Effective date: 1 May 2026 · Last updated: May 2026
Rebirth of Fitness ("we", "our", or "us") is committed to protecting your personal information. This Privacy Policy explains what data the Rebirth of Fitness mobile application and website (rebirthapp.co.za) collect, why we collect it, how it is used, who it is shared with, how long we keep it, and the rights you have over it.
1. Information We Collect
We only collect data that is necessary to deliver the service. The categories below describe everything the App can collect when you use it.
Name, email address, password (stored as a salted hash – never in plain text), gender, date of birth, training level, days per week available, equipment access, fitness goals, physique goals, body weight, height, and a unique device identifier used to keep your data in sync across re-installs.
Sets, reps, weights lifted, RPE, rest time, completed programs, custom workout templates, run distance, duration, pace, splits, treadmill flag, and notes you add to a session. Used to build your training history, generate the Rebirth Score, and personalise future programming.
If you grant location permission, the App records GPS coordinates, route paths, distance, elevation, pace, speed, and split times during outdoor runs. Routes are stored so you can replay, share, and export them as GPX. Location is requested only during a run session – we never track you in the background.
- You can revoke location permission at any time in your device settings
- Route data is never sold and never shared with advertisers
- Routes can be hidden from share cards via the in-app privacy toggles
Sleep, soreness, stress and energy ratings, pain flags, optional mood notes, and the readiness score derived from them. Used to adjust your strength, run, and HYROX/race-sim programming day-to-day.
If you connect a wearable, we store the OAuth tokens needed to call that provider's API and the metrics they return. Tokens are encrypted at rest with AES-256-GCM. Supported providers and the data they return:
- Strava – OAuth token, athlete name, and activity uploads we push to your Strava feed when you finish a run or ride
- Garmin Connect – OAuth token, watch model name, sleep score, sleep duration, HRV, body battery, training load, VO₂ max, and daily wellness metrics
- WHOOP – OAuth token, recovery score, strain, sleep performance, and HRV (when feature flag enabled in your region)
- Apple Health / HealthKit – only the metrics you explicitly grant access to (typically sleep, resting heart rate, and active energy)
You can disconnect any provider at any time from the Profile screen. Disconnecting revokes our access at the provider and deletes the locally stored tokens.
Menstrual cycle phase, cycle start date, cycle length, symptoms, and pregnancy/postpartum flags if you choose to use the Women's Hub. This is sensitive health data and is used only to adjust the training programs and readiness score we present to you. It is never sold, never used for advertising, and never shared with any third party.
Daily calorie and macro logs, meals chosen from the recipe library, custom food entries, weekly check-ins (bodyweight, notes, optional progress photos taken with your camera or chosen from your library), and body measurements (chest, waist, hips, arms, thighs).
Messages you send to the in-app AI coach are stored on your device and on our servers so the conversation persists across re-installs and devices. Your message – together with a snapshot of your recent training context (active program, recent workouts, recent runs, today's check-in, cycle phase, training streak) – is sent to our AI provider to generate a reply.
- You may delete your coach history at any time from within the chat
- We do not use your conversations to train external AI models
- The AI provider is contractually prohibited from using prompts for model training
If you opt into social features we store your display name, league tier and ranking, points history, group memberships and roles, group and challenge activity feed entries, GPS validation results for challenge entries, and any messages you post inside a group. Universal share cards composed inside the App are rendered locally on your device using your existing run/workout data – only what you choose to share leaves the device.
If you win a monthly merch reward and claim it, we collect the postal address, contact phone number, and size selection you submit so we can ship the item. Voucher codes you redeem are tied to your account and marked as used.
If you enable notifications, we store the Expo / Apple / Google push token assigned to your device so we can send workout reminders, streak milestones, league updates, and challenge alerts you have opted into. Tokens are deleted when you disable notifications or uninstall the App.
We do not see or store your payment card details at any point. Subscription purchases are processed by Apple App Store, Google Play, or RevenueCat (our subscription manager). We receive only an anonymised purchase token, your subscription status, the product purchased, and the renewal/expiry date.
Device type, operating system version, App version, IP address (for rate-limiting and abuse prevention), session timestamps, crash reports, error stack traces, and basic feature usage counters. This data is used solely to keep the platform secure, debug failures, and prioritise improvements.
2. How We Use Your Information
- To create and personalise your training programs, run plans, hybrid/HYROX schedules, race-simulation pacing, Women's Hub programming, and AI coaching
- To track your workouts, runs, check-ins, and Rebirth Score over time
- To generate adaptive recommendations from your readiness, ACWR, and wearable data (see Section 3)
- To run social features – league standings, monthly reward cycles, group challenges, and share cards
- To deliver push notifications you have opted into (workout reminders, streaks, league updates, challenge ranks)
- To activate, manage, and validate your subscription via RevenueCat / App Store / Google Play
- To moderate the platform, investigate suspected fraud or abuse, and act on integrity flags
- To respond to support and coaching enquiries
- To maintain platform stability, fix bugs, and improve features
3. Automated Recommendations & AI Coaching
Rebirth of Fitness uses algorithmic systems and a third-party large language model to analyse your training history, readiness scores, wearable signals, and the inputs you provide in order to produce personalised training recommendations and AI coaching insights. These recommendations are generated automatically from the information available about you.
Automated recommendations and AI coach replies are intended to assist your training and are not a substitute for medical or professional advice. You are free to follow, modify, or ignore any recommendation. If you have health concerns, consult a qualified healthcare professional before acting on guidance from the App.
4. Data Sharing & Third Parties
We do not sell your personal information. We share data only with the following service providers, strictly to operate the App:
- RevenueCat – subscription and in-app purchase management. RevenueCat Privacy Policy
- Apple App Store / Google Play – app distribution and payment processing
- OpenAI – generates AI coach replies from the prompt and training context we send. Data submitted is governed by OpenAI's API data policy and is not used to train OpenAI's models.
- Strava, Garmin Connect, WHOOP, Apple HealthKit – only when you explicitly connect them. We send and receive only the data described in Section 1.
- Replit Inc. – cloud infrastructure, database hosting, and runtime for our backend
- Apple Push Notification Service / Firebase Cloud Messaging – delivery of push notifications you have opted into
All third-party providers are contractually required to handle your data securely and only for the purposes we specify. We do not share your data with advertising networks or data brokers.
5. Health & Sensitive Data
Fitness data, GPS routes, wearable biometrics, and Women's Hub cycle information are treated as sensitive personal data. They are stored securely, never sold, never used for advertising, never shared with third parties except where strictly necessary to deliver the service (e.g. backing up to our secure servers, or pushing a completed run to Strava when you have explicitly connected it).
You are responsible for ensuring that the health and fitness information you enter into the App is accurate. Inaccurate data may affect the quality of recommendations the App generates.
6. International Data Transfers
Some of the providers used to operate the App (notably our cloud infrastructure provider Replit Inc. and our AI provider OpenAI) process data in the United States and other jurisdictions outside South Africa. Where this occurs, we rely on contractual safeguards (including Standard Contractual Clauses where applicable) to ensure your data continues to receive a level of protection consistent with the Protection of Personal Information Act, 2013 (POPIA), the EU GDPR, and the UK GDPR. By using the App you consent to your data being processed in those jurisdictions as described in this policy.
7. Data Retention
We retain your personal information for as long as your account is active. If you delete your account – either from inside the App (Profile → Danger Zone → Delete account) or by emailing us – we will permanently erase your personal data within 30 days, except where we are required by law to retain certain records (for example, financial records relating to subscription payments).
Anonymised, aggregated metrics that cannot be linked back to you (for example, "average weekly run distance across the platform") may be retained indefinitely for analytics and product improvement.
8. Data Security
We use industry-standard security measures to protect your data, including TLS encryption in transit, encryption at rest for sensitive fields, AES-256-GCM encryption for stored OAuth tokens, hashed and salted passwords, role-based access controls for our own staff, and rate-limiting / fraud detection on every API endpoint. No system is 100% secure, but we take reasonable steps to protect your information from unauthorised access, disclosure, alteration, or loss. For full details, see our Data Security Policy.
9. Data Breach Notification
In the event of a data breach that may compromise your personal information, we will:
- Notify affected users as soon as reasonably practicable through the App and by email
- Report the breach to the Information Regulator of South Africa within the timeframes required by POPIA, and to other regulators (e.g. EU/UK supervisory authorities) where required
- Take immediate steps to contain and remediate the breach
- Provide clear information about what data was affected and what steps you should take
10. Cookies & Website Analytics
Our website (rebirthapp.co.za) uses a minimal set of cookies for session management and basic analytics. The mobile App itself does not use browser cookies – it stores data locally on your device and communicates with our servers over encrypted connections. We do not use cookies or tracking pixels for advertising or cross-site tracking. Full details are in our Cookie Policy.
11. Your Rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate data – most fields can be updated directly in Profile settings
- Request a machine-readable export of your personal data
- Delete your account and all associated data ("right to be forgotten")
- Withdraw consent for optional features (notifications, location, wearable sync, AI coach, social features) at any time
- Object to or restrict certain processing activities
- Lodge a complaint with the Information Regulator of South Africa, or – if you are in the EU/UK – your local data protection authority
To exercise any of these rights, contact us at support@rebirthapp.co.za. We will respond within 30 days.
12. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information for cross-context behavioural advertising. To exercise your CCPA rights, contact us using the details in Section 16.
13. Children's Privacy
The Rebirth of Fitness App is intended for users aged 16 and over. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us immediately and we will delete it.
14. South African POPIA Compliance
We process personal information in compliance with the Protection of Personal Information Act, 2013 (POPIA). Our lawful basis for processing is your consent (given during onboarding) and the performance of our contract with you (delivering the subscription service). You may withdraw consent at any time by contacting us or deleting your account.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top, and – for material changes – we will notify you in the App. Continued use of the App after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:
Email: support@rebirthapp.co.za
Website: rebirthapp.co.za
Information Officer: Neo Chimanyi, Rebirth of Fitness, South Africa