Privacy Policy
How HeavyAF handles your data
Data Collection
HeavyAF processes sensitive biometric data, including body measurements, body fat percentage, age, weight, and height. This data is collected solely to provide body composition analysis and is stored securely in our database.
We collect the minimum amount of data necessary to provide our service:
- Account information: Your email address for authentication via magic link login.
- Analysis inputs: Age, gender, weight, and height provided during body composition analysis.
- Analysis results: Body fat percentage, body measurements, and category classification.
- Workout data: Exercise logs, workout plans, and session history if you use the workout tracker.
Encryption
All sensitive biometric data is encrypted at the database column level using PostgreSQL pgcrypto with PGP symmetric encryption. The following fields are encrypted at rest:
- Age
- Gender
- Weight
- Height
- Body fat percentage
- Body measurements
Encryption keys are stored securely and are never persisted in code or migrations. Each environment (development, staging, production) uses separate encryption keys.
Image Privacy
Uploaded images are never stored on disk or in the database. Images are:
- Received as in-memory buffers by the API.
- Forwarded to the processing worker for pose detection.
- Discarded immediately after measurements are extracted.
No image data, file paths, or thumbnails are persisted anywhere.
Data Retention
Analysis records are automatically deleted after a configurable retention period (default: 2 years). A scheduled cleanup process runs daily to remove expired records. Records without a retention date are kept indefinitely until you choose to delete them.
Each analysis record is also assigned a pseudonymous ID that is not linked to your user identity, enabling aggregate analytics without exposing personal information.
User Rights
You have the right to delete your account and all associated data at any time from the Settings page. Account deletion is permanent and includes:
- All body composition analyses
- All workout sessions and sets
- All workout plans and exercises you created
- Your profile and authentication record
No soft-delete is used. All data is permanently removed from our systems upon account deletion.
Row-level security ensures that you can only access your own data. All database tables enforce policies that restrict read and write access to the authenticated user.