Privacy Policy
Last updated: June 28, 2026
This Privacy Policy explains how DZ LLC ("Myto," "we," "us," or "our") collects, uses, shares, and protects personal data when you use the Myto mobile application and related services (collectively, the "Service"). It also describes your rights and choices.
If you do not agree with this Policy, please do not use the Service.
1. Who we are (Data Controller)
The data controller responsible for your personal data is:
DZ LLC
2108 N St, Ste N, Sacramento, CA 95816
Email: privacy@mytofitness.com
For questions about this Policy or your personal data, contact us at privacy@mytofitness.com.
2. Personal data we collect
We collect the following categories of personal data:
2.1 Account and identity data
- Email address — when you sign in using an email one-time code.
- Apple account identifier and name — if you use Sign in with Apple. Apple may provide your name and either your real email or a private-relay email, depending on your choice.
- Display name (optional).
- Timezone and unit preference (metric/imperial).
2.2 Health and fitness data (sensitive data)
With your permission via Apple Health (HealthKit), we access and store:
- Workouts and activity history (type, date, duration, distance, energy burned).
- Heart rate (average, maximum, and samples over time).
- Cycling power and cadence, running stride length, and similar performance metrics.
- Elevation gain/loss and speed.
- GPS workout routes (latitude/longitude coordinates and altitude) for outdoor activities.
- Body weight, maximum heart rate, and derived fitness thresholds (FTP, threshold pace, critical swim speed) that you provide or that we estimate from your activities.
- Personal records, streaks, training plans, sessions, goals, events, and your subjective feedback (perceived exertion, energy, soreness, enjoyment, notes).
We treat this as sensitive personal data and handle it accordingly (see Sections 5 and 6).
2.3 Coaching conversation data
- The content of messages you exchange with the AI coach, and context we derive from them (e.g., extracted preferences and constraints such as "I travel on Tuesdays").
2.4 Device and technical data
- Push notification device token (to deliver notifications).
- App and device information collected through crash reporting and analytics, such as device model, operating system version, app version, and crash diagnostics.
2.5 Usage and analytics data
- Product analytics events (e.g., screens viewed, features used, counts such as number of workouts synced) and user properties (e.g., primary sport, unit preference, whether Health is connected), associated with a pseudonymous user identifier.
- We do not include raw health values (such as heart-rate readings, GPS coordinates, body weight, or message text) in analytics or crash-reporting data.
We do not collect payment information. The Service does not currently process payments (see the Terms of Service).
Notice at Collection (California residents)
At or before the point of collection, we provide this summary of the categories of personal information we collect:
| Category (CCPA) | Examples | Purpose | Sold/Shared? | Retention |
|---|---|---|---|---|
| Identifiers | Email, Apple ID, device/push token, user ID | Account, authentication, notifications | No | Until account deletion |
| Customer records (Cal. Civ. Code §1798.80) | Display name (optional) | Personalization | No | Until account deletion |
| Health & fitness (sensitive) | Workouts, heart rate, weight, GPS routes, thresholds | Provide and personalize the Service | No | Until account deletion |
| Geolocation | GPS workout routes | Route display and analysis | No | Until account deletion |
| Internet/usage activity | Analytics events, app interactions | Analytics, reliability | No | Up to 14 months (analytics) |
| User content | Chat messages, goals, notes | AI coaching | No | Until account deletion |
We do not sell or share personal information, and we do not use sensitive personal information beyond what is necessary to provide the Service.
3. How we collect personal data
- Directly from you — when you create an account, enter profile details, set goals, or chat with the coach.
- From your device, with your permission — Apple Health (HealthKit) data is read only after you grant permission in the app, and can include background updates when you record a new workout. You can revoke this at any time in iOS Settings → Privacy & Security → Health.
- Automatically — analytics and crash diagnostics while you use the app.
4. How and why we use your data, and our legal bases
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the Service: accounts, training plans, workout tracking, dashboards | Account and health/fitness data | Art. 6(1)(b) performance of a contract |
| Provide AI coaching and feedback | Conversation data, goals, plan, fitness context | Art. 6(1)(b) contract; Art. 9(2)(a) explicit consent for health data |
| Send push notifications you enable (coaching, reminders, summaries) | Device token, activity data, notification preferences | Performance of a contract; consent |
| Authenticate you and secure the Service | Account data, tokens | Performance of a contract; legitimate interests |
| Improve reliability and the product (analytics, crash reporting) | Usage and technical data | Legitimate interests; consent where required |
| Prevent abuse and enforce our Terms | Account data, message classification | Legitimate interests; legal obligation |
| Comply with legal obligations | As required | Legal obligation |
For EEA/UK users, we rely on a lawful basis under GDPR Article 6 for each purpose above. Because health and fitness data are special-category data, we process them only on the basis of your explicit consent under Article 9(2)(a), which you give in the app when you enable Apple Health and AI coaching. Where we rely on consent (including for health data and, where required, for analytics), you may withdraw it at any time without affecting processing already carried out.
5. AI coaching and automated processing
The Service uses Google's Gemini API (paid service) to generate coaching responses and feedback. To do this, we send Google the content of your coaching conversation together with relevant context — your goals, training plan, scheduled sessions, fitness thresholds (e.g., max heart rate, FTP, threshold pace), events, and inferred preferences. We do not send your password, authentication tokens, or raw GPS coordinates to Google for this purpose.
Under Google's terms for paid Gemini API services, Google does not use your prompts or the model's responses to improve its products, but may process and temporarily retain prompts and responses to provide the service, detect abuse, maintain safety and security, and comply with legal obligations.
This processing produces coaching suggestions and informational content. It does not make legal or similarly significant automated decisions about you. AI-generated content may be inaccurate and is not professional medical, health, or fitness advice (see the Terms of Service).
6. Apple Health (HealthKit) data
We access Apple Health data only with your explicit permission and only to provide and personalize the Service (training analysis, coaching, plan adherence). Specifically:
- We read health and workout data; we do not write data back to Apple Health.
- We never use Apple Health data for advertising or marketing, and we never sell it.
- We do not share Apple Health data with third parties except service providers that host or process it to operate the Service, as described in Section 7, and never for their own purposes.
- Where your workout and fitness context is used to generate AI coaching, it is processed by our AI provider (Google) solely to produce your coaching responses — never for advertising or marketing. We ask for your permission in the app before enabling Health access and AI coaching.
- Health data is excluded from our analytics and crash-reporting tools.
- You can revoke Health access at any time in iOS Settings; this stops future syncing but does not, by itself, delete data already stored — use the in-app deletion or contact us (Sections 9 and 10).
7. How we share your data (service providers and third parties)
We do not sell your personal data. We share it only with the following categories of recipients, who act as our processors/service providers or as independent controllers where noted. We primarily process Service data in the United States; some providers (or their subprocessors) may process limited data in other countries where they operate, subject to applicable safeguards.
| Recipient | Role | Data shared | Purpose |
|---|---|---|---|
| Google Cloud Platform (Google LLC) | Processor | All Service data (hosting/database) | Host and operate the Service (region: us-central1, USA) |
| Google Gemini API (Google LLC) | Processor | Conversation content + coaching context (Section 5) | Generate AI coaching |
| Google Firebase — Analytics & Crashlytics (Google LLC) | Processor | Usage events, user properties, crash diagnostics, pseudonymous user ID | Product analytics and crash reporting |
| Resend (Resend, Inc.) | Processor | Email address, one-time login code | Send authentication emails |
| Apple — Sign in with Apple & Push Notifications (Apple Inc.) | Independent controller / processor | Apple identifier, name, email (sign-in); device token and notification content (push) | Authentication and notification delivery |
We may also disclose personal data if required by law, to protect our rights or the safety of others, or in connection with a merger, acquisition, or sale of assets (with notice where required).
Each third party processes data under its own privacy policy:
- Google: https://policies.google.com/privacy
- Apple: https://www.apple.com/legal/privacy/
- Resend: https://resend.com/legal/privacy-policy
8. International data transfers
We operate the Service from the United States and primarily process Service data there. Our service providers may process data in the United States and in other countries where they or their subprocessors operate. If you access the Service from outside the United States (e.g., the EEA or UK), your data will be transferred to and processed in the United States and potentially other countries. Where required, such transfers are made under appropriate safeguards (such as the EU Standard Contractual Clauses with our processors).
9. Data retention
We retain personal data for as long as your account is active or as needed to provide the Service, then delete or anonymize it, except where longer retention is required by law. Specific periods:
- Account and Service data (profile, workouts, goals, plans, chat history): retained until you delete your account.
- Authentication codes (email one-time codes): expire after 10 minutes.
- Session tokens: access tokens expire after 48 hours; refresh tokens after 30 days.
- Analytics data (Firebase Analytics): retained according to our configured retention setting (up to 14 months) before being aggregated or deleted.
- Crash diagnostics (Firebase Crashlytics): retained for approximately 90 days.
- Backups: residual copies may persist in encrypted database backups for up to 7 days after deletion before being overwritten.
Data processed by our service providers (e.g., content sent to Google to generate a coaching response) may be retained by those providers according to their applicable terms, data-processing agreements, and retention practices.
10. Your rights and choices
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data (much of which you can edit in the app).
- Delete your data ("right to erasure").
- Port your data to another service.
- Object to or restrict certain processing, and withdraw consent.
- Opt out of certain analytics.
How to exercise these rights:
- Delete your account and associated data directly in the app: Settings → Delete Account. This permanently deletes your account and the personal data associated with it from our active systems. Residual copies in encrypted backups are overwritten within a limited period (see Section 9).
- Analytics: You can limit analytics and ad-related identifiers through your device settings (iOS Settings → Privacy & Security), and you may object to analytics processing by contacting us.
- Revoke Apple Health access at any time in iOS Settings → Privacy & Security → Health.
- For any other request, contact us at privacy@mytofitness.com. We will respond within the timeframe required by applicable law.
California residents (CCPA/CPRA): To the extent these laws apply to us, we do not "sell" or "share" personal information as those terms are defined under California law, and we do not use sensitive personal information for purposes other than providing the Service. You have the rights described above and the right not to be discriminated against for exercising them.
EEA/UK residents: You may lodge a complaint with your local supervisory authority.
11. Children's privacy
The Service is intended for adults and is not directed to minors. You must be at least 18 years old to use the Service. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected such data, we will delete it. If you believe someone under 18 has provided us personal data, contact privacy@mytofitness.com.
12. Security
We use technical and organizational measures to protect your data, including encryption in transit (HTTPS), authentication controls, rate limiting, and storage of secrets in a managed secrets system. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
If we become aware of a security incident affecting your personal data, we will investigate and notify you, and regulators, where required by applicable law (including, where applicable, the FTC Health Breach Notification Rule and U.S. state breach-notification laws).
13. Changes to this Policy
We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice through the app or by email. Your continued use of the Service after changes take effect constitutes acceptance.
14. Contact us
DZ LLC
2108 N St, Ste N, Sacramento, CA 95816
Email: privacy@mytofitness.com