
Privacy Policy — Zodiac Fit

Last Updated: October 9, 2025
Effective Date: October 9, 2025
Owner/Publisher: ToughWing
Contact: support@toughwing.app

At ToughWing, we respect your privacy and are committed to protecting your personal data. This Privacy Policy explains what information we collect when you use the Zodiac Fit mobile application ("App"), how we use it, and your rights.

As Zodiac Fit collects health and nutrition data, please read this policy carefully.
For relevant Terms of Use, please see the Terms of Use section.

1. Data We Collect

When using the Zodiac Fit app, we collect the following information:

1.1 Account and Identity Information

  • Email address: For account creation and communication
  • User ID: Unique identification
  • OAuth identifiers: If you sign in with Google Sign-In
  • Name: For personalization
  • Profile information: User preferences and app settings

1.2 Health and Physical Data ⚕️

IMPORTANT: The following health data is collected solely to provide personalized diet recommendations:
  • Age: For calorie requirement calculation
  • Gender: For metabolism calculation
  • Birth date and time: For age calculation and zodiac sign determination
  • Weight (current and target): For progress tracking
  • Height: For BMI and calorie calculation
  • Zodiac sign: For personalized motivation messages (entertainment purposes)
  • Rising sign: (Optional) For extra personalization

1.3 Nutrition and Lifestyle Data

  • Dietary preferences: Vegetarian, vegan, keto, etc.
  • Goal: Weight loss, weight gain, maintenance, muscle building
  • Activity level: Daily movement routine
  • Meal preferences: Breakfast, lunch, dinner, snack habits
  • Late night snacking: Habit tracking

1.4 Daily Tracking Data

  • Calorie tracking: Daily calorie intake
  • Meal records: Food name, meal type, nutritional values
  • Macronutrients: Carbohydrates, protein, fat values
  • Last 7 days history: For graphs and progress tracking

1.5 AI Chat Data

  • Question and answer history: Conversations with AI assistant
  • Context data: Previous chats for personalized responses
  • Last 8 messages: For in-app display

Note: AI chat data is processed through the OpenAI API. See Section 4.3 for details.

1.6 Subscription and Purchase Information

  • Subscription status: Free, Plus, Pro, Trial
  • Purchase history: Through Apple App Store / Google Play Store
  • AI question usage limits: Monthly/weekly question count

1.7 Technical and Device Information

  • Device ID: For app performance and security
  • IP address: For security and fraud prevention
  • Operating system: iOS/Android version info
  • App version: For compatibility and debugging
  • Language preference: For localization

1.8 Analytics and Usage Data

  • In-app behaviors: Which features you use
  • Crash reports: To fix app crashes
  • Session durations: For usage statistics

Anonymous usage data collected via Firebase/Google Analytics:

  • Screen views
  • Feature usage
  • Device type and model

2. Location Data

Zodiac Fit does NOT collect location data.
  • No GPS location tracking
  • No location history stored
  • No gym or restaurant suggestions

3. Data Use Purposes

We use the data we collect for the following purposes:

3.1 Service Provision

  • Calculate personalized calorie and macronutrient targets
  • Display zodiac-based motivation messages
  • Provide diet and nutrition advice via AI assistant
  • Display progress graphs and statistics

3.2 AI Responses (OpenAI API)

  • Process user questions
  • Provide context-based personalized nutrition recommendations
  • Remember chat history (last 8 messages)

3.3 Subscription Management

  • Control access to premium features
  • Track AI question limits
  • Purchase verification (Apple App Store / Google Play Store)

3.4 Security and Fraud Prevention

  • Ensure account security
  • Detect abuse
  • Block spam and fake accounts

3.5 Analytics and Improvement

  • Analyze app performance
  • Improve user experience
  • Review and fix crash reports

3.6 Communication

  • Notify about important updates
  • Subscription and billing notifications
  • Respond to support requests

4. Data Sharing and Third Parties

4.1 Personal Data Sales

WE DO NOT AND WILL NOT SELL YOUR PERSONAL DATA.

4.2 Service Providers

We use the following trusted third-party service providers:

4.2.1 Database and Infrastructure

Supabase (EU—Frankfurt):

  • User profiles and health data
  • Meal records and calorie tracking
  • AI chat history
  • Data location: European Union (Frankfurt, Germany)
  • Security: End-to-end encryption, RLS (Row Level Security)

4.2.2 AI Services

OpenAI API:

4.2.3 Authentication

Google Sign-In:

4.2.4 Notifications

Firebase Cloud Messaging:

4.2.5 Food Database

OpenFoodFacts API:

4.2.6 Analytics

Google Analytics / Firebase Analytics:

4.3 Data Sharing with OpenAI (Detailed)

When you use the AI assistant feature:

1. Data Sent:

  • User question
  • Profile information (name, goal, zodiac sign, dietary preference)
  • Physical data (weight, height, age, gender)
  • Current calorie target
  • Last 8 message history (for context)

2. OpenAI's Use:

  • Generate personalized nutrition recommendations
  • Improve response quality
  • Model improvement (anonymous)

3. Security:

  • Transmission via HTTPS encryption
  • OpenAI API logs deleted after 30 days
  • No sensitive health data processed (only general nutrition advice)

4. User Control:

  • AI assistant use is completely optional
  • Requires premium subscription
  • You can delete chat history (see Section 14)

4.4 Legal Obligations

We may share data only in the following situations:

  • Legal requirement (court order, subpoena)
  • To protect our rights
  • To prevent fraud or security threats
  • If public safety requires it

5. Cookies and Tracking Technologies

5.1 Cookies Used

  • Session cookies: Maintain login state
  • Preference cookies: Language and app settings
  • Analytics cookies: Firebase Analytics (optional)

5.2 Cookie Control

  • iOS: Settings → Privacy → Tracking → "Allow Apps to Request to Track" off
  • Android: Settings → Privacy → Ads → "Reset advertising ID"

5.3 Third-Party Cookies

  • Google Analytics (anonymous)
  • Firebase (app performance)

Note: You can disable analytics cookies, but this may affect some features.

6. Automated Decision Making and Profiling

6.1 AI Algorithms

We use the following automated processes:

  • Calorie calculation: Based on age, weight, height, gender, activity level
  • Macronutrient distribution: Based on goal and dietary preference
  • Zodiac-based motivation: Randomly selected messages (entertainment purposes)
  • AI responses: Nutrition advice via OpenAI GPT model

6.2 User Control

  • You can manually edit automatic calculations
  • AI assistant use is optional
  • You can change your goals anytime

6.3 Profiling

For personalization, we use:

  • Dietary preferences (vegetarian, vegan, etc.)
  • Goal (weight loss, gain, maintenance)
  • Zodiac sign (for motivation only)
  • Past AI chats (for relevant suggestions)

Profiling does not create any legal or similarly significant effects.

7. Marketing Communications

7.1 Email Notifications

We may send emails for the following purposes:

  • Account verification and security
  • Subscription and billing
  • Important app updates
  • Promotional emails (with consent only)

7.2 Push Notifications

  • Zodiac-based diet reminders (3 notifications per day)
  • Subscription status notifications
  • New feature announcements

7.3 Preference Management

Email settings:

  • Use the "Unsubscribe" link at the bottom of each email
  • Email support@toughwing.app with "Stop emails"

Push notification settings:

  • iOS: Settings → Zodiac Fit → Notifications
  • Android: Settings → Apps → Zodiac Fit → Notifications

Note: You cannot unsubscribe from account security and billing emails.

8. User Rights (GDPR and KVKK)

8.1 Right to Access

You can view all data we've collected about you:

  • In-app Settings → Account Information
  • Email support@toughwing.app with "I want to see my data"

8.2 Right to Rectification

You can correct incorrect or incomplete data:

  • In-app profile editing
  • Contact support team

8.3 Right to Erasure ("Right to be Forgotten")

You can delete all your data:

  • Email support@toughwing.app with "Delete my account and data"
  • Deleted within 30 days after verification
  • May remain in backups for limited time (90 days)

Data deleted:

  • Profile information
  • Health and physical data
  • Meal records and calorie history
  • AI chat history
  • Subscription history (except billing records - legal requirement)

8.4 Right to Restriction

You can restrict certain data processing:

  • Stop AI assistant use
  • Reject analytics data collection
  • Opt out of marketing communications

8.5 Right to Portability

You can request your data in structured format (JSON):

  • Email support@toughwing.app with "I want to export my data"
  • Sent via email within 30 days

8.6 Right to Object

You can object to:

  • Marketing communications
  • Profiling and personalization
  • Third-party data sharing (except service providers)

8.7 Right to Freedom from Automated Decision Making

You don't have to rely on AI recommendations:

  • Manual data entry always possible
  • You can edit calculations yourself
  • AI assistant is completely optional

8.8 Right to Complain

For data protection concerns:

9. Data Retention Periods

9.1 Active Accounts

Data Type | Retention Period
Profile information | Until account deleted
Health data | Until account deleted
Meal records | All history retained
AI chat history | Until account deleted
Analytics data | 26 months (Google Analytics)

9.2 Inactive Accounts

  • If you don't log in for 2 years, we'll send an email about closing your account
  • If no response to email, account and data deleted after 30 days

9.3 Deleted Accounts

  • Deleted from active systems within 30 days
  • May remain in backups for 90 days (security and legal obligation)
  • Billing records retained for 7 years (tax laws)

9.4 OpenAI API Logs

  • Retained at OpenAI for 30 days
  • Automatically deleted afterwards

10. Data Security

10.1 Technical Measures

  • HTTPS encryption: For all data transmission
  • AES-256 encryption: When stored in database
  • Row Level Security (RLS): User-based access control in Supabase
  • End-to-end encryption: For sensitive health data
  • 2FA support: (In future update)

10.2 Organizational Measures

  • Limited employee access (need-to-know principle)
  • Regular security audits
  • Incident response plan
  • Non-disclosure agreements (NDA) with all staff

10.3 Third-Party Security

  • Supabase: SOC 2 Type II certified
  • OpenAI: ISO 27001 certified
  • Firebase: Google Cloud security standards

10.4 Data Breach Notification

In case of a data breach:

  • Notification to authorities within 72 hours (GDPR/KVKK requirement)
  • Email notification to affected users
  • Transparency about breach details and measures taken

11. International Data Transfers

11.1 Data Locations

Service | Data Location | Transfer Mechanism
Supabase | EU (Frankfurt) | Local storage, EU law compliant
OpenAI API | USA | Standard Contractual Clauses (SCC)
Firebase | USA/EU | Google Cloud Privacy Shield alternative

11.2 Non-EU Transfers

For data transfers outside the EU, we use the following safeguards:

  • Standard Contractual Clauses (SCC): EU Commission approved
  • Data Processing Agreements (DPA): With all US providers
  • Adequacy Decisions: EU-approved countries when possible

11.3 Users in Turkey

  • Your data is primarily stored on EU (Frankfurt) servers
  • Transfer to USA may occur for OpenAI API use (protected by SCC)
  • Done with your explicit consent under KVKK Article 9

12. Children's Privacy

12.1 Age Ratings by Region

Zodiac Fit has different age ratings depending on your region:

  • Age 9+: 173 Countries or Regions (including most territories)
  • Age 10+: Brazil
  • All Ages: Korea, Republic of

12.2 Children Under 13

While the app is available for users 9 and older in most regions, we take children's privacy seriously:

  • Parent/guardian consent is strongly recommended for users under 13, as the app collects health and nutrition data
  • Parents can request access to or deletion of their children's data at any time
  • We comply with COPPA (Children's Online Privacy Protection Act) requirements

12.3 Ages 13-18

  • Parent/guardian awareness is recommended due to health data collection
  • Parents can request deletion of their children's data

12.4 Parental Rights

Parents and guardians can:

  • Review their child's personal information
  • Request deletion of their child's data
  • Refuse further collection or use of their child's information

If you are a parent/guardian and have concerns about your child's data, please contact support@toughwing.app.

13. Policy Changes

13.1 Update Process

  • We may update this policy periodically
  • For significant changes, 30 days' advance email notification
  • For minor changes, in-app notification

13.2 Notification Channels

  • Email (to your registered address)
  • In-app pop-up
  • Website (toughwing.app/privacy)

13.3 Objecting to Changes

  • You can close your account within 30 days
  • If you don't accept new terms, stop using the app

13.4 Version Control

  • Each update is dated and archived
  • To view old versions: support@toughwing.app

14. Account and Data Deletion

Deletion methods

You can delete your account and data using the following methods:

1. In-App (Recommended)

  • Open the app
  • Go to Profile or Settings
  • Tap "Delete Account"
  • Confirm your deletion request

Processing time: Your request is initiated immediately and your data will be permanently deleted within 30 days.

2. Email (Alternative Method)

If you cannot access the app or experience technical issues, email support@toughwing.app:

  • Subject: Delete my account
  • Content: Your registered email and "I want my account deleted"
  • Processing time: Manually processed within 7 business days

Data to be deleted

  • Account information (email, credentials)
  • Profile data
  • Health and nutrition data
  • Meal records and calorie history
  • AI chat history
  • In-app settings and preferences

Data that may be retained (Legal requirement)

Due to tax and financial regulations, transaction and billing records may be retained for the legally required period (typically 5-10 years). This data is not linked to your personal identity and is kept for legal records only.

Backup systems

Your data is removed from active systems immediately, but will be completely purged from backup systems within 30 days.

Subscriptions

⚠️ IMPORTANT: Account deletion does not automatically cancel your Apple App Store or Google Play Store subscription.

To cancel your subscription:

  • iOS: Settings → [Your Name] → Subscriptions → Zodiac Fit → Cancel Subscription
  • Android: Google Play Store → Profile → Payments & subscriptions → Subscriptions → Cancel

Reversal

Deletion is irreversible. Your data is permanently deleted and cannot be recovered. We recommend backing up important data (meal records, health data) before requesting deletion.

Contact

For questions about account deletion: support@toughwing.app

For detailed information: Account Deletion Page

15. Contact and Data Controller

15.1 Data Controller

ToughWing
Email: support@toughwing.app
Web: https://toughwing.app

15.2 Contact Channels

General Questions:

  • Email: support@toughwing.app
  • Response time: 48 hours

Data Deletion/Access Requests:

  • Email: support@toughwing.app
  • Subject: "KVKK/GDPR Request"
  • Response time: 30 days (legal period)

Security Concerns:

  • Email: security@toughwing.app (in future)
  • Currently: support@toughwing.app
  • Emergency response: 24 hours

15.3 Complaints and Objections

Direct Application:

  1. Email support@toughwing.app
  2. Explain your concern in detail
  3. Response within 30 days

Regulatory Authority Application:

Turkey:

European Union:

16. Special Cases and Clarifications

16.1 Health Data Processing

Under KVKK Articles 6 and 9:

  • Your health data is considered special category personal data
  • Processed with your explicit consent
  • Used not only for health purposes but for nutrition recommendations
  • Not sold to third parties or used for marketing

16.2 AI and Automated Decision Making

16.3 Zodiac Information and Profiling

  • Zodiac information is for entertainment purposes
  • Motivation messages are not scientifically based
  • You can turn off the zodiac feature anytime

16.4 OpenFoodFacts Use

  • Uses community database (open source)
  • Nutritional values are estimates
  • If you have allergies or sensitivities, consult your doctor
  • OpenFoodFacts privacy: https://world.openfoodfacts.org/privacy

16.5 Cookie and Tracking Opt-Out

You can completely opt out of:

  • Analytics cookies (Firebase)
  • Advertising ID (IDFA/GAID)
  • Third-party tracking

Cannot opt out of (required):

  • Session cookies (security)
  • Subscription verification (Apple App Store / Google Play Store)

Quick Reference Table

Data Type | Purpose | Retention Period | Third Party
Email | Account, communication | Until account deletion | Supabase (EU)
Health data | Personalization | Until account deletion | Supabase (EU)
AI chat | Recommendations | Until account deletion | OpenAI (USA)
Meal records | Progress tracking | Until account deletion | Supabase (EU)
Analytics | Improvement | 26 months | Firebase (USA/EU)
Subscription | Payment | 7 years (legal) | Apple / Google (USA)
IP address | Security | 1 year | Supabase (EU)

Final Notes

  • This policy is compliant with GDPR (EU) and KVKK (Turkey)
  • Health data processing requires explicit consent
  • AI use is completely optional
  • You can delete your data anytime
  • There is no sale of data to third parties

For questions: support@toughwing.app
