Privacy Policy
Last revised: May 16, 2026 / Effective: May 16, 2026
This English version is provided for reference. In the event of any discrepancy, the Japanese version shall prevail.
NicoFit (operated by sole proprietor Kazusa Furuhashi, hereinafter "we" or "us") handles users' personal information as described below in connection with providing the service "NicoFit" (hereinafter the "Service"). This Policy complies with Japan's Act on the Protection of Personal Information (APPI) and related laws and regulations while respecting the rights of users.
1. Information We Collect
We collect the following information in order to operate the Service.
(1) Account information
- Email address, display name, role (user / trainer / owner), year of birth (optional), height (optional), goal weight (optional), and time zone
- When LINE is linked: LINE user ID (an external identifier)
(2) Fitness and health-related information
- Body weight, body fat percentage, sleep duration, training history (exercises, weights, repetitions, etc.)
- Meal records (menu names, PFC, kcal, photos)
- Step count and calories burned (including when synced via HealthKit)
- Reflection notes (stored encrypted)
(3) Special-care-required and sensitive information
We collect the following information only after obtaining your individual consent (opt-in). You may withdraw your opt-in at any time from the settings screen.
- Menstrual cycle (menstruation) — opt-in only. We will not share this with a trainer without your separate individual consent.
- Bowel records (bowel) — opt-in only.
- Body weight (weight) — opt-in only.
- Meal photos (handled with care, as faces and similar features may sometimes appear)
- HealthKit health data — data synced from Apple Health
- Reflection notes — encrypted with AES-256-GCM, as they may contain psychological state, relationships, and similar content
(4) Billing and transaction information
- Stripe Customer ID, subscription ID, plan code, and transaction status
- We do not store credit card numbers or other card details on our servers (they are managed securely by Stripe).
(5) Access and device information
- IP address, browser information, cookies, and push notification tokens
2. Purposes of Use
- Processing necessary to provide, improve, and operate the Service
- Sharing records with trainer users (only within the scope the user has consented to)
- Generating AI drafts and monthly reviews (medical advice and diagnosis are prohibited)
- Billing, prevention of fraudulent use, and customer support
- Informing you of campaigns and new features (opt-out available)
- Responding to legal requirements, resolving disputes, and ensuring safety
3. Provision to Third Parties
Except in the following cases, we will not provide personal information to third parties without the user's consent.
- Where the user has consented (opted in) within the Service to "share with a trainer" (the recipient is limited to the trainer the user designates)
- Where required by law (court orders, police inquiries, etc.)
- Where urgently necessary to protect a person's life, body, or property
4. Subcontractors and Cross-Border Transfers
We entrust the handling of personal information to the following providers in order to operate the Service. Because some of these providers are located outside Japan, in accordance with Article 28 of the APPI we set out below their location, an overview of the personal information protection systems in those countries, and the security measures each provider implements.
| Provider | Country | Entrusted services | Overview of the country's system | Security measures implemented |
|---|---|---|---|---|
| Supabase, Inc. | USA | Database, authentication, and storage | The United States has no comprehensive federal law on personal information protection; it is partially protected by sector-specific federal laws and state laws (CCPA / CPRA, etc.). It has not received an adequacy decision equivalent to the EU General Data Protection Regulation (GDPR). | DPA (data processing agreement) concluded / encryption at rest via TLS and AES-256 / SOC 2 Type II audit / row-level isolation via RLS |
| Stripe, Inc. | USA | Payment processing (handling of credit card information) | USA (same as Supabase above). | PCI DSS Level 1 certified / DPA concluded / card numbers are tokenized on Stripe's side and not stored on our servers |
| Anthropic, PBC | USA | AI drafts, AI coach text, and photo nutrition estimation | USA (same as above). | DPA concluded / contractual prohibition on reusing transmitted data for model training / data minimization by removing special-care-required personal information on the server before transmission / TLS-encrypted communication |
| Resend, Inc. | USA | Transactional email delivery | USA (same as above). | DPA concluded / TLS-encrypted transmission |
| Vercel Inc. | USA | Hosting and delivery of the web application | USA (same as above). | DPA concluded / SOC 2 Type II audit / TLS encryption / priority delivery from the Tokyo region |
| OpenAI, L.L.C. / Google LLC | USA | Automatic moderation of videos and photos (Vision / Moderation API) | USA (same as above). | DPA concluded / used only via API (contractually not reused for model training) / metadata removed before transmission |
| LINE Corporation / LY Corporation | Japan (partly operated in South Korea) | LINE Official Account integration and LINE Login | Japanese domestic law (the APPI) applies. Part of the operating infrastructure is located in South Korea, which has its own Personal Information Protection Act (PIPA) and has received an adequacy decision from the EU under Article 45 of the GDPR. | Handled only via the official LINE API / OAuth authorization scopes minimized / users can unlink the integration |
* The system overviews for each provider are summaries based on the Personal Information Protection Commission's "Survey on Systems for the Protection of Personal Information in Foreign Countries" and information published by each company. For the most accurate and up-to-date information, please refer to the Commission's official website and each company's privacy policy.
These providers conclude agreements with us regarding the security management of personal information (such as DPAs) and handle personal information only within the scope of the entrusted services and according to our instructions. With respect to provision to the U.S.-based providers above, by agreeing to the Terms of Service and this Policy you are deemed to have also consented to the cross-border transfer. If you wish to withdraw your consent, please contact the point of contact at the end of this Policy (note that as a result of withdrawal you may be unable to use the core features of the Service).
5. Security Measures
- Communications are encrypted with HTTPS (TLS).
- Reflection notes are stored encrypted with AES-256-GCM.
- Meal photos are stored in private storage and cannot be viewed by anyone other than the user and a trainer with whom they have been shared by consent.
- Row Level Security (RLS) is applied to all tables in the database.
- We implement employee access controls, log monitoring, and regular vulnerability checks.
6. Retention Period and Deletion
- After account withdrawal, user data is retained for 30 days and then physically deleted.
- Before withdrawing, you can obtain your data using the CSV export feature.
- Information that is required by law to be retained, such as accounting books, is kept for the statutory period.
7. Rights of Users
Under the APPI, users have the following rights.
- Request for disclosure of retained personal data
- Request for correction, addition, or deletion
- Request for suspension of use, erasure, or suspension of provision to third parties
- Request relating to data portability (CSV export is supported)
Please direct the above requests to the contact at the end of this Policy. After verifying your identity, we will respond within a reasonable period.
8. Cookies, etc.
The Service uses cookies and similar technologies (such as localStorage) to provide and improve the Service. Cookies are classified into the following three categories, and categories other than essential are enabled only when the user has consented. Consent is obtained via the cookie consent banner at the bottom of the screen and is saved to the browser's localStorage key cookie_consent_v1. You can change your settings from this Policy at any time.
(1) Essential cookies
- Purpose: maintaining login authentication sessions, CSRF protection, and retaining display settings
- Provider: us (including Supabase Auth cookies)
- Consent: not required (the Service cannot be used if disabled)
(2) Analytics cookies
- Purpose: measuring page views, time on page, funnels, etc., and improving the Service
- Provider: Google LLC (Google Analytics 4), PostHog Inc.
* GA4 is used with IP anonymization enabled. PostHog profiles only identified users (identified_only mode). - Consent: required (loaded only if explicitly permitted in the banner)
(3) Advertising-related cookies
- Purpose: ad measurement and optimization
- Provider: not currently implemented. If introduced in the future, we will notify you through this Policy.
- Consent: required (after introduction, only if explicitly permitted in the banner)
When a logged-in user grants or withdraws consent, we record the evidence (consent categories, date and time, and hashed IP / User-Agent) in our consent_audit table. The consent status of anonymous users is stored only in localStorage and is not transmitted to our servers.
You can also refuse cookies in general through your browser settings, but in that case essential cookies will also be disabled, so features such as login will not be available.
9. Use by Minors
The Service may be used only by persons aged 18 or older. The video upload feature is limited to persons aged 18 or older from the perspective of the Act on Punishment of Activities Relating to Child Prostitution and Child Pornography and the protection of young people.
10. Internal Use of Statistical and Anonymized Data
In order to improve the quality of the Service and develop the Service, we may internally use record data obtained from users (meal records, PFC, training, body weight, sleep, etc.) after aggregating and anonymizing it into a form that cannot identify individuals. The intended purposes of use are as follows.
- Improving Service features and validating new features (e.g., improving recommendation accuracy based on dietary tendencies)
- Aggregation and statistical research by segment (age group, primary goal, meal occasion, etc.)
- Internal analysis for future service development and health-related research
- Improving and building evaluation datasets for AI model prompts (we do not transmit individual raw data externally as training material)
When creating anonymized information, we follow the standards set out in the APPI and Article 34 of the Enforcement Rules for the Act on the Protection of Personal Information, and delete descriptions and personal identification codes that can identify a specific individual. We do not attempt to restore the original data.
We do not currently provide anonymized information to external third parties for a fee. If in the future we provide anonymized information externally, we will revise this Policy, clearly state the items and method of provision, and comply with the procedures (such as public announcement) under Article 43 et seq. of the APPI.
If you wish to exclude your own data from this internal statistical use (opt-out), please contact us via the "Privacy items" section of the settings screen or the point of contact at the end of this Policy. Note that because the correspondence with an individual has already been severed at the point of anonymization, we may be unable to comply with retroactive exclusion.
11. Changes to this Policy
This Policy may be revised in response to amendments to laws and regulations, changes to the Service, and the like. We will notify you of material changes within the Service or via the email address you registered.
Contact
Personal Information Protection Manager: Kazusa Furuhashi
Contact email: olkazu0828@gmail.com
Business operator: NicoFit (sole proprietor: Kazusa Furuhashi)
Address: 3-6-5 Toyosu, Koto-ku, Tokyo, Japan
Service URL: https://nico-fit.com