APX
  • Features
  • How it works
  • FAQ
  • EN / RU
EN / RU Download

APX AI Fitness Trainer Privacy Policy

Version: 1.2 Last updated: 09.06.2026 Contact e-mail: support@apxtrainer.com


Privacy Principles

If you read only this section:

Information about your workouts, nutrition, health, and physical parameters is private. We apply the maximum technical and organizational measures to protect it.

We do not sell your personal data to third parties for any purpose.

You are the owner of your personal data. You may at any time request a copy, correction, or deletion of your data.

Health and fitness data is processed solely to provide the Service, never for advertising, marketing, or sale to third parties without your explicit consent.


1. What Information We Collect

1.1 User Information

When you download and start using APX AI Fitness Trainer, we ask questions about you, your current fitness and nutrition habits, goals, and preferences. If you choose to provide this information, we will store: - Name or alias - E-mail - Age / year of birth (for proper age-gating) - Country (determined automatically by App Store account and/or IP) - Interface language - Additional information when contacting support

Authentication via third-party services: If you use Sign in with Apple or Google Sign-In, we receive authorization tokens and related identifiers from these providers in accordance with their privacy policies.

1.2 Information You Enter Into the App

  • Workout plans (created by you or by the AI assistant)
  • Nutrition and calorie data (manual input or integrations)
  • Data on workouts, exercises, weight, and other physical parameters
  • Responses and messages in conversations with the AI assistant
  • Support chat history
  • App settings and preferences
  • Notes and comments (if the feature is available)

1.3 Photos: Body Scan, Progress, Food

Depending on the features you use, the App may handle three categories of photos. All photos are processed automatically without human involvement, used solely to provide the Service to you, and not shared with third parties for advertising or marketing.

(a) Body scan photos

  • What is collected: photos of your body (front / side / back) that you take in the body scan feature for body composition assessment (% body fat, muscle mass, etc.).
  • Where processed: photos are uploaded to our own servers [specify country and hosting provider] for AI processing and metric calculation.
  • Storage: the original photo is stored as long as your account is active (for future comparisons and progress tracking) or until you delete it manually. Derived numerical metrics (% body fat, etc.) are stored in your profile.
  • Encryption: data is transmitted via HTTPS/TLS 1.2+ and encrypted at rest on our servers.
  • Internal access: only automated processing systems have access to your photos. Employees do not view your photos in normal operations (only in exceptional technical support cases, and only at your explicit request).
  • AI training: we do not use your body scan photos to train our or third-party AI models.

(b) "Before/after" progress photos

  • What is collected: photos that you voluntarily upload to the App to track your progress.
  • Where processed: stored on our own servers [specify country/provider] for display in your personal account.
  • Storage: stored as long as your account is active or until you delete them manually. These photos are visible only to you.
  • Internal access: only automated processing; employees have no access.
  • AI training: we do not use these photos to train models.

(c) Food photos (calorie recognition)

  • What is collected: photos of food that you take for automatic dish recognition and calorie calculation.
  • Where processed: on our own servers [specify country/provider] for AI recognition.
  • Storage: the original photo may be stored along with the meal entry in your nutrition diary as long as your account is active. If you don't need this feature, you can disable photo storage in App settings; in that case, the photo is deleted immediately after recognition.
  • Internal access: only automated processing.
  • AI training: we do not use your food photos to train models without your separate explicit consent.

Photo deletion: you can delete any photo via the App at any time. When you delete your account, all your photos are permanently deleted from our servers within the timeframes specified in Section 6.

Biometric status: body photos and derived metrics may qualify as biometric data in certain jurisdictions (Illinois, BIPA, Texas, CUBI, Washington). See Section 10 for details.

1.4 Data from Apple Health, Apple Watch, Google Fit, Health Connect

We may receive data from Apple HealthKit, Apple Watch, Google Fit, or Health Connect (heart rate, steps, calories, sleep, workouts, etc.), only with your explicit permission. This data is used solely to provide health, movement, and fitness features in connection with the App. See Section 9 for details.

1.5 Device Information

  • Device type, model, operating system
  • IP address, regional settings, device identifiers
  • Push notification tokens
  • Crash reports and performance data
  • Advertising identifiers (IDFA on iOS, AAID on Android), only with your consent (via Apple App Tracking Transparency on iOS / Android Privacy Sandbox)

1.6 App Usage Data (Analytics) and Session Replay

We collect analytics to understand how to improve the Service: - App usage events - Retention, funnel, A/B test, free trial, and subscription performance metrics - Interactions with push notifications, e-mail (if you have consented), and advertising campaigns

Analytics providers: we use Amplitude (USA), PostHog (USA), Adjust, and Adapty for all users. For users in the Russian Federation we additionally use AppMetrica (Yandex, hosted in Russia), and the first recording of personal data is performed using databases located in the Russian Federation in accordance with Russian Federal Law No. 152-FZ. For users in the Russian Federation, the use of Amplitude and PostHog involves a cross-border transfer of data to the United States and is carried out on the basis of your consent (see Sections 5 and 17.1).

Session Replay (PostHog): to diagnose technical issues and improve usability, the App may record how you interact with its screens, including screen views, taps, navigation, and interface events. These recordings are reconstructed from screen snapshots. They are not video from your camera, and we do not record audio or any activity outside the App.

Protection of your data in Session Replay: - Sensitive fields are automatically masked, including name, e-mail, age, weight, body measurements, progress photos, and body scan photos, as well as payment fields. All text input fields and images are masked by default. - We do not record passwords or bank card data. Purchases are handled by the App Store and Google Play. - Provider: PostHog (USA). Recordings are stored for up to 30 days. - Session Replay applies to all users, including the Russian Federation, where it relies on your consent to cross-border transfer (see Section 17.1). - Legal basis: your consent.

1.7 Payment and Transactional Data

  • Information about purchases via the App Store, Google Play, or Web (currency, country of purchase, transaction identifiers, status)
  • Technical events from Adapty (including Refund Saver, App Store Server Notifications V2)
  • For Web purchases, processing via Stripe and/or PayPal (we do not receive card numbers)
  • Important: we do not store bank card details, this is handled by the payment platform

Refund Handling (Apple Refund Saver): when you submit a refund request through the App Store, we use Adapty's Refund Saver feature to share aggregated consumption data with Apple to help Apple decide on the refund. The shared data may include:

  • Time since app install
  • Total app usage time
  • An anonymous account identifier
  • Whether the in-app purchase was fully consumed
  • Trial period information
  • Aggregate totals of your spend and refund history within the app

Recipient: Apple Inc. (USA), via Adapty.
Purpose: assisting Apple in evaluating refund requests and reducing fraudulent refunds.
Legal basis: legitimate interest (fraud prevention) and contract performance.
Opt-out: you may opt out of consumption data sharing by emailing support@apxtrainer.com. Opting out does not affect your right to request a refund through Apple.

1.8 Referral and Social Functionality

If you use the referral or share feature, we collect: - Referrer identifier - Referral install source - Share action metadata (without the content of personal messages)


2. How We Use Your Information

2.1 Providing the Service

  • Creation of personalized workout plans and recommendations
  • Operation of the AI assistant (see Section 11)
  • Calorie counter and nutrition tracking
  • Integration with Apple Health, Google Fit, Apple Watch, wearables
  • Processing of subscriptions, free trials (3 or 7 days depending on offer/cohort), one-time purchases, and refunds via Adapty
  • Push notifications for workouts and reminders
  • E-mail notifications (only with consent)

2.2 Understanding and Improving the Product

Analysis of aggregated usage data to identify problems and improve functionality.

2.3 Responding to Feedback

Use of your contact information to resolve your inquiry.

2.4 Marketing and Promotion (only with consent)

  • Marketing e-mails and push notifications
  • Personalization of offers
  • Effectiveness of advertising campaigns (Meta, TikTok, Apple Search Ads, Google Ads)

You may opt out of marketing communications at any time via the app settings, the unsubscribe link in the e-mail, or in writing to support@apxtrainer.com.

2.5 Security and Fraud Prevention

Protection of accounts, detection of abuse, fraud, and violations of the Terms of Use.

2.6 Compliance With Legal Obligations

Tax reporting, responding to requests from regulators and law enforcement authorities.


3. Legal Bases for Processing (GDPR / UK GDPR / EU equivalents)

Item Legal basis
Provision of Service features Performance of contract (Art. 6(1)(b))
Processing of medical/health data Explicit consent (Art. 9(2)(a))
Analytics and product improvement Legitimate interest (Art. 6(1)(f)) with balancing of rights
Marketing communications Consent (Art. 6(1)(a))
Use of IDFA/AAID Consent (Art. 6(1)(a) + ATT)
Biometric processing (body scan) Explicit consent (Art. 9(2)(a))
AI processing of personal data Consent + contract
Compliance with the law Legal obligation (Art. 6(1)(c))

For users in the Russian Federation, processing is carried out on the basis of consent under Russian Federal Law No. 152-FZ.


4. With Whom We Share Information (Sub-processors)

4.1 List of Sub-processors

AI - OpenAI Inc. (USA), generation of recommendations and chat. Transfer under SCCs + consent; Zero Data Retention possible. In certain regions, Azure OpenAI EU may be used.

Analytics and Attribution - Amplitude (USA): behavior, retention, funnels, for all users. SCCs + consent. - PostHog (USA): product analytics, funnels, feature usage, and Session Replay (screen interaction recordings with masking of sensitive fields), for all users. SCCs + consent. - Adjust (Germany, EU): install attribution. EU adequacy. - AppMetrica (Yandex, Russia): analytics for users from Russia, hosted in Russia, 152-FZ compliant. - Sentry / Crashlytics (USA): crash reports. SCCs + limited collection.

Subscriptions and Payments - Adapty (USA), subscription management, refund flow. SCCs + consent. - Apple App Store / Google Play, in-app purchases. Per platform rules. - Stripe and/or PayPal (USA / EU), Web paywall. SCCs + consent. We do not receive card numbers.

Health Platforms - Apple HealthKit / Apple Watch, health/fitness data on iOS. On-device + Apple servers, per Apple's rules. - Google Fit / Health Connect, health/fitness data on Android. On-device + Google, per Google's rules.

Advertising - Meta Ads, TikTok Ads, Google Ads, attribution and advertising. SCCs + consent (after ATT/cookie consent). - Apple Search Ads, ASA campaigns, per Apple's rules.

Communications and Support - SendGrid / Postmark / Mailgun (USA / EU), transactional and marketing e-mail. SCCs + consent. - Zendesk / Intercom (USA / EU), support. SCCs + consent.

Infrastructure - AWS / GCP / DigitalOcean, cloud hosting. SCCs where applicable.

The list may be updated. Material changes will be published and (where we have your e-mail) communicated to you by notification.

4.2 When We Share Data

  • With your consent, for specific purposes
  • With sub-processors, under data processing agreements (DPAs), under our instructions
  • For compliance with the law, in response to mandatory requests from regulators and law enforcement authorities
  • In the event of business reorganization, merger, sale of assets (see Section 20)
  • Aggregated/de-identified data, for research, including with academic partners

4.3 What We Do NOT Do

  • We do not sell personal data to third parties for any consideration
  • We do not transfer data from Apple HealthKit / Google Fit / Health Connect for advertising or marketing
  • We do not use biometric data for purposes other than providing the Service
  • We do not transfer children's data without parental consent
  • We have not authorized any third parties to collect your consumer health data across websites

5. International Data Transfers

When we transfer your personal data outside your jurisdiction, we apply appropriate legal mechanisms:

  • From the EU/EEA, Standard Contractual Clauses (SCCs) 2021/914, Transfer Impact Assessment, and/or your explicit consent. Where applicable, our US providers are certified under the EU-US Data Privacy Framework (DPF), current list: https://www.dataprivacyframework.gov/list
  • From the UK, UK Addendum to SCCs; UK Extension to DPF where applicable
  • From Switzerland, Swiss-US Data Privacy Framework where applicable
  • From the Russian Federation, for users from Russia, the first recording of personal data takes place using databases located within the territory of the Russian Federation via AppMetrica. Transfer of data to foreign states, including to the United States for analytics and Session Replay (Amplitude, PostHog), is carried out only on the basis of your consent to cross-border transfer under Art. 12 of Russian Federal Law No. 152-FZ
  • From the UAE, based on contractual safeguards and consent (UAE PDPL Art. 22)

If you wish to obtain a copy of the applicable SCCs or learn more about transfer mechanisms, write to support@apxtrainer.com.


6. Data Retention and Deletion

6.1 Retention Periods

  • Active account and its content (profile, workouts, nutrition, history, tokens): for as long as the account is active + a 30-day grace period
  • Health data from HealthKit / Google Fit: for as long as your permission is active
  • Photos (body scan, before/after, food): stored on our servers as long as your account is active or until you delete them manually. Upon account deletion, permanently deleted within 30 days grace period.
  • Body scan derived metrics (% body fat, muscle mass, etc.): stored alongside progress history as long as your account is active
  • AI chat history: up to 90 days (or until deletion by you); prompts to OpenAI, not retained by the provider when Zero Data Retention is enabled
  • Analytics events and crash logs: up to 24 months (analytics), 90 days (crash logs)
  • Session Replay recordings (PostHog): up to 30 days
  • Payment documents: 7 years (tax obligation)
  • Support tickets and DSR request logs: 2-5 years (proof of compliance)
  • Marketing consent log: 3 years after opt-out

6.2 Account Deletion

You may delete your account: - From the app settings (Account → Data → Delete Account) - By writing to support@apxtrainer.com

After your request, we will irretrievably delete your personal data from our systems, except where we are required to retain data by law or to defend our rights.


7. Your Rights and How to Exercise Them

7.1 Universal Rights (apply globally subject to local law)

You have the right to: - Access your data and obtain a copy (data export) - Correct inaccuracies or update information - Delete data / account (subject to lawful exceptions) - Restrict or object to certain processing (e.g., marketing) - Port data in a structured, machine-readable format - Withdraw consent at any time (e.g., disable HealthKit, advertising IDs) - Lodge a complaint with a regulator

7.2 How to Exercise

  • E-mail support@apxtrainer.com (or via the app settings: Account → Data)
  • Acknowledgement, within 10 business days
  • Full response, within 30 calendar days (we may extend up to 90 days for complex cases, with notice)
  • Free of charge (except for manifestly unfounded or repetitive requests)
  • We may ask you to verify your identity

7.3 Right to Lodge a Complaint

  • EU: your national supervisory authority (Data Protection Authority); list: edpb.europa.eu/about-edpb/about-edpb/members_en
  • UK: ICO (ico.org.uk)
  • California: California Privacy Protection Agency (cppa.ca.gov) or AG Office
  • Washington (CHD): atg.wa.gov/file-complaint
  • Nevada (CHD): ag.nv.gov
  • Russia: Roskomnadzor (RKN) (rkn.gov.ru)
  • UAE: UAE Data Office (data.gov.ae)
  • Canada: Privacy Commissioner (priv.gc.ca); Quebec, CAI (cai.gouv.qc.ca)
  • Australia: OAIC (oaic.gov.au)

8. Data Security

We use commercially reasonable technical and organizational measures: - Encryption of transmission channels (HTTPS/TLS 1.2+) - Encryption of data at rest for sensitive categories - Restriction of employee access on a least-privilege basis - Anomaly monitoring and logging - Regular sub-processor audits - Two-factor authentication for administrative accounts

Use of unsecured Wi-Fi or unsecured networks is not recommended. No digital service can guarantee absolute security.

8.1 Breach Notification

In the event of a breach involving a risk to the rights and freedoms of data subjects: - We will notify the competent regulator within 72 hours of detection (in accordance with GDPR Art. 33-34, UK GDPR, and analogous laws in other jurisdictions) - We will notify you by e-mail without undue delay if the breach involves a high risk - For users in the United States (where applicable to health data), also pursuant to the FTC Health Breach Notification Rule


9. Apple HealthKit, Apple Watch, Google Fit, Health Connect

Data obtained from Apple HealthKit, Apple Watch, Google Fit, or Health Connect is processed under the following mandatory rules:

  • We will not use HealthKit/Health Connect data for advertising or other use-based data mining purposes other than improving health, movement, and fitness management.
  • We will not disclose any data collected via HealthKit/Health Connect to any third party without permission from the user, even in deidentified or aggregated form.
  • We will not write false or incorrect data into HealthKit/Health Connect.
  • We do not transfer data from HealthKit / Google Fit / Health Connect to third-party servers without your explicit consent for the specific purpose of providing health/fitness features.

You may revoke permission to access this data at any time through your device's operating system settings.


10. Biometric Data and Body Scan

10.1 How Body Scan Works

When you use the body scan feature, photos of your body (front / side / back) are transmitted via secure connection (HTTPS/TLS 1.2+) to our own servers [specify country/provider] for AI processing and calculation of body composition metrics (% body fat, muscle mass, etc.).

10.2 Derived Metrics

The processing produces numerical metrics (e.g., body fat percentage estimate, muscle mass). These metrics:

  • Are stored in your profile on our servers
  • Are synchronized between your devices via your account
  • Are used to track progress and compare with previous scans

In certain jurisdictions (including Illinois, BIPA, Texas, CUBI, Washington), such derived metrics and the photos themselves may qualify as biometric data.

10.3 Retention and Deletion

  • Original body scan photos are stored as long as your account is active or until you delete them
  • Derived metrics are stored alongside progress history as long as your account is active
  • Upon account deletion, all photos and metrics are permanently deleted from servers within a 30-day grace period
  • You may request deletion at any time via support@apxtrainer.com or the app settings

10.4 Security and Access

  • Transmission, only over HTTPS/TLS 1.2+
  • Storage, encryption at rest
  • Internal access, only automated processing systems. Employees do not view your photos in normal operations (only in exceptional technical support cases, and only at your explicit request).
  • We do not use your photos and biometric metrics to train our or third-party AI models.

10.5 Disclosure to Third Parties

Biometric data (photos and derived metrics) are not transferred to any third parties, neither for advertising, nor for marketing, nor in deidentified form, without your separate explicit consent for a specific purpose.

10.6 Your Rights (BIPA Section 15 for Illinois Users)

You have the right to:

  • Obtain a copy of the written policy regarding biometric data (this section)
  • Request deletion
  • Receive information about the purpose of processing, retention period, and destruction procedure

11. AI Assistant

11.1 How AI Works

When you interact with the AI assistant (receive a workout plan, nutrition advice, answers to questions), your inputs (text of the question + relevant profile data) are transmitted to the AI provider, at the time of publication, OpenAI Inc. (USA), for processing via the API.

In certain regions, we may use alternative configurations (e.g., Azure OpenAI with EU hosting), current information will be reflected in Section 4.

11.2 Data Processing by the AI Provider

  • OpenAI processes data as our sub-processor under a Data Processing Addendum (DPA)
  • By default, OpenAI does not use API data to train its models
  • For health-related queries, we strive for Zero Data Retention (ZDR), OpenAI does not retain your inputs and responses after generation
  • Transfer to the United States is carried out under SCCs and your explicit consent

11.3 Regional Limitations

For users from the Russian Federation, certain AI features may be unavailable or operate in a limited mode (e.g., without sending prompts to foreign services) in order to comply with the requirements of Russian Federal Law No. 152-FZ.

11.4 Automated Processing (GDPR Art. 22)

  • AI generates recommendations but does not make decisions for you with legal or similarly significant effects
  • All decisions on whether to follow a recommendation remain with you
  • You may request human review via support@apxtrainer.com
  • You may opt out of AI features in the app settings

11.5 Transparency of AI-Generated Content

In accordance with EU AI Act Article 50 (applicable from 02.08.2026), AI-generated content is labeled in the app interface. You always know when you are interacting with AI rather than with a human.

11.6 Your Data Is Not Used for Training

We do not use your inputs to train our or third-party AI models. If in the future we wish to use data for model training, this will require your separate explicit consent.


12. apxtrainer.com Website, Cookies, SDKs, App Tracking Transparency

12.1 What Is Collected on the apxtrainer.com Website

The apxtrainer.com website is an informational (landing) site about the App. The site does not accept payments and has no user account, it only redirects you to the App Store to download the App.

The site collects:

  • Cookies, see the list below
  • Technical visit data: IP address, browser type and version, operating system, referring page (Referer), visit timestamps
  • Behavioral data: pages viewed, time on page, scrolling, clicks, collected via Google Analytics 4 and Yandex.Metrica (only with consent)
  • Session recordings (Yandex.Metrica Webvisor): may include mouse movements, scrolling, clicks. Contents of form fields with sensitive information and passwords are not recorded. Only with consent.

The site does not collect: personal data via forms (no registration/login/checkout on the site), payment data (purchases happen in App Store), health data, photos, biometric data (all of that happens only in the App).

Site data retention: server access logs (Tilda), 30-90 days; GA4 events, 14 months; Yandex.Metrica data, 25 months; Webvisor recordings, 15 days.

12.2 Cookies on the Website

The apxtrainer.com website uses cookies in three categories:

  • Strictly Necessary, site operation, DDoS protection. No consent required (legal exception).
  • Performance / Analytics, understanding how the site is used. Requires consent for users in the EU/UK.
  • Marketing / Advertising, at the time of this policy version, marketing cookies (Meta Pixel, TikTok Pixel, etc.) are not installed on the site. If installed in the future, this policy will be updated.

12.3 Full List of Cookies on the Website

Cookie Category Purpose Provider Retention
__ddg1_ Strictly Necessary DDoS protection, identification of legitimate visitor DDoS-Guard / Tilda 1 year
__ddg8_, __ddg9_, __ddg10_ Strictly Necessary DDoS protection, temporary technical cookies DDoS-Guard / Tilda 20 minutes to session
tilda_* Strictly Necessary Session identifier, technical site settings Tilda Session
_ga Analytics Unique user identifier for Google Analytics 4 Google LLC 2 years
_ga_<ID> Analytics Session state preservation for Google Analytics 4 Google LLC 2 years
_ym_uid Analytics Unique visitor identifier for Yandex.Metrica Yandex LLC 1 year
_ym_d Analytics Date of first visit Yandex LLC 1 year
_ym_isad Analytics Ad-blocking detection Yandex LLC 1 day
_ym_visorc_* Analytics Recording user actions for Webvisor (scroll maps, heat maps) Yandex LLC 30 minutes

The list may be updated alongside analytics settings. The current version is in this section.

12.4 Cookie Banner and Consent Management

On your first visit to the site, a cookie banner is shown with the option to:

  • Accept all, gives consent to all categories of cookies (including analytics)
  • Necessary only, disables analytics and marketing cookies; only Strictly Necessary cookies are active
  • Customize, choose which categories to enable (by consent)

You can change or withdraw your consent at any time:

  • Via the "Cookie settings" link in the site footer
  • Via your browser settings (delete cookies, block third-party cookies)
  • By writing to support@apxtrainer.com

12.5 SDKs in the Mobile App

The app integrates SDKs from the providers listed in Section 4. Activation of most analytics and advertising SDKs for users in the EU/UK requires your consent via consent management.

12.6 App Tracking Transparency (iOS)

On iOS, Apple requires explicit consent before using the advertising identifier (IDFA). If you decline the ATT prompt:

  • We will continue to use data for first-party analytics (without cross-app/web tracking)
  • Campaign attribution operates only in SKAdNetwork mode (without device identification)
  • No cross-app identifiers leave your device

12.7 Android Privacy Sandbox / AAID

Similarly, we honor the user's choice in system settings.


13. Marketing Communications

13.1 Channels

  • E-mail (only with consent)
  • Push notifications (only with consent for marketing pushes; transactional, without separate consent)
  • In-app messages

13.2 Compliance by Region

  • EU/UK: consent under GDPR / PECR (opt-in)
  • USA: CAN-SPAM (clear from/subject, physical address, working unsubscribe within 10 business days)
  • Canada: CASL (express consent + identification + unsubscribe)
  • Russia: consent under Art. 9 of Russian Federal Law No. 152-FZ + separate consent under Art. 18 of the Federal Law "On Advertising"
  • Australia: Spam Act 2003 (consent + identification + unsubscribe)

13.3 How to Opt Out

  • Unsubscribe link in every marketing e-mail
  • App settings → Notifications
  • By writing to support@apxtrainer.com

14. Children's Privacy

14.1 Age Thresholds by Region

Item Minimum age without parental consent
USA (COPPA) 13
United Kingdom 13
EU, Ireland, Germany, Netherlands, Luxembourg, Hungary, Slovakia, Lithuania, Croatia 16
EU, France, Greece, Czech Republic, Slovenia 15
EU, Spain, Bulgaria, Italy, Cyprus, Austria 14
EU, Belgium, Denmark, Estonia, Finland, Latvia, Malta, Poland, Portugal, Romania, Sweden 13
Canada 13 (PIPEDA, meaningful consent)
Australia 13 (Privacy Code 2026)
Russia 14
UAE 18 (FDL 26/2025, special rules for children)

14.2 What We Do

  • During onboarding, age-gate tied to the device's country
  • We do not accept registration of users under the national minimum without verifiable parental consent (VPC)
  • For teens 13-17 in the USA (Connecticut, Maryland), opt-in for targeted advertising
  • In the UK / Australia, high privacy by default for users under 18 (Children's Code)

14.3 If You Are a Parent and Discover

If a child has provided information without your consent, write to support@apxtrainer.com. We will delete the data.


15. Regional Rights, EU / EEA / United Kingdom / Switzerland

If you use APX while located in the EU, EEA, the United Kingdom, or Switzerland, you have rights under the GDPR / UK GDPR / Swiss FADP: - Access, correction, deletion - Restriction and objection to processing - Data portability - Withdrawal of consent - Lodging a complaint with a DPA

Contact: support@apxtrainer.com or our EU/UK representative (see Section 0).

Legal bases for processing, see Section 3.


16. Regional Rights, United States

16.1 Rights of California Residents (CCPA / CPRA)

You have the right to: - Learn what categories of personal information we have collected, the sources, purposes, and categories of third-party recipients - Obtain a copy of your data - Delete personal information - Correct inaccurate data - Limit the use of Sensitive Personal Information (SPI), health data, biometric, precise geolocation - Opt out of sale or share for cross-context behavioral advertising (we do not sell; for share, see below) - Designate an authorized agent

Honoring Global Privacy Control (GPC): we treat the GPC signal as an opt-out request for sale/share.

"Share" categories under CPRA: we may "share" certain categories for cross-context behavioral advertising with advertising networks (Meta, TikTok, Google, Apple), only with your consent. You may opt out via the cookie banner / ATT / Account settings.

Notice at Collection (short version) is presented at first launch of the app.

Financial incentives (CCPA): we do not provide financial incentives in exchange for personal information.

Minors: we have no actual knowledge of "selling" personal information of persons under 16.

16.2 Rights of Residents of Other US States

We comply with the comprehensive privacy laws of the following states: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Florida (FDBR), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Tennessee (TIPA), Minnesota (MCDPA), Maryland (MODPA), Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RICDPA).

Universal set of rights: access, deletion, portability, opt-out from targeted advertising / sale / profiling, appeal. For states with opt-in regulation of sensitive data (Colorado, Connecticut, Oregon, Montana, Delaware, NH, NJ, Minnesota, Maryland, Indiana, Kentucky, Rhode Island), the collection of health/biometric data requires your consent.

Maryland MODPA, the strictest: data minimization + prohibition on the sale of sensitive data.

Universal opt-out signal (GPC): we honor the signal in most of the listed states.

To exercise your rights, support@apxtrainer.com indicating your state of residence.

16.3 Consumer Health Data (Washington MHMDA / Nevada SB 370 / Connecticut CHD / Maryland MODPA)

What constitutes Consumer Health Data (CHD): - Information about your physical or mental health status (past, present, or future) - Body measurements, fitness metrics, calorie tracking - Information from Apple HealthKit / Google Fit / Health Connect - Information about medications, allergies, dietary preferences - AI chats on health-related topics - Biometric derived metrics (body scan)

Sources of CHD: - Direct entry into the app - Apple HealthKit / Google Fit / Health Connect (with your permission) - Support / e-mail / interviews

Purposes for using CHD: - Personalization of workout and nutrition plans - AI generation of recommendations - Customer service

With whom we share CHD: - Sub-processors from Section 4 that have a DPA obliging them not to use the data for other purposes - No third parties for advertising or marketing without your separate explicit consent - We have not authorized any third parties to collect your consumer health data over time and across different websites or online services

Opt-in consent: the collection and processing of CHD is based on your explicit consent given when enabling the relevant features.

Geofencing: we do not establish geofences within a 2,000-foot radius of any healthcare facility (MHMDA Section 9 requirement).

Your rights: - Access, correction, deletion of CHD - Withdrawal of consent - Lodging an appeal, support@apxtrainer.com with the subject "CHD Appeal"; if the response is unsatisfactory, contact: - Washington: atg.wa.gov/file-complaint - Nevada: ag.nv.gov - Connecticut: ag.ct.gov - Maryland: marylandattorneygeneral.gov

Notice of changes: material changes in the processing of CHD will be sent to you by e-mail in advance.

16.4 BIPA (Illinois) and Analogous Biometric Laws

See Section 10. For users from Illinois, Texas, and Washington, before the first use of body scan, we request separate written consent in accordance with BIPA Section 15 / CUBI / Washington biometric law.

16.5 FTC Health Breach Notification Rule

As an app technically capable of collecting or transmitting data from multiple sources of health information, we comply with the FTC HBNR. In the event of a breach affecting health data, we will notify the affected users, the FTC, and (where ≥500 are affected) the media within the prescribed timeframes.


17. Regional Rights, Russia and the CIS

17.1 Russian Federation

Operator: [insert after registration; the operator processing personal data of users from Russia]

Operator's representative in Russia: see Section 0.

Localization: the recording, systematization, accumulation, storage, modification, retrieval, and updating of personal data of citizens of the Russian Federation are carried out using databases located within the territory of the Russian Federation (Art. 18, part 5 of Russian Federal Law No. 152-FZ). The first recording of personal data of users from Russia is performed via AppMetrica (Yandex, RU hosting). In addition, on the basis of your consent to cross-border transfer, we use Amplitude (USA) and PostHog (USA), including Session Replay, for analytics and product improvement.

Purposes of processing: - Provision of the App's functionality - Analytics and product improvement - Marketing (only with consent) - Compliance with the law

Legal basis: consent of the data subject, the service contract, performance of statutory obligations.

Retention period: see Section 6.

Consent to cross-border transfer (Art. 12 of Russian Federal Law No. 152-FZ): the use of certain features of the App, including analytics and Session Replay via Amplitude (USA) and PostHog (USA), requires the transfer of your personal data to foreign states, in particular the United States. By using these features you give your consent to such cross-border transfer. The list of recipient countries and the adequacy of protection are available upon request to support@apxtrainer.com. You may withdraw this consent at any time by writing to support@apxtrainer.com.

Consent for marketing communications: issued separately under Art. 18 of the Federal Law "On Advertising", opt-in checkbox.

Roskomnadzor notification: the operator has notified Roskomnadzor (RKN) of its intent to process personal data (link / registry number, TBD after registration).

Right to withdraw consent: written request to support@apxtrainer.com. Time for fulfillment, up to 30 calendar days.

Complaint: Roskomnadzor (RKN) (rkn.gov.ru).

17.2 Kazakhstan, Belarus, Uzbekistan

For users from Kazakhstan (Law 94-V), Belarus (Law 99-Z), and Uzbekistan, the requirements of local data protection legislation apply, including the localization of certain categories of data and (where applicable) registration of the database owner.

For users from Ukraine (Law 2297-VI), Ukrainian data protection legislation applies.

Details and the exercise of rights, support@apxtrainer.com.


18. Regional Rights, Canada, Australia, UAE

18.1 Canada (PIPEDA + Quebec Law 25)

  • Right to access, correction, withdrawal of consent, complaint to the Privacy Commissioner
  • Quebec, French language requirement; a French version of the Privacy Policy is available for Quebec residents
  • Person in charge of protection of personal information: support@apxtrainer.com

18.2 Australia (Privacy Act 1988 + APP)

  • Access, correction, complaint to the OAIC
  • Applies to us automatically due to the processing of health information (regardless of revenue)

18.3 United Arab Emirates (UAE PDPL / DIFC DPL / ADGM DPR)

  • Applicable data regime, corresponds to the legal entity registration (mainland / DIFC / ADGM)
  • Cross-border transfer, based on contractual safeguards and consent
  • Health data in mainland UAE is governed by Federal Law No. 2 of 2019 (see also Section 0)

19. Changes to This Policy

We may update this Policy from time to time. We will notify you of material changes: - Through the app / e-mail at least 30 days before they take effect - For particularly material changes, we will request your explicit consent again - The "Last updated" date at the top of the document is always current

An archive of previous versions is available upon request to support@apxtrainer.com.


20. Merger, Sale, Bankruptcy

In the event that the operator is acquired or merged with a third party, we reserve the right to transfer or assign the information collected from users as part of such reorganization. We will notify users of such changes and applicable rights.

In the event of bankruptcy, insolvency, reorganization, appointment of a receiver, or assignment for the benefit of creditors, we may not be able to control how your information is processed, transferred, or used, but we will use reasonable efforts to comply with this Policy.


21. Contacts

E-mail: support@apxtrainer.com
Postal address: Signature Tower 1, Canal Lawn, Dubai, United Arab Emirates

APX

Advanced personal training intelligence for the modern athlete.

Product

  • Features
  • How it works
  • FAQ

Legal

  • Privacy Policy
  • Terms of Use
© 2026 APX Fitness AI. All rights reserved. English (US)