AhrensFit

Privacy Policy

Last updated: June 3, 2026

AhrensFit ("AhrensFit", "we", "us", "our") provides a personal fitness, nutrition, and wellness tracking application available at ahrensfitness.com and related subdomains (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. By using the Service you agree to this Policy.

1. Summary

  • We collect only what we need to run the Service and the data you choose to log.
  • We do not sell your personal data, ever.
  • We do not use your health data for advertising.
  • You can export or permanently delete your account and all associated data at any time.
  • Health data is treated as sensitive personal information regardless of jurisdiction.

2. Information we collect

2.1 Information you provide directly

  • Account information: email address, password (stored only as a salted hash), display name.
  • Profile and goals: sex, age, height, weight, activity level, training days per week, goal type, target weight, reasons for using the app, dietary preferences. All optional fields can be left blank.
  • Logged activity: meals and foods, water intake, mood ratings, sleep, weight measurements, workouts (sport, duration, distance, calories, notes), and any other metrics you record.
  • Challenges and social: challenges you create or join, your display name as shown to other participants, and your aggregate progress within those challenges.
  • Communications: messages you send us via email or support channels.

2.2 Information from third-party integrations

When you connect a third-party fitness service, we receive only the data scopes you authorize and use it solely to populate your own dashboard, goals, and challenges:

  • Strava: athlete profile (first name, last name, athlete ID), and your activities (type, start time, duration, distance, calories, average heart rate). Required scopes: read, activity:read_all.
  • Oura Ring: daily sleep, activity, readiness, and heart-rate summaries. Scopes: daily, heartrate, personal, session, workout.
  • Peloton (unofficial): workout history pulled with the credentials you provide. See Section 7 for additional disclosures specific to this integration.
  • Apple Health (via iOS Shortcuts webhook): the specific metrics you choose to send from the Health app on your iPhone (e.g. steps, sleep, heart rate, workouts). We never read your Health database directly; only the values your Shortcut posts to our endpoint are stored.

We never receive — and never request — your social graph, contacts, photos, location history outside of recorded workouts, or any data unrelated to your fitness and wellness tracking.

2.3 Information collected automatically

  • Authentication events: sign-in attempts, sign-outs, and password changes, with timestamps. Retained for security auditing.
  • Diagnostic logs: minimal server-side error logs (route, error type, timestamp). We do not log request bodies or your health data in our error stream.
  • Cookies and local storage: a session cookie/JWT for authentication and a small amount of local storage for client-side preferences. We do not use third-party advertising or cross-site tracking cookies. See our Cookie Policy for the full list.

3. How we use your information

We use your information only to:

  • Provide, maintain, and personalize the Service (dashboards, plans, badges, charts).
  • Compute progress toward your goals and challenges.
  • Sync data from third-party integrations you have connected.
  • Send you transactional emails (password reset, security alerts, account changes).
  • Diagnose bugs, prevent abuse, and improve reliability.
  • Comply with legal obligations.

We do not use your data to train external machine-learning models, to build advertising profiles, or to sell to data brokers.

4. Legal bases (EEA / UK users)

  • Contract: processing necessary to provide the Service you signed up for.
  • Consent: for connecting third-party integrations and for processing special-category health data. You may withdraw consent at any time by disconnecting the integration or deleting your account.
  • Legitimate interests: securing the Service, preventing abuse, and basic diagnostics.
  • Legal obligation: responding to lawful requests.

5. Sharing and disclosure

We share personal data only with the following categories of recipients:

  • Other challenge participants: when you join or create a challenge, your display name and aggregate progress toward that challenge are visible to other participants. Your raw logs, meals, weight, mood, and connected-integration data are never shared with other users.
  • Infrastructure providers (sub-processors): Supabase (managed Postgres + auth), Cloudflare (edge runtime and DNS), and Lovable (hosting platform). These providers process data on our behalf under written data-processing agreements and may not use the data for any other purpose.
  • Third-party integrations you connect: outbound only — e.g. OAuth handshakes with Strava or Oura. We do not push your data to any service you have not explicitly authorized.
  • Legal and safety: if required by valid legal process, or to protect rights, safety, or property. We will notify you unless legally prohibited.
  • Business transfers: if AhrensFit is acquired, your data may transfer to the successor subject to the same protections in this Policy. We will notify you of any material change.

We do not sell or rent personal information.

6. Data security

  • All traffic is encrypted in transit with TLS 1.2+.
  • Data is encrypted at rest by our infrastructure provider.
  • Passwords are stored as salted bcrypt hashes — never in plaintext.
  • Row-Level Security is enforced at the database layer so a user can only access their own rows.
  • OAuth access and refresh tokens are stored in a server-only table that is not readable from any client; only signed-in server processes with elevated privileges can decrypt them.
  • HMAC-derived sub-keys are used to sign OAuth state parameters and ingestion tokens so that a compromise of one secret does not compromise others.

No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you without undue delay and, where required, within 72 hours of discovery.

7. Special note: Peloton credentials

If you choose to connect Peloton, we store your Peloton email and password in encrypted form so that our server can authenticate against Peloton's private API on your behalf. Because this encryption is reversible (we must be able to decrypt to log in), it is not as strong a protection as a one-way hash. By enabling the Peloton integration, you acknowledge:

  • Peloton does not offer an official API; this integration uses unofficial endpoints and may break at any time without notice.
  • Peloton may suspend your account for use of unofficial clients.
  • You should use a password that is unique to Peloton and not reused on any other service.
  • You can revoke this integration at any time on the You → Integrations page, which permanently deletes the stored credentials.

8. Data retention

  • Profile and logged data: retained for as long as your account is active.
  • Authentication and security event logs: up to 24 months.
  • Server error logs: up to 30 days.
  • Backups: up to 30 days after deletion, after which records are fully purged.
  • When you delete your account, all personal data is removed within 30 days, except where we are legally required to retain it (e.g. tax or fraud records).

9. Your rights

Regardless of where you live, you may:

  • Access, correct, or update your profile at any time from the You page.
  • Export your data in a portable JSON or CSV format on request.
  • Permanently delete your account and all associated data from the You page or by emailing us.
  • Disconnect any third-party integration, which deletes the stored tokens and stops the sync.
  • Object to or restrict certain processing (EEA/UK).
  • Lodge a complaint with your local data-protection authority (EEA/UK), or with the California Privacy Protection Agency (California residents).

California residents have specific rights under the CCPA/CPRA, including the right to know, delete, correct, and limit the use of sensitive personal information. We honor "Do Not Sell or Share My Personal Information" requests automatically — we do not sell or share for cross-context behavioral advertising in the first place.

10. Children

The Service is not intended for children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

11. International transfers

Our infrastructure is hosted in the United States. By using the Service from outside the U.S., you consent to the transfer of your data to the U.S. and to the use of standard contractual clauses where required by law.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be announced in-app and, where we have your email, by email at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.

13. Contact

Questions, requests, or complaints? Email privacy@ahrensfitness.com.

Terms of ServiceCookie PolicyHome