FitCall AI Privacy Agreement

I. Introduction

FitCall AI (hereinafter also referred to as “we”) deeply understands the importance of user privacy, particularly the protection of sensitive information such as personal exercise data and health preferences in fitness and wellness scenarios. This Privacy Policy clearly outlines how we collect, use, disclose, and protect your personal information when you use the “FitCall AI” mobile application and its related services (the “Services”). We are committed to complying with stringent global and regional data protection laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to provide you with a secure and reliable fitness assistance service experience.

(I) Scope of Application

This Agreement applies to all services you use through this APP, including but not limited to registration and login, selecting a fitness AI partner, chatting with the fitness AI, AI voice call reminders, workout calendar & journal tracking, and custom workout reminder settings.

Please note that if you access third-party platforms (such as sports equipment stores, third-party fitness course platforms, or sports data synchronization tools) via this APP to use related services, those services will be governed by the third party's privacy policy. We recommend you carefully review the third party's privacy policy to understand how they handle your personal information.

(II) Agreement Acceptance

By using this service, you acknowledge that you have fully read, understood, and agreed to the information processing methods described in this agreement. If you disagree with any part of this agreement, please cease using our services. Upon agreement updates, your continued use of the service after the updated agreement takes effect constitutes your acceptance of the revised terms.

(III) Contact Us

If you have any questions, comments, or suggestions regarding this Privacy Agreement, or wish to exercise your rights under this Agreement, please contact us via the methods provided below (see the end of this document for details). We will contact you and address your concerns within [7] business days of receiving your feedback.

II. Information We Collect

We collect only the information necessary to provide fitness assistance services and do not gather redundant data unrelated to fitness scenarios. This includes the following categories:

(1) Personal Identifying Information

Registration Information: When you register an account, you may voluntarily provide us with your name, email address, and profile picture (optional). This information is used to create your dedicated account, ensuring you can log in smoothly and synchronize your fitness data (e.g., view your fitness calendar and selected AI partner information across devices). It also enables us to send you service notifications when necessary (e.g., account security alerts, fitness goal achievement notifications).

Third-Party Account Login Information: If you choose to log in using a third-party account (e.g., Google, Apple ID, WeChat, Alipay), we will obtain the basic information authorized for sharing by that third-party account, such as nickname, email address, profile picture (if authorized), etc. The specific information obtained is subject to the prompts on the third-party authorization page. This method aims to provide you with a convenient login experience and reduce the registration process. We use this information solely to create linked accounts within our services and enable quick login functionality, not for any additional purposes.

(2) Exercise-Related Information

Actively Entered Content: Exercise-related information you actively input while using our services, including but not limited to:

Exercise preferences and goals, used to match you with a personalized Exercise AI Partner;
Chat content with your Exercise AI Partner (e.g., “How to adjust running posture to avoid knee injuries,” "Recommended yoga poses for beginners"), used to obtain targeted exercise recommendations;
Content recorded in the exercise calendar & diary (e.g., daily exercise activities, duration, estimated calories burned, exercise experience), used to track exercise progress;
Custom exercise reminder settings (e.g., reminder time “7:00 AM daily”, reminder content “Complete 30 minutes of aerobic training today”), used to ensure precise triggering of reminder functions.

This information forms the core basis for our personalized fitness assistance. We strictly safeguard it and use it solely for service optimization and feature implementation.

Automatically associated data: Exercise-related data automatically linked or generated during service based on your actions, including:

Type of selected AI companion (e.g., “Running Coach AI,” “Yoga Companion AI”) and timestamps of chat sessions with AI companions;
Periodic exercise statistics automatically compiled in the exercise calendar (e.g., “This week's total exercise duration: 120 minutes,” “This month's yoga sessions: 8”);
Trigger records for AI voice call reminders (e.g., “Running reminder successfully pushed at 7:00 AM on June 1”);
If you authorize the “Fitness and Health” permission for your device, automatically synced basic exercise data (e.g., step count, exercise duration—used solely to correct manual recording discrepancies, not forcibly collected).

(3) Device and Usage Information

Device Information: To ensure service functionality and compatibility, we automatically collect basic device details including IP address, device model (e.g., iPhone 15, Huawei Mate 60 Pro), operating system version (e.g., iOS 18, Android 15), unique device identifiers (e.g., iOS IDFV, Android AAID), network status (e.g., Wi-Fi/5G/4G), and basic permission statuses for built-in sensors (e.g., whether “Fitness & Health” and “Notifications” permissions are enabled). This information is solely used for:

Adapting interface display and functional compatibility across different devices (e.g., optimizing the exercise diary editing interface for foldable phones);
Troubleshooting service issues (e.g., identifying AI voice reminder delivery failures on specific device models);
Ensuring proper operation of workout data synchronization and reminder features when you grant relevant permissions.

Usage Data: We collect behavioral data during your app usage, including:

App open/close times, access frequency of functional modules (e.g., daily average entries into “Chat with Workout AI,” viewing frequency of “Workout Calendar”);
Preferred AI companion selections (e.g., “percentage of running-type AI companions chosen”) and custom workout reminder modification frequency;
Function operation logs (e.g., number of times “modifying workout goals,” “switching AI companion types,” or “marking workout logs as ‘completed’”).

This data is solely used to analyze user habits and optimize service experience (e.g., adjusting interface entry points based on high-frequency features) and is not analyzed individually in association with personal identity.

III. Purpose of Information Use

The information we collect is solely used for the following legitimate purposes and not for scenarios unrelated to sports assistance:

(1) Providing Core Sports Services

Functionality: Based on your fitness-related information, we deliver tailored services including:

Matching and recommending personalized AI fitness companions based on your preferences and goals (e.g., recommending “Beginner Running Coach AI” for new runners);
Storing chat logs with your AI companion for easy access to past conversations (e.g., reviewing previous exercise correction suggestions);
Sending AI voice reminders at scheduled times with customized content (e.g., “10 minutes until your run—remember to warm up”);
Synchronizing workout calendars & log data for cross-device viewing, editing, and statistics (e.g., real-time mobile updates after editing workout logs on tablets).

Personalized Assistance: Tailoring support to your exercise habits and history, including:

AI fitness companion offering tailored suggestions based on your activity logs (e.g., “Based on your note about ‘knee soreness after running,’ we recommend adjusting your stride and adding wall squats to your routine”);
Generating personalized weekly summaries from cyclical activity data (e.g., “Your running frequency met goals this week, but session duration was insufficient. We suggest extending future runs to 35 minutes”);
Optimized custom workout reminder logic (e.g., adjusting notification timing based on your historical “ignore reminder” patterns).

(2) Service Quality Enhancements

Functional Optimization: Analyzing device information and usage data to improve service stability and convenience, including:

Enhanced feature compatibility across operating system versions (e.g., resolving workout calendar sync delays on Android 15);
Adjusting feature design based on user habits (e.g., placing the frequently used “Workout Diary Check-in” button prominently on the home screen);
Enhancing AI companion dialogue logic (e.g., expanding the conversation library with topics like “Beginner Yoga Breathing Techniques” and “Running Gear Selection” based on common user inquiries).

Service Iteration: Based on statistical analysis of fitness-related data (e.g., common exercise types, primary reasons for missed goals, AI reminder response rates), we iterate service content, including:

Adding new AI companion types tailored to user needs (e.g., introducing a dedicated recovery guidance AI for “postpartum recovery” scenarios);
Optimizing workout calendar templates (e.g., adding “Equipment Usage Log” and "Training Area Marking" fields).

(3) Essential Service Notifications

Account & Activity Alerts: Deliver necessary service notifications via your provided email or in-app messages, including:

Account login anomaly alerts (e.g., verification emails sent upon detecting logins from non-usual devices);
Activity-related reminders (e.g., “You've completed 60% of this week's fitness goal—keep it up!”; “Tomorrow's custom running reminder is scheduled—prepare in advance”);
Major Service Update Notifications (e.g., “Our AI fitness companion now features ‘Heart Rate Sync’ to provide personalized recommendations based on your device's heart rate data”).

Compliance Communications: We will contact you via email in compliance scenarios requiring your cooperation (e.g., account deletion confirmation, fitness data export authorization) to ensure your rights remain protected.

(IV) Compliance Obligations

Record Retention: Retain necessary information as required by laws and regulations, including:

Transaction records for paid services (if applicable, such as “Unlocking Premium Sports AI Companion” or “Customized Exclusive Exercise Plans”), including order amounts and payment timestamps, to meet tax and audit requirements;
Account registration details and fitness data (e.g., workout logs, AI conversation records) to assist with lawful regulatory inquiries (e.g., preventing fake accounts from abusing services, providing factual evidence when handling user complaints).

Risk Prevention: Based on device information and usage data, we identify and prevent abnormal usage patterns (e.g., bulk account registrations, malicious tampering of fitness data to obtain fraudulent achievements) to ensure service fairness and security.

IV. Information Sharing and Disclosure

We strictly control the scope of information sharing and only collaborate with third parties in the following necessary scenarios, ensuring your information security:

(1) Third-Party Service Providers

We only partner with third parties essential to delivering service functionality and clearly stipulate their information protection obligations through agreements. This includes:

Cloud Service Providers: We partner with compliant cloud providers like AWS, Alibaba Cloud, and Tencent Cloud to store your account information and fitness-related data (e.g., activity calendars, AI conversation logs) on their encrypted servers. These providers are authorized solely for data storage and prohibited from using it for other purposes. They implement security measures including AES-256 encryption and access controls (e.g., multi-factor authentication, IP whitelisting).
Payment Processors: If you use paid services (if applicable), we share necessary transaction information (e.g., order amount, account email, order number) with professional payment processors (e.g., Stripe, PayPal, WeChat Pay, Alipay) to complete the payment process. We do not transmit your sensitive fitness-related information (e.g., workout diary content, AI conversation logs) to payment processors. Payment information processing adheres to the payment provider's privacy policies and security standards (e.g., PCI DSS Payment Card Industry Data Security Standard).
Data Analytics Service Providers: We may share anonymized usage data (e.g., “average daily app engagement time for users in a specific region,” “percentage of 25-35 year-old users selecting yoga-themed AI companions”) with analytics providers like Firebase and Baidu Analytics. This data has been de-identified (e.g., hiding the last two digits of IP addresses, removing account association information) and cannot be linked to specific users. Data analytics providers are solely used to provide us with service optimization recommendations (e.g., “Low activation rate for exercise reminders; suggest optimizing reminder messaging”) and are prohibited from reverse-engineering user identities.
Device Data Synchronization Providers: If you authorize “Fitness & Health” permission and choose to sync data from third-party fitness devices (e.g., Apple Watch, Xiaomi Mi Band), we will share your voluntarily authorized fitness data (e.g., step count, heart rate, activity routes) with the corresponding device service provider (e.g., Apple HealthKit, Xiaomi Sports). This data is solely used to integrate into your activity calendar and for no other purposes. The sharing process adheres to the service provider's privacy policy and data security standards, and requires your separate authorization confirmation.

(II) Legal and Security Requirements

Legal Disclosure Requirements: Upon receiving lawful requests from government agencies or judicial authorities (such as subpoenas, court orders, or regulatory compliance inquiries), we will disclose necessary information in accordance with the law. We rigorously review the legitimacy and necessity of such requests, providing only information within the scope permitted by law (e.g., disclosing account registration details relevant to the case without additionally revealing exercise log content) to prevent excessive disclosure.

Disclosure for Rights Protection: To safeguard your or other users' legitimate rights and interests (e.g., preventing fraud using accounts, addressing account theft, resolving disputes caused by exercise data errors), we may disclose relevant information within reasonable and necessary limits. For example:

If we detect unauthorized use of your account to alter fitness goals or fabricate activity records, we may disclose device information (e.g., model, IP location) associated with the suspicious activity to assist you in recovering your account.
If disputes arise between you and another user regarding AI-partner recommendations, we may disclose relevant conversation records to verify facts, provided both parties consent.

(3) Prohibition on Data Sales

We solemnly commit to never selling any of your personal information, including personal identity information, fitness-related information, device information, etc. This commitment strictly complies with the “no sale of data” requirements under regulations such as the CCPA, GDPR, and the Personal Information Protection Law of the People's Republic of China. Control over your information remains solely with you.

V. Data Security and Storage

We implement multi-layered security measures to protect your information while strictly controlling data retention periods to ensure information is retained only for necessary durations:

(1) Security Protection Measures

Data Encryption:

Transmission: Utilizes SSL/TLS 1.3 encryption technology to prevent interception or tampering of your information (e.g., exercise diary content, account login credentials) during transmission between mobile devices and servers.
Storage Process: Sensitive fitness-related information (e.g., fitness goals, AI conversation logs) is stored using AES-256 encryption algorithms. Account passwords are encrypted with irreversible hash algorithms (e.g., bcrypt). Only authorized technical personnel may access and decrypt data after passing multi-factor authentication (e.g., password + dynamic token).

Access Control:

An internal access permission system is established adhering to the “least privilege” principle: Only personnel performing essential tasks like functional maintenance, troubleshooting, or customer support are permitted to access data. Access scopes are strictly segregated by role (e.g., customer service agents can only view basic account information and consultation records, not exercise diary details).
Third-party service provider access requires strict approval and is limited to the minimum privileges necessary for service delivery (e.g., cloud service providers can only read stored data without modification or export; data analytics providers receive anonymized statistical data without access to raw personal information).

Security Monitoring and Emergency Response:

Conduct regular security vulnerability scans (e.g., monthly) and penetration tests (quarterly), inviting third-party security agencies to evaluate data protection systems and promptly address potential risks (e.g., SQL injection, XSS cross-site scripting vulnerabilities).
Establish an anomaly detection mechanism to provide real-time alerts for risky activities such as bulk data access, unusual IP logins, or high-frequency data exports (e.g., immediately trigger account freezing and manual review if multiple accounts are accessed from the same IP within a short timeframe);
Develop a data breach contingency plan. In the event of a data leak, immediately activate emergency procedures (e.g., block the source of the leak, assess the scope of the breach, notify affected users, and patch vulnerabilities), and report to regulatory authorities as required by law.

Please note: Despite our stringent security measures, internet transmission and electronic storage cannot guarantee 100% security. We cannot eliminate the risk of data breaches caused by force majeure events (such as hacker attacks breaching defenses or security vulnerabilities in third-party service providers). Should such an incident occur, we will notify you promptly as stipulated in this agreement.

(II) Data Retention Period

Personal Identifiable Information and Exercise-Related Data:

We will retain this information for the duration of your account to ensure normal service operation (e.g., storing exercise calendar data for your long-term review).
If you request account deletion, we will delete all personal identifiable information (e.g., name, email address) and exercise-related sensitive information (e.g., exercise diary content, AI conversation records) within [15] business days.
Transaction records for paid services and compliance records prior to account closure (e.g., customer service communications) will be retained for the period required by applicable laws and regulations (e.g., 5 years for tax compliance purposes) and deleted immediately upon expiration.

Device Information and Usage Data:

Device information is retained during your service usage period. If you remain inactive for [12] consecutive months (i.e., your account enters “dormant” status), we will delete associated device identifiers (e.g., IDFV/AAID), retaining only anonymized device model statistics.
Usage data will be retained long-term for service optimization after anonymization (removing all personal identifiers, e.g., converting “User A accessed the Sports AI feature 10 times” to “The average number of times a user group accessed this feature is 8 times”). It will only be used in aggregated statistical form and will not be linked to specific users.

(3) Cross-Border Data Transfer

If cross-border data transfer is necessary for business operations, we will strictly comply with relevant laws and regulations. We will ensure data security and compliance during cross-border transfers through compliant methods such as executing standard contractual clauses, safeguarding your personal information rights. Prior to cross-border transfer, we will conduct a comprehensive assessment of the recipient's security capabilities to ensure they maintain adequate data protection standards.

VI. Your Rights

Under regulations such as GDPR and CCPA, you have the following rights within our services:

(1) Correction and Deletion

Information Correction: If you discover errors in your account information, you may directly modify it within the app's settings to conveniently update your personal information and ensure its accuracy.

Record Deletion: To delete all records, you may contact our customer service team (contact details provided at the end of this text) at any time. After verifying your identity, we will promptly delete relevant records according to your request, safeguarding your control over your personal information.

(2) Account Cancellation

You may conveniently request account cancellation via the “Settings - Account Security” section within the app. After submitting your cancellation request, we will process all your data in accordance with the data retention period specified in Section 5.2 of this policy. Please note that once an account is canceled, it cannot be restored. Throughout the cancellation process, we will ensure your personal information is properly handled and will not be subject to further improper use.

(3) Obtaining a Copy of Your Information

If you wish to obtain a copy of your personal information stored in our services, please contact our customer service (details provided at the end of this text). After verifying your identity, we will provide you with a copy of your personal information in a secure and convenient manner, fulfilling your right to know and control your personal information.

(IV) Withdrawal of Consent

You have the right to withdraw your consent at any time for the collection and use of your personal information based on such consent. You may withdraw your consent through relevant settings within the APP or by contacting customer service. Please note that withdrawing consent may affect your continued use of certain service features that rely on that authorization. We will clearly explain the scope of potentially affected features when you withdraw your consent.

(V) Account Security

Should the platform detect a user data or privacy breach (only under high-risk circumstances), we will notify the user within 72 hours (via the contact method provided at the end of this text) and report the incident to relevant authorities.

VII. Child Protection

This service is explicitly not intended for minors under the age of 13. We comply with COPPA and GDPR. Users must confirm they meet the age requirement during registration, and we will display age-appropriate labels in app stores.

If we discover during operation that a user is a minor, we will immediately cease collecting their personal information and delete stored data pertaining to that minor in accordance with relevant laws and regulations (unless legal requirements mandate retention of certain information).

If a guardian discovers unauthorized use of this service by a minor, they may contact our customer service at any time. We will fully assist in addressing the matter to safeguard the minor's personal information security. Regarding the protection of children's personal information, we strictly adhere to relevant laws and regulations, taking all necessary measures to ensure adequate protection of children's personal data.

VIII. Policy Updates

(1) Update Notification

Should this policy undergo changes, we will promptly notify you via app pop-ups, email (if you have provided an email address), or other means. For significant changes (such as expanding the scope of information collection or altering information sharing methods that may substantially impact your rights), we will obtain your explicit consent before the changes take effect. For non-significant changes, we will also notify you in a timely manner so you may understand the latest adjustments to our personal information processing practices.

(2) Effective Date of Changes

Revised policy provisions shall take effect after a reasonable period following notification. Your continued use of our services after the effective date constitutes your acceptance of the updated Privacy Policy. Should you disagree with the revised policy, you may choose to discontinue our services and exercise your rights under this policy, such as account cancellation or information deletion.