Privacy Policy

Effective Date: April 6, 2026

Resilio Health LLC ("Company," "we," "us," or "our") respects your privacy and is committed to protecting the personal information you share with us. This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use the Resilio Health application and related services (collectively, the "Service").

This Privacy Policy applies to all users of the Service. For information specifically about our collection and processing of consumer health data, please also review our standalone Consumer Health Data Privacy Policy.

1. Information We Collect

1.1 Information You Provide Directly

We collect information you voluntarily provide when you create an account, complete onboarding, use the Service, or contact us:

• Account Information: First name, email address, and authentication credentials (managed through Supabase Auth via magic link).
• Onboarding Information: Your wellness goal (longevity, injury prevention, or return from injury), sport type(s), preferred session duration, reminder preferences, and equipment availability.
• Body Map Selections: Body regions you designate as focus zones (areas to strengthen) or avoid zones (areas to avoid heavy loading), as displayed in the app. These selections may change daily.
• Daily Check-In Responses: Training status, sport type for the day, self-reported workout intensity, and any temporary avoid overrides.
• Debrief Responses: Your subjective assessment of routine difficulty after each session (easy, just right, or tough).
• Chat Messages: Messages you send to the AI Coach, including questions about your routine, your body, or the Service.
• Support Communications: Information you provide when contacting us for support.

1.2 Information Generated Through Your Use

We automatically generate and store the following data as you use the Service:

• Exercise History: Routines generated for you, including exercise selections, duration, and completion status.
• Progression Data: Your difficulty level per exercise, consecutive debrief history, and whether progression has been paused due to a safety event.
• Streak and Completion Data: Current streak, longest streak, total completions, and total minutes of routines completed.
• Safety Event Records: If the AI Coach surfaces a safety card (e.g., a recommendation to consult a healthcare provider), we log the event, its severity, and your response.
• AI Coach Responses: The AI-generated routine selections, explanations, and coaching messages produced in response to your inputs.
• AI-Derived Inferences: Exercise preferences, progression levels, body region resilience trends, and engagement state derived from your use of the Service. These inferences may constitute consumer health data under applicable law.

1.3 Information Collected Automatically

When you use the Service, we may automatically collect:

• Device Information: Device type, operating system, app version, and platform (iOS, Android, or web).
• Push Notification Tokens: Device tokens for delivering push notifications, if you have granted notification permissions.
• Timezone: Your device's timezone, used to schedule reminders and display date-appropriate content.
• Analytics Events: If analytics collection is enabled, we may collect usage events such as screens viewed, features used, and session timing. We do not use third-party advertising trackers. You may opt out of analytics collection by contacting us at privacy@resiliohealth.com. Opting out will not affect the core functionality of the Service.

1.4 Information We Do Not Collect

We do not collect:

• Precise geolocation data (GPS coordinates)
• Contacts, photos, or files from your device
• Biometric identifiers (fingerprints, facial recognition data)
• Social Security numbers, government-issued identification numbers, or financial account numbers

1.5 Information from Third-Party Health and Fitness Platforms

If you choose to connect Apple Health or Strava, we collect the following data with your explicit permission:

• Workout type (e.g., running, cycling, swimming)
• Workout duration
• Workout distance (if available)
• Activity timestamps

We access this data solely to pre-fill your daily check-in and to provide context for AI-generated routine recommendations. We do not access contacts, photos, location, or any health data beyond workout activity records. Apple Health data is read via the HealthKit API; when you complete a routine, we write a summary workout record (activity type and duration) back to Apple Health so your training log stays complete. Strava data is received via webhook when new activities are recorded. You may disconnect either integration at any time through the app's Settings.

HealthKit data is not used for advertising, marketing, or data mining purposes. We do not sell HealthKit data to data brokers or any third parties. HealthKit data is not stored in iCloud. HealthKit data is used solely for the purpose of personalizing your exercise routines within the Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To Provide the Service: Generating personalized exercise routines, processing your check-in responses, managing your progression, and delivering AI coaching.
• To Improve the Service: Analyzing aggregated, de-identified usage patterns to improve exercise selection, progression algorithms, and user experience. We do not use your personal data to train third-party AI models.
• To Communicate With You: Sending push notifications (daily reminders, post-workout nudges, subject to rate limits and your preferences), transactional emails (account verification, password resets), and responding to support inquiries.
• To Process Payments: Facilitating subscription billing through our payment processors.
• To Ensure Safety: Logging safety escalation events to improve the AI's safety detection and to maintain an audit trail.
• To Comply With Law: Responding to legal process, enforcing our Terms of Service, and protecting the rights, property, or safety of the Company, our users, or others.

3. How We Share Your Information

We do not sell your personal information. We do not share your personal information with third parties for their own marketing or advertising purposes. We share information only in the following limited circumstances:

3.1 AI Processing Provider (Anthropic, PBC)

To generate personalized routines and coaching responses, we transmit your check-in data, body region selections, exercise history, safety event context, and chat messages to Anthropic, PBC, which provides the Claude large language model. Anthropic processes this data solely to generate responses on our behalf, pursuant to our data processing agreement. Under the terms of our agreement, Anthropic is contractually prohibited from using API inputs to train its models. Anthropic retains API inputs and outputs for a maximum of thirty (30) days for safety and abuse monitoring purposes, after which they are automatically deleted.

3.2 Infrastructure and Hosting (Supabase / Amazon Web Services)

Your data is stored on Supabase (hosted on Amazon Web Services), which provides our database, authentication, and serverless function infrastructure. Supabase processes data on our behalf pursuant to a data processing agreement.

3.3 Payment Processors (RevenueCat / Apple / Google)

Subscription payments are processed by RevenueCat (which integrates with Apple and Google billing) and may in the future include Stripe for web subscriptions. These processors receive only the payment information necessary to process your subscription. We do not have access to your full payment card details.

3.4 Push Notification Delivery (Apple APNs / Google FCM / Expo)

Push notifications are delivered through Apple Push Notification service (APNs) for iOS devices, Google Firebase Cloud Messaging (FCM) for Android devices, and Expo's push notification service as an intermediary. These services receive only your device push token and the notification content. No consumer health data is transmitted through push notification channels.

3.5 Legal Obligations

We may disclose your information if required by law, subpoena, court order, or other legal process, or if we reasonably believe disclosure is necessary to: (a) comply with applicable law; (b) protect the rights, property, or safety of the Company, our users, or the public; or (c) detect, prevent, or address fraud or security issues.

3.6 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of the transaction. We will provide notice before your information becomes subject to a different privacy policy.

4. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

• Active Account Data: Retained for the duration of your active subscription and account.
• Post-Cancellation: If you cancel your subscription but do not delete your account, we retain your data in read-only form so you can access your history. You may request full deletion at any time.
• Account Deletion: Upon a valid deletion request, we will remove your personal data from our active production systems within twenty-four (24) hours of the deletion request being executed (following a 24-hour cancellation grace period). Data in automated backups and disaster recovery systems will be purged in the normal backup rotation cycle, which does not exceed thirty (30) days. During the backup retention period, backup data is encrypted, access-controlled, and not used for any purpose other than disaster recovery.
• Security and Legal Retention: We may retain limited data beyond the periods described above where necessary to comply with legal obligations, resolve disputes, enforce our agreements, or protect against fraud. In particular, safety event records (which document instances where the Service recommended that you stop an exercise or consult a healthcare provider) may be retained for up to three (3) years after account deletion to defend against potential claims. Any such retention will be limited to the minimum data necessary.
• Aggregated Data: We may retain aggregated, de-identified data that cannot reasonably be used to identify you for analytical and product improvement purposes indefinitely.

Per-Category Retention Periods:

• Account information (name, email): duration of account; removed from active systems within 24 hours of deletion, purged from backups within 30 days.
• Check-in responses and exercise history: duration of account.
• Progression and streak data: duration of account.
• Safety event records: duration of account plus up to 3 years post-deletion for legal defense purposes.
• AI-derived inferences (progression levels, engagement state): duration of account.
• AI Coach chat messages: duration of account (stored for session continuity; deleted upon account deletion).
• Push notification tokens: until token invalidation or account deletion.
• Analytics events (if collected): 24 months rolling, then aggregated and de-identified.
• Apple Health and Strava activity data: duration of account or until integration is disconnected.
• Anthropic API logs: maximum of 30 days (controlled by Anthropic per our data processing agreement).

5. Data Security

We implement commercially reasonable administrative, technical, and physical safeguards to protect your personal information, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256);
• Row-level security policies on all database tables, ensuring users can only access their own data;
• Authentication via secure, passwordless methods (magic link);
• Server-side API key management (AI and database credentials are never exposed to client applications); and
• Regular security reviews of our infrastructure and access controls.

No method of electronic transmission or storage is completely secure. While we strive to protect your information, we cannot guarantee its absolute security.

6. Data Breach Notification

In the event of a security breach that affects your personal information, we will:

• Investigate and take reasonable steps to contain and remediate the breach;
• Notify affected users without unreasonable delay and no later than thirty (30) business days after discovering the breach, through at least two channels (email to the address associated with your account, plus in-app notification or other reasonable means);
• Provide information about the nature of the breach, the categories of information involved, the approximate number of individuals affected, steps we are taking to address the breach, and steps you can take to protect yourself;
• For breaches affecting 500 or more individuals, provide concurrent notification to the Federal Trade Commission and, where required, prominent media notice, as required by applicable law; and
• Comply with all applicable breach notification statutes, including but not limited to the California data breach notification statute (Cal. Civ. Code § 1798.82), the Washington data breach notification statute (RCW 19.255.010), the Virginia breach notification statute (Va. Code § 18.2-186.6), and, where applicable, the FTC Health Breach Notification Rule (16 CFR Part 318).

7. Your Rights and Choices

7.1 Access and Portability

You may access your personal information through the Service at any time. You may request a portable copy of your data in JSON format through the Service's Settings or by contacting us at privacy@resiliohealth.com.

7.2 Correction

You may update your profile information (name, sport type, time budget, equipment, and preferences) through the Service at any time.

7.3 Deletion

You may request deletion of your account and all associated data through the Service's settings or by contacting us at privacy@resiliohealth.com. The deletion process is described in Section 4 above.

7.4 Notification Preferences

You may disable push notifications at any time through the Service's settings or your device's notification settings. Disabling notifications will not affect your ability to use the Service.

7.5 Analytics Opt-Out

You may opt out of analytics collection by contacting us at privacy@resiliohealth.com. Opting out will not affect the core functionality of the Service.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA") provide you with additional rights regarding your personal information.

8.1 Categories of Personal Information

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: First name, email address, device identifiers, IP address.
• Internet or Network Activity: Interaction with the Service, analytics events (if collected), features used.
• Geolocation (non-precise): Timezone for scheduling purposes only.
• Inferences: Exercise preferences, progression levels, engagement state derived from your use of the Service.
• Sensitive Personal Information: Health-related information (body region selections, exercise history, symptom reports). This information is used solely to provide the Service and is not used for profiling or advertising.

8.2 Your Rights

You have the right to:

• Know what personal information we collect, use, and disclose;
• Request deletion of your personal information;
• Correct inaccurate personal information;
• Opt out of the sale or sharing of your personal information (we do not sell or share personal information as defined by the CCPA);
• Limit the use of sensitive personal information — our use of sensitive personal information (including health-related data) is already limited to providing the Service. You may exercise this right by contacting us at privacy@resiliohealth.com or, when available, through the in-app privacy settings; and
• Not be discriminated against for exercising your privacy rights.

We honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we will treat it as a valid opt-out of the sale or sharing of personal information.

8.3 How to Submit Requests

To exercise your CCPA/CPRA rights, you may:

• Use the applicable features within the Service (e.g., account deletion in Settings); or
• Contact us at privacy@resiliohealth.com.

You may designate an authorized agent to make requests on your behalf. We may require verification of both your identity and your agent's authority before processing such requests. We will respond to verified requests within forty-five (45) days of receipt. If we require additional time, we will notify you of the extension (not to exceed an additional forty-five (45) days) and the reason for the delay.

9. Washington My Health My Data Act

If you are a Washington state resident, or if we collect consumer health data as defined by the Washington My Health My Data Act ("MHMDA"), please review our standalone Consumer Health Data Privacy Policy for detailed information about our collection, use, and sharing of consumer health data, as well as your rights under the MHMDA. That policy is provided as a separate and distinct document in accordance with the MHMDA.

10. Additional State Privacy Rights

10.1 Virginia Consumer Data Protection Act (VCDPA)

If you are a Virginia resident, you have the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of the processing of personal data for targeted advertising or profiling. We classify health-related data as sensitive data and obtain your opt-in consent before processing it. To exercise your rights, contact us at privacy@resiliohealth.com. If we decline your request, you may appeal by contacting us, and if the appeal is denied, you may contact the Virginia Attorney General.

10.2 Nevada SB 370

If you are a Nevada resident, we do not sell your consumer health data. We maintain this Privacy Policy and our Consumer Health Data Privacy Policy in accordance with Nevada SB 370 requirements. We do not use geofencing within 1,750 feet of healthcare facilities for purposes of data collection.

10.3 Maryland Online Data Privacy Act (MODPA)

We collect personal data only as reasonably necessary and proportionate to provide the Service. We do not sell sensitive data (including health data) under any circumstances. If you are a Maryland resident, you may exercise your privacy rights by contacting us at privacy@resiliohealth.com.

10.4 Colorado Privacy Act (CPA)

If you are a Colorado resident, you have the right to access, correct, delete, and obtain a portable copy of your personal data, and the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We classify health-related data as sensitive data and obtain your opt-in consent before processing it. To exercise your rights, contact us at privacy@resiliohealth.com.

10.5 Other State Privacy Laws

We are committed to complying with applicable state privacy laws, including the Connecticut Data Privacy Act, Indiana Consumer Data Protection Act, and other comprehensive state privacy statutes. In all states that classify health data as sensitive personal information, we obtain opt-in consent before processing such data. If you have questions about your rights under your state's privacy law, please contact us at privacy@resiliohealth.com.

11. Artificial Intelligence Disclosure

The Service uses artificial intelligence — specifically Anthropic's Claude large language model — to generate exercise routine recommendations and coaching responses. When you interact with the AI Coach feature, you are interacting with an artificial intelligence system, not a human being. The AI Coach does not prompt, guide, or direct any clinical action or medical management.

AI-generated content may occasionally be inconsistent, incomplete, or based on incorrect interpretation of your inputs. You should exercise independent judgment regarding all recommendations. Your User Data is transmitted to Anthropic solely for real-time routine generation and coaching responses. Anthropic is contractually prohibited from using your data to train, fine-tune, or improve its AI models. Anthropic retains API inputs and outputs for a maximum of thirty (30) days for safety and abuse monitoring, after which they are automatically deleted.

This disclosure is provided in compliance with the Utah Artificial Intelligence Policy Act, the Colorado AI Act (SB 24-205, enforcement beginning June 30, 2026), and Apple App Store Guideline 5.1.2(i).

12. Children's Privacy

The Service is not directed to children under the age of thirteen (13). We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete such information promptly. The Service requires users to be at least eighteen (18) years of age per our Terms of Service.

13. International Data Transfers

The Service is operated from the United States and is primarily intended for users in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you acknowledge this transfer.

We do not currently maintain European Union or United Kingdom-specific compliance mechanisms (such as Standard Contractual Clauses or a UK International Data Transfer Agreement). If you are located in the EU or UK, please be aware that our Service may not meet the requirements of the GDPR or UK GDPR, and you use the Service at your own discretion.

14. Website Tracking and Cookies

Our marketing website at resiliohealth.com does not currently use third-party advertising trackers, cookies for behavioral profiling, or cross-site tracking technologies. We do not sell or share personal information as defined by the CCPA. If we introduce analytics or tracking tools on the website in the future, we will update this Privacy Policy accordingly and provide appropriate consent mechanisms.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the Service or by email at least thirty (30) days before the changes take effect. The "Effective Date" at the top of this policy indicates when it was last revised. We will update this Privacy Policy at least annually.

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

Resilio Health LLC
Email: privacy@resiliohealth.com
Legal inquiries: legal@resiliohealth.com
Support: support@resiliohealth.com
Website: https://resiliohealth.com