own records
- Secrets stored via Apple Keychain / Android Keystore on-device
- Principle of least privilege for internal access
- Logging and monitoring for anomalous access
In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required under UK GDPR Article 34.
12. Age Requirement
Rebuild AI is intended for users aged 17 or older. By creating an account you confirm you are at least 17. We do not knowingly collect personal information from anyone under 17. If we learn a user is under 17, we delete their account promptly.
The app is not directed at children under 13 and complies with COPPA. Parents or guardians: contact contact.rebuildai@gmail.com.
13. Cookies and Tracking
Rebuild AI is a native mobile app and does not use browser cookies. We do not use cross-app tracking, IDFA-based advertising identifiers, or SDK-based behavioral advertising. We do not integrate with any advertising network.
Analytics from PostHog and Sentry are collected under your consent choice. UK users are asked on first launch whether to enable analytics and may change their choice at any time in Settings > Privacy.
14. Changes to This Policy
We may update this privacy policy. Material changes will be announced in-app and take effect no sooner than 30 days after notice. The "Last Updated" date above reflects the most recent revision.
15. Contact Us
Rebuild AI
Alberta, Canada
Email: contact.rebuildai@gmail.com
UK users: see Section 1 for the contact details of our UK representative. We respond to all privacy inquiries within 30 days.
Rebuild AI