Privacy Policy
Last updated: June 5, 2026
1. Who We Are
Actus ("we," "us," or "our") is an AI-powered fitness training application. Actus is operated as an independent product. For questions about this policy, contact us at privacy@actusapp.io.
2. Data We Collect
We collect data you provide directly and data generated through your use of the app.
2.1 Account Data
- Email address — used for authentication and account recovery
- Display name — shown in your profile (optional)
2.2 Body & Health Data
- Body measurements — height, weight, body fat percentage, muscle mass
- Demographics — age, gender (optional)
- Injury information — injury areas, injury details, monitor/exclude flags
- Pain reports — per-exercise pain tracking during workouts (area, notes)
- Strength baselines — estimated one-rep max for bench press, squat, deadlift
2.3 Fitness & Training Data
- Workout logs — sets, reps, weight, RPE (Rate of Perceived Exertion), completion timestamps
- Training preferences — goals, frequency, schedule, equipment, gym type, session duration
- Workout plans — AI-generated training programs and split configurations
- Coach conversations — messages you exchange with the AI coach, including the coach's replies and any actions it takes on your plan. These are saved to your account so your history is available across sessions, and are permanently deleted when you delete your account.
2.4 Usage & Analytics Data
- App interactions — feature usage events (e.g., workout started, set completed, analytics viewed)
- Device information — device type, operating system, browser type
- Performance data — page load times, error events
2.5 AI Response Feedback
When you tap the thumbs-up or thumbs-down icon on a message from the AI Coach or on the explanation accompanying an AI-generated plan adjustment, we store your reaction (positive or negative), the AI output you reacted to, an optional reason category if you tapped thumbs-down (e.g., "not accurate", "unsafe", "medical concern"), any optional context you typed in the dialog (capped at 500 characters, with emails and phone numbers automatically redacted), and a timestamp. We use this feedback to improve the AI safety guardrails and the helpfulness of the Coach. Feedback rows are retained for as long as your account is active and deleted with your account.
2.6 Subscription & Purchase Data
- Subscription status — whether you have an active Actus Premium subscription, the plan type (monthly or yearly), and renewal or expiry dates
- We do not collect or store your payment-card or bank details. All payments are processed by the Apple App Store or the Google Play Store; we never see your full payment information.
We do not collect location data, contacts, photos, financial information, or any data from other apps on your device.
3. How We Use Your Data
We use the information we collect for the following purposes:
3.1 Service Delivery
- Workout generation — your body metrics, experience level, goals, and injury data are used to generate safe, personalized training programs
- AI coaching — your profile and workout history are included as context when you interact with the AI coach
- Workout adaptation — your training logs are analyzed to recommend program adjustments (weekly batch analysis)
- Safety — injury and pain data are used to exclude unsafe exercises and trigger safety alerts
- Account management — to create, maintain, and manage your account and subscription
- Communication — to send service-related notifications such as workout reminders, account updates, and system announcements
3.2 Marketing & Improvement
- Product analytics — to review and analyze trends, usage patterns, and your interactions with our services in order to improve and personalize the Actus experience
- Marketing activities — to develop and improve our marketing efforts, including analyzing how users discover and engage with Actus, measuring the effectiveness of our content, and personalizing communications about features that may be relevant to you
- Research & development — to test new features, improve our AI models' recommendation quality, and develop new functionality based on aggregated usage insights
You can opt out of marketing communications at any time by contacting us at privacy@actusapp.io. Opting out of marketing will not affect service-related communications.
3.3 Security & Fraud Prevention
- Threat detection — to detect, investigate, prevent, and protect against potential security threats, unauthorized access, and other malicious, deceptive, or fraudulent activity
- Abuse prevention — to enforce our Terms of Service, prevent misuse of the platform, and protect the integrity of our systems
- Monitoring — to monitor system health, identify errors, and ensure the reliability and performance of our services
3.4 Legal & Compliance
- Legal obligations — to comply with applicable laws, regulations, legal processes, or governmental requests
- Rights protection — to protect the rights, privacy, safety, or property of Actus, our users, or the public as required or permitted by law
- Dispute resolution — to resolve disputes, enforce our agreements, and respond to lawful requests from public and governmental authorities
4. Third-Party Services
We share data with the following service providers who process it on our behalf:
| Service | Data Shared | Purpose |
|---|---|---|
| Supabase | All user data | Database hosting, authentication, file storage |
| OpenAI | Pseudonymous user identifier (UUID), profile context, workout history, coach messages. We do not send your email, name, or contact information to OpenAI. | AI workout generation, exercise matching, coaching |
| PostHog | Usage events, device metadata | Product analytics (autocapture disabled) |
| Vercel | Request logs, IP addresses | Application hosting, serverless functions |
| Sentry | Pseudonymous user identifier (UUID), stack traces, device and runtime metadata. We do not send your email, name, IP address, or any health data to Sentry. | Error and performance monitoring |
| RevenueCat | Pseudonymous user identifier (UUID) and subscription/purchase status. We do not send your email, name, payment details, or health data to RevenueCat. | Subscription and in-app purchase management |
| Resend | Your email address and the contents of messages you send us (e.g., support requests). | Transactional and support email delivery |
We do not sell, rent, or trade your personal or health data to any third party. We do not use your data for advertising or ad targeting.
We share data with these providers solely to operate Actus, under contractual terms (Data Processing Agreements where applicable) that require each provider to apply the same or equivalent protection to your data as described in this policy, to process it only on our instructions, and not to use it for their own purposes. Before any personal data is shared with our third-party AI provider (OpenAI), Actus first obtains your explicit in-app consent — see Section 4.1.
4.1 AI Processing
Actus uses a large-language-model (LLM) provider, OpenAI, to power three features: AI workout generation, the AI coach, and the weekly workout regeneration rationale. This section consolidates everything we send to OpenAI in one place so you can scan it without piecing together Sections 3, 4, 5, and 9.
Provider and model
OpenAI, accessed via the OpenAI API, using current-generation OpenAI models (the GPT-4o / GPT-5 family). We do not use OpenAI's consumer ChatGPT product for any user data.
Surfaces that call the model
- AI workout generation — when your training plan is created or refreshed
- AI coach — when you chat with the coach inside the app
- Workout regeneration rationale — the short, plain-English explanation that accompanies an updated training block
What we send to OpenAI
- A pseudonymous user identifier (UUID) — not your email, not your name
- Body data: height, weight, body fat percentage, muscle mass
- Demographics: gender and age range (we send age, not your date of birth)
- Goals, training preferences, equipment, schedule, session duration
- Workout history: sets, reps, weight, RPE, completion timestamps
- Injury and pain data (so the model can avoid unsafe exercises)
- Coach chat messages you send during a coaching session
What we do not send to OpenAI
- Your email address
- Your full name or first name
- Your date of birth (we send age, not DOB)
- Phone number, postal address, or precise location
- Payment or subscription information
- Your IP address (the OpenAI request originates from our backend, not your device)
Training and retention
Per OpenAI's API Data Usage Policies, data sent through the OpenAI API is not used to train OpenAI's models. OpenAI may retain API request data for up to 30 days for abuse and misuse monitoring, after which it is deleted from their systems.
Your consent and how to turn it off
Actus does not send any of the data above to OpenAI until you give explicit consent inside the app. You are asked to consent before your first AI-generated plan (on the final onboarding step) and again before you first use the AI Coach. AI features are optional — the rest of Actus works without them.
You can withdraw consent at any time in Settings > Legal > AI features. Turning it off stops Actus from sending any further data to OpenAI for AI workout generation and the AI Coach. To request deletion of data already processed, see Section 6 (Data Retention) and Section 11 (Your Rights), or contact privacy@actusapp.io.
See also: Section 5 (Health & Fitness Data), Section 9 (International Data Transfers), and Section 11.3 (LGPD rights for Brazilian residents).
5. Health & Fitness Data
Actus processes health and fitness data with special care:
- Health data is used exclusively for generating safe workout programs and providing fitness guidance
- Pain and injury data trigger automatic exercise exclusions to protect your safety
- Health data is never sold or shared for advertising purposes
- Health data sent to OpenAI for workout generation is not used by OpenAI to train their models (per their API data usage policy)
Important: Actus is not a medical device and does not provide medical advice. Always consult a healthcare professional before starting any exercise program or if you experience pain during training.
5.1 Apple Health (HealthKit)
On iPhone, with your explicit permission, Actus integrates with Apple Health (HealthKit) for two specific purposes:
- Reading body weight — Actus reads your most recent body-weight sample to prefill your profile and personalize your training plan. This is optional; you can decline and enter your weight manually.
- Writing completed workouts — when you finish a workout, Actus can save it to Apple Health so it appears alongside your other activity in the Health app and other fitness apps.
These two permissions are requested separately and are both optional. You can grant or revoke either of them at any time in iOS Settings > Health > Data Access & Devices > Actus.
Data obtained from Apple Health is used only to provide the Actus training service. In line with Apple's HealthKit requirements, we never use Apple Health data for advertising or marketing, we never sell it, and we never share it with data brokers or disclose it to third parties for their own purposes. Workouts written to Apple Health remain in Apple Health. A body-weight value read from Apple Health is stored in your Actus profile and, as described in Section 4.1, your profile body data (including weight) is sent to OpenAI to generate your workouts.
6. Data Retention
- Active accounts: Data is retained for as long as your account is active
- Account deletion: When you request account deletion, your personal data is anonymized immediately. All remaining data is permanently deleted within 90 days
- Analytics data: Aggregated, de-identified analytics data may be retained indefinitely for product improvement
7. How We Disclose Your Data
We may disclose your information in the following circumstances:
- Service providers — to third-party processors who help us operate the Service (see Section 4 above)
- Legal requirements — when required by law, regulation, legal process, or governmental request
- Safety & rights protection — to protect the rights, property, or safety of Actus, our users, or others, including to prevent fraud and enforce our Terms of Service
- Business transfers — in connection with a merger, acquisition, reorganization, or sale of assets (see Section 10 below)
- With your consent — when you direct us to share your information with a third party
We do not sell your personal information. We do not share your data with data brokers, advertising networks, or any third party for their own marketing purposes.
8. Data Security
We implement commercially reasonable technical, administrative, and organizational safeguards designed to protect your data:
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS/HTTPS
- Encryption at rest — data stored in our database is encrypted at rest by our infrastructure provider (Supabase)
- Authentication — secure JWT tokens with automatic expiration; OAuth 2.0 with PKCE for Google sign-in
- Access control — Row-Level Security (RLS) policies ensure each user can only access their own data
- API protection — all API routes are protected by authentication middleware; cron jobs are secured with separate secret tokens
- Monitoring — we monitor for unauthorized access, anomalous activity, and system errors
While we take reasonable steps to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security incidents.
9. International Data Transfers
Your data may be transferred to, stored, and processed in countries other than your country of residence. Our service providers operate infrastructure in the following regions:
- Supabase — database hosted in the United States (US-East)
- OpenAI — API servers in the United States
- PostHog — analytics infrastructure in the United States (US Cloud)
- Vercel — edge network with global distribution; primary infrastructure in the United States
When we transfer data internationally, we rely on appropriate legal mechanisms such as Standard Contractual Clauses (SCCs) approved by the European Commission, or the EU-U.S. Data Privacy Framework, to ensure your data receives an adequate level of protection regardless of where it is processed.
10. Business Transfers
If Actus is involved in a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. We will notify you via email or a prominent notice in the app before your data is transferred and becomes subject to a different privacy policy.
11. Your Rights
Regardless of where you live, you have the following rights:
- Access: You can view all your data within the app (Profile, Analytics, Workout History)
- Correction: You can update your profile, metrics, and preferences at any time
- Deletion: You can delete your account and all associated data from Profile > Delete Account
- Portability: Data export functionality is planned for a future release
11.1 California Residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information — we do not sell your data
- Non-discrimination for exercising your privacy rights
To exercise these rights, contact us at privacy@actusapp.io.
11.2 European Union Residents (GDPR)
If you are in the EU/EEA, our lawful bases for processing are:
- Consent — for health data processing (you provide this data voluntarily during onboarding)
- Contract performance — to deliver the fitness training service you signed up for
- Legitimate interest — for analytics and product improvement
You have additional rights to: restrict processing, object to processing, and lodge a complaint with your local data protection authority.
11.3 Brazilian Residents (LGPD)
If you are in Brazil, you have rights under the LGPD including: confirmation of processing, access to your data, correction, anonymization, portability, deletion, and information about third parties with whom data is shared. Contact us at privacy@actusapp.io.
12. Children & Minors
Actus is intended exclusively for adults. You must be at least 18 years of age to use the Service. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a person under 18, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at privacy@actusapp.io.
13. Cookies & Tracking
- Authentication cookies: Essential cookies to maintain your login session
- Analytics: PostHog analytics with autocapture disabled — only manually tracked events are collected
- No third-party advertising cookies — we do not use ad trackers
- App Tracking Transparency (iOS): Actus does not track you across other companies' apps or websites. We do not use Apple's advertising identifier (IDFA), and we do not present the App Tracking Transparency prompt, because we perform no such tracking.
14. Third-Party Links & Services
Actus may contain links to third-party websites, services, or content that are not owned or controlled by us. This includes links to our service providers' privacy policies (Supabase, OpenAI, PostHog, Vercel, Sentry, RevenueCat, Resend) and external exercise resources.
We are not responsible for the privacy practices, content, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party services you access through Actus. Your interactions with third-party services are governed by their respective terms and privacy policies.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and notify you within the app. Your continued use of Actus after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights, contact our Data Protection Officer (DPO):
- Email: privacy@actusapp.io
- For LGPD-specific requests, please write "LGPD" in the subject line so we can prioritize within statutory response windows.