Last updated: April 10, 2026

Privacy Policy

Your privacy matters deeply to us. This policy explains exactly what data MORFYN collects, why we collect it, and how we protect it. We are committed to being fully transparent.

1. Who We Are

MORFYN ("we", "our", "us") is an AI-powered fitness application developed by Diyorbek Ermamatov (dba DiorDev). The app is available on the Apple App Store.

For privacy-related questions, contact us at: [email protected]

2. Information We Collect

2.1 Information you provide directly:

  • Account information: name, email address, password (hashed), profile picture
  • Physical profile: age, gender, height, weight, fitness goal, activity level, gym experience
  • Nutrition logs: meals, foods, portion sizes, water intake
  • Workout data: exercises performed, sets, reps, weights, session duration
  • Body measurements: weight history, BMI records, progress photos (stored locally on your device)
  • AI chat messages: your conversations with the MORFYN AI coach

2.2 Information collected automatically:

  • Sleep data: automatically retrieved from Apple Health (with your permission)
  • Step count and activity data: from Apple Health (with your permission)
  • Push notification token: for sending workout reminders and weekly summaries
  • Device information: platform (iOS/Android), app version, language preference
  • Usage analytics: features used, session frequency (no keystroke or screen recording)

2.3 Information from third-party services:

  • Google Sign-In: name, email, and profile picture from your Google account
  • Apple Sign-In: email address (which Apple may anonymize) from your Apple ID
  • RevenueCat: subscription status, purchase history (product identifiers, dates)

3. How We Use Your Information

  • To create and manage your MORFYN account
  • To calculate personalized calorie and macro targets based on your profile
  • To generate AI-powered meal suggestions and workout plans tailored to you
  • To power the AI coach chat (your messages are sent to OpenAI's API to generate responses)
  • To analyze photos of your meals and estimate nutritional content (via OpenAI GPT-4o Vision)
  • To track your progress over time and surface insights and trends
  • To send push notifications: workout reminders, weekly summaries, re-engagement messages (only if you enable notifications)
  • To process in-app purchases and manage your subscription via RevenueCat and Apple App Store
  • To improve app performance, fix bugs, and develop new features
  • To comply with legal obligations

We never sell your personal data to third parties. We do not use your data for advertising profiling.

4. Health & Fitness Data

MORFYN collects health-related data including weight, calorie intake, sleep duration, exercise activity, and body measurements. This data is:

  • Used exclusively to provide fitness tracking and coaching features
  • Never sold, shared with advertisers, or used for insurance/financial purposes
  • Never used to determine eligibility for insurance, credit, employment, or housing
  • Stored securely on our servers (MongoDB with encrypted connections)
  • Accessible only to you and our core engineering team (under strict confidentiality)

4.1 Sensitive Health Data:

Certain data we collect is considered sensitive under applicable privacy laws (e.g., body weight, BMI, calorie intake, fitness level, sleep patterns). We handle this data with heightened protection:

  • Sensitive health data is processed only with your explicit consent
  • It is not shared with any third party except OpenAI (solely to generate AI coach responses) and RevenueCat (solely for subscription management)
  • You may delete all health data at any time by deleting your account via Settings → Delete Account

Progress photos you take within MORFYN are stored only on your device and are not uploaded to our servers unless you explicitly choose to share them.

Apple Health Integration: MORFYN reads sleep and step data from Apple Health only if you grant explicit permission through iOS. We write data back only if you enable this option. You can revoke this permission at any time in iOS Settings → Health → Data Access.

5. AI Processing & OpenAI

MORFYN uses OpenAI's API (GPT-4o) to power the AI coach chat and meal photo analysis. When you interact with the AI coach or analyze a meal photo:

  • Your message (and relevant profile context like goals and calorie targets) is sent to OpenAI's servers to generate a response
  • Meal photos are sent to OpenAI GPT-4o Vision for nutritional analysis
  • OpenAI may retain data per their own privacy policy for safety and abuse prevention
  • We do not use OpenAI's data training opt-out APIs — your data is not used to train OpenAI models by default (per OpenAI's API terms)
  • Consent required: We will ask for your explicit consent before sending any personal or health data to OpenAI. You may decline, in which case AI features will not be available.

For OpenAI's privacy practices, visit: openai.com/privacy

5.1 Automated Decision-Making:

MORFYN uses AI to generate personalized workout plans, meal suggestions, and weekly fitness summaries. These outputs are generated automatically based on your profile and activity data. AI-generated suggestions are recommendations only — they do not constitute binding decisions and have no legal or similarly significant effect on you. You may always override, ignore, or modify any AI-generated suggestion. To opt out of AI features entirely, simply do not grant AI consent when prompted.

6. Third-Party Services

We work with the following third-party providers:

  • OpenAI: AI coach responses and meal photo analysis. Privacy policy: https://openai.com/privacy
  • RevenueCat: Subscription management and purchase verification. Privacy policy: https://www.revenuecat.com/privacy
  • Google (Sign-In): Authentication via Google account. Privacy policy: https://policies.google.com/privacy
  • Apple (Sign-In & App Store): Authentication and in-app purchases. Privacy policy: https://www.apple.com/legal/privacy
  • Expo / Firebase (FCM): Push notification delivery. Privacy policy: https://expo.dev/privacy
  • Cloudflare R2: Secure cloud storage for uploaded media. Privacy policy: https://www.cloudflare.com/privacypolicy

7. Data Storage & Security

Your data is stored on secure servers with the following protections:

  • All data in transit is encrypted using TLS/HTTPS
  • Passwords are hashed using bcrypt (never stored in plain text)
  • Database access is restricted by IP allowlist and authentication
  • API endpoints are protected by JWT authentication
  • Regular security reviews and dependency updates

While we take security seriously and follow industry best practices, no system is 100% impenetrable. In the event of a data breach, we will notify affected users within 72 hours.

8. Data Retention

  • Your account data is retained as long as your account is active
  • If you delete your account, we will permanently delete your data within 30 days
  • Anonymized, aggregated usage statistics may be retained indefinitely
  • Backup copies may persist for up to 90 days after deletion for disaster recovery

9. Your Rights

Depending on your location, you have the following rights regarding your personal data:

  • Access: Request a copy of all data we hold about you
  • Correction: Update inaccurate or incomplete data
  • Deletion: Request permanent deletion of your account and data
  • Portability: Export your data in a machine-readable format
  • Objection: Object to specific uses of your data
  • Withdrawal: Withdraw consent for optional data processing at any time

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

To delete your account and all associated data, go to MORFYN app → Settings → Delete Account. Deletion is permanent and removes all your health, workout, nutrition, and AI conversation data. Alternatively, email us at [email protected].

10. Children's Privacy

MORFYN is intended for users aged 17 and above (per App Store age rating). We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will promptly delete it.

If you are a parent or guardian and believe your child has used MORFYN, please contact us at [email protected].

11. Push Notifications

MORFYN may send push notifications for workout reminders, weekly fitness summaries, and re-engagement messages. These notifications are:

  • Only sent if you grant notification permission when prompted by iOS
  • Controllable in iOS Settings → Notifications → MORFYN
  • Also toggleable within the app under Settings → Notifications

12. International Data Transfers

MORFYN operates globally. Your data may be processed in countries other than your own (including the United States where our servers and third-party providers are located). By using MORFYN, you consent to the transfer of your information to these countries, which may have different data protection laws than your country of residence.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you through the app or by email. The "Last updated" date at the top of this page will always reflect the most recent version.

Continued use of MORFYN after changes are posted constitutes your acceptance of the revised policy.

14. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
  • Right to Opt-Out of Sale: MORFYN does not sell your personal information to third parties. We do not and will not sell your data.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.

To exercise your CCPA rights, submit a verifiable consumer request to [email protected]. We will respond within 45 days. We may need to verify your identity before fulfilling your request.

Shine the Light Law: California Civil Code § 1798.83 permits California residents to request a list of third parties to whom we disclosed personal information for direct marketing purposes in the preceding year. We do not share personal information for direct marketing purposes.

15. EEA, UK & Swiss Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable local laws grant you the following rights:

  • Right of Access (Art. 15): Obtain a copy of your personal data and information about how it is processed.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten") where there is no legitimate reason for continued processing.
  • Right to Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to Automated Decision-Making (Art. 22): Not be subject to solely automated decisions that produce significant legal effects (our AI features do not produce such decisions — see Section 5.1).
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Legal Bases for Processing:

  • Contract performance: Processing necessary to provide the services you signed up for (account management, core fitness tracking).
  • Consent: AI coaching features and health data processing (you may withdraw consent at any time).
  • Legitimate interests: Security, fraud prevention, and service improvement, balanced against your rights.
  • Legal obligation: Where we are required to process data to comply with applicable law.

To exercise your rights, contact us at [email protected]. We will respond within 30 days (extendable to 90 days for complex requests with notice). You also have the right to lodge a complaint with your local data protection authority.

International Transfers: When your data is transferred outside the EEA (e.g., to OpenAI servers in the US), we rely on Standard Contractual Clauses (SCCs) or the recipient's participation in a recognized adequacy framework.

16. Contact Us

For privacy questions, data requests, or concerns:

MORFYN — Privacy Team