PRIVACY POLICY

Last updated: 28 April 2025

This Privacy Policy explains how Horizh Ltd ("Horizh", "we", "us", or "our") collects, uses, and protects your personal data when you use the Horizh mobile application and website (horizh.com). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Horizh Ltd is a company registered in England and Wales. Our registered address is available upon request. For all privacy-related enquiries, please contact us at support@horizh.com.

2. Data We Collect

Information you provide directly

Email address (for account creation and login)
Body photographs (front, side, and back — uploaded for AI analysis)
Physical information you voluntarily enter (height, weight, training goals)
Workout logs and exercise data you record in the app
Training preferences (equipment, experience level, training days)

Information collected automatically

App usage data (screens visited, features used, session duration)
Device information (device type, operating system version)
IP address and approximate location (country level only)
Crash reports and error logs

Camera and photo library access

The Horizh app requests access to your device camera and photo library solely for the purpose of capturing or selecting body photographs for AI physique analysis. We do not access your camera or photo library for any other purpose. You may choose to upload an existing photo from your library or take a new photo using your camera. This access is requested only when you initiate a body scan. You can revoke camera and photo library permissions at any time through your device settings.

Health and fitness data

The Horizh app processes body photographs to analyse muscle development and physique composition. This constitutes special category data under UK GDPR. We process this data only with your explicit consent, which you provide when you upload photographs for analysis.

3. How We Use Your Data

To provide the AI physique analysis service you request
To generate personalised workout plans based on your scan results
To track your progress over time and show scan comparisons
To send you service-related communications (account notifications)
To improve our AI models and service quality (using anonymised, aggregated data only)
To comply with legal obligations

4. Third Parties We Share Data With

OpenAI

Your body photographs are sent to OpenAI's API (GPT-4o) for analysis. OpenAI processes this data as a data processor on our behalf. OpenAI does not use API data to train their models. You can review OpenAI's privacy policy at openai.com/privacy.

Supabase

We use Supabase for secure database storage and authentication. Your data is stored on encrypted servers in the EU. Supabase is compliant with GDPR requirements.

RevenueCat

We use RevenueCat to manage in-app subscriptions. RevenueCat processes your purchase data to manage your subscription status. They do not have access to your body photographs or health data.

Railway

Our backend server infrastructure runs on Railway. Anonymised processing data may pass through Railway's servers.

We do not sell your personal data to third parties under any circumstances.

5. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of access — request a copy of all data we hold about you
Right to rectification — correct inaccurate data
Right to erasure — request deletion of your data ("right to be forgotten")
Right to restrict processing — limit how we use your data
Right to data portability — receive your data in a portable format
Right to object — object to processing based on legitimate interests
Right to withdraw consent — withdraw consent for health data processing at any time

To exercise any of these rights, email support@horizh.com. We will respond within 30 days.

6. Data Retention

We retain your account data for as long as your account is active. Body scan photographs and analysis results are retained for the duration of your account to enable progress tracking. You can delete your account at any time directly within the app by going to Settings → Delete Account. Upon account deletion, all personal data including body photographs, scan results, and workout logs are permanently deleted within 30 days. You may also request deletion by emailing support@horizh.com.

7. Data Security

We implement appropriate technical and organisational measures to protect your data including:

End-to-end encryption for data in transit (TLS/HTTPS)
Encrypted storage for body photographs
Row-level security on our database
Access controls limiting who can view your data

8. Children's Privacy

Horizh is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us immediately at support@horizh.com.

9. International Data Transfers

Your data may be processed in the United States when sent to OpenAI's API. This transfer is made under appropriate safeguards in accordance with UK GDPR requirements. OpenAI participates in the UK-US Data Bridge framework.

10. Cookies

Our website (horizh.com) uses essential cookies only — necessary for the website to function. We do not use tracking or advertising cookies. Our mobile app does not use cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. The date at the top of this page reflects the most recent update.

12. Complaints

If you have concerns about how we handle your data, please contact us first at support@horizh.com. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

13. Contact

For all privacy-related enquiries:
Email: support@horizh.com
Website: horizh.com