Privacy Policy - Hybrid Fitness

Privacy Policy

Effective Date: February 5, 2026

Hybrid Fitness ("we", "our", "the app") is a coach-oriented training application for HYROX and functional fitness. This policy explains what data we collect, how we use it, and your rights.

Summary: We collect only the data needed to run the app. We do not sell your data. We do not serve ads. Health and biometric data stays on your device and your private cloud database.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Display name
  • Email address
  • Password (hashed and stored securely by Supabase Auth; we never see or store your plaintext password)

1.2 Athlete Profile Data

Coaches enter athlete information to manage training:

  • Name, age, weight, max heart rate
  • Contact information (optional: email, phone)
  • Training notes

1.3 Health & Biometric Data

With your explicit permission, the app reads health data from Apple HealthKit (iOS) or Google Health Connect (Android):

  • Sleep analysis (duration, stages, sleep score)
  • Resting heart rate
  • Heart rate variability (HRV)
  • VO2 Max
  • Respiratory rate

This data is used solely to inform training recommendations and recovery tracking. It is stored on-device and in your private Supabase database. It is never shared with third parties for marketing or advertising.

1.4 Bluetooth Device Data

The app connects to Bluetooth Low Energy (BLE) fitness devices (heart rate monitors, Concept2 rowers, etc.) to capture:

  • Real-time heart rate and heart rate zones
  • Power, cadence, distance, pace, and calories
  • Device battery level and signal strength

1.5 Camera & Video Data

With your permission, the app uses the device camera for:

  • Face enrollment: Photos are used to generate mathematical face embeddings for automatic athlete identification during group sessions. Original photos and embeddings are stored on your local server only.
  • Workout video capture: Short video clips for movement form analysis. Videos are stored locally on the device and your server.
  • Pose analysis: Real-time body pose estimation for rep counting and form scoring. This processing happens on your local server.

1.6 Workout & Session Data

  • Workout templates, session results, scores, and timestamps
  • Pacing analysis, personal records, and performance tags

1.7 AI Coaching Data (Optional)

If you choose to enable the AI coaching feature and provide your own OpenAI API key:

  • Aggregated athlete context (name, age, weight, recent workout summaries, biometric summaries) is sent to OpenAI's API to generate training recommendations.
  • Your OpenAI API key is stored in secure device storage (iOS Keychain / Android Keystore).
  • This feature is entirely optional. No data is sent to OpenAI unless you configure and use this feature.

2. How We Use Your Data

  • Provide the core app functionality (athlete management, session tracking, performance analytics)
  • Sync data across your devices via your private Supabase database
  • Generate AI training recommendations (only if you opt in)
  • Identify athletes during group sessions via face recognition (local processing only)

We do NOT:

  • Sell your data to third parties
  • Use your data for advertising
  • Share health or biometric data with third parties (except OpenAI, only if you opt in)
  • Track you across other apps or websites

3. Data Storage & Security

3.1 On-Device Storage

All app data is stored locally on your device as the primary data source. Sensitive values (API keys) use the platform's secure storage (iOS Keychain / Android Keystore).

3.2 Cloud Storage

If you create or join a gym for multi-device sync, data is stored in a Supabase (PostgreSQL) database. Supabase provides:

  • Encryption in transit (TLS)
  • Encryption at rest
  • Row-level security policies
  • SOC 2 Type II compliance

3.3 Local Server

Face recognition and pose analysis run on a local server within your network. Face photos, embeddings, and uploaded videos remain on this server and are not transmitted to external services.

4. Third-Party Services

Service | Purpose | Data Shared
Supabase | Authentication & cloud sync | Account info, athlete profiles, session data
OpenAI (optional) | AI training recommendations | Aggregated athlete context (only if you opt in)
Apple HealthKit | Health data import (iOS) | Read-only; data flows into the app, not out
Google Health Connect | Health data import (Android) | Read-only; data flows into the app, not out

5. Your Rights

You have the right to:

  • Access your data at any time through the app
  • Export your data using the built-in export feature
  • Delete your account and all associated data by contacting us
  • Revoke health data permissions at any time through your device settings
  • Disable cloud sync by not joining a gym (data stays on-device only)
  • Opt out of AI features by not providing an OpenAI API key

6. Children's Privacy

Hybrid Fitness is intended for use by fitness coaches and trainers who are 18 years of age or older. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete it promptly.

7. Data Retention

We retain your data for as long as your account is active. If you delete your account:

  • Authentication data is removed from Supabase Auth
  • Cloud-synced data is soft-deleted and permanently purged within 30 days
  • On-device data is cleared when you uninstall the app
  • Local server data (face photos, videos) must be deleted manually from the server

8. Changes to This Policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. Continued use of the app after changes constitutes acceptance of the updated policy.

9. Contact

If you have questions about this privacy policy or your data, contact us at:

team@Delphitechconsulting.com


Hybrid Fitness © 2026 Delphi Tech Consulting. All rights reserved.