Legal
Privacy Policy
Effective and last updated: July 15, 2026
At a glance
- Finn is an adult consumer wellness service, not a medical provider or emergency service.
- We do not sell personal or consumer health data, use it for advertising, or use it to train AI models.
- Google Gemini receives coaching data only after you give explicit permission. Apple Health summaries require a separate permission.
- You can withdraw AI permission, disconnect Apple Health, delete imported Apple Health data, or request access, correction, or deletion.
1. Scope and who we are
This Privacy Policy explains how Ellison Software LLC, doing business as Finn ("Finn," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal information when you use the Finn iOS application, coachfinn.com, our waitlist, or support services (collectively, the "Services"). Ellison Software LLC determines the purposes and means of processing described here.
Our separate Consumer Health Data Privacy Notice provides additional disclosures and rights for consumer health data. It supplements this Policy and controls if the two conflict regarding consumer health data.
2. Information we collect
| Category | Examples | Source |
|---|---|---|
| Account and contact | Name, email address, account identifiers, authentication status, waitlist and support communications. | You; our identity provider. |
| Profile, health, fitness, and nutrition | Height, weight, goals, schedule, training experience, workouts, mobility activity, soreness, injuries or limitations, sleep, dietary preferences, food intake, and nutrition goals. | You; Apple Health when you connect it. |
| Apple Health summaries | Daily summaries of sleep duration, resting heart rate, heart-rate variability (SDNN), respiratory rate, steps, exercise minutes, and active energy, plus workout type, timing, duration, and available workout measurements. | Apple Health, with your HealthKit permission. |
| User content and coaching records | Chat messages, onboarding answers, generated plans, recipes, workout and mobility logs, preferences, and feedback. | You; generated from your requests and data. |
| Purchase information | Product, entitlement, transaction identifier, purchase, renewal, expiration, and subscription status. We do not receive payment-card details. | Apple and RevenueCat. |
| Technical and usage | IP address, app and browser version, device and operating-system information, request time, security events, and diagnostic data. | Automatically from your device, app, browser, and servers. |
Free-form fields can contain information you choose to provide. Please do not submit information about another person unless you are authorized to do so. Finn does not use third-party advertising SDKs or engage in cross-app tracking.
3. How we use information
- Provide, personalize, and adapt workouts, mobility sessions, nutrition content, recipes, schedules, and coaching responses.
- Display and synchronize your history, progress, subscription access, and connected-health summaries.
- Authenticate users, maintain accounts, respond to support requests, and send service communications.
- Operate, secure, troubleshoot, test, and improve Service functionality and safety.
- Enforce our Terms, prevent fraud or abuse, comply with law, and establish or defend legal claims.
We do not use personal, chat, fitness, nutrition, or health information to train Finn or third-party AI models.
4. Apple Health and HealthKit
- Finn requests read access only to the specific HealthKit types listed in Section 2. You choose each permission in Apple Health and can change it in iOS Settings or the Health app.
- Raw HealthKit samples remain on your device. Finn normalizes them on-device and uploads the daily and workout summaries described above.
- HealthKit permission, Finn's Apple Health connection, and permission to use imported summaries with Google Gemini are separate choices.
- Finn does not use HealthKit data for advertising, marketing, eligibility decisions, or unrelated data mining; sell it; disclose it to data brokers; or store it in iCloud.
- Disconnecting Apple Health stops future imports and disables its AI-use permission. It does not by itself delete previously imported summaries; use the in-app delete control or contact us to delete them.
5. Google Gemini and explicit AI permission
Finn uses the paid Gemini API operated by Google LLC to produce requested coaching responses and plans. Before Finn sends personal information to Gemini, the iOS app identifies Google, describes the data and purpose, and asks you to allow the processing.
- Data sent: chat and onboarding content; relevant goals, schedule, injuries or limitations, nutrition preferences, plan and workout history; and Apple Health summaries only if you separately enable Apple Health AI use.
- Purpose: generate the response, plan, workout, mobility, recipe, or nutrition content you request and operate service safety and security.
- Not sent: Auth0 passwords, payment-card information, or raw HealthKit samples.
- Google's paid-service terms: Google states that it does not use paid-service prompts or responses to improve its products and processes them under its data processing terms. Google may log them for a limited period for abuse prevention, security, and required legal disclosures. See the Gemini API Additional Terms and Google Privacy Policy.
- Your choice: withdraw under Profile → AI Data Sharing. Withdrawal stops future AI processing and blocks AI-backed coaching until you grant permission again; it does not recall data already processed.
6. When we disclose information
We disclose only what is reasonably necessary for the following recipients and purposes:
- Google LLC: AI processing described in Section 5, after explicit permission.
- Auth0 by Okta: account authentication, identity, and security.
- RevenueCat, Inc.: purchase validation and subscription entitlements. See RevenueCat's privacy information.
- Apple: App Store purchases and the HealthKit permissions and data flows you control through Apple's services.
- Infrastructure and professional service providers: cloud hosting, databases, security, communications, and professional advisers acting for Finn.
- Legal, safety, and business events: when reasonably necessary to comply with law, protect rights or safety, investigate abuse, or evaluate a merger, financing, acquisition, or sale, subject to appropriate confidentiality and notice where required.
We require every third party with whom we share personal information to process it only for authorized purposes and to provide the same or equal protection of user data as stated in this Policy and required by Apple's App Review Guidelines. We do not sell personal information or consumer health data, share it for cross-context behavioral advertising, or disclose HealthKit data for advertising or marketing.
7. Retention and deletion
| Data | Retention approach |
|---|---|
| Imported daily Apple Health observations | Up to 180 days. |
| Imported workout summaries | Up to 365 days. |
| Value-free health sync audit records | Up to 90 days. |
| Account, profile, plans, logs, and chats | While your account is active and as needed to provide the Services, unless you delete them sooner. |
| Waitlist and support records | Until the request is resolved, you ask us to delete them, or they are no longer reasonably needed. |
| Purchase, security, and legal records | As needed for transaction records, fraud prevention, disputes, and legal obligations. |
A verified deletion request removes covered information from active systems unless retention is required or permitted for security, fraud prevention, transaction records, legal compliance, or legal claims. Residual copies may remain temporarily in protected backups until overwritten through the normal backup cycle. We direct processors to delete covered information when required.
8. Your choices and privacy rights
Depending on where you live, you may have the right to:
- know, access, and receive a portable copy of personal information;
- correct inaccurate personal information;
- delete personal information, subject to lawful exceptions;
- withdraw consent for future processing or sharing;
- confirm whether consumer health data is shared and obtain a list of recipients; and
- appeal a denial of a privacy request and not receive discriminatory treatment for exercising a right.
Use Profile → AI Data Sharing for Gemini permission, Profile → Apple Health for health permissions and imported-data controls, or email coachfinntech@gmail.com. State the right you want to exercise and the email associated with your account. We may verify your identity and authority before acting. We will respond and provide any appeal instructions within the period required by applicable law.
Permanent account deletion is currently completed through a verified email request. Deleting the app or using an in-app plan or data reset control does not by itself delete your Finn authentication identity or cancel an Apple subscription.
You can also change HealthKit permissions in iOS Settings or the Apple Health app and manage App Store subscriptions in your Apple Account. Deleting Finn does not cancel an Apple subscription.
9. Security and incident notice
We use administrative, technical, and organizational safeguards designed for the sensitivity of the information, including access controls, encrypted transport, and separation of permissioned data flows. No system is completely secure. If an incident triggers a notification duty under applicable law, including an applicable health-breach notification rule, we will provide the required notices.
10. Consumer wellness service; not HIPAA care
Finn is a direct-to-consumer wellness service, not a healthcare provider, health plan, medical record system, or emergency service. The Services are not intended to create a clinician-patient relationship or serve as a HIPAA-covered healthcare service. We treat health-related information as sensitive regardless of whether HIPAA applies.
11. International processing
Finn and its service providers may process information in the United States and other countries where they operate. Those countries may have different data-protection laws. Where required, we use an approved transfer mechanism and apply the protections described in this Policy.
12. Adults only
The Services are intended only for people age 18 or older. We do not knowingly collect personal information from anyone under 18. Contact us if you believe a minor has provided information, and we will investigate and delete it as appropriate.
13. Changes to this Policy
We may update this Policy as the Services or law changes. We will post the revised version and update the date above. If a change materially expands how we collect, use, or disclose sensitive or consumer health data, we will provide additional notice and obtain consent when required before applying the new practice.
14. Contact
Questions, complaints, privacy requests, and appeals may be sent to coachfinntech@gmail.com or mailed to Ellison Software LLC, 1302 Bonnie Brae Street, Hermosa Beach, CA 90254. Please do not include detailed health information in an unencrypted email.