Privacy Policy

ActivePath ("we," "our," or "us") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you use our mobile application, website, and related services (collectively, the "Service").

By using ActivePath, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service. This Privacy Policy is incorporated into and subject to our Terms of Service.

Personal Information

When you create an account, we collect:

• Email address (required for authentication)
• Full name and username
• Profile picture (optional)
• Date of birth and gender (optional)
• Height and weight (optional, for fitness calculations)
• Payment information (processed by Apple App Store or Google Play Store — we do not store payment card details)

Location Data

To provide our core services, we collect:

• Home/default location for route generation
• Saved exploration locations
• Real-time GPS coordinates during active workouts (including timestamp, altitude, accuracy, speed, and heading)
• Complete GPS track data for workout history

Health and Fitness Data (Sensitive Data)

• Workout type (running, walking, cycling, hiking)
• Duration, distance, pace, and calories burned
• Heart rate data (with HealthKit integration enabled)
• Elevation gain/loss during workouts
• Fitness level, goals, and activity preferences
• Route preferences (scenic, flat, hilly, loop, etc.)
• HIIT workout performance data (intervals completed, heart-rate zones, splits)
• Body measurements (height, weight) used for calorie calculations

IMPORTANT: Health and fitness data is classified as sensitive personal data under GDPR (Article 9), CCPA, and other privacy regulations. We collect this data only with your explicit consent and use it solely for the purposes described in this policy. We do not sell your health and fitness data to any third party.

Technical Data

• Device information (model, operating system, version)
• Device identifiers
• IP address and user agent
• Login attempt records for security purposes
• App usage patterns, feature interactions, and crash reports
• Browser type and version (for web access)

Data Collected from Third Parties

• Apple HealthKit data (with your permission): workout history, heart rate, and health statistics
• App store purchase and subscription data from Apple or Google

If you are in the European Economic Area (EEA), United Kingdom, or other jurisdictions that require a legal basis for processing personal data, we rely on the following:

• Consent: For processing sensitive health and fitness data, location data, analytics, and marketing communications. You provide consent when you create an account, enable location services, connect health platforms, or opt in to communications.
• Contract Performance: For processing data necessary to provide the Service you have requested (e.g., route generation, workout tracking, account management).
• Legitimate Interests: For improving our Service, ensuring security, preventing fraud, and conducting anonymized analytics, where these interests are not overridden by your rights.
• Legal Obligations: For retaining and processing data as required by applicable law (e.g., tax records, legal disputes).

You may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal. To withdraw consent, contact privacy@activepath.ai or use the privacy controls within the App.

We use the information we collect to:

• Generate personalized AI-powered routes based on your preferences and fitness level
• Track and record your workouts and fitness progress
• Provide real-time navigation and route guidance
• Calculate statistics such as calories burned, pace, distance, and elevation
• Operate HIIT workouts that use heart-rate, GPS, and movement data
• Enable voice-controlled route creation
• Sync workout data with Apple HealthKit (if enabled)
• Display your achievements on leaderboards (if your profile is public)
• Send you notifications about workouts, routes, achievements, and updates
• Process subscription payments and manage your account
• Improve our Service, develop new features, and fix bugs
• Ensure the security and integrity of our Service
• Comply with legal obligations
• Communicate with you about your account, the Service, and (with your consent) promotional offers

We do not use your personal data for automated decision-making or profiling that produces legal effects or similarly significant effects on you.

We do not sell your personal data, and we are not a "data broker" under the California Consumer Privacy Act (CCPA) or comparable laws. We share your data only in the following circumstances:

Service Providers

• Supabase (Database & Authentication): Stores account information, workout data, and route history. All data is encrypted in transit and at rest.
• Mapbox (Mapping & Navigation): Receives location coordinates for map rendering and route generation.
• VAPI (Voice AI): Processes voice commands and transcripts for route creation.
• OpenAI (AI Mode and AI Conversation): Powers AI Mode and AI-suggested responses. When you use AI Mode, your messages and conversation history are sent to OpenAI's API (currently the GPT-4o-mini model) for response generation. Under our agreement with OpenAI, your AI Mode messages are processed on our behalf for the limited purpose of generating responses and are not used to train OpenAI's models.
• Apple HealthKit: Bidirectional data sync for workout and health metrics (with your permission). HealthKit data is never shared with other third parties or used for advertising.
• RevenueCat or App Store/Play Store: Subscription and payment processing.
• Music streaming providers (Spotify, etc.): If you choose to connect a music streaming account, ActivePath uses OAuth tokens to control playback during workouts. We do not access your full music library or detailed listening history beyond what is necessary for playback control. The streaming provider's own privacy policy governs how it processes your account data.
• Optional fitness integrations (Strava, Garmin Connect, WHOOP, Fitbit, Google Fit, etc.): If and when you enable an optional integration, the data categories transferred are described in Section 12 (Third-Party Health Platform Integrations). You can revoke any integration at any time.

Legal Disclosures

• We may disclose your data if required by law, subpoena, court order, or other legal process.
• We may disclose data to protect the rights, property, or safety of ActivePath, our users, or the public.
• In the event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity.

Public Information

• If your profile is public, your username, profile picture, and workout statistics may be visible to other users on leaderboards and public profiles.
• You control your profile visibility through the Privacy settings in the App.

We require all third-party service providers to process your data in accordance with applicable data protection laws and only for the purposes for which we have shared it.

We use cookies and similar tracking technologies on our website and in our Service:

• Necessary Cookies: Required for the Service to function properly (always active). These include session cookies, authentication tokens, and security cookies.
• Analytics Cookies: Help us understand how visitors interact with our Service (e.g., page views, feature usage). We use anonymized analytics tools.
• Performance Cookies: Used to optimize route generation, app performance, and user experience.

We do not use advertising or third-party tracking cookies.

On the ActivePath website, where required by applicable law (including the EU ePrivacy Directive and the GDPR), non-essential cookies are loaded only after you grant consent through our cookie consent banner. You can change your cookie preferences at any time using the "Cookie Preferences" link in the website footer.

You can also manage cookie preferences at any time through your browser or device settings. Disabling certain cookies may limit your experience. For mobile apps, similar device-level controls are available through your operating system settings.

Your data is stored and protected as follows:

• Cloud Storage: User data is stored in secure Supabase PostgreSQL databases hosted in the United States
• File Storage: Profile pictures are stored in encrypted Supabase Storage buckets
• Local Storage: Authentication tokens are stored securely on your device using platform-native secure storage
• Encryption: All data transmission uses HTTPS/TLS encryption. Data at rest is encrypted using AES-256 or equivalent
• Authentication: We use passwordless magic link authentication for enhanced security
• Access Controls: Access to production databases is restricted to authorized personnel with multi-factor authentication

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data but will notify you and relevant authorities of any data breach as required by applicable law.

We retain your personal information for as long as your account is active or as needed to provide you services:

• Account data: Retained while your account is active and for up to 30 days after account deletion to process the deletion request
• Workout history and GPS data: Stored indefinitely unless you request deletion
• Analytics data: Anonymized data may be retained indefinitely; identifiable analytics data is deleted within 26 months
• Security logs: IP addresses and login attempts retained for up to 12 months
• Payment records: Retained as required by applicable tax and financial regulations
• Fraud-prevention and security records: If your account is suspended, terminated, or flagged for abuse, fraud, payment chargebacks, or violation of our Terms, we may retain a record of the action and a minimized snapshot of relevant account data for a longer period — potentially indefinitely — to prevent re-registration of the same actor, respond to law-enforcement or regulatory requests, and protect the integrity of our Service. We minimize the data retained for this purpose to what is reasonably necessary

If you delete your account, all associated personal data will be permanently removed from our active systems within 30 days, except for the limited fraud-prevention/security records described above where applicable. Backup copies may persist for up to 90 days before being permanently deleted. Anonymized or aggregated data that cannot be used to identify you may be retained indefinitely.

Under GDPR (EEA/UK Residents)

• Right of Access: Request a copy of all personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request permanent deletion of your data ("Right to be Forgotten")
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Restrict Processing: Request limitation of how we process your data
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time for processing based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority (supervisory authority)

Under CCPA/CPRA (California Residents)

• Right to Know: Request disclosure of what personal information we collect, use, and share
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out of Sale: We do not sell personal information, but you have the right to opt out if we ever do
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit Use of Sensitive Personal Information: Direct us to limit use of your sensitive data to what is necessary to provide the Service

Under Other Jurisdictions

If you reside in Brazil (LGPD), Canada (PIPEDA), Australia, Japan, South Korea, or other jurisdictions with data protection laws, you may have similar rights. Contact us to exercise your rights under applicable local law.

To exercise any of these rights, contact privacy@activepath.ai. We will verify your identity and respond within 30 days (or such shorter period as required by applicable law). If we need additional time, we will inform you of the reason and extension period.

ActivePath is a consumer fitness and wellness application. We are NOT a "covered entity" or "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). The fitness and health data we collect (such as workout history, heart rate from wearables, and calorie estimates) is not considered Protected Health Information (PHI) under HIPAA.

This means that HIPAA's privacy and security rules do not apply to the data we collect. However, we treat all health and fitness data as sensitive personal information and apply appropriate safeguards as described in this Privacy Policy. If you have concerns about the sensitivity of your health data, we encourage you to review our data storage, security, and sharing practices described herein.

Certain US states, including Illinois (Biometric Information Privacy Act — BIPA), Texas, and Washington, have specific laws governing the collection and use of biometric data such as fingerprints, facial geometry, voiceprints, and retinal scans.

ActivePath does not collect biometric identifiers as defined under these laws. Specifically:

• We do not use facial recognition technology
• We do not collect fingerprint data (device-level biometric authentication such as Face ID or Touch ID is handled entirely by your device operating system — no biometric data is transmitted to ActivePath)
• Voice commands processed by VAPI are used only for route creation and are not used to create voiceprint identifiers
• Heart rate and other physiological data obtained from wearables are treated as health/fitness data, not biometric identifiers

If our data practices change in the future to include biometric data collection, we will update this policy, provide specific disclosures, and obtain consent as required by applicable law.

Apple HealthKit

• Data We Read: Workout history, heart rate data, and health statistics (with your permission)
• Data We Write: Completed workout data including distance, duration, calories burned, and heart rate
• Control: This integration is optional and can be enabled or disabled at any time in the App settings or your device's Health app
• Restrictions: HealthKit data is never shared with third parties, used for advertising, or sold. This is required by Apple's HealthKit guidelines.

Other Optional Integrations (Strava, Garmin Connect, WHOOP, Fitbit, Google Fit, and similar)

• These integrations are optional and disabled by default. You explicitly enable each one and can revoke any of them at any time through the App settings or through the third party's account controls
• When enabled, ActivePath may send completed workout summaries (distance, duration, pace, elevation, calories, heart rate, route GPS) to the integrated platform and may receive activity history from that platform
• You must accept the third party's own terms of service and privacy policy. ActivePath is not responsible for how the third party uses, stores, or shares your data
• Revocation through ActivePath stops further data transfer but does not delete data already shared with the third party — that is governed by the third party's own controls
• If we add new integrations, we will update this Privacy Policy and provide opt-in controls before any data is shared with the new platform

Data received from third-party health platforms is subject to the same protections described in this Privacy Policy. You can revoke access to third-party integrations at any time through your device settings or the App.

On first launch after you sign in, ActivePath asks whether you want to share anonymous usage data to help us improve the Service. We do not collect analytics until you grant consent. Your choice is recorded and can be changed at any time in Settings → Analytics. Analytics data includes:

• Screen views and feature usage patterns
• Route generation preferences and interaction data
• App performance and error metrics
• Workout usage patterns and session data

Analytics data is collected anonymously and does not include your personal location data, workout GPS tracks, health information, or any other personally identifiable information.

You may opt out of analytics at any time by toggling the Analytics setting off in the Settings screen of the App. Opting out does not affect any other functionality.

Beta tester / whitelist program: If you participate in our beta-tester or whitelist program (typically by being added to the whitelist by ActivePath staff), analytics is enabled automatically as part of program participation, since telemetry is part of how we deliver and refine early-access features. You retain the right to opt out at any time in Settings, and your explicit choice will override the auto-grant going forward.

ActivePath provides the following privacy controls within the App:

• Analytics Toggle: Opt out of anonymous usage tracking at any time in Settings
• Public Profile Toggle: Choose whether your profile is visible to other users
• Workout Sharing: Control if completed workouts appear on your public profile
• Notification Preferences: Manage push notifications and communications
• Data Export: Download a complete copy of your data (profile, workouts, routes) in a machine-readable format
• Account Deletion: Permanently delete your account and all associated data
• HealthKit Integration: Enable or disable Apple HealthKit sync at any time
• Location Permissions: Manage through your device settings

ActivePath requires location access to provide core functionality:

• When In Use: Shows your position on the map and tracks active workouts
• Always (Optional): Enables background tracking during workouts so you can use other apps while tracking continues

You can manage location permissions at any time in your device settings. Disabling location access will limit core functionality including route generation and workout tracking.

We collect precise location data only when the App is actively in use or during background workout tracking (if you have granted "Always" permission). We do not track your location when you are not using the App.

ActivePath is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@activepath.ai, and we will take steps to delete that information.

For users between 13 and 17 years of age who use the Service with parental consent, we apply heightened protections to their health and fitness data:

• Their profiles are set to private by default
• Their data is not used for any marketing purposes
• Parental consent can be withdrawn at any time by contacting us

Parental consent verification: When a user indicates they are between 13 and 17 during sign-up, we collect a parent or guardian email address and send that address a verifiable consent request. The minor account is held in a restricted state until the parent or guardian confirms consent through the link in that email. A parent or guardian may at any time email privacy@activepath.ai to: (a) review the personal information we have collected from the minor; (b) request its correction or deletion; or (c) withdraw consent and have the account terminated.

We comply with the Children's Online Privacy Protection Act (COPPA) in the United States and equivalent laws in other jurisdictions. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.

Your information may be transferred to and processed in countries other than your country of residence, primarily the United States, where our servers and service providers are located. These countries may have different data protection laws than your home country.

If you are in the EEA, UK, or Switzerland, we ensure appropriate safeguards for international data transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data processing agreements with all service providers that require compliance with applicable data protection laws
• Where applicable, reliance on adequacy decisions by the European Commission or UK authorities

By using the Service, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions where our service providers operate. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

Some web browsers transmit "Do Not Track" (DNT) signals. We currently do not respond to DNT signals because there is no industry-standard approach to DNT. However, you can control tracking through the privacy controls described in this policy and through your browser or device settings.

In the event of a data breach that affects your personal information, we will:

• Notify affected users without undue delay (and within 72 hours where required by GDPR)
• Notify relevant supervisory authorities as required by applicable law
• Describe the nature of the breach, the data affected, and the measures taken
• Provide recommendations for steps you can take to protect yourself

We maintain incident response procedures to detect, investigate, and respond to data breaches promptly.

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Last Updated" date at the top of this policy
• We will notify you through the App or via email for significant changes
• We will provide a reasonable period for review before material changes take effect
• Where required by law, we will obtain your consent to material changes in how we process your data

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.

If you submit a contact form, feedback message, support ticket, or other communication to ActivePath through the website or App, we collect:

• The information you provide (name if given, email address, message contents, attachments)
• Technical metadata necessary to receive and process the submission (timestamp, IP address, user agent)

Bug Reports

If you submit a bug report through the App, the submission may also include:

• A screenshot of your current screen — please review the screenshot before submitting and avoid including sensitive personal information you do not want shared
• Recent application logs that we use to reproduce and fix the issue. These logs may incidentally include identifiers (such as your account email, user ID, or feature-flag values) and short fragments of the data being processed at the time of the error
• Device and OS metadata, app version, and recent navigation history within the App

We use this information solely to respond to your inquiry, route it to the appropriate team, prevent abuse of the contact channels, debug and fix issues, and (if you opt in) follow up with related product communications. Contact-form and bug-report data is retained for up to 24 months from the date of last interaction unless a longer period is necessary for legal, regulatory, or security purposes, after which it is deleted or de-identified.

This data is not used for advertising, not sold, and not shared with third parties except: (a) our email, support-ticket, and crash-reporting service providers, who process the data on our behalf under written data-processing agreements; and (b) where disclosure is required by law.

EU/UK Data Protection Officer: For privacy questions, GDPR data-subject requests, or other formal data-protection matters, contact our Data Protection Officer at dpo@activepath.ai. The DPO acts independently within ActivePath on data-protection matters and is your primary point of contact for GDPR-related rights.

EU/UK Representative: If we are required to designate an Article 27 representative within the EU or UK, the current contact for that representative is published at activepath.ai/privacy/eu-representative. If you cannot reach the DPO, you may also contact privacy@activepath.ai.

Supervisory Authority: If you are in the EEA, UK, or Switzerland and believe we have not adequately addressed your data-protection concerns, you have the right to lodge a complaint with your local data-protection supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ico.org.uk).

CCPA Data Broker Status: ActivePath is not a "data broker" as defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.99.80 et seq.) or comparable laws in Vermont, Texas, or Oregon. We do not sell personal information, and we do not collect personal information from sources other than the consumer with whom we have a direct relationship for the purpose of selling it.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

If you are in the EEA and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.

We aim to respond to all privacy-related inquiries within 30 days. If you are making a formal data subject access request, we will comply within the timeframes required by applicable law.