
Privacy Policy

Last updated: May 3, 2026

Your privacy matters

Theron collects health data — food logs, macros, weight, workout history. This document explains what we collect, why, and how you control it. Questions? Email support@theronapp.com

1. Who We Are

Theron ("we", "our", "us") is a fitness application developed and operated in Greece. We are responsible for the processing of your personal data as described in this Privacy Policy.

Contact: support@theronapp.com

2. Data We Collect

Account Data

Email address, display name, and account type (personal/professional).

Health Data (Special Category — GDPR Art. 9)

Food logs (meals, macros, calories), body measurements (weight, body fat percentage), workout sessions (exercises, sets, reps, duration), macro targets, and fitness goals. We only collect this data with your explicit consent.

Usage Data

App activity, feature usage, session duration. Collected via Supabase analytics to improve the app.

Payment Data

Subscription status, billing name, and billing email. Card details are never stored by us — they are processed directly by Stripe, Apple, or Google.

Device Data

Device type, operating system version, app version. Used for crash reporting and compatibility.

3. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)) — to provide the Theron service you signed up for.
  • Explicit consent (Art. 9(2)(a)) — for health data processing. You grant this during onboarding and may withdraw at any time.
  • Legitimate interests (Art. 6(1)(f)) — to improve the app, prevent fraud, and ensure security.

4. How We Use Your Data

  • Provide nutrition and workout tracking features
  • Generate AI-powered food scans and insights (processed via the OpenAI API — OpenAI does not use your data to train its models)
  • Calculate and display personalised macro targets
  • Process subscription payments
  • Send transactional emails (password reset, support replies) via Resend
  • Improve the app through anonymised usage analytics

5. Who We Share Your Data With

We do not sell your data. We share it only with the following processors, under GDPR-compliant data processing agreements:

Processor      | Purpose                        | Region
Supabase       | Database, auth                 | EU/US (GDPR DPA available)
OpenAI         | AI food scan, AI insights      | US (data not used for training)
Stripe         | Payment processing             | EU/US (PCI DSS compliant)
Apple / Google | In-app purchases, distribution | Their privacy policies apply
Resend         | Transactional email            | EU/US (GDPR compliant)

6. Health Data — Special Category (GDPR Art. 9)

Food logs, body measurements, and workout data constitute health data under GDPR. We process this data only with your explicit consent, granted during onboarding.

You may withdraw this consent at any time by deleting your account. Upon deletion:

  • All health data is permanently deleted immediately
  • Account data is deleted within 30 days
  • No health data is retained in any backup or archive

7. AI and Automated Processing (GDPR Art. 22)

Theron uses AI to generate nutrition and fitness insights. These insights are informational only. They do not constitute automated decision-making with legal or similarly significant effects on you. All health and fitness decisions remain with you.

You may opt out of AI processing at any time by contacting support@theronapp.com.

8. Data Retention

  • Health data — deleted immediately on account deletion request
  • Account data — retained for 30 days after deletion (grace period), then permanently deleted
  • Payment records — retained for 7 years (Greek tax law requirement)
  • Support tickets — retained for 2 years

9. Your Rights (GDPR Chapter 3)

You have the following rights regarding your personal data. To exercise any of these, email support@theronapp.com. We respond within 30 days.

  • Right to access — request a copy of all personal data we hold about you
  • Right to rectification — correct inaccurate or incomplete data
  • Right to erasure ("right to be forgotten") — delete your account and all associated data
  • Right to data portability — export your data in JSON format
  • Right to object — opt out of AI processing or analytics
  • Right to withdraw consent — withdraw health data consent at any time; withdrawal does not affect the lawfulness of processing carried out before it
  • Right to lodge a complaint — with the Hellenic Data Protection Authority at www.dpa.gr

10. Data Security

  • All data encrypted in transit using TLS 1.3
  • Database encrypted at rest (Supabase)
  • Access controls via Row Level Security (RLS) — users can only access their own data
  • No Theron employee has direct access to individual health data
  • Authentication via Supabase Auth with secure token management
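For readers who want to see what the Row Level Security control above means in practice, the following is an added illustration written for this page in Postgres/Supabase SQL. It is not Theron's own schema or policy: the table name food_logs and its columns are assumed, and only the Supabase function auth.uid() and the authenticated role are real.

```sql
-- Added illustration, not Theron's own schema: table and column names are assumed.
-- A per-user health-data table; user_id must match the authenticated user's id.
create table if not exists food_logs (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid(),
  logged_at  timestamptz not null default now(),
  meal       text not null,
  calories   integer not null check (calories >= 0)
);

-- Without this statement no policy is enforced, whatever policies exist.
alter table food_logs enable row level security;

-- One policy per command. A table with RLS enabled and no matching policy
-- denies that command entirely, so every command the app needs is covered.
create policy "owner can read own logs"
  on food_logs for select
  to authenticated
  using (user_id = auth.uid());

create policy "owner can insert own logs"
  on food_logs for insert
  to authenticated
  with check (user_id = auth.uid());   -- rejects rows inserted under another user_id

create policy "owner can update own logs"
  on food_logs for update
  to authenticated
  using (user_id = auth.uid())         -- may only touch own rows ...
  with check (user_id = auth.uid());   -- ... and may not re-assign them to someone else

create policy "owner can delete own logs"
  on food_logs for delete
  to authenticated
  using (user_id = auth.uid());
```

Two checks a practitioner would run against such a setup: querying food_logs with a JWT for a different user must return zero rows rather than an error (RLS filters silently), and the service_role key, which bypasses RLS entirely, must never be shipped inside the mobile app; only the anon key plus the user's session token belong on the client.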

11. International Transfers

Your data may be stored and processed outside the EU/EEA, specifically:

  • Supabase — EU region where available; US transfers protected by Standard Contractual Clauses (SCCs)
  • OpenAI — processes AI requests in the US; SCCs apply; data not retained for training

12. Children

Theron is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you believe a child has provided us with personal data, contact support@theronapp.com and we will delete it immediately.

13. Cookies

Theron is a mobile application and does not use browser cookies. Our website may use essential session cookies only, which do not require consent.

14. Changes to This Policy

We may update this Privacy Policy. When we do, we will notify you via email and an in-app notice at least 14 days before the changes take effect. Continued use of Theron after the effective date constitutes acceptance of the updated policy.

Questions or data requests?

Email support@theronapp.com — we respond within 30 days. For complaints, contact the HDPA at www.dpa.gr.