For Individuals For Coaches Features Lab Results
Get Early Access

Privacy Policy

Last updated: April 19, 2026

This Policy explains what OwnHealth.FIT collects, how we use it, and the choices you have.

1. Introduction

This Privacy Policy describes how OwnHealth.FIT ("we," "us," or "our") collects, uses, and discloses information when you use our website, application, and related services (collectively, the "Service"). By using the Service, you acknowledge the practices described here.

We take the privacy of your health information seriously. OwnHealth.FIT is a health optimization platform, and much of the data you provide is sensitive. We commit to handling it with care, collecting only what we need, and being transparent about what happens to it.

2. Who we are

OwnHealth.FIT is operated by OwnHealthFit, LLC, a Louisiana limited liability company, with principal contact at the email and postal address listed in Section 15.

3. Information we collect

3.1 Information you provide directly

When you create an account or use the Service, you may provide:

  • Account information: email address, name, password (stored as a salted hash, never in plaintext), display name, sex (optional).
  • Profile information: coaching goals, tier selection, notification preferences.
  • Protocol information: compounds and supplements you are taking, doses, schedules, start dates.
  • Body metrics: weight, body fat percentage, body measurements, and other metrics you log manually.
  • Progress photos: images you upload to track physical changes over time.
  • Journal and check-in entries: daily logs of doses taken, notes, wellness check-ins.
  • Nutrition and workout logs: meals, macros and micronutrients, workout sessions, sets, reps, and related data you log through the Service.
  • Lab results: biomarker values you enter manually or PDFs you upload for AI-assisted extraction.
  • Messages: content you send to your coach or support.
  • Payment information: if and when we introduce billing, payment details are collected and processed by our payment processor (e.g., Stripe) — we do not store full card numbers.

3.2 Information from coaches or team leaders

If you join the Service via a coach invitation, your coach may create your account, assign recommended protocols, assign meal templates or training programs, and log information about your progress. Your coach has access to the data you share with them as described in Section 5.

3.3 Information from connected services

You may connect third-party services to your account. When you do, we receive the data types you authorize. Connected services include:

  • Withings — weight, body composition, blood pressure, heart rate, and sleep data from Withings devices.
  • Oura — sleep sessions (duration, stages, efficiency), readiness scores, heart rate variability, resting heart rate, temperature deviation, and activity data.
  • seca — body composition data imported from CSV files.
  • Nutritionix — we query Nutritionix on your behalf for food search, barcode lookups, and natural-language meal parsing. Nutritionix does not receive your account identity — only the search query.
  • USDA FoodData Central — we import the USDA public food database into our own servers; no personal data flows to USDA.
  • Future connections may include: additional wearable devices (Whoop, Garmin, Fitbit), lab partners, and supplement/e-commerce partners. When we add a new integration, we will update this Policy.

We retain OAuth tokens for connected services. Refresh tokens are encrypted at rest. You can disconnect any integration at any time from your account settings.

3.4 Information collected automatically

Like most web applications, we automatically collect certain technical information:

  • IP address and approximate geolocation (derived from IP).
  • Browser and device type.
  • Pages visited within the Service and timestamps.
  • Session tokens (stored as a cookie and in browser local storage) used to keep you signed in.

We do not currently use third-party analytics, advertising trackers, or marketing cookies. If this changes, we will update this Policy and, where required, present a consent notice.

4. How we use information

We use information to:

  • Provide and operate the Service — display your data, sync with connected services, enable coaching relationships.
  • Personalize your experience — surface relevant research, filter content to your active protocol, generate personalized insights.
  • Enable communication — between you and your coach, between you and our support team, and for transactional emails (account actions, password resets, invitations).
  • Improve the Service — debug issues, understand usage patterns, build new features.
  • Power AI features — your current protocol, recent labs, and journal entries may be included in prompts sent to our AI provider (Anthropic) to generate personalized chat responses and insight reports. AI processing is described in Section 6.
  • Comply with legal obligations and protect rights.

We do not sell your personal information. We do not share your data with advertisers.

5. How we share information

5.1 With your coach

If you are a member on a coach's team, your coach can view the data you choose to share with them. By default this includes your protocol, body metrics, progress photos, lab panels, nutrition and workout logs, journal entries, and messages you send them. You can see what your coach has access to in your account settings. If you do not want a specific data type shared, contact your coach or disable the relevant feature.

5.2 With team members

If you are part of a team led by a coach, the coach and any assistant coaches on that team can see your data as described above. Other team members generally cannot see your data unless a specific team feature explicitly enables that (no such feature exists at the time of this policy).

5.3 With service providers

We use third-party services to operate the platform. These include:

  • Hosting: Render (application hosting).
  • Database and storage: Supabase (Postgres database and file storage).
  • Email delivery: Resend (transactional emails).
  • AI processing: Anthropic (Claude models for chat, insights, lab PDF extraction, and metadata generation).
  • Integration providers: Withings, Oura, Nutritionix, USDA FoodData Central, ExerciseDB (data feeds from these providers).
  • Laboratory services (when lab integration goes live): Our partnered clinical laboratory and its associated billing and order-entry systems. Lab results received through this pipeline are Protected Health Information (PHI) under HIPAA where applicable.
  • Physician oversight network (when lab integration goes live): A licensed medical provider network that reviews and authorizes direct-to-consumer lab orders where required by state law.
  • Payment processor (when billing goes live): Stripe.

Each provider processes data on our behalf under a data processing agreement or Business Associate Agreement (BAA) where applicable to health information.

5.4 For legal compliance and protection of rights

We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of OwnHealth.FIT, our users, or others.

5.5 Business transfers

If OwnHealth.FIT is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.

6. AI and automated processing

The Service uses large language models operated by Anthropic (Claude) to power:

  • The AI chat feature (research-style answers to your questions).
  • AI-generated insight reports (longitudinal analysis of your data).
  • Lab result PDF extraction (converting uploaded PDFs to structured biomarker data).
  • Catalog metadata generation (admin-only feature).

When you interact with AI features, we send contextual information to the AI provider. This may include your current protocol, recent lab panels, journal entries, and the content of your messages. We do not send this data to train Anthropic's models — our API use is covered by Anthropic's commercial data handling terms, which (at the time of this policy) do not train on customer data.

AI outputs are for informational and educational purposes only and are not medical advice. See Section 7.

7. Health information

7.1 HIPAA

HIPAA (the Health Insurance Portability and Accountability Act) applies specifically to "covered entities" (health plans, healthcare providers that transmit health information electronically in connection with covered transactions, and healthcare clearinghouses) and their "business associates." OwnHealthFit, LLC is not a HIPAA-covered entity or business associate, and the health-related information you enter through the Service is not Protected Health Information (PHI) under HIPAA in our current handling of it.

We nevertheless apply the same level of care to your health data that we would apply to PHI, including encryption in transit and at rest, role-based access controls, audit logging of privileged actions, and breach notification practices consistent with federal and state law. All data you enter (protocols, metrics, journal entries, nutrition and workout logs, manually entered labs) is sensitive personal health information, and we treat it accordingly.

If and when we introduce features that would subject portions of the Service to HIPAA — for example, transmitting laboratory orders on your behalf to a clinical laboratory partner and receiving results through that partner — we will implement HIPAA-compliant procedures for those specific portions of the Service, including Business Associate Agreements with relevant service providers, and update this Policy accordingly.

7.2 Lab results and biomarker data

Lab results you enter manually, PDFs you upload, or results received through our lab partner integration are stored in your account and visible to you and your coach (where applicable). Lab results are encrypted at rest and in transit. Raw PDFs are stored in a private file bucket with signed-URL access. We will not disclose your lab data to anyone outside the parties described in this Policy.

7.3 Protocol, compound, and supplement data

The protocols you track (including peptides, supplements, prescription medications, and other compounds) are personal and sometimes sensitive. We treat this data with the same care as other health information. We do not report this information to employers, insurers, or any other third party except as described in Section 5.

7.4 De-identified and aggregated data

We may generate de-identified or aggregated data that cannot reasonably be used to identify you (for example, counting how many users track a particular supplement, or computing average adherence rates across our user base). Such de-identified data is not subject to this Policy and may be used to improve the Service, inform product decisions, or share in summary form.

8. Data retention

We retain your data as long as your account is active. If you close your account, we retain limited data (such as billing records and transactional logs) for as long as required by law or reasonable business purposes, and delete or de-identify the remainder within a reasonable timeframe.

Specific retention practices:

  • Account data: until account closure, then deleted within 90 days.
  • Health data (protocols, metrics, labs, journal, nutrition, workouts): until account closure + 90 days, unless legally required to retain longer.
  • Messages and coach interactions: until account closure + 90 days.
  • Payment records: retained as required by tax and financial regulations (typically 7 years).
  • Server logs: rotated within 90 days.
  • Backups: overwritten on a rolling schedule; deleted data may persist in backups for up to 90 days.

9. Your rights and choices

Depending on where you live, you may have legal rights regarding your personal information:

  • Access — request a copy of the information we hold about you.
  • Correction — ask us to correct inaccurate information.
  • Deletion — request that we delete your information (subject to legal and operational exceptions).
  • Portability — request a machine-readable copy of your data.
  • Opt-out — opt out of non-essential email communications.
  • Disconnect — disconnect any third-party integration from your account settings at any time.
  • Withdraw consent — revoke prior consent for data processing where processing is based on consent.

To exercise any of these rights, email privacy@ownhealth.fit. We will respond within the timeframe required by applicable law (typically 30-45 days).

9.1 U.S. state privacy rights

If you reside in a U.S. state that grants additional consumer privacy rights — including but not limited to California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Iowa, Indiana, Tennessee, Minnesota, Maryland, and Rhode Island — you have the right to:

  • Confirm whether we process your personal information and access that information
  • Request correction of inaccurate personal information
  • Request deletion of your personal information, subject to legal exceptions
  • Obtain a portable copy of your personal information
  • Opt out of the "sale" or "sharing" of personal information and of "targeted advertising" as those terms are defined under your state's law
  • Not be subject to automated decision-making that produces legal or similarly significant effects without meaningful human review
  • Not be discriminated against for exercising these rights

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We do not use automated decision-making that produces legal or similarly significant effects. To exercise any of these rights, email privacy@ownhealth.fit. We will respond within the timeframe required by your state's law (typically 45 days). If we deny your request, you may appeal by replying to our denial message; we will respond to appeals within the timeframe your state requires (typically an additional 60 days).

9.2 European Economic Area, United Kingdom, and Switzerland

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, or the Swiss Federal Act on Data Protection (FADP), as applicable. In addition to the access, correction, deletion, portability, and consent-withdrawal rights described above, you may object to our processing of your personal information in certain circumstances and request that we restrict processing. You also have the right to lodge a complaint with your local data protection supervisory authority.

The legal bases on which we rely to process your personal information include:

  • Your consent — for optional features such as AI-powered chat and insight reports, where you actively opt in
  • Performance of a contract — to provide the Service you signed up for (operating your account, syncing your connected services, displaying your data, enabling coaching relationships you request)
  • Our legitimate interests — to secure the Service, prevent fraud, understand aggregate usage, and improve the product, balanced against your rights and freedoms
  • Compliance with legal obligations — where processing is required by applicable law

You may withdraw consent at any time from your account settings or by contacting privacy@ownhealth.fit. Withdrawing consent does not affect the lawfulness of processing based on consent before the withdrawal, nor does it affect processing we carry out under other legal bases.

10. Security

We use administrative, technical, and physical safeguards to protect your information, including:

  • TLS encryption in transit.
  • Encryption at rest for files stored in Supabase Storage.
  • Encryption of OAuth refresh tokens.
  • Session-based authentication with bearer tokens.
  • Role-based access controls (member, coach, admin, super admin).
  • Audit logging of privileged actions.
  • Regular security reviews of third-party service providers.

No system is perfectly secure. If we become aware of a breach affecting your information, we will notify you in accordance with applicable law.

11. International users

OwnHealth.FIT is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and other countries where our service providers operate.

12. Children

The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal information, contact privacy@ownhealth.fit and we will delete it.

13. Third-party links and services

The Service may link to websites or services operated by third parties, including research articles, supplement partners, and laboratory providers. This Policy does not apply to third-party sites. Review the privacy policies of those sites before providing them with information.

14. Changes to this policy

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top. For material changes, we will take reasonable steps to notify you (for example, by email or an in-app notice). Continued use of the Service after an update constitutes acceptance of the revised Policy.

15. Contact us

Questions, requests, or concerns about this Policy: