Privacy Policy

CatalysFit is operated by Tiago Paladini, acting as sole controller for all personal data processed through the service. The business operates from Brazil. No separate legal entity is currently registered; operations are conducted by the individual founder. We handle personal data including, in particular, health-related information about personal-training clients. Because of that sensitivity, we have voluntarily designated a Data Protection Officer (DPO / Encarregado) before reaching thresholds that would make it mandatory. 📧 Privacy and data protection questions: dpo@catalysai.app 📧 General support: support@catalysai.app 🌐 catalysfit.com EU/UK residents: we have not yet appointed a representative under GDPR Article 27 or UK-GDPR Article 27. We are operating at pre-revenue scale and will formally designate representatives as user volumes grow. You may contact us directly at dpo@catalysai.app in the interim, and you retain the right to lodge a complaint with your national supervisory authority.

We collect the following categories of personal data. For California residents, these map to the 11 categories of personal information defined in Cal. Civ. Code §1798.140 (see "California (CCPA/CPRA)" below). A. Trainer account data • Identity: name, email, password hash, locale, time zone • Business profile: business name, logo, branding, payment settings • Device and login metadata: IP address, user agent, session timestamps B. Client (student) data, entered by the trainer or by the client • Identity and contact: name, email, age, sex • Health-related data (see Section 3): weight, height, body measurements, body-composition metrics, goals, training history, injuries, medical restrictions, medication notes, pregnancy status, sleep, pain, adherence, energy, mood • Progress photos and voice messages (where the client uploads them) • Notes the trainer records about the client C. Service usage and content • Workouts, meal plans, reports, messages, bookings, check-ins generated or exchanged through the platform • Feedback, support requests, chat widget interactions D. Payment and billing data (handled by Stripe and/or Apple/Google Play) • Billing contact details; invoice history • We do NOT store card numbers — Stripe, Apple, and Google handle payment credentials E. Technical and diagnostic data • Access logs, rate-limit records, crash reports • Push-notification device tokens (when you opt in) F. Cookies and similar technologies • Strictly necessary cookies for authentication and preferences • Optional analytics and session-replay cookies (PostHog) if you accept them in the cookie banner We do not knowingly collect personal data from children under 13 (or the equivalent minimum age in your jurisdiction — see Section 12).

The health-related data we collect (weight, injuries, medical restrictions, medication notes, pregnancy status, check-in pain and energy scores, body composition) qualifies as: • "Special categories of personal data" under GDPR Art. 9 and UK-GDPR Art. 9 • "Dados pessoais sensíveis" under LGPD Art. 5, II / Art. 11 • "Sensitive Personal Information" under CPRA §1798.121 • "Consumer Health Data" under the Washington My Health My Data Act We process this category of data only on the basis of your explicit consent (GDPR Art. 9(2)(a); LGPD Art. 11, II, a; CPRA §1798.121; MHMDA §70.372.030). The consent is collected: • From trainers when they sign up and indicate they will use the platform to record client health data • From clients (students) when they complete the in-platform anamnese / health questionnaire You may withdraw this consent at any time by emailing dpo@catalysai.app or deleting your account. Withdrawing consent will stop further processing; data processed before the withdrawal remains lawful. The separate Washington Consumer Health Data Privacy Policy at /washington-health-privacy provides the MHMDA-specific disclosures required for Washington residents.

We use personal data for the following purposes. Where the legal basis differs by jurisdiction, the most restrictive basis applies (e.g. health data always requires explicit consent). • Provide the service and the account you signed up for — performance of contract (GDPR Art. 6(1)(b); LGPD Art. 7, V) • Generate AI-assisted workouts, meal plans, and reports for trainers to review — performance of contract plus explicit consent for the health inputs (GDPR Art. 9(2)(a); LGPD Art. 11, II, a) • Process payments and billing — performance of contract (GDPR Art. 6(1)(b)); legal obligation for tax and accounting records (Art. 6(1)(c)) • Communicate about the service (transactional emails, service notices, push notifications) — performance of contract (Art. 6(1)(b)) • Detect fraud, prevent abuse, enforce our terms, protect the service — legitimate interests (Art. 6(1)(f)); LGPD Art. 7, IX • Marketing emails (newsletters, promotional content) — only with your opt-in consent (Art. 6(1)(a); LGPD Art. 7, I); you may unsubscribe at any time • Cookies / analytics / session replay — only with your opt-in consent (ePrivacy Art. 5(3); Art. 6(1)(a)) • Comply with legal obligations, respond to lawful requests — Art. 6(1)(c); LGPD Art. 7, II

We share personal data only with service providers ("sub-processors") that help us operate the service. Each has contractually committed to protect your data and to process it only on our instructions, except where they act as independent controllers for their own purposes. • Supabase (Supabase, Inc., US) — database, authentication, file storage • Vercel (Vercel, Inc., US) — application hosting and CDN • Stripe (Stripe, Inc., US) — web payment processing; acts as independent controller for fraud prevention and its own service purposes • RevenueCat (RevenueCat, Inc., US) — mobile in-app-purchase management • OpenRouter (OpenRouter, Inc., US) + MiniMax (MiniMax AI, Singapore/China) — large-language-model processing for AI-assisted workout and plan generation. Prompts sent to these providers include the input data necessary to generate a plan (training parameters derived from client data) but are scrubbed of direct identifiers where possible. These providers retain data per their own policies; we contract with them for zero- or limited-retention where the option is available. • Resend (Resend, Inc., US) — transactional email delivery • PostHog (PostHog, Inc., US) — product analytics and session replay, loaded only with your consent. Input fields are masked in session replays. • Sentry (Functional Software, Inc., US) — crash and error monitoring, PII-scrubbed • Langfuse (Langfuse GmbH, Germany, with cloud data plane in US) — LLM-call observability with PII scrubbing + hashed identifiers • Upstash (Upstash, Inc., US) — Redis-backed rate limiting; stores IP-based counters • Apple (Apple Inc., US) and Google (Google LLC, US) — platform app stores and push-notification services for the mobile app We do not sell your personal data. We do not rent it. We do not share it with advertisers for cross-context behavioral advertising. A current sub-processor list is maintained here; we will provide at least 30 days' notice by email or in-app before adding a new sub-processor that processes your personal data.

We retain personal data only as long as necessary for the purposes described in this policy, and then we delete it. Specific retention periods: • Active account data (trainer and client): while the account is active, plus up to 30 days after you delete your account to accommodate restore requests • Health / sensitive data: deleted within 30 days of account deletion or withdrawal of consent • Check-in / workout history: 30 days after account deletion • Payment and invoicing records: up to 5 years from the transaction date, to comply with tax and accounting obligations (LGPD Art. 16, II; national tax law) • Webhook / access logs: 30–90 days for security and debugging • Application logs under Brazilian Marco Civil Art. 15: minimum 6 months • Crash reports (Sentry): 90 days • Analytics data (PostHog, if you opt in): session replays 30 days; event data 12 months • LLM trace data (Langfuse): 30 days, PII-scrubbed • Audio recordings (voice messages): retained until the message thread is deleted, then deleted; voice messages are not used to generate voiceprints • Backups: deleted within the backup rotation cycle (maximum 90 days) We may retain certain records longer where a legal obligation, ongoing dispute, or enforcement action requires it.

Most of our sub-processors are based in the United States. Your personal data will therefore travel outside your country of residence. We rely on the following transfer mechanisms: For EU/EEA and UK residents (GDPR / UK-GDPR Chapter V): • EU Standard Contractual Clauses (Commission Decision 2021/914) and UK International Data Transfer Addendum, executed with providers that sign them • The EU-US Data Privacy Framework certification, where the provider is certified (e.g. Stripe, Vercel) • We perform a Transfer Impact Assessment for transfers where SCCs are the primary mechanism For Brazilian residents (LGPD Art. 33): • At the point you create your account and provide health data, you give specific, highlighted consent (Art. 33, VIII) to the international transfer of that data to US-based sub-processors, because ANPD has not yet issued adequacy decisions or approved standard clauses. We explain this in the consent flow. For Canadian residents (PIPEDA): • We remain accountable for your personal data regardless of where it is processed. You acknowledge that while processed outside Canada, data may be accessible to foreign courts, law enforcement, and national security authorities consistent with the laws of the receiving country. For Quebec residents (Law 25 Art. 17): • Before transferring your personal information outside Quebec we conduct a Privacy Impact Assessment (ÉFVP). Because Quebec does not consider the United States to provide an equivalent level of protection, we rely on your informed consent and on contractual safeguards with each sub-processor.

Depending on where you live you have some or all of the following rights over your personal data. All users (general): • Right to information about how we process your data (this policy fulfills that) • Right to access — request a copy of your personal data • Right to rectification — have inaccurate data corrected • Right to erasure — request deletion • Right to restrict processing • Right to object to processing that relies on legitimate interests • Right to data portability — receive your data in a common machine-readable format • Right to withdraw consent at any time (for processing based on consent) • Right not to be subject to solely automated decisions with legal or similarly significant effects — we keep a human trainer in the decision loop and you can always request human review • Right to lodge a complaint with your data protection authority LGPD residents (Brazil) — additional rights under Art. 18: • Right to anonymization or blocking of unnecessary / excessive data • Right to be informed of the public and private entities with which we shared your data • Right to know the consequences of denying consent • Right to petition ANPD directly: https://www.gov.br/anpd CCPA/CPRA residents (California) — additional rights: • Right to know what categories of personal and sensitive personal information we collect about you • Right to correct inaccurate personal information • Right to delete personal information • Right to opt out of the sale or sharing of personal information (we do not sell or share — see the "Do Not Sell or Share My Personal Information" link in the site footer) • Right to limit the use and disclosure of Sensitive Personal Information • Right to non-discrimination for exercising any of these rights • Right to appeal a denied rights request (see Section 9) Other US state residents (Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Florida, Iowa, Delaware, New Hampshire, New Jersey, Washington, others as enacted): • Right to access, correct, delete, and port your personal data • Right to opt out of targeted advertising, sale, and profiling (we do none of these) • Right to appeal a denied rights request Washington (MHMDA) — see the separate Consumer Health Data Privacy Policy at /washington-health-privacy Quebec (Law 25): • Right to data portability (in force since September 2024) • Right to be informed of any automated decision affecting you and the principal factors and parameters of the decision • Right to have any such decision reviewed by a human Canada (PIPEDA): • Right to access, correct, and challenge compliance via the Office of the Privacy Commissioner of Canada

You can exercise any of the rights above by: • Email: dpo@catalysai.app • In-app: account settings → Data & Privacy → export or delete your data • Public form: /delete-my-data (no login required; for data-deletion requests) We will respond: • Within 30 days (GDPR / CCPA / most US state laws / Quebec Law 25) • Within 15 days (LGPD; extendable once by 2 months with notification to you) • Within 45 days (some US state laws with a 45-day extension) We will not charge you a fee for your first request in any 12-month period. We may refuse repeated, excessive, or manifestly unfounded requests, and we will tell you why. Appeal process — if we deny a rights request, you may appeal by replying to the denial email or writing to dpo@catalysai.app with "Appeal" in the subject. We will respond to appeals within 60 days (Virginia, Connecticut) or within the statutory period of your state. If we deny your appeal, you may contact your state Attorney General or equivalent authority. To verify your identity we may ask you to confirm certain account-specific details so we only release your data to you.

We use a small number of cookies to operate the site and, only with your consent, to understand how people use it. • Strictly necessary cookies (authentication session, consent record, security) — always on; the site cannot function without them • Analytics / session replay cookies (PostHog) — set only after you click "Accept" in the cookie banner • No marketing or advertising cookies • No third-party cross-context behavioral advertising We honor the Global Privacy Control (GPC) signal. If your browser sends `Sec-GPC: 1` we treat it as a valid opt-out of any analytics and tracking. For the full per-cookie inventory — name, provider, purpose, duration — see the Cookie Policy at /cookie-policy. You can change your choice at any time by clearing the cookie banner preference in your browser or by emailing dpo@catalysai.app.

CatalysFit uses artificial intelligence to help trainers generate workout plans, meal plans, analyses, and reports from client data. We use this technology to assist a human trainer — never to make solely automated decisions with legal or similarly significant effects on a data subject. • A qualified human trainer reviews and approves every AI-generated workout, meal plan, or analysis before it is shared with a client • The AI provider stack is OpenRouter routing to MiniMax; inputs are scrubbed where possible • You have the right, under GDPR Art. 22, LGPD Art. 20, and Quebec Law 25 Art. 12.1, to request human review of any decision you believe was based on automated processing We also flag AI-generated content at the point of display with a "Generated by AI" label. The separate AI Transparency page at /ai-transparency explains in more detail what the AI does, what it does not do, and the safeguards we have in place.

CatalysFit is not intended for use by children. • Trainers must be at least 18 years old to sign up • We do not knowingly collect personal data from anyone under 13 (or the equivalent age under applicable law — 12 under LGPD Art. 14, 13 under COPPA, 16 under GDPR in some member states) We recognize that a personal trainer may work with minors. If a trainer adds a client under the age of majority, the trainer is responsible for obtaining verifiable parental consent before entering the minor's health data into the platform. We reserve the right to suspend accounts that appear to process minors' data without proper consent. If you believe a child has provided us personal data without the required parental consent, email dpo@catalysai.app and we will delete the data promptly.

We apply appropriate technical and organizational measures to protect your data, including: TLS 1.2+ in transit, AES-256 at rest, bcrypt password hashing, Row Level Security at the database layer, server-side webhook idempotency, rate-limited authentication endpoints, account lockout after repeated failed logins, and access controls limiting personal-data access to authorized personnel on a need-to-know basis. No method of transmission or storage over the Internet is 100% secure. If we become aware of a personal data breach we will: • Notify the competent supervisory authority without undue delay and within 72 hours where GDPR / UK-GDPR applies (Art. 33) • Notify ANPD and affected data subjects within a reasonable period where LGPD applies (Art. 48; ANPD Resolution 4/2023) • Notify the CAI (Commission d'accès à l'information) and affected individuals without delay where Quebec Law 25 applies • Notify the US Federal Trade Commission and affected individuals within 60 days where the FTC Health Breach Notification Rule (16 CFR Part 318) applies • Notify you directly if a breach is likely to result in a high risk to your rights and freedoms

We may update this Privacy Policy from time to time. When we make a material change we will: • Update the "Last updated" date at the top of this page • Notify active users by email and via an in-app notice at least 30 days before the change takes effect, where the change affects your rights The current version is always available at /privacy.

The rights and obligations above apply to all users; the notices below provide additional, jurisdiction-specific disclosures. — California (CCPA/CPRA) Categories of PI we collect (Cal. Civ. Code §1798.140): • Identifiers (A) — name, email, IP address, device identifiers • Customer records (B) — payment history, billing contact • Protected classification characteristics (C) — age, sex (for training plans) • Commercial information (D) — subscription records • Internet activity (F) — browsing within the app • Sensory (G) — voice recordings and progress photos (client-uploaded) • Professional information (I) — for trainers • Inferences (K) — training recommendations • Sensitive PI (defined at §1798.121) — precise health/medical data of clients Sources: directly from you; from your trainer (if you are a client) Retention: see Section 6 Sharing for cross-context behavioral advertising: none Sale of personal information: none "Shine the Light" — California residents who have an established business relationship may request, once per calendar year, information about our disclosures of PI to third parties for direct marketing. We do not make such disclosures. Contact: dpo@catalysai.app — Washington (MHMDA): see /washington-health-privacy — EU / UK (GDPR / UK-GDPR) Lawful bases: as set out in Section 4 Supervisory authorities: you have the right to lodge a complaint with your national DPA (e.g. CNIL in France, AEPD in Spain, ICO in the UK, Garante in Italy). EU representative: not yet designated UK representative: not yet designated Transfers to the US: see Section 7 — Brazil (LGPD) Controlador: Tiago Paladini (CatalysFit) Encarregado (DPO): Tiago Paladini — dpo@catalysai.app Transferências internacionais: baseadas em consentimento específico e destacado (Art. 33, VIII) ANPD: https://www.gov.br/anpd — Quebec (Law 25) Responsable de la protection des renseignements personnels: Tiago Paladini — dpo@catalysai.app Cross-border transfers: Privacy Impact Assessment on file; based on informed consent CAI: https://www.cai.gouv.qc.ca — Canada (PIPEDA) Accountability: Tiago Paladini — dpo@catalysai.app OPC: https://www.priv.gc.ca

📧 Privacy / DPO: dpo@catalysai.app 📧 General support: support@catalysai.app 🌐 catalysfit.com Responsible operator: Tiago Paladini, Brazil.