Privacy Policy

ZenFitness is a personal fitness tracking web application operated by Adam Lamprecht, an individual based in the Republic of South Africa ("ZenFitness", "we", "us", "our"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use the ZenFitness application and any related services (the "Service").

This policy is designed to comply with the Protection of Personal Information Act 4 of 2013 (POPI Act) of South Africa.

For the purposes of the POPI Act, the responsible party — the person who determines the purpose and means of processing your personal information — is:

• Name: Adam Lamprecht
• Operating as: ZenFitness
• Country: South Africa
• Contact Email: adam@zenfitness.pro

To exercise any rights under this policy or to raise a privacy concern, please contact us at the email address above.

We collect only what is strictly necessary to provide and operate the Service.

A. Information You Provide Directly

• Email Address: Required to create your account, authenticate you on login, and send essential service communications (e.g., password resets and important policy notices).
• Password: If you register with email and password, your password is immediately and irreversibly hashed before storage. We never store or have access to your plaintext password.
• Display Name (Optional): Used to personalise your in-app experience.
• Profile Photo (Optional): Used to personalise your user profile.

B. Information From Google Sign-In

If you choose to sign in with Google, we receive your name, email address, and Google profile photo from Google as part of the OAuth 2.0 authentication flow. This information is used solely to create and manage your ZenFitness account. You should review Google's Privacy Policy to understand how Google handles your data before and during the sign-in process.

C. User-Generated Content

• Workout Plans & Logs: Exercises, sets, reps, weight, notes, and other training data you record. This is core to how the Service functions.
• Fitness Journey Progress: Your active journey, current rank, trial results, and progression history.
• Uploaded PDF Content: If you upload a PDF workout plan, the text extracted from that document is sent to our AI service to parse workout data. We do not permanently store the original PDF file on our servers.

D. Automatically Generated Data

• User ID (UID): A unique, anonymous identifier assigned upon account creation to link your data to your account without exposing your personal details in internal references.
• Exercise Scores: Numerical values calculated from your logged workout data to visualise your progress over time.
• Session Tokens: Short-lived authentication tokens used to keep you securely logged in.

E. What We Do Not Collect

We do not collect payment information (the Service is free to use), sensitive health data (such as medical records, biometric data, or body measurements), or any special categories of personal information as defined by the POPI Act. We do not run third-party behavioural advertising or analytics services.

We use your personal information only for the following lawful purposes:

• To create and manage your account and verify your identity on login.
• To provide the core features of the Service — workout logging, AI scoring, and journey progression.
• To personalise your in-app experience using your display name and profile photo.
• To send essential service communications such as password resets and policy updates.
• To operate AI-powered features (PDF extraction, exercise scoring) using the minimum data necessary, as described in Section 5.
• To monitor and improve the reliability and performance of the Service.

We will not use your personal information for marketing, advertising, or any purpose not listed above, and we will never sell your data to any third party.

We rely on the following trusted third-party services ("Operators" under the POPI Act) to deliver the Service. Each processes your data only to the extent necessary for the stated purpose.

Neon — Database & Authentication

• Purpose: Secure user authentication (Neon Auth), storage of all application data (workout plans, logs, profile information, journey progress), and session management.
• Data processed: Email address, hashed password, display name, profile photo URL, all user-generated fitness data, session tokens.
• Privacy Policy: neon.tech/privacy-policy

Google — Sign-In & AI Services

• Google Sign-In (OAuth 2.0): Used to authenticate users who choose to sign in with their Google account. Google receives your consent and shares basic profile information (name, email, photo) with us.
• Google AI / Gemini: Used to (1) extract workout plans from uploaded PDF documents and (2) assign scoring multipliers to exercises by analysing their names. We do not send any of your personal information (email address, name, or User ID) to Google AI models. Only anonymised exercise names or non-personal text from your uploaded PDF is transmitted.
• Privacy Policy: policies.google.com/privacy

Vercel — Application Hosting

• Purpose: The ZenFitness application is hosted and served via Vercel. Vercel may process request metadata (such as IP addresses and request paths) for the sole purpose of serving the application and monitoring uptime and performance.
• Privacy Policy: vercel.com/legal/privacy-policy

We implement appropriate technical and organisational measures to protect your personal information, consistent with the requirements of the POPI Act:

• All data is transmitted exclusively over HTTPS using TLS encryption.
• Passwords are hashed using a strong, industry-standard one-way algorithm before storage — we cannot retrieve or read your password.
• Authentication is managed by Neon Auth using secure, HttpOnly session cookies.
• Database access is restricted to the application backend only — there is no direct public access to the database.
• Access controls ensure that your data is only accessible to you and to the minimal automated systems required to operate the Service.

While we take these precautions, no method of electronic transmission or storage is 100% secure. In the event of a data breach that affects your personal information, we will notify you and the Information Regulator as required by the POPI Act.

We retain your personal information for as long as your account remains active and for a reasonable period thereafter to fulfil any legal obligations. If you delete your account, we will permanently delete all your associated personal information and user-generated data from our production systems within 30 days. Note that residual copies may remain in encrypted database backups for a short additional period before those backups are overwritten.

As a data subject under the POPI Act, you have the following rights:

• Right of Access: Request a copy of the personal information we hold about you.
• Right to Rectification: Correct inaccurate or incomplete information via your in-app profile settings, or by contacting us directly.
• Right to Erasure: Delete your account and all associated data at any time via the profile settings section of the app, or by emailing us.
• Right to Object: Object to the processing of your personal information for certain purposes by contacting us.
• Right to Lodge a Complaint: If you believe we are not handling your personal information in compliance with the POPI Act, you have the right to lodge a complaint with the Information Regulator of South Africa.

The Information Regulator (South Africa):

• Website: inforegulator.org.za
• Email: complaints.IR@justice.gov.za

To exercise any of the above rights, please contact us at adam@zenfitness.pro. We will respond within a reasonable timeframe.

Our third-party service providers (Neon, Google, Vercel) operate infrastructure outside South Africa, which means your personal information may be stored and processed in other countries. We ensure that such transfers are carried out only with providers that maintain adequate levels of data protection, consistent with the requirements of Section 72 of the POPI Act and internationally recognised privacy frameworks (including GDPR-equivalent standards).

By using the Service, you acknowledge and consent to the transfer of your personal information to these countries as described in this policy.

The Service is not directed at children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has registered for an account or submitted personal information without appropriate parental consent, please contact us at adam@zenfitness.pro and we will delete that information promptly.

We may update this Privacy Policy periodically. If we make material changes, we will update the "Last Updated" date at the top of this page and, where appropriate, send a notification to your registered email address. Your continued use of the Service after any changes are posted constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal information, please contact:

• Adam Lamprecht (ZenFitness)
• Privacy & legal: adam@zenfitness.pro
• General support: support@zenfitness.pro