Privacy Policy

Effective date: May 4, 2026

This policy explains what personal data Oryx Fitness collects, why, and how we handle it. It is written to align with the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the DIFC Data Protection Law where applicable.

Data controller

The data controller is the entity operating Oryx Fitness. For data requests or complaints, contact privacy@oryxfitness.app.

What we collect

Account data: email, hashed password, optional name and display name, language preference, role.

Onboarding data: age range, gender (optional), height, weight, fitness level, running history, primary goal, preferred run time, running surface, health concerns you choose to disclose.

Workout data: training plans, scheduled workouts, completed runs (GPS traces, distance, duration, pace, heart rate if you connect a device), strength sessions, body check-ins, milestones.

Coaching content: messages with AI Coach, FAQ chats, buddy messages.

Subscription data: Apple In-App Purchase transaction identifiers, product purchased, status, environment (sandbox or production). We do not see your card details — Apple processes payments.

Device data: device push notification tokens, app version, locale, time zone.

Diagnostic data: error reports, performance traces, and product analytics events used to fix bugs and improve the app. These do not include precise location or message content.

Why we use it (lawful basis)

Contract performance — to deliver coaching, track your runs, and adapt your plan.

Consent — for push notifications, optional health metrics, and AI-generated coaching content. You can withdraw consent at any time in Settings.

Legitimate interest — fraud prevention, security monitoring, and product improvement using aggregated diagnostics.

Legal obligation — record retention required by applicable law.

Who we share with

Oryx Fitness uses a small number of carefully chosen processors. Each processes data only on our instructions:

Apple Inc. — App Store payments, push notifications, App Store Server Notifications.

Google LLC — Generative AI (Gemini) for coaching tips, plan generation, and post-run analysis. AI requests do not include direct identifiers; user content is sent under Google's enterprise terms.

Resend, Inc. — transactional email delivery (welcome, plan-ready, password reset, weekly summary).

Mapbox, Inc. — map tiles. Mapbox does not receive your account identity.

OpenWeatherMap — weather context for plan adaptation. We send a coarse location, not your route.

Sentry, Inc. — server and client error tracking. We configure Sentry to omit personally identifiable information.

PostHog Inc. — product analytics (events). Hosted on PostHog's EU region. We disable session recording.

We do not sell personal data. We do not share data with advertisers.

Cross-border transfers

Some processors above operate outside the UAE. Where required, we rely on Standard Contractual Clauses or equivalent safeguards. You may request the list of processor locations from privacy@oryxfitness.app.

How long we keep it

Account and workout data: while your account is active, plus 12 months after account deletion to satisfy refund and dispute windows.

Diagnostic logs: up to 30 days.

Subscription records: kept for 7 years for tax and accounting purposes.

Your rights

You have the right to:

access the personal data we hold about you;

correct inaccurate data;

delete your account and associated data;

export your data in a machine-readable format;

object to or restrict processing based on legitimate interest;

withdraw consent for any consent-based processing without affecting processing already done;

lodge a complaint with the UAE Data Office or the DIFC Commissioner of Data Protection.

Most rights can be exercised in Settings. For others, email privacy@oryxfitness.app. We respond within 30 days.

Security

We encrypt data in transit (TLS) and at rest. Passwords are hashed (bcrypt). Database access is restricted by role and audited. We use isolated environments for sandbox versus production. No system is perfectly secure; we will notify you of incidents that affect your data within the timeframes required by law.

Children

Oryx Fitness is not directed to children under 13. If you believe a child has created an account, contact privacy@oryxfitness.app and we will delete it.

Health disclaimer

Coaching content in Oryx Fitness is educational. It is not a substitute for medical advice, diagnosis, or treatment. Stop running and consult a qualified professional if you experience pain, dizziness, chest tightness, or any other concerning symptom.

Changes to this policy

We will notify you of material changes by email or in-app at least 30 days before they take effect. Continued use after the effective date means you accept the changes.