Privacy Policy
Last updated: April 24, 2026
Hightower Fitness Solutions LLC ("we," "our," or "TowerVital") operates the TowerVital website (towervital.com / towervital.app) and iOS mobile application. This Privacy Policy explains what information we collect, how we collect it, how we use it, and every third party we share it with — including the third-party AI service that powers our AI Coach.
1. Information We Collect and How We Collect It
1.1 Account Information
What: Name, email address, password (stored as a bcrypt hash — we never store the plaintext password).
How collected: You provide it when you create an account in the mobile app or on our website.
1.2 Fitness Profile
What: Fitness goals, fitness level, training track, available training days, target session duration, and optionally age, height, and weight.
How collected: You enter it during onboarding or from the Profile screen.
1.3 Health & Fitness Data
What: With your explicit permission, our iOS app reads the following from Apple HealthKit: sleep analysis, heart rate, heart rate variability (HRV), step count, and active energy burned. We also accept optional wearable data (Oura, Whoop, Garmin) if you connect those accounts.
How collected: Read via the HealthKit framework on your device, or fetched from connected wearable vendors' APIs using OAuth tokens you authorised. Data is transmitted from the app / wearable vendor to our servers over HTTPS/TLS.
1.4 Coach Conversations
What: The text of messages you send to the AI Coach and the text of responses returned.
How collected: Captured when you type a message in the Coach tab. Stored in our database so you can see your chat history.
1.5 Daily Plans and Progress
What: AI-generated daily plans, which exercises you marked complete, any coach notes.
How collected: Created when you generate a plan or mark exercises in the Plan tab.
1.6 Community Content
What: Posts you write, comments, workout invites, group memberships, images you upload.
How collected: You submit them through the Community tab.
1.7 Usage and Device Data
What: Pages and screens visited, feature-level events, device model, operating-system version, crash reports, push notification token.
How collected: Logged when you use the app, and used to improve reliability and user experience.
1.8 Payment Information
What: Subscription tier, billing status.
How collected: For iOS subscriptions, Apple manages all billing and provides us only the subscription status via receipt validation — we never see your card. For web subscriptions, card details are collected and processed by Stripe; we only receive the subscription status and the last four digits of the card.
2. How We Use Your Information
We use your information to:
- Generate personalised daily fitness and wellness plans
- Calculate daily health scores (Sleep, Readiness, Activity, HRV)
- Power the AI Coach so it can answer you in the context of your goals and data
- Operate the Community tab (posts, comments, RSVPs, moderation)
- Process subscription status and restore purchases
- Send account, service, and transactional notifications
- Detect abuse, enforce our Terms of Use, and respond to content reports
- Improve our products and fix bugs
We do not sell your personal information, and we do not use HealthKit data for advertising or marketing.
3. Third-Party AI Service — xAI (Grok)
The AI Coach and AI-generated daily plan features are powered by a third-party AI service provided by xAI Corp. (maker of Grok), operated at api.x.ai. Before any data is sent to xAI, the app presents an in-app disclosure and requires you to tap "Accept & Continue." You can revoke this consent at any time from Settings → AI Data Sharing, after which no further data is sent to xAI and the AI Coach and plan-generation features are disabled.
What we send to xAI:
- For the AI Coach chat: the text of the message you typed, and up to the last 20 messages from your Coach history for conversational context.
- For the AI Coach chat: a short summary of your fitness profile (goals, fitness level, training track).
- For daily plan generation: your fitness profile (goals, level, track, session duration, age, weight if entered) and, if available, today's derived wearable scores (sleep, readiness, activity, recovery, HRV). Raw HealthKit samples are never sent — only the daily score values we compute.
What we do NOT send to xAI:
- Your password, auth tokens, or account identifiers
- Your email address
- Raw Apple HealthKit samples (heart-rate timeseries, GPS, step logs, etc.)
- Payment or subscription details
- Community posts, comments, or any other user's data
How the data is transmitted: over HTTPS/TLS from our servers to api.x.ai/v1. The data is sent only when you actively use an AI feature.
How xAI uses the data: xAI processes the request to generate the AI response or plan and returns the result. xAI's use and retention of this data is governed by xAI's own privacy policy, which you can review at https://x.ai/legal/privacy-policy. We require xAI's handling of data transmitted through our API integration to provide protections substantially equivalent to those described in this Privacy Policy.
4. Other Third Parties We Share Data With
- Apple — iOS subscription billing and receipt validation; APNs for push notifications. Governed by Apple's privacy policy.
- Stripe — web subscription payment processing. Governed by Stripe's privacy policy.
- Vercel — hosting for our website and API. Governed by Vercel's privacy policy.
- Neon / Supabase (PostgreSQL) — managed database that stores your account, profile, plans, chat history, and community content.
- Resend — transactional email delivery (account verification, password reset, moderation alerts).
- Connected wearable vendors you authorise (e.g. Oura, Whoop, Garmin) — data is fetched from their APIs on your behalf using the OAuth tokens you granted, and only at your request.
We require each of these providers to protect the data we share with them with safeguards substantially equivalent to those described in this Privacy Policy.
5. Apple HealthKit
We comply with Apple's HealthKit guidelines. Specifically:
- HealthKit data is used only to compute your daily scores and to personalise the plans and coaching we show you.
- We do not sell HealthKit data to advertising platforms or data brokers.
- We do not use HealthKit data for marketing or advertising.
- We do not transmit raw HealthKit samples to xAI or any other third-party AI service — only the derived daily score values (e.g. a Sleep score from 0 to 100) are ever sent.
- HealthKit data is transmitted securely (HTTPS/TLS) from the app to our servers.
- You can disconnect Apple Health at any time from Settings → Wearable Devices.
6. Data Storage & Security
Your data is stored on managed PostgreSQL provided by Neon / Supabase, with application servers hosted on Vercel. All data in transit uses HTTPS / TLS 1.2+. Authentication tokens on your device are stored in the iOS Keychain via expo-secure-store. Passwords are hashed with bcrypt before storage.
7. Your Rights
You have the right to:
- Access the personal data we hold about you
- Delete your account and all associated data from the mobile app (Settings → Delete Account) — this is immediate and cascades through our database and connected services
- Revoke AI data sharing at any time (Settings → AI Data Sharing)
- Disconnect wearable devices and stop further health data syncing
- Opt out of non-essential communications
- Export your data — contact us at the address below
8. Data Retention
We retain your data while your account is active. When you delete your account, all personal data (profile, plans, coach chat history, community posts and comments, wearable data, push tokens) is permanently removed from our systems promptly, and in no case later than 30 days. Deleted content is also removed from backups within 30 days.
9. Children's Privacy
TowerVital is intended for users 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please contact us and we will delete it.
10. Changes to This Policy
We may update this Privacy Policy from time to time. For any material change — including any change to what data we send to a third-party AI service or which third-party AI service we use — we will notify you by email or in-app notification and, where the change materially affects what is shared with an AI service, re-prompt you for consent inside the app.
11. Contact Us
Questions about this Privacy Policy or your data? Reach us at:
Hightower Fitness Solutions LLC
Acworth, GA, United States
Email: support@towervital.com