FITRA360
Privacy Policy
Effective Date: May 1, 2025 | Last Updated: March 2026 | Version: 1.0
Your health data is among the most sensitive information you can share. This Privacy Policy explains clearly what we collect, why we collect it, how it is protected, and what rights you have. Please read it in full.
1. Who We Are
Fitra360 (“we”, “us”, “our”) is an AI-powered personalized wellness platform operated from the State of Florida, United States. We are the data controller for the personal information you provide through our mobile application and associated services (collectively, the “Platform”).
Contact for all privacy matters:
• Email: hello@fitra360.com
• Subject line for data requests: “Privacy Request”
• Subject line for GDPR requests: “GDPR Data Request”
• Subject line for CCPA requests: “California Privacy Rights Request”
2. The Data We Collect
Because Fitra360 delivers genuinely personalized health insights, we collect a broader range of data than most wellness apps. Every category below is collected only to generate, improve, and deliver your personalized wellness plan. We do not collect data for advertising purposes.
2.1 Account & Identity Data
• Full name and email address
• Date of birth and biological sex (required for accurate health modeling)
• Profile photo (optional)
• Account credentials (password stored in hashed, salted form — never in plain text)
2.2 Sensitive Health & Medical Data
The following categories are classified as sensitive personal data under GDPR, CCPA/CPRA, and other applicable laws. We collect them only with your explicit, informed consent.
• DNA & Genetic Data: Methylation data and genetic markers you voluntarily upload or connect. Used to personalize supplement suggestions, nutrition guidance, and identify metabolic patterns.
• Blood Work & Lab Results: Lab reports, bloodwork panels, and biomarker data you upload. Used to identify deficiencies, hormonal imbalances, and health trends.
• Symptoms & Pain Data: Self-reported symptoms, pain locations, severity, and duration. Used to decode health signals and recommend relevant testing or adjustments.
• Gut Health Data: Digestive patterns, microbiome reports, and gastrointestinal information you provide. Used to tailor nutrition and supplement recommendations.
• Dental & Oral Health History: Dental procedures, existing conditions, and oral health inputs. Used to identify hidden inflammatory stressors.
• Well-being & Stress Indicators: Self-reported stress levels, mood, and energy. Used to calibrate nervous system and recovery recommendations.
2.3 Wearable & Device Data
In future releases, Fitra360 may integrate with wearable device platforms (such as Apple HealthKit, Google Fit, Fitbit, or Garmin) and nutrition tracking applications. When such integrations are activated by you, we may collect:
• Sleep duration, quality, and circadian rhythm data
• Heart rate, heart rate variability (HRV), and blood oxygen levels
• Step count, activity type, and caloric expenditure
• Stress and recovery scores
No third-party integrations are active in the current release. When they are introduced, you will be asked for explicit consent before any data is shared between platforms.
2.4 Nutrition & Lifestyle Data
• Food logs entered manually, photographed, or synced from third-party apps (future feature)
• Meal timing and dietary preferences or restrictions
• Supplement usage and self-reported effects
• Hydration, alcohol, and caffeine intake
2.5 Location & Environmental Data
• General geographic location (city/region level) — used to factor in environmental toxin exposure, seasonal light cycles, and local health context
• Precise location is not collected unless explicitly enabled by you for a specific feature
2.6 Technical & Usage Data
• Device type, operating system, and app version
• IP address and general network information
• App usage patterns, feature interactions, and session duration
• Crash reports and diagnostic logs
• Push notification preferences
2.7 Communications Data
• Emails or messages you send to our support team
• Feedback, survey responses, and waitlist submissions
2.8 Derived & Inferred Data
As you use Fitra360, we generate additional data derived from your inputs. This includes wellness scores, AI-generated health insights, behavioral patterns inferred from your usage, recommendation histories, and health trend analyses. This derived data is considered personal data where it can be linked to you and is treated with the same level of protection as your original inputs. You may request access to or deletion of your derived data in the same way as any other personal data we hold.
3. How We Use Your Data
We use your data exclusively for the following purposes. We do not use your health or genetic data for advertising, profiling for commercial sale, or any purpose beyond what is listed here.
3.1 Delivering Your Personalized Wellness Plan
• Generating AI-powered health insights, supplement suggestions, nutrition guidance, movement plans, and sleep recommendations tailored to your biology
• Continuously recalibrating your wellness plan as you upload new data or report symptoms
• Identifying nutrient deficiencies, hormonal imbalances, and health trends from your lab and DNA data
3.2 AI & Machine Learning Processing
Fitra360 uses artificial intelligence and machine learning to analyze your health data and generate personalized recommendations. Currently, this involves sending relevant portions of your data to third-party AI model providers (see Section 7). This processing is governed by data processing agreements with those providers, who are contractually prohibited from using your data to train their general models without your separate, explicit consent.
As our platform evolves, we may transition to different AI providers or build proprietary models. Any such change that affects how your data is processed will be communicated to you in advance, and where required, we will seek fresh consent.
3.3 Platform Improvement (De-identified Only)
We may use de-identified, aggregated data — from which all personal identifiers have been removed — to improve our AI models, product features, and health algorithms. This data cannot be used to identify you. We will only use individually identifiable data for platform improvement with your separate, explicit opt-in consent.
3.4 Safety, Security & Legal Compliance
• Detecting and preventing fraud, unauthorized access, and security incidents
• Complying with applicable laws, regulations, and lawful government requests
• Enforcing our Terms of Service
• Protecting the rights, property, or safety of Fitra360, our users, or the public
3.5 Communications
• Sending you account-related notifications (e.g., account confirmation, password reset)
• Delivering your wellness plan updates and health insights
• Sending product updates, new feature announcements, and wellness content (only with your consent; unsubscribe available at any time)
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:
• Explicit Consent (Article 6(1)(a) and Article 9(2)(a) GDPR): For all sensitive health data, genetic data, and any processing beyond strict service delivery. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Performance of a Contract (Article 6(1)(b) GDPR): To deliver the Fitra360 wellness service you have signed up for.
• Legal Obligation (Article 6(1)(c) GDPR): Where we are required by law to process or retain certain data.
• Legitimate Interests (Article 6(1)(f) GDPR): For platform security, fraud prevention, and improving our services — only where these interests are not overridden by your rights and interests.
For each sensitive data category (health data, genetic data, biometric data), the legal basis is always explicit, granular consent. You may withdraw this consent at any time through your account settings or by contacting us at hello@fitra360.com.
5. Genetic & Biometric Data — Special Protections
Genetic and biometric data receive the highest level of protection within our platform, beyond what is required for general health data.
• Separate consent required: You must provide affirmative, explicit consent specifically for genetic data processing. This is separate from your general account consent.
• Encryption at rest and in transit: All genetic data is encrypted using industry-standard encryption both during transmission and in storage.
• No sale or commercial sharing: Your genetic data will never be sold, shared for advertising, or disclosed to insurance companies, employers, or any third party for commercial purposes.
• De-identification before any research use: If we ever use genetic data for research or platform improvement, it will be fully de-identified first, and only with your separate opt-in consent.
• Right to deletion: You may request permanent deletion of your genetic data at any time. We will complete deletion within 30 days and confirm upon request where feasible.
• State law compliance: If you are a resident of Illinois, Texas, Washington, or another jurisdiction with specific biometric or genetic data laws (e.g., BIPA, TBIA), your additional statutory rights apply and we will honor them.
• GINA alignment: Fitra360 is designed to align with the Genetic Information Nondiscrimination Act (GINA). We do not use genetic data in any manner that could affect health insurance or employment eligibility determinations.
6. How We Store & Protect Your Data
6.1 Storage Infrastructure
Fitra360 stores user data using cloud infrastructure operated by reputable cloud providers selected based on their ability to support strong security and compliance standards, including security best practices commonly associated with healthcare-grade systems. Our cloud provider has not yet been finalized; we will update this section with specific provider information prior to launch.
All data is stored in encrypted form. We use:
• Encryption in transit: TLS 1.2 or higher for all data transmitted between your device and our servers
• Encryption at rest: AES-256 or equivalent encryption for all stored personal and health data
• Access controls: Role-based access controls limiting who within Fitra360 can access your health data
• Audit logging: Access to sensitive health data is logged and periodically reviewed
6.2 Data Minimization
We collect only the data necessary to deliver your personalized wellness plan. You are never required to provide genetic data or lab results — these are optional inputs that enhance the depth of your plan. The Platform will function with less data; it will simply be less personalized.
6.3 Retention Periods
• Active account data: Retained for the duration of your account plus 30 days after deletion request
• Health and genetic data: Deleted within 30 days of account closure or deletion request, unless retention is required by applicable law
• Technical and usage logs: Retained for up to 12 months for security and diagnostic purposes, then deleted
• Support communications: Retained for up to 24 months for quality and legal purposes
• De-identified, aggregated data: May be retained indefinitely as it cannot be linked to you
6.4 Security Incident Response
In the event of a data breach or security incident affecting your personal data, Fitra360 will notify affected users without unreasonable delay and in accordance with applicable law. We will provide information about the nature of the incident, data affected, steps taken to contain it, and recommended actions for you to protect yourself.
7. Third-Party AI Providers
Fitra360’s personalized health insights are generated using artificial intelligence. Currently, we use third-party AI model providers to process your health inputs and generate recommendations. This is a core part of how the Platform works.
When you submit health data for analysis, relevant portions of that data are transmitted to our AI providers in encrypted form. Our AI providers are contractually bound not to use your data to train their general-purpose models.
Current AI provider(s):
• OpenAI (GPT models) — currently used for health data analysis and recommendation generation. OpenAI’s data processing is governed by their API Data Processing Addendum, under which they do not use API inputs to train their models by default.
Future AI providers may include other model providers (such as Google Gemini, Anthropic Claude, or proprietary models). Any change to AI providers that affects how your health data is processed will be disclosed in an updated Privacy Policy, and where required by law, we will seek your renewed consent.
Data shared with AI providers is:
• Limited to the minimum necessary to generate your specific recommendation
• Transmitted over encrypted connections
• Not linked to your full identity by the AI provider (we use pseudonymized identifiers)
• Not used for advertising or sold to any third party by our AI providers
8. Third-Party Integrations & Data Sharing
8.1 Current Integrations
Fitra360 does not currently integrate with any third-party health platforms, wearable devices, or nutrition applications. All data in the current release is entered directly by you.
8.2 Future Integrations
Future releases of Fitra360 may offer integrations with platforms such as Apple HealthKit, Google Fit, wearable device manufacturers (Fitbit, Garmin, Oura, etc.), and nutrition tracking apps. When such integrations become available:
• You will be asked to grant explicit permission before any integration is activated
• You will be informed exactly what data will be accessed and why
• You may revoke integration permissions at any time from your account settings
• This Privacy Policy will be updated to identify each integration and the data involved
8.3 When We May Share Your Data
We do not sell your personal data. We share it only in the following limited circumstances:
• AI Providers: As described in Section 7, to generate your personalized health insights.
• Cloud Infrastructure Providers: To host, store, and operate the Platform securely.
• Analytics Providers: De-identified, aggregated usage data only — never your health data — to understand how the Platform is used and improve it.
• Legal Requirements: If required by law, court order, or lawful government request. We will notify you of such requests where legally permitted to do so.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. You will be notified in advance and, where required, asked for consent.
• With Your Explicit Consent: For any sharing not listed above, we will ask for your specific consent first.
8.4 Healthcare Practitioners (B2B)
Healthcare practitioner and B2B functionality is planned for a future release of Fitra360. When available, professional use involving client or patient data will be governed by a separate Business Associate Agreement (BAA) and additional terms. If you are interested in professional use, contact hello@fitra360.com to be notified when this becomes available.
9. Apple App Store & Google Play — Platform-Specific Disclosures
9.1 Apple HealthKit
If and when Fitra360 integrates with Apple HealthKit, the following rules apply in accordance with Apple’s developer guidelines:
• HealthKit data will not be used for advertising or sold to data brokers
• HealthKit data will not be shared with third parties without your explicit permission, except as required to provide the service or as required by law
• HealthKit data will not be used for any purpose other than improving your health and wellness within Fitra360
9.2 Google Fit
If and when Fitra360 integrates with Google Fit, we will comply with Google’s Fit API Developer and Distribution Agreement, including restrictions on use of fitness and health data for advertising purposes.
9.3 App Store Data Nutrition Labels
Apple App Store and Google Play require disclosure of data collection practices. The data types collected by Fitra360 include (but are not limited to): Health & Fitness data, Identifiers, Usage Data, and Sensitive Information. Our app store listings are updated to reflect our current data collection practices.
10. Your Privacy Rights
Depending on where you live, you have the following rights regarding your personal data. We honor all applicable rights regardless of jurisdiction.
10.1 Universal Rights (All Users)
• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Deletion: Request permanent deletion of your account and all associated data
• Right to Withdraw Consent: Withdraw consent for any data processing at any time, without affecting prior lawful processing
• Right to Data Portability: Request your data in a structured, machine-readable format
• Right to Complain: Lodge a complaint with the relevant data protection authority in your jurisdiction
To protect your data from unauthorized access, we may require verification of your identity before fulfilling any data access, correction, or deletion request. We will use the minimum information necessary to verify your identity and will not use it for any other purpose.
We reserve the right to refuse or charge a reasonable fee for requests that are excessive, repetitive, or manifestly unfounded, where permitted by applicable law.
10.2 GDPR Rights (EEA & UK Users)
In addition to the universal rights above, EEA and UK residents have:
• Right to Restrict Processing: Request that we limit how we use your data in certain circumstances
• Right to Object: Object to processing based on legitimate interests
• Rights Related to Automated Decision-Making: The right not to be subject to solely automated decisions that produce significant legal or similarly significant effects. Fitra360’s AI generates recommendations for your review — it does not make binding decisions about you.
10.3 California Rights (CCPA/CPRA)
California residents have the following additional rights:
• Right to Know: What personal information we collect, use, share, or disclose
• Right to Delete: Personal information we have collected from you
• Right to Correct: Inaccurate personal information
• Right to Opt-Out: Of the sale or sharing of personal information (Fitra360 does not sell personal information)
• Right to Limit Use: Of sensitive personal information, including health, genetic, and precise location data
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise any of these rights, contact hello@fitra360.com with the appropriate subject line. We will respond within 30 days (GDPR) or 45 days (CCPA), with one possible extension where permitted.
11. Children’s Privacy
Fitra360 is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are between 13 and 17, you may only use Fitra360 with verifiable parental or guardian consent.
If we become aware that we have inadvertently collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe we may have collected data from a child under 13, please contact us at hello@fitra360.com.
This policy is designed to comply with the Children’s Online Privacy Protection Act (COPPA) in the United States and equivalent legislation in other jurisdictions.
12. International Data Transfers
Fitra360 is operated from the United States. If you access the Platform from outside the United States, your personal data will be transferred to and processed in the United States, which may have different data protection laws than your country of residence.
For users in the EEA or UK, we rely on the following mechanisms to ensure adequate protection for international data transfers:
• Standard Contractual Clauses (SCCs): Approved by the European Commission, incorporated into our agreements with data processors
• Data Processing Agreements: With all third-party providers who receive your personal data, including AI providers and cloud infrastructure providers
By using Fitra360, you acknowledge that your data may be processed in the United States and other countries where our service providers operate. We take appropriate steps to ensure your data is treated securely and in accordance with this Privacy Policy regardless of where it is processed.
13. Cookies & Tracking Technologies
The Fitra360 mobile application does not use browser cookies. However, we and our service providers may use the following technologies:
• Analytics SDKs: To understand how users interact with the app (e.g., which features are used, session duration). Data collected is aggregated and de-identified where possible.
• Crash Reporting SDKs: To identify and fix technical issues. These collect device information and app state at the time of a crash.
• Push Notification Services: To deliver health plan updates and reminders. You may opt out at any time from your device notification settings.
If a web version of Fitra360 is released, a separate Cookie Policy will be published and you will be presented with a cookie consent mechanism before any non-essential tracking is activated.
14. AI Transparency
Because AI plays a central role in how Fitra360 works, we believe in being transparent about how it is used:
• What AI does: Analyzes your combined health inputs (DNA, labs, symptoms, lifestyle, etc.) to generate personalized wellness recommendations.
• What AI does not do: Make binding clinical decisions about your health, replace a licensed healthcare provider, or take any action without presenting its output to you first.
• How recommendations are generated: Your data is sent (in pseudonymized form) to an AI model that identifies patterns and generates suggestions. These are reviewed and formatted by Fitra360 before being presented to you.
• Accuracy limitations: AI-generated recommendations are probabilistic. They depend on the quality and completeness of your input data and may not be accurate for your specific situation. Always consult a qualified healthcare professional before acting on any recommendation.
• No automated decision-making with legal effect: Fitra360 does not use AI to make automated decisions that have legal or similarly significant effects on you without human review.
• Model changes: When we change AI providers or significantly update our models, we will disclose this and, where required, seek renewed consent.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time as our Platform evolves, integrations are added, or laws change. When we do:
• We will notify you via email and/or in-app notification at least 14 days before material changes take effect
• For changes that materially affect how we process your sensitive health or genetic data, we will seek your active, affirmative consent — not rely on continued use as acceptance
• The updated policy will always display its effective date at the top
• Previous versions of this policy will be archived and available upon request
If you do not agree to a material change, you may delete your account before the change takes effect. Continued use after the effective date of a non-material update constitutes acceptance of that update.
16. Contact & Data Protection Inquiries
For all privacy-related questions, data requests, or concerns:
Fitra360
Email: hello@fitra360.com
Website: www.fitra360.com
For GDPR requests: hello@fitra360.com (Subject: GDPR Data Request)
For CCPA requests: hello@fitra360.com (Subject: California Privacy Rights Request)
For genetic data deletion: hello@fitra360.com (Subject: Genetic Data Deletion Request)
We aim to respond to all privacy inquiries within a reasonable timeframe, and to fulfill verified data requests within the legally required timeframes (30 days under GDPR, 45 days under CCPA).
Fitra360 is a wellness platform, not a medical service. Your data is used exclusively to help you understand and optimize your health. We will never sell it, exploit it, or use it in ways you have not consented to. Your biology is yours.
