Privacy Policy

Last updated: May 28, 2026

This Privacy Policy explains what information GIGACHAD LLC ("GIGACHAD", "we", "us", or "the app") collects, how we use it, and your choices about it. This policy applies to the GIGACHAD mobile app and the website at gigachadapp.com. If you have questions, email hello@gigachadapp.com.

1. Information we collect

The categories below mirror Google Play's Data Safety form so you can match what you see on the store listing to what's described here. We do not collect precise location, contacts, calendar data, web browsing history, standalone audio recordings, or your device advertising ID. (Form-check videos you choose to submit may include an audio track; those are covered under "Photos and videos" below.)

Personal info

• Account information. Email address, password (stored as a one-way hash), display name. Required to create an account.
• Onboarding responses. Your goal, experience level, equipment access, weekly availability, coach persona preference, gender, and any lifting limitations you choose to share. Required to personalize program recommendations.
• User-generated text content. Messages you exchange with a paired trainer, custom workout names, recipe prompts, support requests. Optional.

Financial info

• Subscription and purchase records. Whether you hold an active Pro subscription, which tier, and a record of consumable credit purchases. Required for billing. Card numbers themselves are never seen by us — payment is handled entirely by the Apple App Store or Google Play.

Health and fitness

• Workout data. Exercises performed, sets, reps, weights, rest times, and timestamps. Optional but core to the product.
• Body metrics. Body weight, body measurements (waist, chest, etc.), age, height, sex — when you log them. Optional.
• Food diary entries. Foods you log, portion sizes, calorie and macro totals, and meal-plan choices. Optional.
• Wearable health data. Heart rate samples, active energy burned, workout sessions, steps, and sleep data — when you connect a wearable. See the "Wearable and health-platform integrations" subsection below for details.

Photos and videos

• Progress photos. Stored per-user, never shared. Optional.
• Body-fat estimation photos. Three photos (front, side, back) you submit when invoking the body-fat estimator. Sent to our AI providers for inference. Optional.
• Form-check videos. Short video clips you upload for AI or human form review. Sent to our AI providers and, if you choose human review, shown to a qualified trainer-reviewer drawn from our reviewer pool. Optional.

Messages

• Trainer messages. The text content of messages you exchange with a paired personal trainer through the in-app chat. Visible to you and your paired trainer only. Optional (only collected if you pair with a trainer).

App activity

• Usage analytics. Anonymized events about how you use the app (screens viewed, workouts started and finished, which articles you open). We do not currently send these events to a third-party analytics provider. If we enable one in the future (for example, PostHog), we will update this policy first. Any such events are designed to exclude your name, email, workout numbers, body metrics, and check-in responses.
• Affiliate click data. If you tap a product link in a Self Care article, we record the tap (which article, which merchant, when). We use this to understand which recommendations are useful. We do not share your click history with merchants beyond the affiliate tracking the merchant uses to credit a sale.
• Preferences. Unit system, notification preferences, theme, and in-app display settings.

App info and performance

• Crash logs and diagnostics. Stack traces, app version, and device model when the app crashes, used to fix stability problems. Crash reporting through the operating system (Apple / Google) is governed by their policies. If we enable a dedicated crash-reporting provider in the future (for example, Sentry), we will update this policy first.

Device or other IDs

• Device information. Operating system version, app version, device model, and an anonymized device identifier generated by the app for crash reporting and analytics. We do not read your device advertising ID.

Wearable and health-platform integrations

We integrate with Apple HealthKit (iOS), Google Health Services (Wear OS), the Fitbit Web API (OAuth 2.0), and the Garmin Health API (in development). When you connect a wearable or grant access to a health platform, we read: heart rate samples and active energy burned (Apple Watch / Wear OS), and steps and sleep data (Fitbit). We do not write data back to those platforms except optionally syncing workout sessions back to HealthKit when you complete one in-app. Apple HealthKit data is never used for advertising and is never shared with third parties for advertising purposes. You can disconnect any wearable at any time from Profile → Connected Devices; doing so immediately deletes the stored OAuth tokens and stops any further reading of your data.

Sensitive personal data

Some of what we collect is classified as "sensitive personal data" under Minnesota's MCDPA (enforcement effective 2026-01-31), Virginia's VCDPA, Colorado's CPA, Connecticut's CTDPA, and California's CCPA, and as "special category data" under UK GDPR Article 9 and EU GDPR Article 9. Specifically: body-fat photos (biometric/health), body measurements (health), heart rate samples (biometric/health), workout and exercise data (health), food-diary entries (health), and gender. We obtain affirmative opt-in consent for processing this data through your affirmative act of creating an account and using the relevant features. You can withdraw consent at any time by stopping use of those features and/or deleting your account.

2. How we use information

• To provide, maintain, and improve the app
• To personalize program recommendations based on onboarding
• To send you the notifications you have enabled
• To monitor for crashes and technical problems, and to improve stability
• To process subscription payments (via the Apple App Store or Google Play)
• To process affiliate commissions when you purchase through a link
• To comply with legal obligations

3. How we share information

We do not sell your personal information. We share information only with:

• Service providers who help run the app: Supabase (database + storage) and RevenueCat (subscriptions), plus the affiliate networks linked below. These providers are bound by their own privacy policies and are restricted to using your data only to provide their services to us. (If we add a dedicated analytics or crash-reporting provider in the future, we will list it here first.)
• AI model providers when you use one of the AI-powered features — specifically Google (Gemini 2.5 Flash) as the primary provider and Anthropic (Claude) as a fallback. The AI features are opt-in and user-initiated: you must explicitly invoke them by tapping a button (for example, "Estimate body fat," "Submit form check," "Generate recipe," or opening the daily coaching screen). By tapping that button you consent to the relevant data being sent to the AI provider for that single inference. You can decline by not using those features. We send only the data needed for that feature: the form-check video clip you submitted, the three body-fat estimation photos you uploaded, the fridge ingredient list you typed in, or the daily-coaching context (your stated goal, recent workout counts and lifts, body-weight trend — not your email, name, or identifiers). Each submission is sent to the provider solely to generate that single result. How a provider may use submitted data is governed by its own API terms (see Google’s Gemini API terms and Anthropic’s API terms), and Google’s media-upload service deletes uploaded files such as form-check videos within roughly 48 hours. We use these providers’ paid API tiers, under which your submissions are not used to train their models.
• Apple and Google for subscription processing, governed by their respective privacy policies.
• Affiliate networks (Amazon Associates, Rakuten, Impact, ShareASale, and similar) when you tap a product link. They receive the tap as part of attributing a sale and the click is subject to their privacy practices.
• Legal authorities if required by law, a valid subpoena, or to protect the rights, property, or safety of GIGACHAD, our users, or others.

4. Personal Trainer feature — data sharing

By entering a Trainer Code to pair with a trainer, you provide explicit opt-in consent under UK GDPR Article 9, EU GDPR Article 9, and applicable US state privacy laws to share health and biometric data with that specific trainer. You can withdraw this consent at any time by ending the relationship from the "My Trainer" screen.

If you pair with a personal trainer on GIGACHAD (either by entering a Trainer Code during onboarding or from the "Add a Trainer" screen on your Profile tab), your paired trainer will be able to view the following data about you for the duration of the coaching relationship:

• Your workout history, including sets, reps, and weights logged
• Your active program and any custom workouts you've created
• Your selected meal plan, calorie target, and macro targets
• Your biometric data (height, weight, age, sex) if you've filled it in
• The text content of messages you exchange with them through the in-app chat
• Workouts and meal plans they push to you (which you can opt out of by ending the relationship)

Your trainer cannot see: your form check videos (unless they're specifically reviewing one for you through the form-check reviewer pool), your progress photos, your AI coaching conversations (Coach Chad / Stacy), or any data about other GIGACHAD users they are not paired with.

You can end the trainer relationship at any time from the "My Trainer" screen. When you do, your trainer immediately loses access to your ongoing data; message history and past pushed workouts remain visible to both parties as historical records.

Trainers operate on GIGACHAD as independent contractors. They are not GIGACHAD employees, and we don't share your data with anyone except the trainer you have explicitly paired with via a Trainer Code. See the Trainer Terms for the responsibilities each Trainer agrees to.

5. Affiliate and sponsor monetization

Some articles in the Self Care section of the app include product recommendations. A small number of those recommendations are affiliate links, meaning if you tap the link and make a purchase on the retailer's website, we may earn a commission at no extra cost to you. As an Amazon Associate we earn from qualifying purchases.

When we recommend a product, we record the tap (the article, the merchant, and the time) so we can understand which recommendations are useful. We do not share your tap history with merchants or advertisers beyond the affiliate tracking that the retailer uses to credit the sale. The retailer's privacy practices are governed by the retailer's own privacy policy, which you accept by visiting their site.

We never accept payment to recommend a product we don't stand behind. Every recommendation must pass an editorial test: if the affiliate program disappeared tomorrow, would we still include it? Paid sponsorships are clearly labeled "Sponsored" and follow the same test.

6. Your choices

• Edit your information. Update your onboarding answers and preferences any time from Profile → Settings.
• Delete your account. Profile → Account → "Delete my account" removes your profile, workouts, body metrics, and progress photos within 30 days. Anonymized analytics events older than 30 days are retained in aggregate.
• Notifications. Turn off workout reminders, weekly check-ins, or any other push notifications from Profile → Notifications.
• Affiliate tracking. If you prefer not to have your clicks recorded, don't tap the product links. The article content is complete without them.

7. Data retention

We retain each category of personal data only as long as needed for the purpose it was collected, plus any period required by law. The table below pairs each category with its specific retention period or criterion (required by California's CCPA as amended effective 2026-01-01 and by analogous state laws).

• Account information (email, hashed password, display name): while your account is active, plus a 30-day grace period after you request deletion.
• Onboarding responses (goal, experience, equipment, availability): while your account is active.
• Workout data (sessions, sets, reps, weights): while your account is active.
• Body metrics (weight, measurements, age, height, sex): while your account is active.
• Progress photos: until you delete them, or until your account is deleted.
• Body-fat estimation photos: retained while your account is active, until you delete them, or until you delete your account — whichever comes first.
• Form-check videos: retained while your account is active, until you delete them, or until you delete your account — whichever comes first.
• Food diary entries: while your account is active.
• Wearable health data (heart rate, calories, workouts, steps, sleep): while your account is active and the wearable remains connected. OAuth tokens are deleted immediately when you disconnect the wearable.
• Trainer messages: 1 year after the trainer relationship ends, then deleted.
• Device info and crash logs: 90 days, then purged from Sentry.
• Anonymized analytics events: up to 24 months, then aggregated or deleted.
• Affiliate click data: 24 months, then deleted or aggregated.
• Subscription and payment records: 7 years (US tax retention requirement), then deleted.

When you delete your account, we remove your personal information within 30 days, except for records we are legally required to retain (subscription/payment records as above).

8. Security

We use industry-standard encryption in transit (TLS 1.2+) and at rest. Passwords are hashed with bcrypt. No method of electronic storage is 100% secure; we cannot guarantee absolute security. If you believe your account has been compromised, email us immediately at security@gigachadapp.com.

9. Age restriction and children's privacy

GIGACHAD is intended for adults aged 18 and over. The Service is not directed to children or minors under 18, and we do not knowingly collect information from anyone under 18. If you become aware that a person under 18 has provided us with personal information, email privacy@gigachadapp.com and we will delete the information.

10. Residents of California, Colorado, Connecticut, Utah, Virginia, and other US states with privacy laws

Depending on your state, you may have the right to request access to the personal information we hold about you, correct it, delete it, or opt out of "sales" or "targeted advertising." We do not sell personal information and we do not use it for targeted advertising as defined by those laws. To exercise any of these rights, email privacy@gigachadapp.com from the email associated with your account and we will respond within the statutory window.

11. Residents of the EEA and UK

If you are in the European Economic Area or the United Kingdom, you have rights under the GDPR and UK GDPR including access, rectification, erasure, restriction, portability, and objection. Our lawful bases for processing depend on the purpose, as follows:

• Account creation, login, password reset, basic app functionality: Performance of a contract (UK GDPR / EU GDPR Art. 6(1)(b)).
• Workout logging, body-metric tracking, food diary: Performance of a contract (Art. 6(1)(b)), plus explicit consent for health data (Art. 9(2)(a)).
• AI-powered features (body-fat estimator, form-check, recipe generator, daily coaching): Explicit consent (Art. 6(1)(a) and, where health data is involved, Art. 9(2)(a)).
• Push notifications and daily coaching emails: Consent (Art. 6(1)(a)).
• Anonymized analytics and crash reporting: Legitimate interests (Art. 6(1)(f)) — service improvement and security.
• Payment processing, tax records, fraud detection: Legal obligation (Art. 6(1)(c)) and performance of contract.
• Trainer-paired data sharing: Explicit consent for health data (Art. 9(2)(a)).
• Wearable and health-platform integrations: Explicit consent (Art. 6(1)(a) and Art. 9(2)(a)).

Contact privacy@gigachadapp.com to exercise your rights or to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office; in the EU, your national data-protection authority).

12. International data transfers

GIGACHAD is operated from the United States. Our primary data home is the United States, where our database (Supabase) and most subprocessors operate. When you use the app from outside the US, your information is transferred to and processed in the US and possibly other countries where our service providers operate.

When personal data leaves the UK or the EEA, we rely on the following transfer mechanisms:

• UK International Data Transfer Addendum to the EU Standard Contractual Clauses (the "UK Addendum") with non-UK subprocessors.
• EU Standard Contractual Clauses ("SCCs") with non-EU subprocessors.
• The EU-US Data Privacy Framework and UK-US Data Bridge where the subprocessor is self-certified under one of those frameworks.

You may request copies of the relevant transfer safeguards by emailing privacy@gigachadapp.com.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy here with a revised "Last updated" date, and where required by law we will provide additional notice. Continued use of the app after an update means you accept the revised policy.

14. Privacy Officer and contact

GIGACHAD's Privacy Officer (the person responsible for privacy compliance, including under Quebec Law 25 and analogous jurisdictions) is Anthony Colby, Member of GIGACHAD LLC. Contact: privacy@gigachadapp.com.

Questions about this Privacy Policy, or to exercise any of your rights described above? Email privacy@gigachadapp.com or write to:

GIGACHAD LLC
c/o Northwest Registered Agent LLC
202 N Cedar Ave, STE #1
Owatonna, MN 55060
United States

This privacy policy is also accessible at any time from within the app at Profile → Legal.