Privacy Policy

Draft — pending legal review. Last updated 2026-06-15.

This Privacy Policy explains how Sevra (“Sevra,” “we,” “us,” “our”) collects, uses, shares, retains, secures, and lets you delete your information when you use the Sevra mobile app for iOS and Android, our website at sevrafit.com, our API at api.sevrafit.com, and related services (together, the “Service”).

Sevra is a premium, trainer-grade AI fitness coaching app. It generates individualized training programs, supports one-tap workout logging and progress tracking, and gives trainers a console for coaching the clients on their roster. Because we handle health and fitness information, we treat that data with particular care, as described below.

The organization responsible for your information (the data controller) is [LEGAL ENTITY / JURISDICTION — TBD]. Contact details are in the Contact us section.

Health, not medical, context. Sevra is not a medical provider, and the Service does not provide medical advice. AI-generated plans are advisory, pass an automated medical-safety check, and are not a substitute for professional medical guidance. Please consult a physician before starting any exercise program. This Privacy Policy describes how we handle data; it is not medical or legal advice.

1. Information we collect

We collect the information described below. Most of it you provide directly; some is generated as you use the Service.

Account information

  • Your email address.
  • Your password, stored only as a secure cryptographic hash — we never store it in plain text.
  • Email-verification status and the records needed to confirm your account (you verify your email with a 6-digit code at sign-up).

Profile & health-screening information

  • Training goals and experience level.
  • Available equipment and training preferences.
  • Injuries and the answers you give to our medical-safety screening (medical-screening answers).

Some of this is health-related information, which we treat as sensitive and use only to operate the Service and run safety screening.

Coaching & activity data

  • Workout logs (the sets, reps, and exercises you record).
  • Body measurements and personal records.
  • AI-generated training plans created for you.
  • Weekly check-ins — your weight and, optionally, energy, sleep, and recovery inputs.
  • Progress data we derive from the above, such as strength trends and personal-record history.

Coaching relationships

  • If you are a coached client, the connection between you and your trainer, and the plans, logs, and check-ins shared within that relationship.
  • If you are a trainer, the roster of clients connected to you and the coaching information needed to run your console.

Technical & diagnostic information

  • Basic technical logs needed to operate the Service (for example, request timestamps and error events).
  • Limited diagnostic data captured by our error-monitoring provider when something goes wrong in the app, so we can find and fix problems. See Cookies & analytics.

Payments

  • If the Service offers paid subscriptions, they are processed by the Apple App Store or Google Play. We do not receive or store your full payment-card details; we may store a subscription identifier to manage your access.

2. How we use your information

  • To create and secure your account, verify your email, and sign you in.
  • To generate and personalize your AI training plans.
  • To run the medical-safety check that gates plan generation, using your injuries and medical-screening answers so we avoid recommending exercise that may be unsafe for you.
  • To power one-tap workout logging and progress tracking (personal records, strength trends, body metrics).
  • To run weekly check-ins and adapt coaching over time.
  • To enable the trainer→client coaching relationship and the trainer console.
  • To send service communications, such as your verification code, password resets, and plan-ready notices, and — if you allow it — reminders.
  • To provide support, maintain security, prevent abuse, debug errors, and meet legal obligations.

We do not sell your personal data, and we do not use your health data for advertising.

3. Legal bases for processing

Where a legal basis is required for our use of your information, we rely on the following.

  • Contract. To provide the Service you have signed up for — creating your account, generating and storing your plans, logging workouts, tracking progress, and running the coaching relationship — we process the information needed to perform that agreement with you.
  • Consent. For health-related and other sensitive information (such as your injuries and medical-screening answers) and for optional features like push reminders, we rely on your consent, which you agree to at sign-up and can withdraw at any time (for example, by changing the relevant inputs, turning off a feature, or deleting your account). Withdrawing consent does not affect processing already carried out.
  • Legitimate interests. To keep the Service secure, prevent abuse and fraud, diagnose and fix errors, and improve reliability, where those interests are not overridden by your rights.
  • Legal obligation. To comply with applicable laws and respond to lawful requests.

The exact legal bases and the specific rights available to you depend on the privacy framework that applies to you. [LEGAL ENTITY / JURISDICTION — TBD] — the controlling framework and governing law are pending and will be confirmed before publication.

4. AI plan generation (Azure OpenAI)

To build and personalize your training plan, relevant parts of your profile and medical-screening inputs are sent to Microsoft Azure OpenAI, which generates the plan on our instructions as a data processor acting on our behalf. The plan is then returned to Sevra, checked by our automated medical-safety gate, and stored in your account.

  • AI plans are advisory and are not medical advice. They do not replace guidance from a qualified physician or healthcare professional.
  • We send the AI provider only what is needed to generate a relevant, safe plan.
  • The AI provider processes this information under our instructions and is not permitted to use it for its own purposes.

Plan generation and the medical-safety gate are automated. They support, but do not replace, your own judgment and that of your physician or trainer. The specifics of how the AI provider handles plan-generation inputs (including data residency and retention by the provider) are being confirmed as part of our pre-launch legal review.

5. Service providers (sub-processors)

We rely on a small set of trusted providers to run the Service. They process your information only on our instructions and under confidentiality and data-protection obligations. We do not sell your data to anyone. The table below lists each provider, what they do, and the region in which they process data for us.

Processor | Purpose | Region
Microsoft Azure OpenAI | AI training-plan generation | Confirm
Supabase | Primary database (your account and coaching data) | Mumbai, India
Upstash | Cache and background job queue | Confirm
Resend | Transactional email (verification codes, password resets, service notices) | Confirm
Sentry | Error monitoring and crash diagnostics (in the app) | Confirm
Railway | Application and API hosting | Confirm
Vercel | Website hosting (sevrafit.com) | Confirm

Only the Supabase database region (Mumbai, India) is confirmed at this time. The processing region for the other providers is being verified and will be finalized before publication.

6. How information is shared

  • With your trainer. If you are a coached client connected to a trainer, that trainer can see the training information needed to coach you — your plans, workout logs, progress, and check-ins. If you train solo, your data is not shared with any trainer.
  • With service providers. Only as needed to operate the Service, as listed in the sub-processors table, under confidentiality and data-protection obligations.
  • For legal reasons. If required by law, or to protect the rights, safety, and integrity of Sevra, our users, or the public.
  • In a business transfer. If Sevra is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to this policy.

We do not sell or rent your personal data.

7. Data retention

We keep your information for as long as your account is active and as needed to provide the Service. When you delete your account, we erase your personal data after the 30-day grace period described in Deleting your account & erasure.

Some records may be retained for longer where we are required to keep them by law, to resolve disputes, to enforce our agreements, or to maintain security and audit integrity. Records that form part of another person’s history (such as a coaching relationship and the programs created within it) and internal audit logs may be retained with every link to your identity removed, so they can no longer identify you. Backups are purged on a rolling schedule.

8. Deleting your account & erasure

You can delete your Sevra account and personal data at any time, directly in the app (Profile → Delete account). If you cannot access the app, you can email support@sevrafit.com from the address on your account and we will process the deletion for you. Our deletion model is:

  • Immediate lock-out. When you request deletion, your account is locked and all of your sessions and sign-ins are revoked right away. You can no longer log in.
  • 30-day grace period. For 30 days the account is held in a locked state and can be restored only by contacting support. There is no self-service in-app restore.
  • Permanent erasure. After 30 days, your personal data is permanently erased. This includes your email, your profile and medical-screening answers, your workout logs, body measurements, personal records, AI-generated plans, check-ins, your password hash, and any coaching connections tied to you.
  • What is retained, anonymized. Records that are part of another person’s history (such as a coaching relationship and the programs created within it) and internal audit logs are kept, but with every link to your identity removed so they can no longer identify you.

Erasure is permanent and cannot be undone once complete, and the deletion is itself audit-logged. Deleting your account does not cancel an Apple- or Google-billed subscription; manage those in your app-store account settings.

9. Your rights and choices

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data — most of which you can update directly in the app.
  • Delete your account and personal data, as described above.
  • Export a copy of your data in a portable form.
  • Object to or restrict certain processing, and withdraw consent where we rely on it.

You can exercise most of these directly in the app, or contact us at support@sevrafit.com. We will respond within the timeframe required by applicable law. You also have the right to lodge a complaint with your local data-protection authority. The exact scope of these rights depends on the controlling privacy framework, which is pending confirmation — see Legal bases for processing.

10. Security

We protect your information with industry-standard measures, including:

  • Encryption in transit — connections between the app, our website, and our API are protected with encrypted (HTTPS/TLS) connections.
  • Hashed passwords — passwords are stored only as secure cryptographic hashes, never in plain text.
  • Access controls on the systems that hold your data, and prompt session revocation on logout or deletion.

No method of transmission or storage is perfectly secure, but we work to protect your data and to detect, investigate, and respond to incidents.

11. International data transfers

Sevra serves users in the United States, while our primary database is hosted in India (the Mumbai region of Supabase), and some of our other providers may process data in other countries (see the sub-processors table). This means your information may be transferred to, stored in, and processed in countries other than the one in which you live, which may have different data-protection laws.

Where such transfers occur and a safeguard is required, we put appropriate measures in place to protect your information. The specific transfer mechanism (for example, standard contractual clauses or another lawful basis) is being confirmed as part of our pre-launch legal review — [LEGAL ENTITY / JURISDICTION — TBD].

12. Children (18+ only)

Sevra is intended only for adults aged 18 or older, which you confirm at sign-up. The Service is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us personal data, contact support@sevrafit.com and we will remove it.

13. Cookies & analytics

Our website (sevrafit.com) is a static site. It does not use cookies for advertising or set tracking cookies to profile you across other sites. Our hosting provider may process limited technical request data needed to serve and secure the site.

Inside the app, we use Sentry for error monitoring and crash diagnostics. When the app encounters an error, limited diagnostic information is sent to Sentry so we can find and fix the problem. We use this only to keep the Service reliable, not for advertising.

14. Changes to this policy

We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, for material changes, provide a more prominent notice.

15. Contact us

For privacy questions or requests, contact us at:

The legal entity responsible for your information, its registered address, and the governing law are not yet finalized: [LEGAL ENTITY / JURISDICTION — TBD]. These will be inserted before this policy is published.