Legal notice: This Privacy Policy is a binding legal document. By creating an account or using Rebuilt, you acknowledge that you have read, understood, and agree to this Policy. If you do not agree, you must not use the application.
Rebuilt is operated by Aditya Kadam, an individual data fiduciary based in Pune, Maharashtra, India. For purposes of India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules 2025, Rebuilt is the Data Fiduciary responsible for your personal data.
Contact details:
Email: privacy@rebuilt.in
Data Fiduciary: Aditya Kadam
Address: Pune, Maharashtra, India
Response time: Within 72 hours of receipt
This Policy applies to all personal data collected, processed, stored, or used in connection with:
The Rebuilt mobile application (iOS and Android)
The Rebuilt web application at rebuilt.in
All AI-generated content produced on your behalf: workout plans, diet plans, machine guides, and coaching insights
Exercise demonstration videos delivered through the Application
FitCoins virtual currency earned, held, and spent within the Application
Trainer check-in and chat features (Mastery tier)
QR code and NFC machine guide interactions at partner gyms
Support tickets and all communications between you and Rebuilt
This Policy covers users in India and, to the extent applicable, users accessing Rebuilt from any other jurisdiction.
Account information: Name, email address, password (stored as a one-way cryptographic hash — never in plain text)
Identity: Date of birth, gender (used solely for physiological plan calibration)
Physical measurements: Height, weight, body fat percentage if provided, fitness experience level
Health and fitness goals: Target weight, training objective (fat loss, hypertrophy, endurance, recomposition), dietary restrictions, injuries or physical limitations
Dietary preferences: Food type preferences, allergies, cultural and religious dietary requirements including Jain, vegetarian, PCOS-aware, and regional Indian cuisines
Gym selection data: Your selected gym, machine preferences, training schedule, and gym-switching history
Workout logs: Exercises completed, sets, reps, weights used, substitutions made, and perceived exertion ratings
Diet adherence logs: Meals checked off, FitCoin deductions for missed meals, and dietary notes
Recovery check-ins: Self-reported energy levels, soreness scores, and sleep quality ratings used to adapt your workout intensity
FitCoin transactions: FitCoins earned through workout and diet completion, FitCoins spent on workout refreshes or premium actions, and your current FitCoin balance and full transaction history
Trainer interactions: Messages sent to and received from assigned trainers via in-app chat (Mastery tier); recovery check-in responses reviewed by trainers; trainer notes and feedback on your plans
Support ticket data: Content of support tickets you submit, any attachments, your account details at time of submission, and all correspondence with the support team
Other communications: All other messages, feedback, and correspondence you send to us
Device identifiers: Device type, operating system version, and unique device ID
First-party usage analytics: Features accessed, session timestamps, tap and scroll interactions, screen views, and feature engagement depth. All analytics are first-party only. We do not use third-party analytics platforms that track you across other services.
QR and NFC machine scan logs: Machine ID and name of the guide accessed, partner gym location, timestamp, and your user ID. Used to personalise your workout recommendations and generate anonymised gym analytics.
Approximate location: Your approximate location is inferred from your device network connection, browser locale, or server request headers (IP-based geolocation at city or region level only). Used for gym discovery and locally relevant content. We do not collect or store precise GPS coordinates.
Performance diagnostics: Anonymised app crash reports and error logs containing no personally identifiable information.
Authentication logs: Login timestamps and session tokens retained for 90 days for security and fraud prevention. Raw IP addresses used for fraud detection at login are not surfaced in any analytics dashboard, admin view, partner gym portal, or manufacturer report.
Explicit limitations: Rebuilt does not collect: biometric identification data; medical records or clinical diagnoses; financial information or payment card data; precise real-time GPS location; data from minors under 18; data from your device contacts, microphone, or camera beyond what you explicitly initiate; or any data for targeted third-party advertising.
We process your personal data only for the purposes listed below. We do not use your data for any unlisted purpose without obtaining fresh, specific consent.
To create and maintain your account and verify your identity
To operate the admin approval gate: new signups are reviewed by Rebuilt administrators before full access is granted. We assess your submitted information for completeness and eligibility. You will be notified by email of approval or rejection.
To generate AI-powered personalised workout plans calibrated to your gym equipment, physical measurements, goals, and recovery status
To generate AI-powered personalised diet plans calibrated to your nutritional goals, dietary preferences, and cultural food requirements
To dynamically adapt and update your plans based on logged workout performance, diet adherence, and recovery check-ins
To deliver Know Your Machine guides via QR code and NFC including machine-specific form steps, safety cues, muscle targeting information, and exercise demonstration videos
To operate the FitCoin system: calculating FitCoins earned from workout and diet completion, processing FitCoin redemptions, and displaying your FitCoin balance and transaction history
To facilitate trainer check-ins and chat sessions for Mastery tier subscribers: sharing your workout logs, recovery data, and progress with your assigned trainer to enable personalised coaching
To calculate and display your XP, rank progression, streak, and performance analytics
To generate AI Coach insight cards summarising your training patterns and recommending next actions
To process, track, and resolve your support tickets
To send transactional communications: account verification, admin approval notifications, password resets, plan updates, FitCoin transaction confirmations, and service notifications
To detect, prevent, and investigate fraud, security incidents, and abuse
To comply with applicable legal obligations under Indian law
To improve the Rebuilt service through aggregated, anonymised usage analytics that cannot identify you individually
To provide partner gyms with aggregated, anonymised machine interaction analytics (scan counts, peak times, equipment utilisation rates) containing no personally identifiable information
To provide equipment manufacturers with aggregated, anonymised usage insights about how their machines are used across the Rebuilt network, containing no personally identifiable information
AI processing disclosure: Your personal data including fitness goals, physical measurements, workout logs, dietary preferences, and recovery check-ins is processed by AI systems including the Anthropic Claude API to generate your personalised plans, machine guides, and coaching insights. This processing is conducted under your explicit consent. You have the right to request human review of any AI-generated output that has a significant effect on you.
Consent: The primary basis for processing your health and fitness data. You provide explicit, informed, specific consent at account creation. You may withdraw consent at any time (see Section 12).
Contractual necessity: Processing required to deliver the services you signed up for, including plan generation, machine guides, FitCoin operations, trainer chat, and progress tracking.
Legitimate interests: Security monitoring, fraud prevention, and aggregated anonymised analytics only where these interests do not override your fundamental privacy rights.
Legal obligation: Where Indian law requires retention or disclosure of data.
We do not rely on legitimate interests as a basis for processing sensitive health data. All health and fitness data is processed on the basis of explicit consent only.
Anthropic (AI processing): Your fitness goals, physical measurements, workout logs, dietary preferences, and relevant personal context are transmitted to the Anthropic Claude API to generate personalised AI outputs. Anthropic processes this data as a data processor under our instructions.
Render and Vercel (hosting): Application and frontend hosting under appropriate data processing agreements.
Supabase (database): PostgreSQL database hosting. All personal data is encrypted at rest and in transit.
Payment processors: Razorpay or equivalent for subscription payments. We do not receive or store your payment card data. FitCoin balances are stored in our own database and are not shared with payment processors.
Partner gyms: Anonymised, aggregated machine interaction analytics only: total QR/NFC scan counts per machine, peak usage time windows, and equipment utilisation rates. Gyms receive no name, email, health data, FitCoin balance, diet data, trainer chat content, or any individually identifiable information. Raw IP addresses are never surfaced in gym analytics dashboards.
Equipment manufacturers: Aggregated, anonymised usage insights only about how specific machine models are used across the Rebuilt network. No personally identifiable information. No gym-level attribution without explicit gym consent.
Trainers (Mastery tier): Your assigned trainer receives your workout logs, recovery check-in data, plan history, and progress analytics to enable coaching. Trainers are contractually bound to confidentiality and may not use your data for any purpose outside their coaching role on Rebuilt.
Hard limits on data sharing: We never: sell your personal data; share identifiable health or fitness data with advertisers or data brokers; share your data with insurance companies or employers; use your data for targeted third-party advertising; allow third parties to use your data for their own independent purposes; or surface raw IP addresses in any analytics dashboard, admin view, partner gym portal, or manufacturer report.
We may disclose your personal data to law enforcement, government authorities, or courts only if required by a valid legal order, warrant, or applicable Indian law. We will notify you of any such disclosure to the extent permitted by law and will challenge overbroad or unlawful requests.
Active account data: Retained for the duration of your account plus 30 days after deletion.
Workout logs, diet logs, recovery check-ins: Retained for the duration of your account. Deleted within 30 days of account deletion.
AI-generated plan and machine guide history: Retained for the duration of your account. Deleted within 30 days of account deletion.
FitCoin transaction history: Retained for the duration of your account and for 12 months after account deletion for dispute resolution.
Trainer chat history (Mastery tier): Retained for the duration of your active Mastery subscription plus 30 days. Deleted within 30 days of subscription downgrade or account deletion.
Support ticket data: Retained for 12 months from the date the ticket is closed, then deleted.
QR/NFC machine scan logs: Retained for 12 months for plan personalisation, then anonymised. Anonymised scan data may be retained indefinitely for aggregated analytics.
Authentication logs: Retained for 90 days. Raw IP addresses used for fraud detection are not retained beyond the authentication session unless a security incident requires investigation.
Approximate location data: Not stored persistently. Used in real time for gym discovery and content localisation, then discarded.
Anonymised aggregated analytics: Retained indefinitely as they cannot identify you individually.
Legal and compliance records: Retained for the period required by applicable Indian law.
When you delete your account, all identifiable personal data is permanently deleted from production systems within 30 days. Backup systems are purged within 90 days maximum.
Encryption in transit: All data transmitted between your device and Rebuilt servers is encrypted using TLS 1.2 or higher.
Encryption at rest: All personal data stored in our database is encrypted at rest.
Authentication: Passwords stored using industry-standard one-way cryptographic hashing. JWT-based session management with secure token expiry.
Access controls: Personal data is accessible only to authorised personnel with a legitimate need. Trainer chat content is accessible only to the assigned trainer and Rebuilt administrators. Raw IP addresses are not accessible in partner gym or manufacturer analytics views.
Admin approval gate: All new user accounts are reviewed by Rebuilt administrators before full access is granted. This process protects the community and the integrity of the platform.
Security monitoring: Active monitoring for unauthorised access attempts, unusual activity, and potential data breaches.
Vulnerability management: Regular security reviews and prompt patching of identified vulnerabilities.
Breach notification: Under the DPDP Act 2023 and DPDP Rules 2025, we will notify the Data Protection Board of India of all personal data breaches regardless of severity. We will notify you directly of any breach likely to result in harm to you within 72 hours. Notification will be sent to your registered email address.
Your personal data may be transferred to and processed outside India, including in the United States (Anthropic, Render, Vercel) and other countries where our service providers operate. All transfers are made under data processing agreements requiring protection equivalent to or exceeding Indian law. By using Rebuilt, you consent to these transfers under those safeguards.
Authentication tokens: Strictly necessary session tokens. Cannot be disabled without breaking core functionality.
Preference storage: Local storage of your in-app preferences. Stored on your device only, not transmitted to our servers.
First-party analytics: Anonymised session analytics collected by Rebuilt directly to understand aggregate feature usage. We do not use Google Analytics, Meta Pixel, or any third-party analytics platform that tracks you across other services. No advertising cookies. No cross-site tracking.
You may clear your browser local storage at any time without affecting your account data stored on our servers.
FitCoins are a virtual currency existing solely within the Rebuilt Application. The following privacy terms apply:
Your FitCoin balance and full transaction history including coins earned, coins spent, and the reason for each transaction are stored in our database and visible to you in the Application.
FitCoin transaction data is retained for 12 months after account deletion for dispute resolution.
FitCoins have no monetary value, cannot be exchanged for cash, and are not transferable between accounts.
We do not share your individual FitCoin balance or transaction history with any third party including partner gyms and manufacturers.
Right to access: Request a copy of all personal data we hold about you. We will respond within 30 days in a structured, machine-readable format.
Right to correction: Request correction of inaccurate or incomplete data. Most data can be corrected directly in your profile settings.
Right to erasure: Request deletion of your account and all associated personal data. Deletion is irreversible and completed within 30 days.
Right to withdraw consent: Withdraw consent to data processing at any time. Note that withdrawing consent for core data processing requires account deletion, as the service cannot function without it.
Right to data portability: Request your workout logs, diet plans, FitCoin transaction history, and progress data in portable format (JSON or CSV) at any time.
Right to object to automated decision-making: Request human review of any AI-generated output that has a significant effect on you, and object to decisions made solely by automated processing.
Right to grievance redressal: Raise a complaint at privacy@rebuilt.in. We respond within 72 hours and resolve within 30 days. If unsatisfied, escalate to the Data Protection Board of India.
Right to nominate: Nominate another person to exercise your rights on your behalf in the event of your death or incapacity, by contacting privacy@rebuilt.in.
How to exercise your rights: Email privacy@rebuilt.in with the subject line "Privacy Rights Request". Include your registered email address and describe the right you wish to exercise. We verify your identity before processing and respond within 30 days. No charge applies.
Rebuilt is not intended for persons under 18. We do not knowingly collect data from minors. If we discover a user is under 18, the account will be terminated and all data deleted immediately. If you believe a minor has created an account, contact privacy@rebuilt.in immediately.
AI model: Workout plans, diet plans, machine guides, and coaching insights are generated using the Anthropic Claude API. Your relevant personal data is transmitted to this API to generate your personalised outputs.
Exercise demonstration videos: Exercise demo videos delivered through the Application are sourced from licensed third-party libraries or produced by Rebuilt. They are provided for general educational guidance only. Rebuilt does not warrant that the technique shown is appropriate for your individual physical condition. No personal data is embedded in or transmitted through video content.
No training on your data: Your personal data is not used to train or fine-tune any AI model without your explicit, separately obtained consent. We do not currently use user data for AI model training.
Accuracy limitation: AI-generated plans are personalised recommendations, not medical advice. Consult a qualified medical professional before beginning any new exercise or diet programme.
Human review: You may request human review of any AI-generated plan by contacting support@rebuilt.in. We will respond within 5 business days.
Automated decisions: XP, rank, streak, and FitCoin calculations are automated. These affect your in-app experience only and have no legal or similarly significant effects outside the Application.
Your assigned trainer will have access to your workout logs, recovery check-in data, diet adherence data, progress analytics, and AI-generated plans for the purpose of providing personalised coaching.
All messages exchanged in trainer chat are stored on Rebuilt servers and are accessible to your assigned trainer, Rebuilt administrators for quality and safety monitoring, and you.
Trainer chat content is not shared with partner gyms, manufacturers, or any other third party.
Trainer chat history is deleted within 30 days of your Mastery subscription ending or your account being deleted.
If you have a complaint about trainer conduct, contact privacy@rebuilt.in. We will investigate within 5 business days.
Gym administrators receive only anonymised, aggregated machine interaction analytics: total scan counts per machine, peak usage time windows, and equipment utilisation rates. They receive no name, email, health data, FitCoin data, diet data, trainer chat content, or any individually identifiable information.
Raw IP addresses are never included in any analytics shared with gyms or manufacturers.
Equipment manufacturers may receive aggregated, anonymised insights about how specific machine models are used across the Rebuilt network. This data is aggregated across multiple users and cannot identify any individual.
All partner gyms are required to sign a Data Processing Agreement before accessing any analytics dashboard. This agreement prohibits gyms from attempting to de-anonymise individual users from aggregated data.
If you switch your selected gym, scan data from your previous gym ceases to contribute to that gym's analytics going forward.
New Rebuilt accounts are not automatically activated. All signups are reviewed by Rebuilt administrators before full access is granted.
During review we assess whether your submitted information is complete and whether your account meets our eligibility criteria. We review your email address and name only. We do not access your health data, physical measurements, or any other sensitive personal data during the approval review.
You will receive an email notification of approval or rejection, typically within 24 to 48 hours of signup.
If your account is rejected, your account data will be deleted within 7 days unless you appeal by contacting support@rebuilt.in.
Minor changes: Corrections and clarifications. We update the version number without separate notification.
Material changes: Changes affecting your rights or data practices. We notify you by email at least 30 days before the effective date. Continued use constitutes acceptance. You may delete your account if you do not accept.
Version history is available on request at privacy@rebuilt.in.
Step 1: Contact privacy@rebuilt.in. We acknowledge within 72 hours and resolve within 30 days.
Step 2: Escalate to the Data Protection Board of India if unsatisfied with our response.
Step 3: Approach courts of competent jurisdiction in India for remedies under applicable law.
This Policy is governed by the laws of India, including the DPDP Act 2023, the DPDP Rules 2025, and the Information Technology Act 2000. Disputes shall be subject to the exclusive jurisdiction of the courts at Pune, Maharashtra, India, subject to your rights before the Data Protection Board of India.
Data Fiduciary: Rebuilt / Aditya Kadam, the entity that determines the purpose and means of processing personal data.
Data Principal: You, the individual whose personal data is collected and processed.
Data Processor: Third parties who process personal data on our behalf such as Anthropic, Render, and Supabase.
FitCoins: Virtual in-app currency with no monetary value, used to unlock specific features within the Application.
Trainer: A fitness professional assigned to Mastery tier subscribers to provide personalised coaching via in-app check-ins and chat.
QR/NFC scan: The act of scanning a QR code or tapping an NFC tag on gym equipment to access a machine guide within the Application.
Admin approval gate: The process by which Rebuilt administrators review and approve new user accounts before full access is granted.
Acknowledgement
By creating an account on Rebuilt, you confirm that you have read and understood this Privacy Policy in its entirety, that you are at least 18 years of age, and that you provide your free, informed, specific, and unambiguous consent to the processing of your personal data as described in this Policy.
Aditya Kadam
Data Fiduciary: Rebuilt
Pune, Maharashtra, India
privacy@rebuilt.in
Effective Date: 29 May 2026 • Version 2.0