Privacy Policy

Last updated: 7 April 2026

At ENFIITY, we take your privacy seriously. This policy explains what data we collect, how we use it, who we share it with, the legal basis for processing, and the rights you have over your information under UK GDPR and the Data Protection Act 2018.

Data Controller: ENFIITY Ltd, Edinburgh, United Kingdom
Contact: team@enfiity.com

1. Information We Collect

Account Data

When you sign up, we collect:

  • Your name and email address
  • Phone number (if provided)
  • Profile photo (if set through your account)
  • Authentication tokens (managed by Supabase Auth)

Expert Profile Data

If you apply to become an expert on ENFIITY, we additionally collect:

  • Professional biography and qualifications
  • Profile photo and cover images
  • Certification documents and credentials
  • Area of practice and specialisations
  • Consultation pricing and availability

AI Conversation Data

When you interact with ZETA, our AI intelligence layer, we store your conversation history and the patterns ZETA derives from it. This includes:

  • Messages you send to ZETA
  • ZETA's responses
  • Cross-domain patterns (training, nutrition, sleep, mood, habits) that ZETA uses to provide personalised guidance
  • Internal notes ZETA generates between sessions to maintain continuity
  • Identity layer data (your stated objectives, traits, evolving self-map)

Usage Data

We collect basic usage analytics to understand how people use the platform:

  • Features used and pages visited
  • Session duration and navigation patterns
  • Device type, browser, and operating system
  • Errors and crashes (via Sentry, our error tracking service)

Payment Data

All payment processing is handled by Stripe. We never see, store, or have access to your full credit card number, CVV, or banking details. Stripe provides us with only a customer reference ID, the last four digits of your card, and the card brand (e.g. Visa, Mastercard) for billing display.

Device Information

If you use our native iOS or Android app, or our progressive web app, we may collect device identifiers and push notification tokens to deliver notifications and personalised experiences.

Health and Wellbeing Data (Special Category Data)

ENFIITY's purpose involves you sharing information about your physical, mental, and biological wellbeing with ZETA. This includes:

  • Workouts, training data, recovery patterns
  • Nutrition and food logs
  • Sleep patterns
  • Mood and emotional state
  • Habits and behavioural patterns
  • Health goals and challenges

This is classified as special category data under UK GDPR Article 9. We process it only with your explicit consent, which you provide when you sign up and confirm by interacting with these features. You can withdraw this consent at any time by contacting team@enfiity.com or by deleting your account.

2. Lawful Basis for Processing (UK GDPR Article 6 & Article 9)

UK GDPR requires us to identify a lawful basis for each type of processing we carry out. Here's how we process your data:

Processing Activity | Lawful Basis
Creating and managing your account | Performance of a contract (Article 6(1)(b))
Processing payments and subscriptions | Performance of a contract (Article 6(1)(b))
Sending transactional emails (booking confirmations, payment receipts) | Performance of a contract (Article 6(1)(b))
Sending marketing or product update emails | Consent (Article 6(1)(a)) — you can withdraw at any time
AI processing of your messages by ZETA | Consent (Article 6(1)(a)) and explicit consent for special category data (Article 9(2)(a))
Improving the platform via analytics | Legitimate interests (Article 6(1)(f))
Error tracking and security monitoring | Legitimate interests (Article 6(1)(f))
Complying with legal obligations | Legal obligation (Article 6(1)(c))

You have the right to object to processing based on legitimate interests. Contact team@enfiity.com.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • ZETA AI Coaching — Your messages and contextual data are sent to Anthropic's Claude API so ZETA can provide personalised intelligence across the mental, physical, and biological domains.
  • ECLIPSE AI Strategy — Our internal AI system uses Claude to review expert applications, generate platform content, and manage operations.
  • Personalisation — Our memory system stores your objectives, preferences, domain scores, and identity layer data so ZETA can provide consistent, contextual guidance over time.
  • Expert Matching — We use your profile and preferences to recommend relevant experts.
  • Booking Management — To process and manage expert bookings, send confirmations, and provide reminders.
  • Email Notifications — We send transactional and product emails through Resend. You can opt out of non-essential emails at any time.
  • Platform Improvement — Aggregated, anonymised usage data helps us identify issues and improve the product.
  • Fraud Prevention and Security — We monitor for suspicious activity to protect users and the platform.

We do NOT use your data to train AI models. Anthropic, our AI processor, does not train its models on data sent through their API.

4. AI & Data Processing Details

ENFIITY is an AI-powered platform. Here's exactly how AI processes your data:

ZETA (Your Intelligence Layer)

ZETA is powered by Anthropic's Claude. When you send a message to ZETA:

  1. Your message and relevant conversation history are sent to Anthropic's API
  2. Anthropic processes the request and returns a response
  3. Anthropic does not retain your data after processing and does not use it for model training (per Anthropic's Commercial Terms)
  4. The response is returned to you and stored in our database for conversation continuity

ECLIPSE (Expert Review System)

ECLIPSE uses AI to assist with expert application reviews. Significant decisions affecting expert applicants are subject to human review before final approval. You have the right to request human intervention in any automated decision affecting you (UK GDPR Article 22).

User Memory System

To provide continuity across your sessions, ZETA maintains a memory of:

  • Your stated objectives and goals
  • Domain scores (mental, physical, biological)
  • Streaks, engagement patterns, and habit history
  • Personal preferences and contextual information you share
  • Patterns ZETA derives from your behaviour over time

AI-Generated Content Disclaimer

Some content on the platform is generated or enhanced by AI, including ZETA responses, coaching insights, and pattern observations. This is not a substitute for professional medical, psychological, nutritional, or fitness advice. Always consult qualified professionals for health-related decisions.

5. Third-Party Services and International Transfers

We rely on trusted third-party processors. Some of these services process data outside the United Kingdom. Where international transfers occur, we rely on the safeguards listed below.

Provider | Purpose | Data Location | Safeguard
Anthropic (Claude API) | AI processing for ZETA and ECLIPSE | United States | Standard Contractual Clauses (SCCs); Anthropic Data Processing Addendum
Stripe | Payment processing | United States, Ireland | UK adequacy regulations; SCCs; PCI DSS Level 1 certification
Supabase | Database, authentication, file storage | European Union (Frankfurt) | UK GDPR aligned; SCCs for any sub-processors
Upstash Redis | Rate limiting, session caching | European Union | UK GDPR aligned
Vercel | Application hosting and serverless functions | United States, with EU edge regions | SCCs; Vercel Data Processing Addendum
Resend | Transactional and product emails | United States | SCCs; Resend Data Processing Addendum
Sentry | Error tracking and performance monitoring | United States | SCCs; Sentry Data Processing Addendum

We never sell your data to third parties. We never share your data with advertisers.

A full list of processors and copies of relevant contracts are available on request. Contact team@enfiity.com.

6. Data Storage and Retention

Different types of data are retained for different periods:

  • Account data — Retained while your account is active, plus 30 days after deletion to handle billing reconciliation
  • AI conversation history — Retained while your account is active; the most recent 50 messages per thread are stored. Older messages are automatically removed
  • User memory and identity data — Retained while your account is active. Auto-deleted 90 days after your last session if you become inactive
  • Profile and platform content — Retained while your account is active
  • Payment records (Stripe) — Retained per Stripe's policies and applicable financial regulations (typically 7 years for tax/accounting purposes)
  • Email logs (Resend) — Retained per Resend's standard policies, typically 30 days
  • Error logs (Sentry) — Retained for 30 days
  • Aggregated analytics data — Retained indefinitely in anonymised form

When you request account deletion, all personal data tied to your account is removed within 30 days, except where retention is required by law (e.g. financial records for HMRC compliance).

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access (Article 15) — Request a copy of all the data we hold about you
  • Right to rectification (Article 16) — Correct inaccurate or incomplete data
  • Right to erasure (Article 17) — Request that we delete your account and all associated data ("right to be forgotten")
  • Right to restrict processing (Article 18) — Limit how we use your data in specific circumstances
  • Right to data portability (Article 20) — Receive your data in a structured, machine-readable format
  • Right to object (Article 21) — Object to processing based on legitimate interests, including direct marketing
  • Right to withdraw consent — Withdraw your consent for any processing that relies on consent, including ZETA AI processing
  • Right not to be subject to automated decision-making (Article 22) — Request human intervention in any automated decision that significantly affects you

To exercise any of these rights, email team@enfiity.com. We aim to respond within 30 days. There is no charge for exercising your rights, though we may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.

Right to Complain to the ICO

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk

We would appreciate the opportunity to address your concerns first. Please contact us at team@enfiity.com.

8. Expert Data

If you are an expert on the ENFIITY platform, additional data handling applies:

  • Public Profiles — Once your expert profile is live, your name, photo, biography, qualifications, domain, and consultation details are publicly visible
  • Application Review — Your application data is reviewed by ECLIPSE and by human reviewers. Final approval involves human judgement
  • Certifications — Documents you upload are stored securely and only accessible to authorised platform administrators for verification
  • Earnings and Bookings — Your booking history, session records, and earnings data are stored for operational, tax, and financial reporting purposes

9. Cookies and Tracking

We keep tracking to a minimum and use only essential technologies:

  • Service Worker — Our progressive web app uses a service worker for offline caching and faster page loads
  • localStorage — Used for session management, authentication tokens, and user preferences
  • sessionStorage — Used temporarily during active sessions for state management
  • Authentication cookies — Required to keep you signed in

No advertising trackers. We do not use third-party advertising cookies, tracking pixels, retargeting tools, or any technology that profiles you for advertising purposes.

For non-essential cookies (such as analytics), we will request your consent through a cookie banner where required. You can change your preferences at any time through your browser settings or the cookie banner controls.

10. Security

We take reasonable measures to protect your personal information:

  • HTTPS encryption — All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
  • Stripe PCI compliance — All payment processing is PCI DSS Level 1 certified
  • OAuth 2.0 — Authentication is handled through secure OAuth flows
  • Row-level security — Database access is restricted via Supabase row-level security policies
  • Access controls — Sensitive administrative endpoints are restricted to authorised administrators only
  • Webhook signature verification — All payment webhooks are cryptographically verified before processing
  • Rate limiting — All sensitive endpoints are rate-limited to prevent abuse
  • Serverless architecture — Our Vercel-hosted serverless functions minimise attack surface

If you discover a security vulnerability, please contact us at team@enfiity.com. We treat all reports confidentially and respond promptly.

11. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  1. Notify the UK Information Commissioner's Office within 72 hours of becoming aware of the breach
  2. Notify affected users without undue delay, with a description of the breach, likely consequences, and the measures we are taking
  3. Maintain a record of all breaches and our response

12. Children's Privacy

ENFIITY is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you believe a child has provided us with personal data, please contact us at team@enfiity.com and we will promptly delete that information.

13. International Users

ENFIITY is operated from the United Kingdom and primarily serves users in the UK and EU. If you access ENFIITY from outside these regions, you do so at your own initiative and are responsible for compliance with local laws. By using ENFIITY, you consent to the transfer and processing of your data in the United Kingdom and the locations of our processors listed in Section 5.

14. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes:

  • We will update the "Last updated" date at the top of this page
  • For material changes, we will notify you via email at least 30 days before the changes take effect
  • We may also display a notice within the platform itself

Your continued use of ENFIITY after changes are posted constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account at any time.

15. Contact Us

If you have any questions about this privacy policy, your data, or your rights:

Email: team@enfiity.com
Platform: enfiity.com
Postal Address: ENFIITY Ltd, Edinburgh, United Kingdom

We aim to respond to all privacy-related enquiries within 30 days.