Last Updated and Effective: March 7, 2026
Thank you for using FYTT. This Privacy Policy explains how FYTT, Inc. ("FYTT," "we," "us," or "our") collects, uses, discloses, and protects your information when you use our website, mobile applications, and related services (collectively, the "Service").
We understand that your health and fitness data is personal and sensitive. We are committed to protecting your privacy and handling your data responsibly.
1. Information We Collect
Information You Provide
When you register for and use the Service, we collect information you provide directly, including:
Account Information
Name (first and last)
Email address
Password (stored only as a cryptographic hash)
Profile and Demographic Information
Date of birth
Biological sex
Profile photo
Health and Fitness Data
Body measurements (height, weight, body composition)
Injuries and health conditions
Performance metrics (speed, strength, power, and other athletic measurements)
Workout logs and exercise history
Attendance records
Organization Information (for coaches and administrators)
Organization/team name and description
Role and permissions within your organization
Communications
Messages and conversations within the Service
Coach notes and athlete feedback
Support inquiries
Information Collected Automatically
When you access or use the Service, we automatically collect:
Device and Access Information
Device operating system
Device identifiers
Browser type and version
IP address
Usage Information
Sign-in timestamps and frequency
Features accessed and actions taken
Session duration
Referring URLs
Location Information
Facility or station check-ins
General geographic location derived from IP address
Information from Third Parties
We may receive information about you from third-party services you connect to FYTT, such as:
Wearable devices and fitness trackers (e.g., Catapult, Vitruve)
Team management platforms (e.g., Teamworks)
Calendar and scheduling services (e.g., Calendly)
2. How We Use Your Information
We use the information we collect to:
Provide and Operate the Service
Create and maintain your account
Deliver training programs and workout tracking
Enable communication between coaches and athletes
Process transactions and manage subscriptions
Personalize Your Experience
Customize training recommendations based on your profile and history
Display relevant content and features for your role (athlete, coach, administrator)
Improve the Service
Analyze usage patterns to enhance features and performance
Diagnose technical problems and monitor system health
Conduct research and development
Communicate with You
Send transactional emails (account verification, password resets, workout notifications)
Provide customer support
Send product updates and announcements (with your consent where required)
Ensure Safety and Security
Detect and prevent fraud, abuse, and security incidents
Enforce our Terms of Service
Comply with legal obligations
3. How We Share Your Information
We do not sell your personal information.
We share your information only in the following circumstances:
Within Your Organization
If you are part of an organization (team, gym, or training facility) on FYTT:
Athletes: Your coaches and administrators can view your profile, workout data, metrics, and (where authorized) injury information
Coaches: Athletes on your teams can see your name and role; administrators can view your activity
With Service Providers
We engage third-party companies to perform services on our behalf. These providers are contractually obligated to protect your information and use it only for the services we specify.
Category | Providers | Purpose
Infrastructure & Hosting | Heroku (Salesforce), Amazon Web Services | Application hosting, data storage, computing
Database | Heroku PostgreSQL | Data storage and management
Email Delivery | Postmark | Transactional email sending
Push Notifications | Firebase Cloud Messaging | Mobile app notifications
Payment Processing | Stripe | Subscription billing and payments
Customer Support | Intercom | In-app messaging and support
Analytics | Segment | Usage analytics and event tracking
Performance Monitoring | New Relic, Scout APM | Application performance and reliability
Error Tracking | Rollbar | Error detection and debugging
AI Services | OpenAI | AI-powered features (see Section 4)
A current list of our subprocessors is available upon request.
With Third-Party Integrations
When you or your organization connects third-party services (such as Catapult, Vitruve, or Teamworks), data may be shared with those services according to their privacy policies and your organization's configuration.
For Legal and Safety Reasons
We may disclose information when we believe it is necessary to:
Comply with applicable law, regulation, or legal process
Protect the rights, property, or safety of FYTT, our users, or others
Enforce our Terms of Service
Respond to lawful requests from public authorities
Business Transfers
If FYTT is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or control of your personal information.
4. Artificial Intelligence Features
FYTT offers AI-powered features ("Flex AI") that help coaches create training programs, analyze athlete data, and manage workouts through a conversational interface.
How AI Features Work
When you use AI features, your inputs and relevant data are processed by third-party AI providers (currently OpenAI) to generate responses. The AI operates under strict controls:
Human Review Required: All AI-generated training programs require coach review and approval before athletes receive them
Tool-Based Access: The AI cannot access data directly; all data retrieval goes through our authorization systems
Domain Guardrails: The AI is instructed not to provide medical advice or make return-to-play decisions
No PHI in Training: PHI is not used for training, fine-tuning, reinforcement learning, or model improvement, whether for commercial, internal, or derivative purposes.
No PHI Aggregation: PHI is not aggregated into generalized datasets, and de-identified versions of our PHI are not used for AI training, development, or system improvement.
No Data Retention for Training: Prompts, outputs, embeddings, or metadata are not retained for model development purposes.
No PHI Commingling: PHI is not commingled with data from other customers within shared model contexts.
Data Sent to AI Providers
When AI features are used, the following data may be sent to our AI provider:
Data Category | When Sent | Purpose
Coach messages | Every AI interaction | To understand and respond to requests
Conversation history | Every AI interaction | To maintain context
Athlete names | When specifically referenced (@mentioned) | To identify correct athletes
Workout history | When coach requests athlete research | To provide accurate data
Performance metrics | When coach requests athlete research | To inform recommendations
Injury records | When coach requests (requires PHI authorization) | To consider in programming
AI Provider Commitments
Our agreement with OpenAI includes:
Zero Data Retention: API inputs and outputs are not retained beyond operational and safety needs
No Model Training: Your data is not used to train AI models
Opting Out of AI Features
AI features are optional. Individual coaches can choose not to use AI features without impacting access to other Service functionality.
5. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve the Service.
Types of Cookies We Use
Strictly Necessary Cookies
Required for the Service to function. These enable core features like authentication, session management, and security. You cannot opt out of these cookies.
Performance and Analytics Cookies
Help us understand how the Service is used so we can improve it. These collect aggregated, anonymous usage data.
Functionality Cookies
Remember your preferences and settings to provide enhanced features.
Other Tracking Technologies
Log Files: Our servers automatically record information including IP addresses, browser types, and access times
Analytics Identifiers: We use anonymous identifiers to understand usage patterns across sessions
Managing Cookies
Most web browsers allow you to control cookies through their settings. Note that disabling certain cookies may affect the functionality of the Service.
Do Not Track
The Service does not currently respond to "Do Not Track" browser signals, as there is no industry standard for how to respond to such signals.
6. Data Security
We implement comprehensive security measures to protect your information:
Encryption
In Transit: All data transmitted to and from the Service is encrypted using TLS 1.2 or higher (HTTPS)
At Rest: Sensitive personal information (including email, name, birthdate, and biological sex) is encrypted at the application level using AES-256-GCM encryption
Passwords: Stored only as cryptographic hashes; we cannot access your actual password
Access Controls
Role-based access controls ensure users can only access data appropriate to their role
Multi-tenant architecture with strict data isolation between organizations
Administrative access limited to authorized personnel on a need-to-know basis
Infrastructure Security
Hosted on SOC 2-compliant infrastructure
Automated security patching and updates
Regular security assessments and monitoring
Automated backups with encryption
Health Information
For health-related data, we implement additional safeguards consistent with industry standards for protected health information (PHI), including access controls, audit logging, and encryption.
Security Incident Response
In the event of a data breach that affects your personal information, we will:
Investigate and contain the incident promptly
Notify affected users and relevant authorities as required by applicable law
Take steps to prevent future incidents
7. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Policy.
Retention Periods
Data Type | Retention Period
Account information | Duration of account plus 30 days after deletion request
Workout and training data | Duration of account
Health and injury data | Duration of account
Conversation messages | Duration of account
Analytics data | Aggregated data retained indefinitely; identifiable data retained up to 2 years
Server logs | 180 days
Account Deletion
When you request account deletion:
Your personal information will be deleted or anonymized within 30 days
Some information may be retained longer if required for legal, security, or legitimate business purposes (e.g., resolving disputes, enforcing agreements)
Backup copies may persist for a limited time as part of our disaster recovery processes
8. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information.
Rights for All Users
Access: View the personal information we hold about you through your account settings
Correction: Update inaccurate information through your account or by contacting us
Deletion: Request deletion of your account and personal information
Data Export: Request a copy of your data in a portable format
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and third parties with whom we share it
Right to Delete: Request deletion of your personal information, subject to certain exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out of Sharing: We do not sell or share your personal information for cross-context behavioral advertising
Right to Limit Use of Sensitive Personal Information: Request limits on the use of sensitive personal information (such as health data) beyond what is necessary to provide the Service
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
Categories of Personal Information Collected (in the preceding 12 months):
Identifiers (name, email, IP address, device identifiers)
Personal information under California Civil Code Section 1798.80 (name, physical characteristics)
Protected classification characteristics (age, sex)
Commercial information (subscription history)
Internet or network activity (usage data, browsing history within the Service)
Geolocation data (general location from IP, facility check-ins)
Sensory data (photos, videos you upload)
Professional or employment-related information (organization role)
Sensitive personal information (health data)
To exercise your California privacy rights, contact us at [email protected] or submit a request through your account settings.
European Economic Area, UK, and Swiss Residents
If you are in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) or equivalent laws:
Legal Basis: We process your data based on: (a) your consent; (b) performance of a contract with you; (c) compliance with legal obligations; or (d) our legitimate interests (such as improving the Service), balanced against your rights
Right to Access: Obtain confirmation of whether we process your data and receive a copy
Right to Rectification: Correct inaccurate or incomplete data
Right to Erasure: Request deletion of your data in certain circumstances
Right to Restriction: Request that we limit processing of your data
Right to Data Portability: Receive your data in a structured, machine-readable format
Right to Object: Object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time
Right to Lodge a Complaint: File a complaint with your local data protection authority
To exercise your rights, contact us at [email protected].
Exercising Your Rights
To submit a privacy request:
Email: [email protected]
We will verify your identity before processing requests. You may designate an authorized agent to make requests on your behalf.
We will respond to verified requests within 30 days (or 45 days if we notify you of an extension).
9. International Data Transfers
FYTT is based in the United States, and your information is processed and stored in the United States.
If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country.
For transfers from the EEA, UK, or Switzerland, we rely on:
Standard Contractual Clauses approved by the European Commission
Data Processing Agreements with our service providers that include appropriate safeguards
By using the Service, you consent to the transfer of your information to the United States and other countries where we or our service providers operate.
10. Children's Privacy
The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13.
Additionally, users must be at least 18 years old to create an account independently. Users between 13 and 18 may only use the Service when added to an organization by an authorized administrator (such as a coach or school athletic department) with appropriate parental or guardian consent as determined by the organization.
If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child under 13, please contact us at [email protected].
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.
When we make material changes, we will:
Update the "Last Updated" date at the top of this Policy
Notify you by email or through a notice within the Service
Where required by law, obtain your consent to material changes
We encourage you to review this Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Email: [email protected]
Mailing Address: FYTT, Inc. 2701 N Thanksgiving Way Ste 100 Lehi, UT, 84043
For data protection inquiries from the EEA, UK, or Switzerland, you may also contact our data protection representative at [email protected].
Additional Disclosures
Health Information Practices
FYTT processes health and fitness data to provide the Service. For organizations that are covered entities or business associates under HIPAA, we maintain appropriate safeguards and will enter into Business Associate Agreements as required. Contact us at [email protected] to request a BAA.
Notice to Athletes
If you are an athlete using FYTT through an organization (team, gym, or training facility), please note:
Your organization's coaches and administrators can access your workout data, metrics, and profile information
Your organization may use AI-powered tools to create training programs; coaches review all AI-generated content before it reaches you
Your organization may have its own privacy policies that apply in addition to this Policy
Contact your organization's administrator if you have questions about how your data is used within your organization






