Max AIMax AIBack to app

Privacy Policy

How we handle the data you trust us with.

Effective May 14, 2026·Last updated May 14, 2026

1. Overview

Max AI is a fitness-coaching service that uses artificial intelligence to help you plan workouts, log nutrition, track progress, and chat about your goals. This policy explains what data we collect, why we collect it, who we share it with, and the controls you have over it.

We try to keep this document short and direct. If anything here is unclear, email support@notifications.maxfitness.info and we'll explain in plain language.

2. What we collect

2.1 Account information

  • Name, email address, and (optionally) phone number.
  • Authentication identifiers — either a password we never store directly (we store a one-way hash) or a Google account ID if you sign in with Google.
  • Subscription / billing status and Stripe customer ID if you upgrade to a paid plan.

2.2 Fitness profile

  • Age, gender, weight, height, fitness level.
  • Goals, equipment availability, injuries or physical limitations you choose to share, and workout interests.

2.3 Activity data

  • Workouts you create, schedule, or complete (sets, reps, weight, rest).
  • Nutrition entries you log (food items, photos of meals, macros, calories).
  • Progress photos you upload (only when you explicitly grant consent via the Progress Tracker — see Section 2.5).
  • Programs and challenges you enroll in.

2.4 Conversations

  • Text chat messages you exchange with our AI assistant, including any images you attach for analysis.
  • Voice conversation transcripts when you talk to the assistant (we transcribe your speech to text and the assistant's replies via our voice provider, Vapi).

2.5 Progress Tracker consent

Progress photos are sensitive. We do not store progress photos unless you explicitly opt in via the in-app consent prompt. You can revoke that consent at any time in Settings, and we will remove your stored progress photos within a reasonable period after revocation.

2.6 Technical data

  • IP address, browser type, device type, and approximate location (city/region derived from IP) for security, fraud prevention, and service reliability.
  • Last-active timestamps so we can show inactive-user reminders only to people who haven't logged in for an extended period (and so our trainer-side analytics reflect real engagement).

3. How we use it

  • To provide the service — generate workouts, analyze meals, hold conversations, track progress, and remember your preferences across sessions.
  • To personalize recommendations — your fitness profile shapes what the AI suggests; your activity history shapes future plans.
  • To communicate with you — confirmation emails, password resets, billing notices, and (if you have not opted out) occasional product or coaching updates.
  • To keep the service safe — detect abuse, prevent fraud, enforce our terms, and protect other users.
  • To improve the product — aggregated, de-identified usage data informs roadmap decisions. We do not sell your data and we do not train third-party AI models on your conversations (see Section 4).

4. AI features and your data

Max AI sends your messages and selected profile context to third-party AI providers so they can generate responses on our behalf. Specifically:

  • OpenAI — chat replies, voice-call summaries, meal photo analysis, and workout-recommendation generation. OpenAI processes the data under their API terms; per OpenAI's policy, content submitted via the API is not used to train their models by default.
  • Anthropic — used selectively for certain coaching and analytical tasks. Same default: API content is not used to train Anthropic's models.
  • Vapi, Deepgram, ElevenLabs — voice infrastructure. When you talk to the assistant, your audio is streamed to these services for speech-to-text and text-to-speech. Transcripts of your call are stored on our servers so you can refer back to them.

We pass only the minimum data necessary for each request. Profile context (your first name, fitness goals, equipment) may be included so the assistant can address you correctly and give relevant advice. We do not pass your password, billing details, or progress photos to any AI provider unless they are the explicit subject of the request (e.g. meal-photo analysis, which sends only the food image plus your calorie goal).

4.1 AI is not medical advice

The fitness, nutrition, and recovery suggestions you get from Max AI are general guidance, not medical advice, diagnosis, or treatment. If you have a health condition, are pregnant, or are managing an injury, talk to a qualified professional before acting on what the assistant says.

5. Who we share data with

We share data only with the service providers we need to run the product. We do not sell your data and we do not share it with advertisers.

  • Supabase — primary database and authentication host. Your account, fitness profile, workouts, and chat history live here.
  • Netlify — hosting and serverless function execution. Receives request data while serving the app.
  • OpenAI & Anthropic — AI inference (see Section 4).
  • Vapi, Deepgram, ElevenLabs — real-time voice transcription and synthesis when you use the voice assistant.
  • Stripe — payment processing when you upgrade to a paid plan. We do not see or store your full card number; Stripe handles all card data subject to PCI-DSS.
  • HighLevel (GoHighLevel / GHL) — the CRM your trainer uses to follow up with clients. If your trainer's account is linked to GHL, your name, email, phone, and a weekly activity summary are pushed there. You can ask us to disconnect this at any time.
  • Resend — transactional email delivery (password resets, confirmations).
  • Google — if you choose "Sign in with Google," Google handles authentication and shares only your name, email, and profile picture with us.

We may also disclose data when required by law (subpoena, court order, lawful government request) or when necessary to protect our rights, your safety, or the safety of others.

5.1 Coaches and trainers

If you invite a coach to your account (via the "Invite my coach" feature), that coach can view the sections of your data you explicitly share with them — typically workouts, tracking, and nutrition. They can also build workouts on your behalf. You control what they can see at any time from Settings, and you can remove their access in a single click.

6. Storage and security

Your data is stored on Supabase's managed Postgres infrastructure and Supabase Storage (for files like profile photos and progress photos). Both are encrypted at rest and in transit.

We apply row-level security so that, by default, only you can read and write your own rows. Server-side service-role access is used for legitimate operations (cross-user reports your coach sees, aggregate analytics) and is gated behind authentication checks in every API route.

No system is perfectly secure. We'll notify you (and any regulators required by law) if we ever experience a breach affecting your account.

7. How long we keep data

  • Account & profile data — for as long as your account is active.
  • Workouts, tracking, nutrition entries — retained so we can show you trends. You can delete individual entries any time.
  • Chat history — retained so you can scroll back. You can clear it in Settings.
  • Voice call recordings — we don't store audio; we only keep transcripts.
  • Backups — Supabase keeps point-in-time backups for up to 30 days for disaster recovery.
  • Deleted accounts — when you delete your account, we remove your personal data from our active systems within 30 days. Backups age out within another 30 days.

8. Your rights and choices

Depending on where you live (GDPR for the EU/UK, CCPA for California, and similar laws elsewhere), you have some or all of these rights:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix anything inaccurate. Most of your profile is editable directly in Settings.
  • Deletion — request that we delete your account and personal data. You can also delete your account yourself in Settings.
  • Portability — get your data in a structured, machine-readable format.
  • Objection / restriction — ask us to stop or restrict certain processing.
  • Opt out of marketing — every marketing email has an unsubscribe link, and you can also disable in-app reminders in Settings.

To exercise any of these rights, email support@notifications.maxfitness.info from the address tied to your account. We'll respond within 30 days.

9. Cookies and local storage

We use cookies and your browser's local storage for things the app genuinely needs to work:

  • Authentication — your session token is stored client-side so we don't prompt you to log in on every page.
  • Preferences — your theme (light/dark), in-progress workouts, and other UI state.
  • Tenant routing — when you visit a gym subdomain, a short-lived cookie remembers which tenant you're on.

We do not use third-party advertising cookies or behavioral tracking pixels.

10. Children

Max AI is not intended for children under 13 (or under 16 in the EU/UK). We do not knowingly collect data from children. If you believe a child has signed up, contact us and we'll remove the account.

11. International users

Our servers and primary service providers (Supabase, Netlify, OpenAI, Anthropic, Stripe) are based in the United States. If you use Max AI from outside the US, your data is transferred to and processed in the US. By using the service, you consent to that transfer. Where required (GDPR), we rely on the Standard Contractual Clauses our providers have in place.

12. Changes to this policy

We may update this policy as the product evolves. If we make material changes (for example, a new third-party we share data with), we'll notify you in-app or by email before the change takes effect. The "Effective" and "Last updated" dates at the top of this page always reflect the current version.

13. Contact us

Questions, complaints, or requests under any of the rights above:

Privacy Policy