Privacy Policy
Effective date: 27 September 2025
Company: Sharktooth PTY LTD (“Sharktooth”, “we”, “us”, “our”)
Products: BodyFatAI mobile applications, website(s), and related services (“Services”).
Registered location: Melbourne, Australia
Contact: support@bodyfataiapp.com
Sharktooth PTY LTD respects your privacy. This Policy explains what we collect, how we use and share information, and the choices you have. By using the Services, you agree to the practices described here.
1) Summary of how we protect your data
- Face blurring by default. Faces detected in capture frames are automatically blurred before analysis.
- Encryption. Data is encrypted in transit and at rest.
- You control your data. Delete scans and account data via in-app controls or by contacting us.
- No sale of personal information. We do not sell your personal information.
- Minimal and purpose-bound use. We use your information only to provide, secure, and improve the Services, to support you, and to meet legal obligations.
2) What we collect
We collect information in three main ways: (A) information you provide; (B) information collected automatically; and (C) information from third parties (e.g., app stores).
A. Information you provide
- Account details. Name (optional), email, password or SSO identifiers, country/region.
- Profile & inputs. Height, weight, age range, sex, goals and preferences, feedback or support messages.
- Images & scans. Front/side/back images or short captures used to estimate body fat and related metrics. Faces are blurred prior to analysis.
- Derived data. Computer-vision outputs such as pose key-points, quality scores, and body-fat estimates; trends, comparisons, streaks.
- Payment & subscription metadata. Transaction status, product tier, renewal state (processed by Apple App Store/Google Play or other billing providers; we do not receive full payment card numbers).
B. Information collected automatically
- Device & app data. Device model, OS version, unique device/instance identifiers, language, timezone, app version, install/referral source.
- Usage & diagnostics. Screens viewed, buttons tapped, feature usage, in-app events, crash logs, performance metrics.
- Network & security logs. IP address, timestamps, request/response metadata, error codes.
- Cookies & similar tech (web). On our website we may use cookies, local storage, and pixels for authentication, analytics, and preference management.
C. Information from others
- App stores & billing platforms. Subscription entitlements, refunds, purchase tokens, and receipts.
- Analytics/communication providers. Message delivery status, email opens/clicks (newsletter or transactional emails).
- Referrals & partners (if applicable). Campaign or code attribution.
3) Why we use your information (purposes & legal bases)
We use your information for these purposes:
- Provide the Services. Run scans, generate estimates, store history, restore purchases, and operate core features. Legal bases: contract performance; legitimate interests.
- Maintain safety and integrity. Authenticate users, prevent fraud/abuse, detect anomalies, secure accounts and infrastructure. Legal bases: legitimate interests; legal obligations.
- Improve and research. Measure quality, train quality-control heuristics (not re-identification), test new features, and improve user experience. Legal bases: legitimate interests; consent where required.
- Communicate with you. Send confirmations, receipts, service announcements, security alerts, and product tips you request; marketing only with consent/opt-in where required (every marketing email includes an unsubscribe link). Legal bases: contract performance; consent; legitimate interests.
- Compliance. Meet tax, accounting, regulatory, and legal process requirements. Legal bases: legal obligations; legitimate interests.
We do not use your unblurred facial images for any purpose, and we do not attempt to identify individuals.
4) How we process images & scans
- Captures are checked for quality (pose, framing, distance, lighting).
- Face blurring is applied before analysis.
- Models estimate body-fat percentage and other derived attributes (e.g., lean/fat mass estimates, scan quality).
- Temporary processing copies used for inference are removed after processing; the resulting outputs and (if you enable history) the blurred images are saved to your account for trends and comparisons.
- You can delete any scan at any time in the app; deletion removes the image and associated outputs from our active systems (see §10 for retention details).
5) When we share information
We share information only with:
- Service providers / processors under contract who act on our behalf and follow our instructions, including:
- Cloud hosting & storage (e.g., AWS)
- Analytics & event processing (e.g., Mixpanel or similar)
- Subscription entitlements (e.g., RevenueCat or equivalent)
- Email delivery (e.g., SendGrid)
- Customer support tooling
- App stores and payment platforms (Apple, Google) for purchase validation, refunds, and entitlements.
- Professional advisors & auditors (only as needed).
- Legal & safety: to comply with law, enforce terms, or protect rights, property, and safety.
- Business transfers: in a merger, acquisition, or asset sale, your data may transfer subject to this Policy.
We do not sell personal information and we do not share it for cross-context behavioral advertising as defined by some laws.
6) International transfers
We operate globally and may process data on servers located outside your state or country. We use safeguards appropriate to the transfer (e.g., data-processing agreements, Standard Contractual Clauses where applicable). By using the Services, you understand your data may be processed in jurisdictions with different privacy laws.
7) Security
We use administrative, technical, and organizational measures designed to protect your information, including:
- Encryption in transit (TLS) and at rest
- Face blurring prior to analysis
- Access controls and least-privilege policies
- Segregated environments for production and development
- Monitoring, logging, and regular reviews
- Vendor due diligence and contractual security requirements
No system is 100% secure; please use strong passwords, keep your device updated, and contact us immediately if you suspect unauthorized activity.
8) Your choices & rights
In-app controls
View history; delete scans; edit profile; manage reminders and notifications; export or delete your account.
Email preferences
Unsubscribe from marketing emails via the link in any email. Transactional messages (e.g., receipts, security alerts) may still be sent.
Rights under privacy laws
Depending on your location (e.g., Australia, EU/UK, California), you may have rights to:
- Access and portability of your data
- Correction of inaccurate data
- Deletion (erasure)
- Restriction or objection to certain processing
- Withdraw consent (where processing relies on consent)
- Opt out of certain disclosures (e.g., “sale”/“sharing” under U.S. state laws—Sharktooth does not sell your data)
To exercise a right, use in-app tools or email support@bodyfataiapp.com. We’ll verify your request (e.g., account email verification, device checks) and respond within the time required by law. You may designate an authorized agent where permitted.
- Australia: You may contact the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response.
- EU/UK: You also have the right to lodge a complaint with your local data protection authority.
9) Children’s privacy
The Services are not directed to children under 13 (or the minimum age required by your jurisdiction). We do not knowingly collect personal information from children under applicable age thresholds. If you believe a child has provided data, contact us and we will take appropriate action.
10) Retention
We retain information only as long as necessary for the purposes in this Policy.
- Scans & images: kept while your account is active to provide history/compare; you can delete any scan at any time (deletes the image and associated outputs from active systems). Temporary processing copies are typically removed within 24–48 hours.
- Derived metrics & logs: kept to support trends, quality, security, and troubleshooting; typical operational logs are retained 30–90 days.
- Account & billing records: retained as required by law (e.g., tax/accounting) — generally 7 years.
- Backups: removed on a scheduled cycle; some data may persist in encrypted backups for a limited period.
When retention is no longer necessary, we securely delete or de-identify data.
11) Cookies, SDKs & tracking technologies
- Apps: We may use mobile SDKs for analytics, crash reporting, and messaging.
- Web: We may use strictly-necessary cookies (authentication, security), plus performance/analytics cookies. Where required, we request consent. You can change settings in your browser; blocking cookies may affect site functionality.
12) Third-party links & content
The Services may link to third-party sites or include third-party SDKs. Their privacy practices are governed by their own policies; we are not responsible for their content or practices.
13) Newsletters & marketing
If you opt in, we may send you product updates, tips, and offers via email (e.g., through SendGrid). You can unsubscribe any time. We do not send marketing messages without the appropriate consent where required.
14) Automated decision-making
We use automated processing to produce estimates and quality checks, but we do not make decisions that have legal or similarly significant effects solely based on automated processing.
15) Changes to this Policy
We may update this Policy from time to time. Material changes will be notified via the app, website, and/or email. The “Effective date” above indicates the latest version. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy.
16) Contact us
If you have questions, requests, or complaints about privacy or this Policy, contact:
Sharktooth PTY LTD
Melbourne, Australia
Email: support@bodyfataiapp.com
17) Jurisdiction-specific disclosures
Australia (Privacy Act 1988 (Cth))
We handle personal information in accordance with the Australian Privacy Principles (APPs). You may request access or correction and submit complaints to us at support@bodyfataiapp.com. If unresolved, you may contact the OAIC.
European Economic Area (EEA) & United Kingdom (UK)
For users in the EEA/UK, Sharktooth PTY LTD is the data controller for your personal data. Legal bases we rely on include: contract performance, legitimate interests (e.g., security, product improvement), consent (e.g., marketing), and legal obligations. International transfers rely on appropriate safeguards (e.g., SCCs). You may exercise GDPR/UK GDPR rights as described in §8.
California & certain U.S. states (CPRA/CCPA and similar)
Categories collected: identifiers (account, device IDs), customer records (limited billing metadata), commercial information (subscriptions), internet/electronic activity (usage, analytics), geolocation (coarse, from IP), inferences (preference segments), and audio/visual information (images you choose to capture).
Sources: you, your device, app stores, processors.
Business purposes: the purposes listed in §3.
Sale/share: We do not sell or share personal information as defined by CPRA/CCPA.
Sensitive information: Images/scans are processed to provide the Service; we do not use them for inferring characteristics outside the Service’s scope.
Rights: access, deletion, correction, portability, opt-out (if applicable). See §8 for how to exercise.
18) Definitions (plain-English)
Personal information / personal data: Information that identifies or can reasonably be linked to an individual.
Processing: Any operation performed on personal information, such as collecting, storing, using, or disclosing.
De-identified data: Data that cannot reasonably be used to identify an individual. We may use de-identified or aggregated data for analytics and improvement.
Last updated: 27 September 2025