Privacy Policy
Last updated: May 16, 2026
Zera Fit ("we," "us," "our") respects your privacy. This policy explains what data we collect, how we use it, and your rights.
Who we are
Zera Fit is an online fitness coaching service operated by Gabby, a NASM-Certified Personal Trainer with 15+ years of experience. Our website is zera.fit. You can contact us at support@zera.fit for privacy questions.
What data we collect
Information you provide directly
Email address when you subscribe to our newsletter or submit an intake form.
Intake information when you submit the intake form to become a client:
- Name, age, and contact information
- Fitness goals and preferences
- Exercise equipment available
- Injury history and relevant health information (menopause stage, pain levels)
- Movement preferences and schedule
- Any notes you choose to share
Ongoing coaching data (once you become a client):
- Messages between you and Gabby
- Payment information (processed by Stripe; see below)
Coaching activity (active clients, through the client portal):
- Workout logs — which exercises you completed, how they felt, any notes or questions you add
- Check-ins — Gabby asks a few short questions on a regular cadence; your answers are visible only to her
- Progress tracking — measurements and notes you choose to record over time, visible on your progress page
All of the above stays between you and Gabby. Every row is protected by row-level security in our database: no other client can see it, and we do not use it for marketing, AI training, or any purpose outside your coaching.
Information collected automatically
- Usage data: pages visited, features used, time on site (via Vercel Analytics, privacy-respecting, no cookies)
- Technical data: browser type, device type, approximate location (country/region)
- Authentication: session tokens via Supabase Auth
- Rate limiting: temporary hashed identifiers stored in Redis (Upstash) to prevent abuse, automatically deleted within 15 minutes
Information from third parties
We do NOT purchase, rent, or otherwise obtain your data from third parties.
How we use your data
- To provide coaching services: generate your program, communicate with you
- To process payments: via Stripe (we never see your full card details)
- To send transactional emails: welcome messages, intake confirmations, coaching communications
- To send newsletters (only if you've subscribed): tips and updates
- To improve our service: aggregate, non-identifying analytics
- To comply with legal obligations
Data we do NOT use
- We do not sell your data to third parties, ever
- We do not share your data for advertising purposes
AI and your data
Zera Fit uses AI tools (Anthropic's Claude API) to assist Gabby in drafting coaching communications and generating training program recommendations. Here is exactly how your data is used:
What is shared with the AI:
- Your age, menopause stage, fitness goals, available equipment, injury history, training preferences, and preferred coaching tier
- Free-text notes you provide in your intake form (presented to the AI as quoted data, not instructions)
What is NOT shared with the AI:
- Your name
- Your email address
- Your phone number
- Your payment information
How the AI is used:
- Gabby personally reviews and adjusts every AI-generated draft before you receive it
- The AI provider (Anthropic) processes your data under their data processing terms and does not retain it for model training
- AI outputs are checked for medical-scope compliance before delivery
- You can request that Gabby generate your program manually instead; contact support@zera.fit
Where your data is stored
- Database: Supabase (Postgres), encrypted at rest, hosted in the United States
- Email delivery: Resend
- Payments: Stripe (PCI-compliant; we never store card numbers)
- Analytics: Vercel Analytics (privacy-respecting, no cookies, no personal data)
- Error monitoring: Sentry. We scrub personally identifiable information (email addresses, IP addresses, authentication tokens, request bodies) from error reports before they are sent to Sentry. Sentry is used for technical debugging only.
- Rate limiting: Upstash Redis (temporary hashed identifiers only, auto-deleted)
- Bot protection: Cloudflare Turnstile (no personal data stored)
All data is stored on servers in the United States.
Data retention
- Subscribers (non-clients): email retained until you unsubscribe
- Active clients: data retained for the duration of your service
- Canceled clients: personal information (name, email, phone, emergency contact, date of birth, intake free-text, message content) is automatically scrubbed 12 months after subscription cancellation. Aggregate non-identifying data (subscription dates, tier, anonymized workout completion patterns) is preserved for analytics. Payment records are retained for 7 years for tax compliance.
- You can request deletion at any time (see "Your rights" below)
Automated retention enforcement is in place via a scheduled daily process. Eligible cancellations are processed within 24 hours of crossing the 12-month threshold. The Founder receives a weekly summary of retention events for accountability.
Two months after that 12-month scrub — 14 months total after your subscription ends — we permanently delete your account record from our database, along with all connected records. This step is irreversible. If you want a copy of your data before that window closes, you can download it at any time from your portal settings.
Your rights
Regardless of where you live, you have the right to:
- Access your data (request a summary of what we have)
- Correct inaccurate data
- Delete your data (we will process deletion requests within 30 days, except payment records retained for tax compliance)
- Opt out of marketing communications at any time (every email includes an unsubscribe link)
- Object to processing based on legitimate interest
- Withdraw consent at any time
- Export your data — download a complete copy at any time directly from your portal settings
To exercise any of these rights, email support@zera.fit. We will respond within 30 days.
Your data in your portal: Active clients can act without emailing us. In your portal, go to Settings → Your data. From there you can download your data immediately as a JSON file — your intake responses, program history, workout logs, check-ins, messages, and progress metrics. You can also submit an account deletion request from the same screen if you want to delete your account before the automatic 12-month timeline. Gabby personally confirms every deletion request within 30 days, and you can cancel the request before it's processed if you change your mind.
What deletion covers: When you request deletion, we remove your data from our database (intake records, client records, subscriber records, email logs, and related records), including any files associated with your account (e.g. message attachments, program documents). We also request removal from third-party processors where applicable, including marketing email lists like our newsletter audience. Some data may persist in encrypted backups for a limited period before automatic rotation.
Deletion record retained: An internal record of the deletion request itself (admin who fulfilled it, date, target email, reason) is retained indefinitely for accountability and audit purposes. This record contains only metadata about the deletion event, not the deleted client's personal data.
What deletion does not cover: Payment records retained for tax compliance (7 years). Sentry error logs are scrubbed of PII before storage, so they do not contain your personal information.
Service availability
Zera Fit is currently available to US residents only. We do not serve EU customers at this time. If you are accessing our intake form from outside the United States, we may decline your sign-up to maintain compliance with regional regulations. We will re-evaluate broader availability as we mature.
Additional rights for California residents (CCPA)
- Right to know what categories of personal information are collected
- Right to opt out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your rights
Data security
We use industry-standard security measures:
- All data transmitted over HTTPS with HSTS enforcement
- Content Security Policy headers restricting script and resource origins
- Row-level security on all database tables
- Authentication via magic link (clients) or password (admin only)
- Bot protection on all public forms via Cloudflare Turnstile
- Rate limiting and brute-force protection on login
- Regular security audits via automated testing (500+ tests)
- Incident response plan in place
- PII scrubbed from error monitoring before transmission
If we become aware of a data breach that affects you, we will notify you within 72 hours.
Admin access to your data
Authorized Zera Fit staff (currently the Founder and the Technical Co-founder) may view your information to provide coaching services and to operate the platform. Every such view of sensitive health information is recorded in an append-only audit log for accountability. This log is retained indefinitely and is not editable or deletable — even by the staff who created the entries.
If a client account is removed, the audit-log entries that reference it are preserved as the durable record of who viewed what data and when, with the entity itself shown as deleted on internal admin views.
Cookies
We use minimal cookies:
- Essential cookies for authentication (Supabase session tokens)
- No third-party tracking cookies
- No advertising cookies
You can configure your browser to block cookies, but this may affect your ability to sign in.
Children's privacy
Zera Fit is not intended for use by anyone under 18. We do not knowingly collect information from children. If you believe we have inadvertently collected such information, contact us immediately.
Changes to this policy
We will update this policy as needed. The "Last updated" date at the top reflects the most recent change. For material changes, we will notify active clients by email.
Contact
For privacy questions: support@zera.fit