Privacy Policy
Effective 2026-04-29. This Privacy Policy describes how Fursan Health, LLC ("we", "us") collects, uses, and protects information when you use Fursan Core (the "Service").
1. Information we collect
Account & profile. Email, password hash, display name, age, sex, height, weight, unit preference, goal mode, time zone.
Health & logging data you submit. Food logs, water, fasting windows, training sessions and sets, sleep, energy, body metrics, supplements, vice/gut signals, and any photos you upload.
Medical documents you choose to upload. Lab results, doctor notes, or other PHI documents you opt to share with the Service. We treat these with HIPAA-grade security practices, although Fursan Core is not itself a HIPAA Covered Entity.
Device & integration data. Apple Health, Fitbit, Garmin, WHOOP, and Oura data only when you explicitly connect those integrations.
Operational metadata. IP address, user-agent, timestamps, security events, and usage events used to operate, secure, and improve the Service.
2. How we use it
To provide the Service to you (your dashboard, AI Coach, trends, planners), to keep accounts secure, to investigate abuse and incidents, and to improve the product. We do not sell your personal information.
3. Sharing
We share data only with service providers we need to operate the Service: hosting/database, email delivery, AI providers (configurable per feature), and wearable integrations you choose to enable. We require these providers to use your data only to deliver the contracted service.
We may disclose data when required by law, to protect rights and safety, or to investigate fraud and abuse.
4. AI features & PHI
When you use AI features (Coach chat, Vice Plan, Report analysis, Food Decision), the prompt you send and relevant context from your account are transmitted to the configured AI provider. Settings → Privacy will display the active provider and let you opt out of AI features that may receive medical context.
5. Security
We use HTTPS-only transport with HSTS preload eligibility, bcrypt-class password hashing, server-side session controls, anti-clickjack and anti-CSRF mitigations, and rate limiting on auth endpoints. Production data stores enforce encryption at rest. We restrict employee access to user data on a least-privilege basis.
6. Your rights
You can:
- Access & export your data: Settings → Privacy → Export my data, or call GET /account/export via the API.
- Delete your account: Settings → Privacy → Delete account. This permanently erases your User Content.
- Manage active devices: Settings → Privacy → Active devices.
- Withdraw AI/PHI processing consent at any time.
If you are in the EEA / UK, you have GDPR rights of access, rectification, erasure, restriction, portability, and objection. If you are in California, you have CCPA Rights to Know, Delete, and Opt Out of Sale (we do not sell). Email the support channel to exercise any right.
7. Children
Fursan Core is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has used the Service, contact us so we can delete the data.
8. Retention
We keep account & logging data while your account is active. When you delete your account, we wipe your User Content within seven days, except minimal records needed for legal, audit, or fraud-prevention purposes.
9. Changes
We will announce material changes in-product and update the effective date.
10. Contact
Fursan Health, LLC. Send privacy questions and rights requests through the support channel listed in the Service.