Privacy Policy

FlexForce X provides training, nutrition, recovery, and wellness guidance. This policy explains how we collect, use, disclose, retain, export, and delete information in the web app, iOS app, Android app, and support systems.

FlexForce X is not a medical service. Readiness, movement-caution, recovery, nutrition, and training-load signals are wellness and performance signals. They are not diagnoses, treatments, injury predictions, or substitutes for professional medical advice.

We may collect account details, profile and onboarding answers, training history, workouts, nutrition entries, check-ins, wearable data and Apple Health or Google Health data you choose to connect, location context you permit, device identifiers, billing entitlement state, support requests, consent records, and app usage or error diagnostics.

Some information can be sensitive, including health, fitness, genetic, body-composition, nutrition, psychology, location, and calendar-context data. Optional integrations remain optional and can be disconnected where the app provides that control.

In the iOS and Android apps, FlexForce X may process native app data such as push notification tokens, device tokens used for secure mobile sync, app version/build details, crash and error diagnostics, trial or support tickets, subscription entitlement records, and app settings. Push tokens are used to deliver reminders, nudges, and account or product notifications. We do not use push notification tokens for advertising.

On iOS, Apple may process App Store, StoreKit, Apple Push Notification service, and user-controlled HealthKit permission flows. On Android, Google Play and Firebase Cloud Messaging may process app distribution, billing, purchase verification, push delivery, and related device or entitlement metadata.

Optional connected accounts can include Apple Health/HealthKit, Google Health, Google Calendar, Oura, and WHOOP. These integrations are used only after you connect them or grant the relevant permission. They may provide sleep, readiness, heart-rate, HRV, resting-heart-rate, strain, activity, body-measurement, workout, recovery, and calendar-context records, depending on the provider and permission you approve.

FlexForce X encrypts stored OAuth connection tokens where applicable. Disconnecting an optional integration stops future sync and removes the stored connection. Existing product records derived from an integration are handled through the export, deletion, retention, billing, security, and backup limits described in this policy.

We use information to create and adapt training plans, nutrition guidance, recovery guidance, reminders, safety constraints, account controls, billing access, support workflows, abuse prevention, reliability monitoring, and legally required privacy operations such as export and deletion.

AI systems may process sanitized training, nutrition, recovery, and wellness context to generate app guidance. We do not permit providers to use FlexForce X user data for model training unless a separate reviewed agreement and user-facing disclosure allow it.

We share data with service providers only for product operation, security, support, billing, communication, and reliability. Current active or optional processors include: Apple, Edamam, ExerciseDB (Zylalabs / RapidAPI), Firebase Cloud Messaging, Google Calendar API, Google Health API, Google Mail API, Google Places API, Google Play, OpenAI, Oura, Pinecone, Resend, Sentry, Spoonacular, Supabase, Twilio, Upstash, Vercel, WHOOP, YouTube Data API v3.

In particular, Supabase stores account and app data; Vercel hosts the application; Upstash supports rate limiting and background job coordination; Pinecone stores vector indexes; OpenAI may process sanitized AI prompts and embeddings; Resend processes transactional and lifecycle email; Sentry processes sanitized error and crash diagnostics; Apple and Google Play process app-store purchases and entitlement notifications; Firebase Cloud Messaging and Apple Push Notification service deliver native push notifications; Google APIs process optional Google Health and Google Calendar connections; and Oura and WHOOP process data only when those optional wearable integrations are connected.

Payment card and store payment details are handled by Apple or Google Play for in-app purchases. FlexForce X stores entitlement records such as product IDs, purchase tokens, subscription state, and renewal periods, not full payment card details.

Some features use AI prompts, embeddings, retrieval indexes, and structured decision logs to generate user-facing guidance and keep recommendations consistent. We minimize direct identifiers where practical and exclude raw provider secrets, OAuth token ciphertexts, push-token secrets, and admin-only operational payloads from account exports.

AI and vector-memory features are consent-gated in the app where sensitive health, training, nutrition, recovery, psychology, wearable, or overseas processing context is involved. FlexForce X does not sell personal information or use health data for advertising.

If you choose to connect Google Health, FlexForce X requests read-only Google Health API access to activity and fitness, health metrics and measurements, and sleep data. This can include steps, distance, energy, heart rate, resting heart rate, heart-rate variability, sleep sessions and stages, oxygen saturation, respiratory rate, weight, and body-fat data where those records are available in your Google account.

If you choose to connect Google Calendar, FlexForce X requests Google Calendar event access to read calendar commitments and create, update, or cancel FlexForce X workout events. Calendar data used for scheduling can include event title, start and end time, location, all-day status, reminder metadata, event links, and FlexForce X workout event identifiers.

Google-derived data is used only to provide user-facing FlexForce X features: wearable-informed readiness, recovery, sleep, training context, and calendar-aware scheduling. OAuth tokens are encrypted at rest, and Google-derived data is not sold, used for advertising, or used to train generalized AI models. We share Google user data only with service providers necessary to operate, secure, monitor, and support the product, or where required by law, and our use of Google user data is limited to the practices disclosed in this policy and Google API Services User Data Policy Limited Use requirements.

You can disconnect optional Google integrations in the app. Disconnecting stops future sync and removes the stored OAuth connection. Account export and deletion requests include Google-derived product records, subject to the retention, legal, billing, security, and backup limits described in this policy.

Some providers process information outside Australia, including in the United States. We use contractual, security, minimisation, consent, and operational controls to manage overseas processing of personal and sensitive information.

We retain information for as long as needed to operate the product, meet legal obligations, support safety and auditability, resolve disputes, and enforce agreements. Some derived or operational records may have shorter retention periods than account records.

You can request export or deletion in the app settings. Deletion removes or anonymizes account-linked product records and attempts to remove linked vector and storage data, subject to legal, billing, security, and backup limits.

You can also request account deletion from the web at flexforcex.fitness/account/delete.

Account exports are designed to include user-visible product records, consent records, mobile device state, notification records, connected-account status, wearable records, subscription entitlement records, support tickets, and message records where they relate to your account. Security secrets such as OAuth tokens, push tokens, raw provider payloads, and internal-only admin logs are excluded or redacted.

We use authentication, row-level access controls, encryption where appropriate, secret scanning, rate limiting, service-role isolation, monitoring, and data minimisation. No internet service can be guaranteed perfectly secure.

For privacy requests, export, deletion, correction, or complaints, contact privacy@flexforcex.fitness.