Privacy Policy — The Body School Mobile Application
1. Introduction
This Privacy Policy ("Policy") describes how Sofiia Rozhko, registered as an individual entrepreneur (FOP) in Ukraine, State Register Entry #2 073 000 0000 023098 of 26 October 2010, acting at 164 Kyivska Street, apt. 204, Obukhiv, Kyiv Oblast 08703, Ukraine (the "Provider," "we," "us," or "our"), collects, uses, stores, and discloses Personal Data of users ("you," "your," "User") of The Body School mobile application (the "App").
This Policy applies exclusively to the App. The privacy practices for our website (thebody.school) are described in our separate web Privacy Policy available at https://thebody.school/policy/.
By downloading, installing, or using the App, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the App.
2. Data Controller
The Data Controller for the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Ukrainian Law "On Personal Data Protection" is:
Sofiia Rozhko (FOP)
Address: 164 Kyivska Street, apt. 204, Obukhiv, Kyiv Oblast 08703, Ukraine
Email: thebodyschool.manager@gmail.com
For all questions regarding this Policy or your Personal Data, please contact us at the email above.
3. Personal Data We Collect
3.1. Information You Provide Directly
- Account Information: name, email address, date of birth, gender, country
- Profile Information: preferred language, profile photo (optional)
- Health and Wellness Data (special category data under GDPR Article 9):
- Body measurements (weight, height, waist, hips, chest, etc.)
- Food diary entries (meals, ingredients, portions)
- Body photos (before/after, progress tracking — optional, uploaded by you)
- Subjective wellness markers (mood, sleep quality, energy)
- Voice Recordings: when you use the voice-recognition feature to log a meal, the audio you record is transmitted to our AI provider for transcription; the resulting text is then used for food recognition.
- Communication Content: messages you send to support or coaches via in-app chat
3.2. Information Collected Automatically
- Device Information: device model, operating system version, language, time zone, and a vendor-scoped device identifier (Apple's IDFV on iOS or an analogous identifier on Android). We do not collect Apple's IDFA or any cross-app advertising identifier.
- App Usage Data: screens visited, features used, session duration, crash reports
- Push Notification Token: to deliver reminders and updates
3.3. Information from Third Parties
- In-App Purchase Data: transaction confirmations from Apple App Store and Google Play Store (we do not receive your payment card details)
4. How We Use Your Personal Data
We process your Personal Data for the following purposes and on the following legal bases under GDPR Article 6 (and Article 9 for health data):
| Purpose | Legal Basis |
|---|---|
| Providing the App and its core features (nutrition tracking, body measurements logging, content access) | Contractual necessity (Art. 6(1)(b)) |
| Processing health and wellness data | Your explicit consent (Art. 9(2)(a)) |
| Managing your subscription and billing via Apple/Google | Contractual necessity (Art. 6(1)(b)) |
| Sending push notifications and reminders | Your consent (Art. 6(1)(a)); withdrawable at any time |
| Improving the App and analyzing usage patterns | Our legitimate interest (Art. 6(1)(f)) |
| Customer support and responding to inquiries | Contractual necessity (Art. 6(1)(b)) |
| Detecting and preventing fraud, abuse, or violations of Terms | Our legitimate interest (Art. 6(1)(f)) |
| AI-assisted food recognition from meal photos and voice descriptions you submit | Your consent (Art. 6(1)(a) and Art. 9(2)(a)); the photo or audio recording is sent only when you actively use the feature |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not use your Personal Data for automated decision-making or profiling with legal effects on you.
5. Third-Party Service Providers
We work with the following third-party service providers ("Processors") that may process your Personal Data on our behalf. Each of them is bound by data processing agreements that include GDPR-compliant safeguards.
| Service Provider | Purpose | Data Categories | Location | Privacy Policy |
|---|---|---|---|---|
| Google LLC (Firebase Analytics) | App usage analytics, crash reporting | Device data, app usage events, vendor-scoped device identifier (IDFV) | USA | policies.google.com/privacy |
| Google LLC (Firebase Cloud Messaging) | Delivering push notifications to Android devices | Push token, device data | USA | policies.google.com/privacy |
| Apple Inc. (Apple Push Notification Service) | Delivering push notifications to iOS devices | Push token | USA | apple.com/legal/privacy |
| Google LLC (Gemini API) | AI-assisted food recognition from meal photos and voice descriptions you submit | Submitted meal photos, audio recordings of your spoken meal descriptions and their resulting transcripts, image and audio data, model prompts. Photos and audio are sent only when you actively use the relevant feature. | USA | ai.google.dev/gemini-api/terms |
| RevenueCat, Inc. | Managing in-app subscriptions, validation of purchases | App User ID, purchase events, device data | USA | revenuecat.com/privacy |
| Amazon Web Services, Inc. (S3) | Secure storage of body photos uploaded via our backend | Uploaded photos, encrypted at rest | USA / EU | aws.amazon.com/privacy |
| Apple Inc. (App Store) | Processing in-app purchases for iOS users | Payment data handled directly by Apple — we do not access it | Global | apple.com/legal/privacy |
| Google LLC (Google Play Billing) | Processing in-app purchases for Android users | Payment data handled directly by Google — we do not access it | Global | policies.google.com/privacy |
International Data Transfers: Some of our service providers are located outside Ukraine and the European Economic Area (EEA), primarily in the USA. Where data is transferred, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures as required by GDPR Articles 44-49.
6. App Permissions
The App requests the following device permissions. You may grant or deny each, and you may revoke them at any time in your device settings.
| Permission | Purpose | Mandatory? |
|---|---|---|
| Camera | To take body progress photos within the App | Optional |
| Photo Library / Gallery | To upload existing body photos from your device | Optional |
| Microphone | To record voice descriptions of meals for AI-assisted food recognition | Optional |
| Notifications | To send you nutrition reminders, coach messages, programme updates | Optional |
| Network access | To synchronise your data with our servers and stream educational content | Required |
Denying optional permissions will not prevent you from using core features of the App, but related features (photo tracking, reminders) may be unavailable.
7. Apple App Tracking Transparency (ATT)
On iOS devices, the App does not use Apple's App Tracking Transparency framework because we do not collect Apple's IDFA (Identifier for Advertisers) and we do not track you across other companies' apps or websites for advertising purposes. Firebase Analytics is configured to use only vendor-scoped, privacy-safe identifiers (IDFV) that cannot be linked to your activity in other apps.
8. Data Retention
We retain your Personal Data only as long as necessary for the purposes set out in this Policy:
- Account data: while your account is active, plus 3 years after deletion for legal compliance and tax purposes
- Health and wellness data: while your account is active; deleted within 30 days of account deletion request
- Body photos: while your account is active; deleted within 30 days of account deletion request
- App usage analytics: aggregated and anonymised after 14 months; raw event data deleted after 14 months (Firebase default)
- Transactional data: retained for 7 years for tax and accounting purposes (Ukrainian and EU law)
9. Your Rights
Under the GDPR and Ukrainian Law, you have the following rights regarding your Personal Data:
- Right of access (Art. 15): request a copy of the Personal Data we hold about you
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure / "right to be forgotten" (Art. 17): request deletion of your Personal Data
- Right to restriction of processing (Art. 18): request that we limit how we use your data
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting prior lawful processing
- Right to lodge a complaint: file a complaint with your local data protection authority (e.g., Ukrainian Ombudsperson, Spanish AEPD, German BfDI)
To exercise any of these rights, email us at thebodyschool.manager@gmail.com. We will respond within 30 days. To request account deletion, you may also use the in-app option: Profile → Settings → Delete Account.
10. Children
The App is not intended for children under 16. We do not knowingly collect Personal Data from individuals under 16. If you become aware that a child has provided us with Personal Data without parental consent, please contact us at thebodyschool.manager@gmail.com and we will delete such data promptly.
11. Security
We implement appropriate technical and organisational measures to protect your Personal Data, including:
- Transport Layer Security (TLS) encryption for all data in transit
- Encryption at rest for stored health data and body photos
- Access controls and authentication for our team
- Regular security reviews of our infrastructure and service providers
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee absolute security.
12. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you through the App (in-app notice) at least 14 days before the changes take effect. The "Last Updated" date at the top reflects the most recent revision.
Continued use of the App after the effective date of the updated Policy constitutes your acceptance of the changes.
13. Contact
For questions, requests regarding your Personal Data, or to file a complaint:
Sofiia Rozhko (FOP)
Email: thebodyschool.manager@gmail.com
Address: 164 Kyivska Street, apt. 204, Obukhiv, Kyiv Oblast 08703, Ukraine
This Privacy Policy is compliant with the EU General Data Protection Regulation (Regulation 2016/679), the UK Data Protection Act 2018, the Ukrainian Law "On Personal Data Protection" of 1 June 2010 #2297-VI, the California Consumer Privacy Act (CCPA), Apple App Store Review Guidelines, and Google Play Developer Programme Policies.