Privacy Policy
Last updated · May 17, 2026
NAFA is a precision fitness intelligence service operated by AUGE XR AG, a Swiss stock corporation (“AUGE”, “we”, “us”). This policy explains what data we collect when you use the NAFA website, iOS app, or watchOS companion, why we collect it, how we store it, and the rights you have over it.
1. Data we collect
Account & profile
- Email address, name, and authentication identifier (Supabase Auth, Apple Sign-In, Google Sign-In).
- Optional profile details: date of birth, sex, height, training goals.
- Subscription state (provided by Apple, RevenueCat, or Stripe — we do not see your card number).
Health, fitness & nutrition data
- Workouts, sets, reps, RPE, and training volume you log in the app.
- Meals, macros, calories, hydration, supplements, and meal photos you log.
- Body composition entries: weight, body fat, lean mass, circumferences, progress photos.
- HealthKit data you choose to share: steps, heart rate, HRV, sleep, workouts, body metrics.
- Wearable data you connect (Apple Watch, third-party APIs you authorize).
Device & diagnostic
- App version, OS version, device model, locale, time zone, and crash logs (via Sentry).
- Anonymized product analytics events (e.g. screen views, feature usage) via PostHog. You can opt out in Settings → Privacy.
- Optional precise location: a single location reading at workout start, only if you grant permission, used to auto-select which gym you are training at so per-location weights and equipment stay separate. You can deny or skip the prompt with no loss of core functionality. Location is never collected in the background or used for advertising.
What we do not collect
- Background or continuous location. The single location reading at workout start described above is the only location data NAFA requests, and only with your permission; it is never collected in the background, stored as a location history, or used for advertising.
- Contacts or microphone. The camera and photo library are used only when you attach a progress photo or meal photo, and the photo is uploaded only after you confirm.
- Third-party advertising identifiers. NAFA does not run ads and does not use the App Tracking Transparency framework.
2. How we use your data
- Provide the service: render dashboards, run analytics on your own history, generate explainable recommendations.
- Improve the product: aggregate, de-identified usage metrics to find rough edges and prioritize features.
- Customer support: when you email us, we use the email address and any logs you share to reproduce and fix issues.
- Security & abuse prevention: rate limiting, anomaly detection, and audit logs.
- Legal compliance: respond to lawful requests, enforce our terms.
NAFA does not use your health, nutrition, or body data to train third-party generative AI models. On-device explanations and any server-side inference run on data scoped to your account.
3. Apple HealthKit
NAFA reads from and writes to Apple HealthKit only with your explicit permission, requested per data type at the moment we need it. HealthKit data is never:
- used for advertising or marketing,
- shared with third parties for their own purposes,
- sold to anyone, ever.
You can revoke HealthKit access at any time in Settings → Health → Data Access & Devices → NAFA. Revoking does not delete data already synced to your NAFA account; use the in-app delete flow for that.
4. Subprocessors we rely on
We use a small, audited set of vendors to operate the service. Each is bound by a data processing agreement.
- Supabase — authentication, Postgres database, encrypted storage (EU region).
- Vercel — web hosting and edge runtime.
- Apple — App Store distribution, push notifications, sign-in.
- RevenueCat — subscription state mirroring.
- Stripe — subscription billing; card numbers are handled by Stripe and never reach us.
- Sentry — crash and error monitoring.
- PostHog — product analytics (opt-out available).
- Resend — transactional email.
5. Storage, encryption & retention
- All data in transit is encrypted with TLS 1.2 or later.
- Data at rest in our primary database is encrypted with AES-256.
- Backups are encrypted and retained for 30 days, then purged.
- If you delete your account, your personal data is removed from active systems within 30 days and from all backups within 60 days.
6. Your rights
Regardless of where you live, you can:
- Access & export — download every log, photo, and metric as JSON + media archive from Settings → Data → Export.
- Correct — edit any entry directly in the app.
- Delete — Settings → Data → Delete account permanently removes your data.
- Object — opt out of analytics in Settings → Privacy.
- Portability — the export is in machine-readable JSON, suitable for re-import elsewhere.
Under the GDPR (EEA), the UK GDPR (United Kingdom), the Swiss Federal Act on Data Protection (Switzerland), and the CCPA/CPRA (California), you also have the right to lodge a complaint with your local data protection authority. Contact us first at privacy@nafa.fitness; we respond within 30 days.
7. Children
NAFA is not intended for users under 17. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
8. International transfers
Primary data is stored in the EU. Some subprocessors may process data in the US under Standard Contractual Clauses or the EU-US Data Privacy Framework, where applicable.
9. Changes to this policy
We may update this policy. Material changes trigger an in-app notice and an email to your account address at least 14 days before they take effect. The “Last updated” date above always reflects the most recent revision.
10. Contact
AUGE XR AG (operator of NAFA)
Zug, Switzerland
Email: privacy@nafa.fitness