notfat.io

PRIVACY POLICY

Last updated: February 12, 2026

1. Introduction

notfat.io ("we", "us", "our") operates the notfat.io biohacker dashboard application (the "Service"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service, including our integration with third-party services such as WHOOP.

By using our Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Account Information

When you register, we collect your email address, username, and a securely hashed password. We never store your password in plain text.

Health & Biometric Data

You may manually log health metrics through our AI chat interface, including but not limited to: sleep hours, recovery scores, strain levels, body weight, mood, energy levels, calorie intake, and supplement usage. This data is stored in your daily entries.

WHOOP Integration Data

If you connect your WHOOP account, we access the following data through the WHOOP API using OAuth 2.0 authorization:

  • Recovery data — recovery score, HRV (heart rate variability), resting heart rate
  • Sleep data — sleep performance score, total sleep duration, sleep stages
  • Strain data — daily strain score
  • Workout data — workout summaries
  • Cycle data — physiological cycle information
  • Profile data — basic WHOOP profile information

Chat & Interaction Data

We store conversations between you and our AI assistant to provide context-aware responses and metric logging.

Uploaded Files

If you upload files (e.g., lab results, images), they are stored securely in cloud storage (AWS S3).

3. How We Use Your Data

  • Display your personal dashboard — visualizing your health and biometric trends over time
  • AI-powered insights — providing personalized feedback and correlations through our AI chat
  • Public profile — if you enable a public dashboard, selected metrics are visible at your public profile URL
  • WHOOP data synchronization — automatically importing your WHOOP metrics to populate your dashboard
  • Service improvement — understanding usage patterns to improve functionality

We do not sell your personal data or health information to third parties. We do not use your health data for advertising purposes.

4. WHOOP Integration Details

Our integration with WHOOP operates as follows:

  • Authorization — we use the OAuth 2.0 protocol. You are redirected to WHOOP's authorization page where you explicitly grant permission. We request only the scopes necessary for the Service: read:recovery, read:sleep, read:workout, read:cycles, read:profile.
  • Token storage — access and refresh tokens are stored encrypted in our database. Tokens are automatically refreshed when they expire.
  • Data access — we only read data from your WHOOP account. We never write to or modify your WHOOP data.
  • Disconnection — you can disconnect your WHOOP account at any time from the Settings page. Upon disconnection, we delete stored access and refresh tokens. Previously synced historical data remains in your account unless you request full deletion.
  • Data synced — we sync the last 7 days of data by default. Raw API responses are stored alongside extracted metrics for data integrity.

5. Data Storage & Security

  • All data is stored in a secured MySQL database with encrypted connections
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • Authentication tokens (JWT) are stored in httpOnly cookies so that script running in the browser, including script injected through an XSS flaw, cannot read them
  • Third-party API tokens (WHOOP) are stored server-side and never exposed to the client
  • File uploads are stored in AWS S3 with access controls
  • All communication between your browser and our servers is encrypted via HTTPS/TLS

6. Data Sharing

We do not share your personal data with third parties except in the following cases:

  • Public dashboard — if you enable a public profile, selected health metrics will be visible at your public URL (notfat.io/u/your-username)
  • AI processing — chat messages are sent to our AI provider (via OpenRouter) for generating responses. No personally identifiable information beyond the conversation context is shared.
  • Legal requirements — we may disclose data if required by law or to protect our rights

7. Data Retention & Account Deletion

We retain your data for as long as your account is active. You can delete your account and all associated data at any time directly from your Settings page — no need to contact us. You may also request deletion by emailing us at privacy@notfat.io. Upon account deletion, the following data is immediately and permanently removed:

  • All personal information (email, username, profile) is permanently deleted
  • All health metrics, daily entries, and WHOOP data are removed
  • All chat history is erased
  • All uploaded files are deleted from cloud storage (AWS S3)
  • All third-party API tokens (WHOOP) are destroyed
  • Authentication cookies are cleared

This action is irreversible. Once deleted, your data cannot be recovered.

8. Your Rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Delete your account and all data — self-service via Settings, or by contacting us
  • Disconnect third-party integrations (WHOOP) at any time
  • Export your data
  • Withdraw consent for data processing

9. Cookies

We use essential cookies only — specifically a secure, httpOnly authentication cookie (biohacker_token) to maintain your session. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

10. Children's Privacy

Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 16, we will take steps to delete that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

privacy@notfat.io

notfat.io — Biohacker Dashboard