
Privacy Policy
Last updated: 7 June 2026
BodyWHAT (“BodyWHAT”, “we”, “us”) provides a body-composition scanning and AI coaching service. Because that service involves body photos and information about your body, we take your privacy seriously. This policy explains what we collect, why, how we protect it, and the rights you have over it.
1. Who we are
BodyWHAT is operated by Bodywhat SAS, a French société par actions simplifiée, which is the data controller for the personal data described here. For any privacy question or request, contact us at contact@bodywhat.com.
2. Information we collect
- Photos you upload for a scan (front, and optionally side and back). These are images of your body and are sensitive personal data.
- Body-composition information derived from your photos — estimated body-fat percentage, lean and fat mass, measurements, body shape and posture indicators. Information derived from images of your body may, in some jurisdictions, be treated as biometric data.
- Account information — your email address, display name, and authentication details (including, if you sign in with Google, the identifier Google provides).
- Health profile and goals you choose to enter — such as training experience, available equipment, injuries, conditions, dietary restrictions and target metrics.
- Coaching conversations with the AI coach and the plans generated for you.
- Payment information — handled by our payment processor, Stripe. We do not store your full card number; we keep a customer reference and your subscription status, plan and billing history.
- Technical and usage data — log data, device and browser information, and essential cookies needed to keep you signed in and remember preferences.
3. How we use your information
- To provide the service — process scans, generate metrics, coaching and plans, and let you compare and track progress.
- To create and maintain your account and keep you signed in.
- To process payments, trials and subscriptions.
- To operate, secure, debug and improve the service.
- To communicate with you about your account, security and service updates.
- To comply with legal obligations and enforce our terms.
We do not sell your personal data, and we do not use your photos or body data for third-party advertising.
4. Legal bases (EEA/UK users)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to deliver the service you sign up for); your consent (in particular for processing your photos and the sensitive/biometric body data derived from them, which you can withdraw at any time); our legitimate interests (to secure and improve the service); and legal obligations (for example, retaining payment records).
5. Sensitive and biometric data
Your photos and the body-composition data derived from them are sensitive. We process them only to provide the features you use, on the basis of your consent. Your face is automatically blurred on scans, scans are private by default, and you can delete any scan or your whole account at any time. We do not use this data to identify you to third parties.
6. How we share information
We share personal data only with:
- Service providers who process data on our behalf — notably Stripe for payments. They are bound to use it only to provide their service to us.
- Authorities, where we are legally required to, or to protect rights, safety and the integrity of the service.
- A successor entity in the event of a merger, acquisition or asset sale, subject to this policy.
We do not sell your data and we do not share it with advertising networks.
7. Data retention
We keep your personal data while your account is active. When you delete a scan it is removed; when you delete your account we delete your personal data, except where we must keep limited records to meet legal obligations (for example, payment and tax records). You can request deletion at any time.
8. Security
We protect data in transit with encryption (HTTPS/TLS) and restrict access to it. No method of storage or transmission is completely secure, but we work to protect your information and to limit who can access it.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict or object to the processing of your personal data, to withdraw consent, and to receive a copy of your data in a portable form. You can exercise many of these directly in the app, or by contacting contact@bodywhat.com. If you are in the EEA or UK, you also have the right to lodge a complaint with your local data-protection authority.
10. International transfers
Your data is processed on our servers and by our processors (such as Stripe), which may be located in countries other than yours. Where data is transferred internationally, we rely on appropriate safeguards as required by applicable law.
11. Cookies
We use essential cookies and local storage to keep you signed in and to remember preferences such as your theme and unit choice. We do not use third-party advertising cookies.
12. Children
BodyWHAT is intended for adults aged 18 and over and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with data, contact us and we will delete it.
13. Changes to this policy
We may update this policy as the service evolves. We will post the new version here and update the date above; significant changes will be communicated where appropriate.
14. Contact
Questions or requests about your privacy: contact@bodywhat.com.
