Privacy Policy

Last updated: May 8, 2026 · Version 2026-05-08

Legal basis: Brazilian Law nº 13.709/2018 (LGPD) · EU Regulation 2016/679 (GDPR)

1. Data Controller

The controller responsible for processing your personal data is:

NattyCore

Controller: Marcus Felipe de Araujo Fernandes

E-mail: nattycoreapp@gmail.com

Country of operation: Ireland

Data Protection Officer (DPO): Marcus Felipe de Araujo Fernandes · nattycoreapp@gmail.com

2. Data collected and legal basis

Data                                 | Purpose                                  | Legal basis (LGPD / GDPR)
Name and email (Google OAuth)        | Authentication and identification        | Contract performance (LGPD Art. 7, V / GDPR Art. 6(1)(b))
Training data (sessions, loads, RPE) | Plan generation and progression tracking | Contract performance (LGPD Art. 7, V / GDPR Art. 6(1)(b))
Body measurements, body fat %, BMI   | Personalization and nutrition            | Specific consent (LGPD Art. 11, I / GDPR Art. 9(2)(a))
Progress photos                      | Body composition analysis                | Specific consent (LGPD Art. 11, I / GDPR Art. 9(2)(a))
Signup IP (anonymized)               | Fraud prevention and security            | Legitimate interest (LGPD Art. 7, IX / GDPR Art. 6(1)(f))
Analytics data (anonymous)           | Product improvement                      | Consent (LGPD Art. 7, I / GDPR Art. 6(1)(a))

3. Health data (Art. 11 LGPD / Art. 9 GDPR — special category)

NattyCore processes data classified as health data under Art. 11 of the LGPD and Art. 9 of the GDPR. This data includes:

  • Weight, height, body fat percentage, and body circumferences
  • Training history with intensity, volume, and perceived effort (RPE/RIR)
  • Photos of the human body used for body composition analysis
  • Muscle scores derived from AI analysis
  • Estimated 1RM (maximum strength) per muscle group

Processing this data requires your specific, separate, and highlighted consent, which is collected at onboarding and can be revoked at any time under Profile → Privacy.

4. International data transfers

Ireland is an EU member state, so data stored there is subject to the GDPR directly and no adequacy decision is needed. For transfers outside the EEA, standard contractual clauses (SCCs; GDPR Art. 46(2)(c), LGPD Art. 33, II) and/or your specific consent (GDPR Art. 49(1)(a), LGPD Art. 33, VIII) apply.

Sub-processor        | Country                 | Data transferred                                                                       | Contractual basis
OpenAI               | USA 🇺🇸                  | Training data and measurements (AI plan generation)                                   | DPA + specific user consent
Supabase / AWS       | Ireland 🇮🇪 (eu-west-1)  | All data (database and photo storage)                                                 | Supabase DPA + SCCs
Vercel               | USA 🇺🇸                  | Web requests (no data persisted)                                                      | Vercel DPA
Stripe               | USA 🇺🇸                  | Payment data (Pro users)                                                              | Stripe DPA + SCCs
Meta Platforms, Inc. | USA 🇺🇸                  | Carousel images, captions, and hashtags (Instagram publishing); no athlete personal data | Meta DPA + SCCs

The artificial intelligence presented as "NattyCore AI" in the app interface is provided by OpenAI under the contract listed above. Health data is sent to this sub-processor only after you explicitly consent; without consent, AI features remain unavailable and nothing is sent. The Meta (Instagram) integration is used exclusively by the NattyCore internal team to publish editorial content generated from blog articles on the official account; no athlete data is shared with Meta.

5. Data retention

Data type                        | Period                 | Criterion
Account and training data        | Until account deletion | Contract performance
Measurements and progress photos | Until account deletion | Revocable consent
Signup IP (anonymized)           | 2 years                | Fraud prevention
AI usage logs                    | 1 year                 | Internal audit
Data after a deletion request    | 30 days (grace period) | Reversibility before permanent deletion

6. Cookies and analytics

NattyCore uses Vercel Analytics for anonymous product usage analysis. No personally identifiable data is collected by this tool.

  • Analytics does not load by default — only after your explicit consent in the cookie banner
  • You can withdraw consent at any time under Profile → Privacy
  • Your preference is stored locally (in your browser's localStorage) and is not shared with third parties

7. Your rights (LGPD Art. 18 / GDPR Art. 15–22)

As a data subject, you have the following rights, exercisable at any time under Profile → Data & Account or by email:

  • Access: confirm whether we process your data and obtain a copy
  • Rectification: correct incomplete or incorrect data directly in the app
  • Erasure: request complete removal of all your data (30-day grace period, cancellable)
  • Portability: export all your data in structured JSON format (Profile → Export data)
  • Consent withdrawal: withdraw consent for health data, AI, or analytics without affecting basic app use
  • Objection: object to processing based on legitimate interest
  • Information on sharing: know with whom your data has been shared

Response time: up to 15 business days from the request.

8. Storage and security

  • Data is stored in Supabase (PostgreSQL on AWS) with Row Level Security, so each user can access only their own rows
  • Photos are stored in Supabase Storage behind authenticated access
  • All communication between the app and our servers is protected by HTTPS/TLS in transit
  • Authentication is via Google OAuth; we never store passwords
  • Signup IPs are stored in anonymized form (last IPv4 octet replaced with 0)
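The IPv4 rule above (last octet replaced with 0), as an added example in Python that is not NattyCore's own code. The policy states only the IPv4 rule; the IPv6 rule (keep the /48 prefix), the unwrapping of IPv4-mapped IPv6 addresses such as ::ffff:198.51.100.9, and the sample rows are assumptions made for the example. It also adds an is_anonymized check, the guard a practitioner would run before insert and over stored rows.

```python
"""Signup-IP anonymisation: IPv4 last octet -> 0 (policy rule).

Added example, not NattyCore's code. The IPv6 /48 rule and the
IPv4-mapped handling are assumptions; the policy only states the IPv4 rule.
"""
import ipaddress

IPV4_PREFIX = 24   # keep three octets, zero the last (the policy's stated rule)
IPV6_PREFIX = 48   # ASSUMPTION: not stated in the policy

# Constructed sample of values as they might arrive at signup or sit in the table.
SAMPLE_ROWS = [
    "203.0.113.77",            # raw IPv4, must be truncated
    "203.0.113.0",             # already truncated
    "2001:db8:abcd:1234::5",   # raw IPv6, must be truncated
    "::ffff:198.51.100.9",     # IPv4 seen through a dual-stack socket
]


def anonymize_ip(raw: str) -> str:
    """Return the canonical anonymised form of `raw`.

    Raises ValueError on junk input so that an unparseable value is never
    written to the database as-is.
    """
    addr = ipaddress.ip_address(raw.strip())
    # Unwrap ::ffff:a.b.c.d so the IPv4 rule applies (assumption, not in the policy).
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def is_anonymized(value: str) -> bool:
    """True if `value` is already the canonical truncated form.

    Use as a guard before insert and as an audit over stored rows: a value
    that is not its own anonymised form still carries host bits (or is not
    an IP address at all).
    """
    try:
        return anonymize_ip(value) == value
    except ValueError:
        return False


def audit(rows):
    """Return the stored values that still carry host bits or are malformed."""
    return [v for v in rows if not is_anonymized(v)]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row} -> {anonymize_ip(row)}")
    print("rows that were not anonymised:", audit(SAMPLE_ROWS))
```

Note that a /24 truncation still narrows the source to 256 hosts; whether that meets the bar for anonymised data under the LGPD and GDPR is the policy's legal judgement, not something the code establishes.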

9. Age restriction

NattyCore is exclusively for users aged 18 and over. We do not intentionally collect data from minors. If you believe data from a minor has been collected, please contact us for immediate removal.

10. Changes to this policy

For material changes, we will notify you by email with at least 15 days' notice. The current version of the policy is recorded with a date at the top of this page. Continued use of the app after changes take effect implies agreement with the new version.

11. Contact and complaints

To exercise your rights or clarify any questions: nattycoreapp@gmail.com

You may also lodge a complaint with the ANPD (Brazilian Data Protection Authority) at gov.br/anpd.

© 2026 NattyCore · Version 2026-05-08