This Privacy Policy describes how Zyno ("we", "our", or "us") collects, uses, and protects your information when you use the Zyno mobile application (the "App"). We respect your privacy and are committed to protecting it. By using Zyno, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information you provide directly
Account information: Name and email address (from Apple, Google, or email sign-in). Phone number is optional.
Profile information: Date of birth, height, weight, biological sex, and fitness goals (cut, bulk, recomp, maintain) entered during onboarding.
Activity logs: Workouts, sets, reps, weights, meals, water intake, and any notes you choose to record.
Coach messages: Messages you send to the in-app AI coach.
1.2 Health and fitness data (Apple HealthKit)
With your explicit permission, Zyno reads the following data types from Apple HealthKit:
Heart rate variability (HRV)
Resting heart rate
Sleep analysis
Active energy / calories burned
Step count
Workouts
HealthKit data handling:
Raw HealthKit samples are read on-device and used to compute your daily readiness score locally.
We do not store your raw HealthKit samples on our servers.
We only transmit aggregated, derived metrics (e.g. your computed readiness score, daily averages) to provide coaching context — never the underlying raw samples.
You can revoke HealthKit access at any time via iOS Settings → Health → Data Access & Devices → Zyno.
Health data is never used for advertising or marketing, and is never shared with third parties for their own purposes.
Health data is never sold.
1.3 Information collected automatically
Device identifiers: Apple Push Notification token (only to deliver coach replies and reminders to your device).
App-internal identifiers: Firebase UID and our backend user ID, used to associate your data with your account.
2. How We Use Your Information
To provide core app functionality (readiness scoring, workout tracking, nutrition logging).
To personalise the AI coach's responses based on your goals, recent training, and current readiness.
To send you notifications you have opted into (workout reminders, coach replies, hydration nudges).
To respond to your support requests.
To diagnose and fix bugs and improve app stability.
3. Third-Party Services
3.1 AI coach (Google Gemini)
The in-app AI coach is powered by Google's Gemini API. When you send a message to the coach, we send your message along with a small context block (your first name, current readiness summary, recent workouts, and goals) to Google's API to generate a response. We do not send Apple HealthKit raw samples, your full name, email address, phone number, or any other directly identifying information beyond your first name. Google's processing is governed by the Gemini API Terms.
3.2 Authentication and infrastructure
Sign in with Apple and Google Sign-In: Used for authentication. Each provider receives only the information needed to authenticate you (your Apple/Google ID, name, and email; Apple lets you hide your real email).
Firebase (Google): Used for authentication.
Hetzner Cloud (Helsinki, Finland, EU): We host our backend servers and database here. Data is encrypted at rest and in transit.
Apple Push Notification service: Used to deliver push notifications.
We do not share, sell, rent, or trade your personal information with any other third parties for their own marketing purposes.
4. Data Storage and Security
Data is stored on encrypted servers in the European Union (Helsinki, Finland).
All data in transit is protected with TLS 1.2 or higher.
Passwords (where applicable) are hashed with industry-standard algorithms.
Access to production systems is restricted to authorised personnel only.
5. Data Retention and Deletion
We retain your information for as long as your account is active.
You can delete your account at any time from Settings → Privacy & data → Delete account within the app.
Account deletion triggers a 30-day soft-delete (in case of accidental deletion), after which all your data is permanently and irreversibly removed from our systems.
Signing out of the app removes the local cache from your device.
6. Your Rights
Depending on your jurisdiction (including the European Union under GDPR, the United Kingdom under UK GDPR, India under the Digital Personal Data Protection Act 2023, California under CCPA/CPRA, and other regions), you may have the following rights:
Access: Request a copy of the personal information we hold about you.
Correction: Correct inaccurate or incomplete information.
Deletion: Request deletion of your personal information.
Portability: Receive your data in a structured, machine-readable format.
Objection / Restriction: Object to or restrict certain processing of your data.
Withdraw consent: Withdraw consent at any time where we rely on consent to process your data.
Zyno is not intended for children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
8. International Data Transfers
If you are accessing Zyno from outside the European Economic Area, please be aware that your data is processed and stored on servers located in the European Union (Helsinki, Finland). By using Zyno, you consent to this transfer.
9. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated through the app or by email before they take effect.
10. Contact Us
If you have any questions about this Privacy Policy, our practices, or want to exercise your rights: