Privacy Policy
1. Introduction
At LevelMax ("we," "our," or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, mobile experiences, and AI physique analysis services (collectively, the "Service").
2. Information We Collect
2.1. Information you provide
- Email address and authentication information when you create an account or sign in (for example, with Google via Firebase Authentication).
- Photos you upload for physique analysis and related safety checks.
- Profile and questionnaire information you choose to provide, such as height, weight, age, and country, used to contextualize your analysis.
- Payment information when you purchase credits. Payments are processed by Razorpay; we do not store your full card details on our servers.
- Support or feedback content you voluntarily send us (which may include screenshots uploaded for troubleshooting).
2.2. Information automatically collected
- Device and browser information (for example, device type, screen characteristics where available, and browser type).
- Page views and interactions, collected through Vercel Web Analytics and, when enabled for our deployment, Google Analytics 4.
- Referring website or app information when your browser sends it.
- Approximate country derived from network information (for example, headers provided by our hosting provider) to support regional features such as pricing and compliance.
We aim to use privacy-conscious analytics where possible. Vercel Web Analytics is designed to minimize personal data collection. If Google Analytics is active on your visit, Google's terms and cookie practices also apply; see Section 8.
3. How We Use Your Information
- To provide, operate, and maintain the Service.
- To run automated physique analysis and generate reports.
- To generate or link optional workout and meal planning features when you use them.
- To process payments and manage credits.
- To communicate with you about service updates, security, or support.
- To provide customer support and respond to inquiries.
- To detect, prevent, and address fraud, abuse, or technical issues.
- To comply with legal obligations and enforce our terms.
4. Photo Usage and Storage
4.1. Photo processing
- Photos are used to generate your analysis and, where applicable, automated content moderation before or during upload.
- Analysis is performed using secure third-party AI services (see Sections 5 and 13).
- We do not use your photos to train our own machine-learning models.
- Uploaded images are stored with Cloudinary (cloud media storage) and referenced from your account so you can view past analyses.
4.2. Photo retention
- Photos and related media generally remain available while the associated analysis exists in your account.
- When you delete an analysis through the Service, we remove the analysis record and attempt to delete associated images from Cloudinary. Third-party systems may retain data for a limited period consistent with their backup and logging practices.
5. Data Sharing
We share data with service providers that help us operate the Service, including:
- Google for authentication (if you use Google sign-in) and for Google Cloud Vision automated safety checks on images when that feature is enabled.
- Firebase / Google Cloud for authentication, database, and related infrastructure.
- Cloudinary for storing and delivering uploaded images.
- OpenAI for AI-based physique analysis (see Section 13).
- Razorpay for payment processing.
- Vercel for hosting, edge routing, and analytics.
- Google (Analytics) only when our deployment has Google Analytics enabled.
We do not sell or rent your personal information to third parties for their marketing purposes.
5.1. Third-party data processing (summary)
- OpenAI: Processes images and text prompts to return analysis output. Retention and training practices are governed by OpenAI's policies for API customers; treat outputs as estimates, not medical facts.
- Razorpay: Processes payments and maintains records required for transactions, refunds, and tax or fraud prevention.
- Google: Provides sign-in and, when used, content safety analysis on images you submit.
- Cloudinary: Hosts your uploaded images and derived delivery URLs.
- Firebase / Google Cloud: Stores account-related data, analysis documents, and operational logs as configured for the Service.
- Vercel: Hosts the application and may process limited technical telemetry for analytics and reliability.
We select vendors with strong security practices. Where required by law, we rely on appropriate legal mechanisms (such as standard contractual clauses) for international transfers.
6. Data Security
We implement reasonable technical and organizational measures, including:
- HTTPS encryption for data in transit between your browser and our Service.
- Authentication and access controls for user data.
- Use of established cloud providers with industry certifications and monitoring.
No method of transmission or storage is completely secure; we cannot guarantee absolute security.
7. Your Rights
Depending on your location, you may have rights to:
- Access the personal data we hold about you.
- Correct inaccurate information.
- Delete your data, including by deleting individual analyses in the app where that feature is available.
- Request data portability in a structured, commonly used format where feasible.
- Object to or restrict certain processing, and to withdraw consent where processing is consent-based.
- Opt out of marketing communications (we send service messages only as needed to operate your account).
To exercise these rights, contact us at levelmax.fit@gmail.com. We will respond within a reasonable period and within any timeframe required by applicable law (often 30 days for GDPR-related requests, subject to verification).
8. Cookies and Tracking
8.1. Essential technologies
We use cookies and similar technologies as needed for authentication, session management, security, fraud prevention, and remembering preferences.
8.2. Analytics
- Vercel Web Analytics helps us understand aggregate usage with a privacy-oriented approach.
- If Google Analytics 4 is enabled on our deployment, Google may use cookies or similar technologies according to Google's policies.
We do not use third-party advertising cookies to track you across unrelated sites for ad retargeting. If your browser sends a Do Not Track signal, we treat it as a preference signal where technically feasible, noting that not all analytics tools fully honor DNT.
9. Children's Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from anyone under 18. If you believe we have collected information from a minor, please contact us and we will take appropriate steps to delete it.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last Updated" date below. For material changes, we may provide additional notice (for example, by email or an in-app message) where appropriate.
11. GDPR and KVKK
If you are in the European Economic Area, the United Kingdom, or Turkey, additional rights may apply under the General Data Protection Regulation (GDPR) and Turkey's Personal Data Protection Law (KVKK), including:
- Right of access, rectification, and erasure.
- Right to restrict processing and to object to certain processing.
- Right to data portability.
- Rights related to automated decision-making that produces legal or similarly significant effects (our physique scoring is informational and not used as an automated decision with legal effect).
To exercise these rights, email admin@levelmax.fit. You may also lodge a complaint with your local supervisory authority.
12. Data Breach Notification
If we become aware of a breach that affects your personal information and requires notification, we will:
- Notify affected users by email where feasible and as required by law.
- Describe the categories of data involved and steps we are taking to mitigate harm.
- Cooperate with regulators as required.
13. AI Processing
- Our Service uses artificial intelligence to analyze physique photos and questionnaire inputs.
- Processing is automated; we do not perform routine manual review of your photos for scoring.
- Photos are not used to train LevelMax-owned models.
- Outputs are stored with your account in our database so you can access your reports.
- You may request deletion of stored analyses; see Sections 4 and 7.
AI-generated assessments are estimates for fitness and educational purposes and are not a substitute for medical advice, diagnosis, or treatment.
14. Caching and Performance
To improve performance, content may be cached by our hosting provider, content delivery networks, or your browser. As a result, a small delay can occasionally occur before updates (such as a deleted analysis) are visible everywhere in the world.
15. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you may have the following rights:
- Right to know what personal information we collect, use, and disclose.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information as defined under California law.
- Right to limit use of sensitive personal information where applicable.
- Right to non-discrimination for exercising these rights.
15.1. Categories of information
In the preceding 12 months, we may have collected identifiers (such as email), photos, commercial information (purchases of credits), internet or electronic network activity, geolocation (approximate, such as country), and inferences produced by AI analysis.
15.2. Sale / sharing
We do not sell your personal information for money. We disclose information to service providers as described in Section 5. Some analytics tools may constitute "sharing" for cross-context behavioral advertising under California definitions; we configure analytics for measurement rather than advertising, but you may contact us to learn more about your choices.
15.3. Exercising your rights
Email admin@levelmax.fit with your request. We will verify your identity as required by law and respond within the timeframe California law requires (typically 45 days for many requests, with a possible extension).