Privacy Policy

Last updated: 12 June 2026

1. Who we are

VibeFit is operated as a Malaysian sole proprietorship. References to "we", "us", or "VibeFit" in this policy refer to the operator. This policy is written to comply with the Personal Data Protection Act 2010 (Malaysia).

2. What we collect

  • Account data: email, display name, password hash (or a Google account identifier if you use Google Sign-In).
  • Profile data you choose to enter: height, weight, fitness level, injuries, training preferences.
  • Workout outcomes: rep counts, form scores, dates, streaks, badges, coins.
  • Billing data: handled by Stripe. We store only the Stripe customer ID and subscription status. We do NOT see or store your card number.
  • Operational logs: standard HTTP request logs at our hosting providers (Render, Vercel) for security and debugging.

3. What we DO NOT collect

  • Webcam video. Pose detection runs entirely in your browser. No video frame ever reaches our servers. Only the derived numbers (rep count, form score) are uploaded.
  • Location data.
  • Contacts, photos, microphone, or any other device sensor.

4. How we use your data

  • To provide the service: route you to a recommended routine, verify your reps, update your streak and badges.
  • To run the coin economy and the buddy feature.
  • To bill you (via Stripe) if you upgrade to Pro.
  • To send transactional emails (receipts, payment failures — Stripe sends these on our behalf).
  • To improve the product. We may look at aggregated, anonymous usage patterns. We never look at an individual user's data in order to sell, market, or transfer it.

5. Who we share data with

  • Stripe — payment processing. Stripe's privacy policy is at stripe.com/privacy.
  • Render — application hosting (backend + database).
  • Vercel — frontend hosting + CDN.
  • Google — only if you choose Google Sign-In. Google sees the sign-in event; we receive your email + name.
  • Anthropic, ElevenLabs — only for Pro accounts, and only the workout summary or text-to-speech prompt is sent. No PII is included.

We do not sell, rent, or trade your personal data to advertisers or data brokers.

6. Your rights under PDPA

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Withdraw your consent at any time by closing your account.
  • Request deletion of your data.
  • Limit the processing of your data.

To exercise any of these rights, email us at the contact address on the Contact page. We respond within 30 days.

7. Data retention

We keep your data for as long as your account is active. If you delete your account, your workout history, profile, and coin ledger are deleted within 30 days. Billing records are retained for 7 years to comply with Malaysian tax law.

8. Children

VibeFit is not directed to children under 13. If you are between 13 and 18, please have a parent or guardian read this policy with you before signing up.

9. Changes

We will post material changes to this policy on this page. If changes are significant (e.g., a new third-party data processor), we will notify you by email.

10. Contact

Questions about this policy? Email us at hello@vibefit.my.