Privacy Notice
Last updated: July 9, 2026
This Privacy Notice explains how Vicente's project ("we", "us", "our"), operator of the H-E Fitness application and website (the "Service"), collects, uses, shares, and protects your personal data. For the purposes of data protection law, we act as the data controller of the personal data we collect through the Service.
1. Personal data we collect
- Account data: name or display name, email address, hashed login credentials, sign-in provider identifiers (e.g. Google), account creation date.
- Profile & fitness data: age, height, weight, goal, activity level, workouts, meals, macros, water intake, mood, weight history, and other in-app entries you make.
- User-submitted media: form-check videos, meal photos, and any other content you upload.
- AI interactions: messages you send to the AI coach and outputs generated for you.
- Support communications: messages you send us and their metadata.
- Usage & telemetry: pages viewed, features used, error logs, device type, browser, operating system, approximate location derived from IP address.
- Device identifiers & IP address.
Payment card details are collected and processed directly by our reseller Paddle and are not stored by us.
2. Purposes and legal bases
- Providing the Service (performance of a contract): creating your account, generating workouts and macros, saving your progress, powering the AI coach and form check.
- Payments & subscription management (performance of a contract): via Paddle as Merchant of Record.
- Security, fraud prevention, and abuse detection (legitimate interests / legal obligation).
- Product improvement and analytics (legitimate interests): understanding aggregated usage and diagnosing issues.
- Customer support (performance of a contract / legitimate interests).
- Marketing communications (consent, where required): you can withdraw consent at any time.
- Legal compliance (legal obligation): tax, accounting, responding to lawful requests.
3. Sharing your data
We share personal data only with:
- Service providers and subprocessors who help us run the Service — including hosting and database (Supabase / Lovable Cloud), Cloudflare (edge & CDN), AI model providers (via the Lovable AI Gateway) for generating workouts, coaching, and form-check outputs, food-data providers (USDA, FatSecret) for nutrition lookups, and analytics/error-monitoring tooling.
- Paddle, our Merchant of Record, for order processing, subscription management, payments, tax compliance, and invoicing.
- Professional advisers (legal, accounting) as needed.
- Authorities and other third parties where required by law, to enforce our Terms, or to protect the rights, safety, or property of anyone.
We do not sell your personal data.
4. International transfers
Some of our subprocessors are located outside the UK / EEA. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or applicable adequacy decisions.
5. Data retention
We retain personal data for as long as your account is active and for a limited period afterward as needed to comply with legal obligations, resolve disputes, and enforce our agreements. When data is no longer needed, we delete or anonymise it. You can request deletion at any time (see "Your rights" below).
6. Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure of your data ("right to be forgotten");
- restrict or object to certain processing;
- request data portability;
- withdraw consent where processing is based on consent; and
- lodge a complaint with your local data-protection authority.
To exercise any of these rights, contact us using the details below. We will respond within one month, or as required by applicable law.
7. Security
We use appropriate technical and organisational measures to protect your personal data, including encryption in transit, access controls, row-level authorisation in our database, and least-privilege server functions. No system is completely secure — please use a strong, unique password and enable available security features.
8. Cookies and similar technologies
We use a small number of cookies and local storage entries. Strictly necessary cookies keep you signed in and remember your preferences (e.g. theme, cookie choice). Analytics cookies help us understand aggregated usage and improve the Service. Where required, we ask for your consent via an in-app banner and you can change your choice at any time by clearing site data in your browser.
9. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.
10. Changes to this notice
We may update this Privacy Notice from time to time. Material changes will be communicated in-app or by email. The "Last updated" date at the top reflects the latest revision.
11. Contact us
For privacy questions or to exercise your rights, contact us in-app via the support screen or through the contact method listed in the app's settings. Data controller: Vicente's project.