Your Body Is Not a Business Model.
This is not a slogan. It is the design constraint behind every decision we make about your data.
We built ZonalFit because the women's health technology category has a trust problem. Period-tracking apps have been fined by the FTC for sharing intimate health data with advertisers. Cycle apps have stated in their own terms that they may disclose user data to law enforcement. Pregnant women have deleted their data and switched to paper calendars because they no longer trust software with their biology.
This page tells you, in plain language, what ZonalFit does with your data, what we will never do with your data, and what rights you have to control it.
The Short Version
- We collect what we need to generate your training, and nothing more.
- We never sell your data. Not to advertisers. Not to data brokers. Not to anyone.
- We never share your cycle, pregnancy, postpartum, or health data with third parties for marketing.
- We never voluntarily disclose your reproductive health data to law enforcement.
- You can delete your data at any time. Deletion is real, not a soft archive.
- You can export your data at any time in a portable format.
- We do not use AI or machine learning to build your workouts. The engine is rules-based and deterministic.
- AI is used only for post-workout coaching conversations and re-engagement messages, and you can opt out of those.
The rest of this page is the long version. Read what matters to you. Use the table of contents below to jump.
Contents
- 1. Who we are
- 2. What we collect
- 3. Why we collect it
- 4. Who inside ZonalFit has access
- 5. Service providers we use
- 6. What we never do with your data
- 7. Post-Roe reproductive health protections
- 8. Law enforcement requests
- 9. How we compare to other health apps
- 10. University research access (opt-in only)
- 11. Cookies and analytics on our marketing site
- 12. How long we keep your data
- 13. Your rights and how to use them
- 14. Security
- 15. Age limit
- 16. International users
- 17. Changes to this policy
- 18. Contact us
1. Who we are
ZonalFit is operated by ZonalFit Technologies Inc., a Delaware C-Corporation. References to "ZonalFit," "we," "our," and "us" in this policy refer to ZonalFit Technologies Inc.
We operate two web properties: www.zonalfit.com (this marketing site) and app.zonalfit.com (the training platform). This policy covers both. Where a section applies only to one, we name it.
Our headquarters is in Dallas, Texas. Our infrastructure is located in the United States and operated by US-based service providers.
2. What we collect
We collect five categories of data. Each is used only for the purposes stated in Section 3.
2.1 Account information
- Email address (required to create an account and receive transactional emails)
- Password (stored as a one-way salted hash; we cannot read your password)
- First name (optional; used for personal greeting in the platform)
- Country (required for currency, tax, and regional compliance)
2.2 Health and training inputs you provide
The platform asks you for the inputs it needs to build adaptive programming. You choose what to share. Common inputs include:
- Date of birth or age (used for age-appropriate programming)
- Current lifecycle state (cycling, pregnant, postpartum, perimenopausal, post-menopausal, surgically menopausal)
- If cycling: cycle phase information you choose to share
- If pregnant: weeks of pregnancy, trimester, any complications you choose to disclose
- If postpartum: weeks postpartum, delivery type, medical clearance status, perineal injury history if you choose to share, breastfeeding status
- Active conditions you choose to disclose: PCOS, endometriosis, GLP-1 medication use, celiac disease, pelvic floor history, injury zones
- Equipment available to you
- Training experience and goals
You can decline to share any input. Some inputs will result in more conservative programming if not shared.
2.3 Daily check-in inputs
Each session, you complete a brief pre-workout check-in covering sleep, energy, stress, symptoms, and any condition-specific signals (for example, cycle symptoms, postpartum pelvic floor signals, or endometriosis flare severity). These inputs are used to generate today's session and to detect trends across recent weeks.
2.4 Training history and performance
The platform records exercises prescribed, sets, reps, loads used, rate of perceived exertion (RPE), session completion, and any in-session feedback you provide. This history is used to progress your programming.
2.5 Technical and billing data
- Device type, operating system, browser, IP address, and basic usage analytics (page views, session duration, feature usage). Used to operate the platform and detect security issues.
- Billing data: name on payment card, billing address, and card details. Card details are processed by Stripe and are never stored on ZonalFit infrastructure. We retain only Stripe's customer ID and a record of your subscription state.
3. Why we collect it
We collect each category of data for one or more of these purposes:
- To deliver the platform. Your account, health inputs, daily check-ins, and training history are used to generate your adaptive programming and to operate the platform you signed up for.
- To bill you. Billing data is used to process subscription payments and to send subscription-related transactional emails.
- To support you. If you contact support, we use your account information and recent platform history to answer your question accurately.
- To improve the platform. Aggregated usage data (where you tap, what features get used) helps us improve the platform. This data is aggregated and de-identified before any team member outside engineering sees it.
- To send you product updates. You can unsubscribe from any non-transactional email at any time.
We do not use your data for any purpose other than these. We do not use your data for advertising. We do not use your data to train AI models. We do not share your data with partners for their own purposes.
4. Who inside ZonalFit has access
Access to your data inside ZonalFit is restricted by role:
- Engineering team: needs access to the database to operate the platform. Engineering accesses individual user data only when investigating a specific support ticket or technical incident, and that access is logged and auditable.
- Support team: accesses your account when you contact support, limited to information needed to resolve your issue.
- Leadership and product team: sees only aggregated, de-identified usage statistics. Leadership does not have routine access to individual user data.
- Advisors and contractors: have no routine access to user data. Clinical advisors review system logic and aggregated outcomes, not individual user accounts.
All team members and contractors with access to user data are bound by written confidentiality agreements and access policies.
5. Service providers we use
We use a small set of service providers to operate the platform. Each is contractually limited to processing your data for the purpose listed. None has the right to use your data for their own purposes.
| Provider | Purpose | Data accessed |
|---|---|---|
| Stripe | Payment processing | Card details, billing address, subscription state |
| Railway | Application hosting (US infrastructure) | All platform data, encrypted in transit and at rest |
| MongoDB Atlas | Database hosting (US infrastructure) | All platform data, encrypted at rest |
| SendGrid | Transactional and product emails | Email address, first name, message content |
| Sentry | Error monitoring | Technical error logs (no health data) |
| OpenAI | Post-workout coaching conversations only | Conversation text only when the coaching feature is used; processed under OpenAI's enterprise data handling terms (not used to train models) |
| Flex | HSA/FSA reimbursement processing (optional) | Name, email, and Letter of Medical Necessity if you choose to apply for HSA/FSA reimbursement |
| Google Analytics | Aggregate marketing site analytics only (www.zonalfit.com) | Anonymized page views and traffic source. Not enabled on the training platform (app.zonalfit.com) |
The OpenAI integration is opt-in. You can use the entire training platform without ever using post-workout coaching conversations. When you do use coaching, the conversation is processed by OpenAI under terms that prohibit using your content to train their models.
We add new service providers only when necessary. When we add one, we update this list and the effective date at the top of this page before the change takes effect.
6. What we never do with your data
This list is the operational meaning of "Your Body Is Not a Business Model." Each item is a contractual commitment, not a marketing claim.
- We never sell your data. Not to advertisers. Not to data brokers. Not to insurance companies. Not to pharmaceutical companies. Not to anyone.
- We never share your cycle data, pregnancy data, postpartum data, or condition data with third parties for marketing purposes.
- We never use your data to train AI models for ZonalFit or for any third party. The workout engine is rules-based and deterministic. Training data is not a competitive moat we are building.
- We never run targeted advertising inside the platform. There are no ads in the app.
- We never share your data with employers, even if your employer pays for your subscription (a future B2B model, if introduced, will include this commitment in writing).
- We never share your data with your insurance company without your explicit, separate written consent (relevant if you choose to pursue HSA/FSA reimbursement through Flex).
- We never voluntarily disclose your reproductive health data to law enforcement. See Section 8 for our process when law enforcement makes a formal demand.
7. Post-Roe reproductive health protections
Since the Dobbs v. Jackson decision in 2022, reproductive health data has carried legal risk in the United States that did not previously exist. ZonalFit was built with this in mind.
The following protections apply to all data that touches reproductive health, including cycle data, pregnancy status, pregnancy loss, postpartum status, and any data that could indicate any of these:
- This data is never voluntarily disclosed to any third party for any reason other than to operate the platform on your behalf.
- This data is encrypted in transit and at rest using current industry-standard encryption.
- You can delete this data at any time. Deletion is permanent and propagates through backups within 30 days.
- You can choose not to share this data with the platform. The platform will operate, with reduced programming specificity, without it.
- We will resist subpoenas, warrants, and other law enforcement demands to the maximum extent permitted by law, including by engaging outside counsel where appropriate.
- We will notify you of any law enforcement demand for your data unless we are legally prohibited from doing so.
If you are in a state with laws that criminalize aspects of reproductive healthcare, we encourage you to consider what data you choose to enter into any platform, including ours. The protections above represent our commitment to making ZonalFit the most defensible option available. They are not a substitute for your own judgment about what to share.
8. Law enforcement requests
If law enforcement requests data about you, our process is:
- We do not provide data based on informal requests, phone calls, or unverified emails. We require formal legal process.
- We evaluate every formal demand (subpoena, warrant, court order, or other valid legal process) for legal sufficiency and for overbreadth.
- We push back on demands that are not narrowly tailored to a specific, lawful purpose.
- We engage outside counsel where the demand involves reproductive health data, where the scope is unusual, or where state laws conflict.
- We notify you of any demand for your data, unless we are prohibited by law from doing so.
- We produce only the specific data the demand legally requires, and nothing more.
We publish annual transparency reports starting with calendar year 2026, summarizing the number of law enforcement requests received and our responses.
9. How we compare to other health apps
The category sets a low bar. Below is a factual comparison of common practices across health and training apps against what ZonalFit does. Citations link to publicly available sources.
| Practice | Common in the category | ZonalFit |
|---|---|---|
| Sharing health data with advertisers | Flo Health agreed to a $56 million class action settlement in 2025 over sharing user data with Meta and others | Never |
| Stating in terms of service that data may be disclosed to law enforcement | A 2022 Mozilla review found 16 of 25 reviewed period-tracking apps included such language | Never voluntarily; legal process required and contested |
| Using user health data to train machine learning models | Common in apps that use machine learning for recommendations | Never. Engine is rules-based, not model-trained |
| Selling or licensing aggregated data to third parties | Standard practice across consumer health apps | Never sold or licensed for commercial use; opt-in academic research only (Section 10) |
| Running targeted ads inside the app | Common in free-tier health apps | No ads in the platform |
| Indefinite data retention after account deletion | Common; many apps retain "soft-deleted" data indefinitely | Deletion propagates through backups within 30 days |
Sources for the "common in the category" column: FTC press release on Flo Health (2021), Flo Health class action settlement filings (2025), Mozilla Foundation Privacy Not Included reviews of period-tracking apps (2022 and 2023 updates). We are happy to provide additional citations on request.
10. University research access (opt-in only)
We believe women's health research has been historically underfunded and that aggregated, anonymized training data could materially contribute to it. We also believe that should never happen without your explicit, separate, opt-in consent.
If we offer participation in university research in the future, the offer will:
- Be presented as a separate consent, not bundled with these terms or signup
- Be limited to accredited academic institutions, not commercial entities
- Require Institutional Review Board (IRB) approval before any data access is granted
- Be limited to de-identified, aggregated, population-level data, never individual records
- Require the researcher to publish findings within 24 months
- Be revocable by you at any time, with revocation propagating before the next research cycle
We have not yet offered this. When we do, you will be invited to read the specific research protocol and decide.
11. Cookies and analytics on our marketing site
This marketing site (www.zonalfit.com) uses Google Analytics 4 to understand which pages visitors read. The data Google Analytics receives is limited to anonymized page views, referrer information, and approximate geographic location at the country level. We do not enable Google Analytics on the training platform itself (app.zonalfit.com).
We do not run Facebook Pixel, TikTok Pixel, or any other third-party advertising or remarketing trackers on either property.
If you prefer not to be measured by Google Analytics, you can install a browser extension that blocks it, use private browsing mode, or use a privacy-focused browser. Our site works fully without analytics.
12. How long we keep your data
| Data category | Retention while account is active | After account deletion |
|---|---|---|
| Account information | Retained until you delete or close your account | Deleted within 30 days, including from backups |
| Health and training inputs | Retained while needed for programming, max 36 months of inactive history | Deleted within 30 days, including from backups |
| Daily check-in data | Retained while needed for trend analysis, max 24 months | Deleted within 30 days, including from backups |
| Training history (sets, reps, loads) | Retained for the life of the account | Deleted within 30 days, including from backups |
| Billing records | Retained as required by tax and accounting law | Retained for the period required by US tax law (currently 7 years), then deleted |
| Support communications | Retained for 24 months | Deleted within 30 days, including from backups |
13. Your rights and how to use them
You have the following rights over your data. These rights apply regardless of where you live; we treat them as universal because we think they should be.
- Right to access. You can request a copy of the data we hold about you in a portable format. Request via the email below; response within 30 days.
- Right to correct. You can correct any inaccurate data through your account settings or by contacting support.
- Right to delete. You can delete your account and all associated data from your account settings. Deletion is real and propagates through backups within 30 days.
- Right to export. You can export your data in a portable format at any time, before or after deletion.
- Right to restrict processing. You can ask us to suspend non-essential processing of your data (for example, suspend product emails while keeping your account active).
- Right to object. You can object to any specific processing of your data. If we cannot honor your objection, we will explain why in writing.
- Right to lodge a complaint. If you believe we have mishandled your data, you may complain to your local data protection authority. We would prefer you contact us first so we can investigate and respond.
Residents of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut, Utah, and other states with privacy statutes have the rights described above, including the right to know what categories of personal information we collect, the right to delete, and the right to opt out of any "sale" of personal information. We do not sell personal information.
Residents of Canada have rights under PIPEDA, residents of Australia under the Privacy Act 1988, and residents of New Zealand under the Privacy Act 2020. We honor these rights for residents of those jurisdictions.
To exercise any right, email privacy@zonalfit.com. We respond within 30 days.
14. Security
We protect your data with industry-standard technical and organizational measures, including:
- TLS encryption for all data in transit
- AES-256 encryption for data at rest in the database
- One-way hashing of passwords with current industry-standard algorithms
- Role-based access controls inside ZonalFit, audited periodically
- Mandatory two-factor authentication for all team members with access to user data
- Periodic security review of our infrastructure and service providers
- Sentry-based error monitoring that does not record health data
No system is perfectly secure. If we ever identify a breach affecting your data, we will notify you and the relevant authorities as required by applicable law, and we will tell you what happened, what data was affected, and what we are doing about it.
15. Age limit
ZonalFit is not intended for users under 18. We do not knowingly collect data from users under 18. If you believe a user under 18 has created an account, please contact us and we will investigate and delete the account.
16. International users
ZonalFit currently operates in the United States, English-speaking Canada, Australia, and New Zealand. Data is processed and stored on US infrastructure regardless of your location. By using the platform, you consent to your data being transferred to and processed in the United States. We apply the protections described in this policy to all users regardless of jurisdiction.
17. Changes to this policy
If we change this policy in a way that materially affects how we handle your data, we will notify you by email at least 30 days before the change takes effect. The current version, with its effective date, is always at the top of this page.
Routine clarifications (typo fixes, clarifications of existing practice, additions to the table of service providers that do not change the practice) are made without notice but are reflected in the effective date.
18. Contact us
Questions about this policy, requests to exercise your rights, security reports, and any other privacy-related correspondence:
- Email: privacy@zonalfit.com
- General contact: hello@zonalfit.com
- Mail: ZonalFit Technologies Inc., Dallas, Texas (full mailing address provided on request to verified correspondents)
We aim to respond to all privacy correspondence within 5 business days, and to formal requests under applicable privacy laws within 30 days.
"Your Body Is Not a Business Model" is more than a slogan. It is the test we apply to every product, engineering, and partnership decision. If a proposal would compromise this commitment, we say no. We would rather lose a deal than break this promise.