Fitbot - Privacy Policy
Last Modified: May 31, 2026
Introduction
This Privacy Policy ("Policy") governs the collection, processing, and transfer of personal data by Avishay Matayev, an Israeli sole proprietor (עוסק פטור) operating under the name "Fitbot" ("Fitbot," "we," "us," or "our"), when you use our AI fitness and wellness coaching service, delivered primarily through WhatsApp, together with any related website (collectively, the "Services").
This Policy is an integral part of any other agreement between us, including our Terms of Service ("Terms"). It explains what data we collect from users of the Services ("you," "your"), how it may be used or shared, how we safeguard it, and how you may exercise your rights, as required under applicable privacy law - including the Israeli Protection of Privacy Law, 5741-1981 ("Israeli Privacy Law") and, where applicable to users in the European Economic Area or United Kingdom, the EU/UK General Data Protection Regulation ("GDPR").
You are not required by law to provide us with any personal data. However, some Services require processing certain data, and without it we may be unable to provide all or part of the Services.
1. Data Controller and Contact
For the purposes of applicable privacy law, Avishay Matayev (Fitbot) is the Data Controller of the personal data collected from you.
You may contact us:
- By email: support@getfishbone.ai
- Via WhatsApp: 055-950-5283
2. Data We Collect and Why
| Data Set | Purpose and Operations | Lawful Basis (GDPR) |
|---|---|---|
| Account & contact data - your WhatsApp phone number and any name you provide. | To create and manage your account, verify your identity, deliver the Services, and send service and billing communications. | Performance of a contract. |
| Health & fitness data ("sensitive information"/מידע רגיש) - weight, height, body measurements, age, sex, dietary habits, activity and workout data, fitness goals, and similar information you share. | To generate personalized coaching, track progress, and provide the Services. | Performance of a contract (this data is necessary to deliver the coaching Service you signed up for). |
| Voice messages - audio you send via WhatsApp, which we may store and transcribe. | To understand and respond to your requests and deliver the Services. | Performance of a contract; consent for any health content. |
| Images - photos you send (e.g., meals, food labels, body/physique). Body-related images are treated as sensitive health information. | To analyze and provide relevant coaching. | Performance of a contract (image analysis is necessary to deliver the coaching Service). |
| Communications - the content of your messages with the Service. | To deliver coaching, provide support, and improve the Services. | Performance of a contract; legitimate interests (improvement). |
| Payment data - billing information you submit when subscribing. Processed by our third-party payment provider; we do not store full card numbers. | To process subscriptions and comply with bookkeeping obligations. | Performance of a contract; legal obligation. |
| Usage data - message timestamps, interaction frequency, feature usage, and technical logs, generated automatically. | To operate, secure, and improve the Services. | Legitimate interests; performance of a contract. |
We may also process personal data to prevent fraud, abuse, or illegal activity, to enforce our Terms, and to protect the security of our Services and our legal rights, based on our legitimate interests.
Non-Personal Data. We may collect or generate aggregated, de-identified data that cannot reasonably be linked to you. Such data may be used without limitation for any purpose. If combined with personal data, the combined data is treated as personal data while combined.
3. How We Collect Your Information
- Provided by you - when you register, complete intake, or interact with the Service (including text, voice, and images you send).
- Automatically - usage and technical data generated through your use of the Services.
4. How We Share Data
We share personal data only as necessary to operate the Services. Recipients fall into the following categories:
| Category of Recipient | Details |
|---|---|
| AI providers | We use third-party AI providers - currently Anthropic, OpenAI, and Google - to process your messages, including transcribing voice messages, analyzing images, and generating coaching responses. Engaging these providers is necessary to deliver the Service. Your data, including health and fitness data and the images you send, is transmitted to these providers and processed under their own consumer terms and privacy policies, which may permit them to retain your data, have it reviewed by humans, and use it to train and improve their AI models. We do not control or restrict these independent data practices. Our legal basis for this sharing is our legitimate interest in operating the Service through the AI providers we have chosen to integrate with; we may change providers or terms from time to time. If you are not comfortable with this processing, do not use the Service. We do not sell your data. |
| Messaging provider | WhatsApp / Meta Platforms delivers your conversations with the Service. |
| Hosting / infrastructure | Microsoft Azure hosts and stores Service data. |
| Payment processor | Tranzila processes subscription payments under its own terms and privacy policy. |
| Legal & law enforcement | We may disclose data to authorities or other parties where required to comply with law, respond to a verified legal request, or protect our rights, you, or others from legal liability - and only to the extent necessary. |
| Corporate transactions | In a merger, acquisition, or sale of all or part of the business, data may be transferred to the successor, who must honor this Policy. |
Service providers may access only the data strictly necessary to perform their function, are bound to keep it confidential, and may use it only for the agreed purposes. We do not sell your personal data.
5. International Data Transfer
Due to the providers we use, your data may be stored or processed outside Israel, including in the EU, UK, and US. We take appropriate measures to ensure an adequate level of protection in accordance with applicable law. Where personal data from the EEA/UK is transferred to a country without an adequacy decision, the transfer is made under the European Commission's Standard Contractual Clauses (or the UK equivalent). To learn more, contact us at the email above.
6. Data Retention
We retain personal data for as long as your account is active and as needed to provide the Services, comply with legal obligations (e.g., bookkeeping), resolve disputes, and enforce our agreements. When data is no longer needed, we delete or anonymize it. Except where required by law, we are not obligated to retain data for any particular period and may delete it at any time.
7. Security
We implement reasonable physical, technical, and administrative measures intended to comply with applicable law and industry standards, to protect your information against unauthorized access, misuse, loss, or destruction. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If you believe your data has been compromised, contact us immediately at the email above.
8. Your Rights
Subject to applicable law, you may have the right to: access the personal data we hold about you; correct inaccurate data; request deletion (where we have no overriding legal basis to retain it); restrict or object to certain processing; request data portability; withdraw consent (including consent to process health data); and, in the EEA/UK, lodge a complaint with your supervisory authority. In Israel, you may also contact the Privacy Protection Authority.
To exercise your rights, contact us at support@getfishbone.ai. We may need to verify your identity before responding and will reply within the timeframes required by applicable law. You may opt out of proactive (non-essential) messages at any time by messaging the bot to unsubscribe; essential service and billing notices will still be sent.
9. Third-Party Services
The Services rely on and may link to third parties (e.g., WhatsApp, AI providers, Tranzila). Their handling of your data is governed by their own policies, and this Policy does not apply to them. We are not responsible for third-party practices.
10. Eligibility and Children's Privacy
The Services are intended for users aged 18 and over and are not directed at children. We do not knowingly collect data from anyone under 18. If we learn we have collected such data, we will delete it. Contact us at the email above if you believe a minor has shared information with us.
11. Changes to This Policy
We may amend this Policy from time to time at our discretion. The most recent version will always be posted, with the date reflected in the "Last Modified" heading above. We will notify you in advance of material changes affecting previously collected data or, where legally required, make them subject to your consent. We encourage you to review this Policy periodically.
12. Contact
For privacy questions or to exercise your rights, contact us at support@getfishbone.ai or via WhatsApp at 055-950-5283.