Privacy Policy

Last updated: June 28, 2026

This Privacy Policy explains how DZ LLC ("Myto," "we," "us," or "our") collects, uses, shares, and protects personal data when you use the Myto mobile application and related services (collectively, the "Service"). It also describes your rights and choices.

If you do not agree with this Policy, please do not use the Service.

1. Who we are (Data Controller)

The data controller responsible for your personal data is:

DZ LLC
2108 N St, Ste N, Sacramento, CA 95816
Email: privacy@mytofitness.com

For questions about this Policy or your personal data, contact us at privacy@mytofitness.com.

2. Personal data we collect

We collect the following categories of personal data:

2.1 Account and identity data

2.2 Health and fitness data (sensitive data)

With your permission via Apple Health (HealthKit), we access and store:

We treat this as sensitive personal data and handle it accordingly (see Sections 5 and 6).

2.3 Coaching conversation data

2.4 Device and technical data

2.5 Usage and analytics data

We do not collect payment information. The Service does not currently process payments (see the Terms of Service).

Notice at Collection (California residents)

At or before the point of collection, we provide this summary of the categories of personal information we collect:

Category (CCPA)ExamplesPurposeSold/Shared?Retention
IdentifiersEmail, Apple ID, device/push token, user IDAccount, authentication, notificationsNoUntil account deletion
Customer records (Cal. Civ. Code §1798.80)Display name (optional)PersonalizationNoUntil account deletion
Health & fitness (sensitive)Workouts, heart rate, weight, GPS routes, thresholdsProvide and personalize the ServiceNoUntil account deletion
GeolocationGPS workout routesRoute display and analysisNoUntil account deletion
Internet/usage activityAnalytics events, app interactionsAnalytics, reliabilityNoUp to 14 months (analytics)
User contentChat messages, goals, notesAI coachingNoUntil account deletion

We do not sell or share personal information, and we do not use sensitive personal information beyond what is necessary to provide the Service.

3. How we collect personal data

4. How and why we use your data, and our legal bases

PurposeData usedLegal basis (GDPR)
Provide the Service: accounts, training plans, workout tracking, dashboardsAccount and health/fitness dataArt. 6(1)(b) performance of a contract
Provide AI coaching and feedbackConversation data, goals, plan, fitness contextArt. 6(1)(b) contract; Art. 9(2)(a) explicit consent for health data
Send push notifications you enable (coaching, reminders, summaries)Device token, activity data, notification preferencesPerformance of a contract; consent
Authenticate you and secure the ServiceAccount data, tokensPerformance of a contract; legitimate interests
Improve reliability and the product (analytics, crash reporting)Usage and technical dataLegitimate interests; consent where required
Prevent abuse and enforce our TermsAccount data, message classificationLegitimate interests; legal obligation
Comply with legal obligationsAs requiredLegal obligation

For EEA/UK users, we rely on a lawful basis under GDPR Article 6 for each purpose above. Because health and fitness data are special-category data, we process them only on the basis of your explicit consent under Article 9(2)(a), which you give in the app when you enable Apple Health and AI coaching. Where we rely on consent (including for health data and, where required, for analytics), you may withdraw it at any time without affecting processing already carried out.

5. AI coaching and automated processing

The Service uses Google's Gemini API (paid service) to generate coaching responses and feedback. To do this, we send Google the content of your coaching conversation together with relevant context — your goals, training plan, scheduled sessions, fitness thresholds (e.g., max heart rate, FTP, threshold pace), events, and inferred preferences. We do not send your password, authentication tokens, or raw GPS coordinates to Google for this purpose.

Under Google's terms for paid Gemini API services, Google does not use your prompts or the model's responses to improve its products, but may process and temporarily retain prompts and responses to provide the service, detect abuse, maintain safety and security, and comply with legal obligations.

This processing produces coaching suggestions and informational content. It does not make legal or similarly significant automated decisions about you. AI-generated content may be inaccurate and is not professional medical, health, or fitness advice (see the Terms of Service).

6. Apple Health (HealthKit) data

We access Apple Health data only with your explicit permission and only to provide and personalize the Service (training analysis, coaching, plan adherence). Specifically:

7. How we share your data (service providers and third parties)

We do not sell your personal data. We share it only with the following categories of recipients, who act as our processors/service providers or as independent controllers where noted. We primarily process Service data in the United States; some providers (or their subprocessors) may process limited data in other countries where they operate, subject to applicable safeguards.

RecipientRoleData sharedPurpose
Google Cloud Platform (Google LLC)ProcessorAll Service data (hosting/database)Host and operate the Service (region: us-central1, USA)
Google Gemini API (Google LLC)ProcessorConversation content + coaching context (Section 5)Generate AI coaching
Google Firebase — Analytics & Crashlytics (Google LLC)ProcessorUsage events, user properties, crash diagnostics, pseudonymous user IDProduct analytics and crash reporting
Resend (Resend, Inc.)ProcessorEmail address, one-time login codeSend authentication emails
Apple — Sign in with Apple & Push Notifications (Apple Inc.)Independent controller / processorApple identifier, name, email (sign-in); device token and notification content (push)Authentication and notification delivery

We may also disclose personal data if required by law, to protect our rights or the safety of others, or in connection with a merger, acquisition, or sale of assets (with notice where required).

Each third party processes data under its own privacy policy:

8. International data transfers

We operate the Service from the United States and primarily process Service data there. Our service providers may process data in the United States and in other countries where they or their subprocessors operate. If you access the Service from outside the United States (e.g., the EEA or UK), your data will be transferred to and processed in the United States and potentially other countries. Where required, such transfers are made under appropriate safeguards (such as the EU Standard Contractual Clauses with our processors).

9. Data retention

We retain personal data for as long as your account is active or as needed to provide the Service, then delete or anonymize it, except where longer retention is required by law. Specific periods:

Data processed by our service providers (e.g., content sent to Google to generate a coaching response) may be retained by those providers according to their applicable terms, data-processing agreements, and retention practices.

10. Your rights and choices

Depending on where you live, you may have the right to:

How to exercise these rights:

California residents (CCPA/CPRA): To the extent these laws apply to us, we do not "sell" or "share" personal information as those terms are defined under California law, and we do not use sensitive personal information for purposes other than providing the Service. You have the rights described above and the right not to be discriminated against for exercising them.

EEA/UK residents: You may lodge a complaint with your local supervisory authority.

11. Children's privacy

The Service is intended for adults and is not directed to minors. You must be at least 18 years old to use the Service. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected such data, we will delete it. If you believe someone under 18 has provided us personal data, contact privacy@mytofitness.com.

12. Security

We use technical and organizational measures to protect your data, including encryption in transit (HTTPS), authentication controls, rate limiting, and storage of secrets in a managed secrets system. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

If we become aware of a security incident affecting your personal data, we will investigate and notify you, and regulators, where required by applicable law (including, where applicable, the FTC Health Breach Notification Rule and U.S. state breach-notification laws).

13. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice through the app or by email. Your continued use of the Service after changes take effect constitutes acceptance.

14. Contact us

DZ LLC
2108 N St, Ste N, Sacramento, CA 95816
Email: privacy@mytofitness.com