Who we are
Flowstate AI ("Flowstate", "we", "us") is a fitness coaching app. We provide training programs, nutrition guidance, AI conversations, and a place to log workouts, meals, and progress. We are the controller of the personal data described below.
Contact for any privacy question: xavellis4@gmail.com.
What we collect
We collect what we need to coach you, no more. Categories:
- Account — name, email, role (member, client, trainer, master), plan tier, and optional phone. Created when you sign up.
- Onboarding intake — what you tell us about your training history, equipment, injuries, dietary style, sleep, stress, and goals. Used to build your program and to brief the AI coach.
- Body data — height, weight, sex at birth, age, body-fat % if shared. Used for BMR / TDEE / macro calculations and weight-trend reads.
- Activity logs — workout logs, set/rep/load history, RPE, meal logs, hydration, daily check-ins. Used to render your dashboard and progress.
- AI conversations — what you ask the coach and the coach's replies. Stored so you can read the thread later and so the coach has memory.
- Progress photos — optional. Stored in a private bucket; only delivered to you (and your assigned trainer, if any) via short-lived signed URLs.
- Payment — Stripe handles your card directly. We only see the masked details Stripe returns (last 4, brand, customer id, subscription status).
- Device + session — browser type, IP, and authentication tokens stored as cookies for sign-in. We use localStorage for non-sensitive UI state (theme, picker positions, last-active role).
What we use it for
- Run your account, your program, your nutrition plan, and your coach.
- Generate AI coaching responses tailored to your intake and recent activity.
- Bill you and process subscription changes through Stripe.
- Send transactional email (sign-in links, password reset, important account notices).
- Maintain platform safety — rate limits, abuse detection, error monitoring.
- Improve the app. We never sell your data. We never share with advertisers.
Who we share it with
We share data only with the processors required to run the service. Each one is bound by its own terms; we do not give them rights to use your data for anything beyond running our service for you.
- Supabase
- OpenAI
- Stripe
- Resend
- Higgsfield AI
- USDA FoodData Central
- Vercel
We may also share information when required by valid legal process, to protect the rights, property, or safety of users or the public, or as part of a corporate transaction (merger, acquisition, financing). If that ever happens, we will notify you and the new owner will be bound by terms at least as protective as these.
AI disclosure
Several parts of Flowstate use AI — the coach chat, the form-check feature, the meal parser, the nutrition planner, and image generation. AI responses are generated, not authored by a human, and may be wrong. They are not medical, legal, or financial advice. See the Disclaimer page for the full scope and your responsibilities when acting on AI output.
Children
Flowstate is not directed at children under 13. If you are a parent and believe your child has signed up, email us and we will delete the account.
How long we keep it
- Account, intake, and activity logs: for as long as your account is active.
- Closed accounts: we retain a minimal record (email, account creation date, subscription history) for up to 24 months for fraud and tax compliance, then delete.
- AI conversation history: stored with your account; deleted with it.
- Progress photos: stored only while your account exists; deleted on account deletion.
- Stripe records: governed by Stripe's retention; we hold a read-only copy of subscription state.
- Server logs: scrubbed of identifiers and retained for up to 30 days for operational debugging.
Your rights
At any time, from your account or by emailing us, you can:
- See what we have about you.
- Correct anything that's wrong.
- Export a copy of your data.
- Delete your account and the data tied to it.
- Cancel your subscription. Cancellation takes effect at the end of the current billing period.
- Withdraw consent for optional features (e.g. the coach avatar video) without losing the rest of the service.
California residents (CCPA / CPRA) and EU/UK residents (GDPR) have additional rights including the right to opt out of profiling, the right to object to processing, and the right to lodge a complaint with a supervisory authority. Email us and we will honor them.
How we protect it
- Transport is encrypted (TLS). Data at rest in Supabase is encrypted on disk.
- Authentication uses Supabase Auth with secure HttpOnly cookies. Passwords are hashed by Supabase, never stored in plaintext.
- Row-level security policies prevent users from reading each other's data.
- Server routes are gated by authentication and rate-limited. AI inputs are sanitized to limit injection.
- Server logs are scrubbed of email, phone, and IDs before being persisted.
- If we ever experience a breach of personal data, we will notify affected users without undue delay.
International transfers
Our processors (Supabase, OpenAI, Stripe, Resend, Vercel) operate from the United States. If you are outside the U.S., your data will be transferred to the U.S. for processing. By using Flowstate, you consent to this transfer.
Changes to this policy
We will post material changes here and update the effective date. For significant changes affecting how we use your data, we will also notify you by email or in-app at least 30 days before the change takes effect.
Contact
Questions, requests, or privacy concerns: xavellis4@gmail.com. We aim to respond within 5 business days.