Privacy Policy

1. Who We Are

Refyuel (“we”, “our”, “us”) is a personal health and performance tracking application operated by Refyuel Innovations, registered in Australia (ABN: 50 306 322 750).

Contact: support@refyuelapp.com
Governing law: New South Wales, Australia

Our role with your data: For your Refyuel account, operating the service, and the analytics and error monitoring described in this Policy, Refyuel Innovations acts as a data controller. Where you connect with an independent coach or club through Refyuel, that party may also act as a controller for personal data arising in the coaching or membership relationship; we may process such data on the platform to provide features and, where applicable, as a processor on documented instructions aligned with your agreements with them.

2. Data We Collect

We collect data in the following categories:

Account data - email address, full name, date of birth, gender, and profile photo (optional). Collected at registration.

Health and body data - body weight, body fat percentage, workout sessions, exercise sets and repetitions, nutrition logs, meal items, calorie and macro data, and health goals. This data is classified as sensitive personal information. We collect it only with your explicit consent, given at onboarding.

Sport and activity data - selected sport, training phase, sport profile, and drill history.

Usage data (PostHog) - when analytics is enabled, we send pseudonymous product analytics: your account user id (the same opaque UUID used in our database), event names (for example session started, meal logged, food search), and coarse properties such as counts, categories (for example meal type), sign-in method, or platform. We do not send free-text notes, individual food item names, body weight values, or other detailed health logs in these analytics events. PostHog may also receive standard technical metadata (such as IP address, device type, app version) as described in PostHog's privacy policy.

Crash and error data (Sentry) - when error monitoring is enabled, we send crash and error reports that can include your pseudonymous user id when you are signed in, device and OS information, app version, stack traces, and limited technical context (for example a component name). We do not deliberately attach your stored health or body metrics to these reports; however, an error payload could in rare cases include fragments of what was on-screen depending on the fault.

Device data - device type, operating system version, and app version. Used for compatibility and support purposes only.

3. Why We Collect It

We collect and process your data for the following purposes:

- To provide the Refyuel service and all features you use
- To personalise your experience based on your goals and sport
- To generate performance insights from your logged data
- To send you transactional emails (account verification, password reset)
- To diagnose and fix technical issues
- To improve the product using pseudonymous and aggregated usage analytics

Lawful basis: All processing of your data is based on your consent, which you provide when you create an account and accept these terms. You may withdraw consent at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

4. Health and Body Data - Special Category

Health and body metric data is treated as sensitive personal information under the Australian Privacy Act 1988, New Zealand Privacy Act 2020, Canada's PIPEDA, India's Digital Personal Data Protection Act 2023, and the UAE Personal Data Protection Law 2021.

We apply the following protections to this data:

- Stored encrypted at rest in Supabase (hosted in a secure cloud environment)
- Transmitted over encrypted connections (TLS 1.2+) at all times
- Not sold to advertisers or data brokers; shared only with service providers listed in this Policy who process it on our instructions
- Never used to train external AI models
- Accessible only to you and, where you explicitly grant access, to coaches you connect with inside the app
- Permanently deleted within 30 days of account deletion

5. Your personal data and plan or role changes

Our commitment: Personal data you create or log in Refyuel - including workouts, nutrition logs, body metrics, habits, preferences, goals, and programme copies stored in your library - is not deleted or forfeited solely because you downgrade or cancel a subscription, end a coach or club relationship, or add or remove a coach or club-related role on your account. You remain the owner of that data, and it stays with your account on the terms in this Policy (including deletion timelines if you choose to close your account).

What may change: Subscription tier, coach, or club status can change which features and views you can use (for example advanced charts, expanded databases, or modules granted through a coach or club). After any applicable notice or in-app grace period, access to those gated features may end. That limits access to tools and views; it does not erase the underlying personal records you already logged unless you delete them yourself or delete your account.

Communications about subscription, coach, or club changes will distinguish changes to access from your ongoing ownership of your stored personal data, consistent with this section.

6. Third-Party Processors

We use the following third-party services to operate Refyuel. Each processes data only as required to provide their service and is bound by their own privacy policies:

Supabase - database hosting and authentication. Your data is stored on Supabase infrastructure hosted in Sydney, Australia (ap-southeast-2). We have a Data Processing Agreement with Supabase governing the handling of your personal data. supabase.com/privacy

We have executed a Data Processing Agreement with Supabase governing the handling of your personal data.

Sentry - error and crash monitoring for the app and website. May process pseudonymous user id, device/OS, app or browser version, URLs or routes, stack traces, and related technical context as described in sentry.io/privacy. We do not use Sentry for advertising.

PostHog - product analytics for the app and, where enabled, the marketing site. May process pseudonymous identifiers, event names, coarse properties as described in section 2, and technical metadata (including IP where PostHog collects it). We do not use PostHog for advertising. posthog.com/privacy

Resend - transactional email delivery (account verification, password reset). resend.com/privacy

Apple App Store / Google Play - app distribution. Subject to Apple and Google's respective privacy policies.

Open Food Facts - community food and nutrition database used to populate nutritional data for packaged foods. Data is sourced under the Open Database Licence (ODbL v1.0). Open Food Facts does not receive your personal data; we query their database to retrieve food nutritional information only. openfoodfacts.org/privacy

AUSNUT 2011-13 (Food Standards Australia New Zealand) - Australian food composition data published by FSANZ. Used to provide nutritional information for Australian foods. This is a publicly available reference dataset; no personal data is transmitted to FSANZ.

Indian Nutrient Databank (INDB) - nutritional reference data for Indian foods published by the National Institute of Nutrition (NIN), Hyderabad. Used to provide nutritional information for Indian foods. This is a publicly available reference dataset; no personal data is transmitted to NIN.

We do not sell your data to any third party.

7. Advertising

The free version of Refyuel may display small banner advertisements provided by Google AdMob. These ads are non-personalised - they are not based on your personal data, health information, browsing history, or advertising profile.

What AdMob receives: When an ad is displayed, Google may collect limited technical signals (such as device type, OS version, IP address for coarse geographic context, and app identifier) to serve and measure ads. This is standard for all apps displaying ads and is governed by Google's Privacy Policy.

What AdMob does not receive: Your health data, workout logs, nutrition data, body metrics, goals, or any other personal information stored in Refyuel is never shared with advertising networks.

Content safety: We configure our ad provider to exclude categories inappropriate for a health and fitness context (including gambling, alcohol, dating, and adult content).

Ad-free experience: Premium (Pro) subscribers do not see any advertisements.

8. Data Retention

We retain your data for as long as your account is active. If you delete your account:

- Your account and all associated data are permanently deleted within 30 days
- Aggregated metrics and pseudonymous analytics held by our processors (for example PostHog, Sentry) may be retained for longer under their retention rules; we configure events to avoid sending detailed health logs as described in section 2
- Backup copies are purged on the same schedule as live data

You can delete your account at any time from the app: Settings → Delete Account.

9. Your Rights

Regardless of your location, you have the following rights in relation to your personal data:

Right to access - you may request a copy of all personal data we hold about you.

Right to correction - you may correct inaccurate data directly in the app, or contact us to request corrections.

Right to deletion - you may delete your account and all associated data at any time from within the app.

Right to portability - you may request an export of your data in a structured, machine-readable format.

Right to withdraw consent - you may withdraw your consent to data processing at any time by deleting your account. This does not affect the lawfulness of processing before withdrawal.

United Kingdom: If the UK GDPR applies to you, you have equivalent rights (including access, rectification, erasure, restriction, objection, and portability in appropriate cases). If you are unsatisfied with our response, you may lodge a complaint with the UK Information Commissioner's Office: ico.org.uk.

California (CCPA / CPRA): If you are a California resident, you may have the right to know what personal information we collect, to delete or correct certain personal information, to opt out of “sale” or “sharing” (we do not sell personal information for money as defined under the CCPA), and not to receive discriminatory treatment for exercising these rights. Submit requests to support@refyuelapp.com; we will verify your request as required by law.

To exercise any of these rights, contact us at support@refyuelapp.com. We will respond within 30 days.

10. Children

Refyuel is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@refyuelapp.com and we will delete it promptly.

11. India - Grievance Officer

In accordance with the Digital Personal Data Protection Act 2023 (India), users in India may direct grievances regarding the processing of their personal data to:

Grievance Officer: Anand Ramakrishnan, Privacy Officer, Refyuel Innovations
Contact: support@refyuelapp.com
Response time: Within 30 days of receipt

12. Security

We implement industry-standard security measures to protect your personal data, including:

- Encryption at rest for all stored data
- TLS 1.2+ encryption for all data in transit
- Row-level security policies restricting data access per user
- Regular security monitoring and error tracking
- Access controls limiting who can access production data

No method of transmission or storage is 100% secure. If you become aware of any security concern, please contact us immediately at support@refyuelapp.com.

13. Automated decisions, profiling, and AI

We do not make decisions based solely on automated processing that produce legal or similarly significant effects about you.

The app may use algorithms or AI-assisted features to generate suggestions, summaries, or scores for personal tracking. These are described in the product and in our Health & Medical Disclaimer; they are not medical advice and you should not rely on them as a clinical diagnosis or treatment plan.

We do not use your stored health or body metrics to train third-party foundation or general-purpose AI models. We do not sell your personal information for AI model training.

14. Personal data breaches

We maintain administrative, technical, and organisational measures to safeguard personal data and procedures to detect and respond to security incidents.

If we become aware of a breach of personal data that poses a risk to your rights and freedoms, we will notify relevant supervisory authorities and affected users without undue delay where required by applicable law (including timelines such as the UK / EU 72-hour regulator notification rule where it applies).

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page.

For material changes, we will notify you via the app and require you to review and accept the updated policy before continuing to use the service. You will not be able to continue using the app until you have acknowledged the new version. For minor changes (such as formatting or clarifications that do not affect your rights), we will update the effective date without requiring re-acceptance.

16. Governing Law

This Privacy Policy is governed by the laws of New South Wales, Australia. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of New South Wales, Australia.

17. Contact Us

For any questions, requests, or concerns about this Privacy Policy or how we handle your data:

Email: support@refyuelapp.com
Response time: Within 30 days