Privacy Policy

1. Who We Are

Zana LLC is a Vermont limited liability company operating a multi-tenant coaching platform at zanaplatforms.com and tenant-specific domains including app.mygoddessproject.com.

2. Information We Collect

2.1 Information you provide directly

• Account information: name, email, password hash, profile photo, timezone
• Coaching content: daily check-ins (energy, mood, muscle soreness, sleep), notes you write for your coach, messages in direct chat, forum posts
• Health & wellness data: workout logs, nutrition logs with meal photos, body measurements (weight, waist), menstrual cycle dates if you opt in, self-reported goals
• Session data: 1-on-1 coaching sessions scheduled with your coach, session notes
• Billing information: processed directly by Stripe; we store only the subscription status and last-four card digits

2.2 Information from integrations you connect

• Oura Ring (optional): readiness score, sleep data, heart-rate variability, body temperature trends, cycle phase indicators — only if you choose to connect your Oura account
• Zoom: meeting metadata (join link, duration) for scheduled sessions; Zana does not record, store, or access video or audio content
• Cal.com: booking metadata when you schedule a session via our Cal.com integration

2.3 Information we collect automatically

• Usage data: pages visited, features used, approximate time of activity
• Device data: browser type, operating system, IP address
• Cookies: see our Cookie Policy for details

3. How We Use Your Information

We use your information only for the following purposes:

• Operate the platform — create and manage your account, deliver coaching features
• Share your coaching data with your assigned coach so they can support you
• Process payments and manage subscriptions (via Stripe)
• Analyze meal photos using AI (Google Gemini) to estimate macros — photos are not used to train AI models
• Send transactional emails (account verification, payment receipts, session reminders)
• Improve the platform — we look at aggregate, de-identified usage patterns only
• Comply with legal obligations

We do not sell your personal information. We do not use your health data for advertising. We do not allow third-party advertising networks to track you on the platform.

4. Legal Basis (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract: to provide the coaching services you signed up for
• Consent: for health data, cycle tracking data, wearable integration, and marketing emails — you can withdraw consent at any time
• Legitimate interest: for security, fraud prevention, and product improvement
• Legal obligation: tax, accounting, and responding to lawful government requests

Health data, cycle data, and any biometric information are treated as special category data under GDPR Article 9. We process them only with your explicit opt-in consent.

5. Who We Share Information With

5.1 Your coach and their authorized team

If you are a client of a coaching business on Zana, your coach can see the data you log: check-ins, workouts, nutrition, measurements, session notes, and messages. Coaches are bound by a subcontractor agreement with Zana that includes confidentiality and data-handling obligations.

5.2 Service providers (processors)

We use the following third-party services to run the platform. Each is contractually bound to protect your data:

• Supabase — database, authentication, file storage (United States)
• Vercel — hosting and CDN (United States)
• Stripe — payment processing (United States, UK, EU)
• Zoom — video meetings (United States)
• Cal.com — scheduling (United States)
• Google (Gemini API) — meal photo analysis (United States); photos are processed on request and not retained for model training
• Oura Health Oy — wearable data, only if you connect your Oura account (Finland/EU)
• Resend — transactional email, when enabled (United States)

5.3 Legal requirements

We may disclose information if required by law, court order, or valid government request, or to protect the rights, property, or safety of Zana, our users, or others.

5.4 Business transfers

If Zana is acquired, merged, or sells assets, your information may transfer to the new entity. We will notify you and give you an opportunity to delete your account before the transfer takes effect.

6. International Data Transfers

Most of our service providers are located in the United States. If you access Zana from outside the United States, your information will be transferred to and processed in the US. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses and additional safeguards where applicable.

7. How Long We Keep Your Data

• Active accounts: as long as your account is active
• Deleted accounts: 30 days soft-delete window (recoverable), then permanent deletion from production systems within 90 days
• Backup copies: up to 35 days in encrypted backups before they roll off
• Billing records: up to 7 years to comply with tax and accounting laws
• Anonymized analytics: may be retained indefinitely — this data cannot be linked back to you

8. Your Rights

8.1 Everyone

Regardless of where you live, you can:

• Access your data by exporting it from account settings
• Correct inaccurate information
• Delete your account and associated data
• Withdraw consent for optional processing (e.g., Oura integration, marketing emails)
• Contact us at betike@me.com for any privacy request

8.2 EEA, UK, and Switzerland (GDPR rights)

In addition, you have the right to:

• Restrict or object to certain processing
• Data portability — receive your data in a machine-readable format
• Lodge a complaint with your local data protection authority

8.3 California (CCPA / CPRA rights)

California residents have the right to:

• Know what personal information we collect and how it is used
• Delete personal information we have collected
• Correct inaccurate personal information
• Opt out of "sale" or "sharing" of personal information — Zana does not sell or share your personal information as defined under CCPA
• Limit the use and disclosure of sensitive personal information — health data is treated as sensitive and used only to deliver coaching services
• Non-discrimination for exercising these rights

We respond to verified requests within 45 days. To submit a request, email betike@me.com.

9. How We Protect Your Data

• All data transmitted over HTTPS (TLS 1.2 or higher)
• Database-level Row Level Security ensures users only access their own data
• Passwords stored as salted hashes (never in plain text)
• Service credentials kept in encrypted environment variables, rotated periodically
• Webhooks authenticated with HMAC signatures and replay protection
• Third-party integration tokens encrypted at the application layer
• Access to production systems limited and logged

No system is perfectly secure. In the event of a data breach affecting your personal data, we will notify affected users and relevant authorities within 72 hours of becoming aware of the incident, as required by applicable law.

10. HIPAA Status

Zana is not a HIPAA-covered entity. We provide a wellness and coaching platform for fitness, nutrition, and lifestyle support. We do not provide medical diagnosis, treatment, or healthcare services. Coaches on the Zana platform are wellness professionals, not licensed clinical providers billing insurance.

If you are seeking medical advice or treatment, please consult a licensed healthcare provider. Zana is not a substitute for medical care.

11. Children's Privacy

Zana is not intended for anyone under 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us at betike@me.com and we will delete the data.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or through the platform at least 30 days before the changes take effect. The "Last updated" date at the top of this policy reflects the most recent version.

13. Contact Us

For any privacy-related question, request, or complaint, contact: