Legal
Privacy Policy
Last updated: 2026-04-20
This policy explains what personal data Zenith (“we”, “us”) collects when you use the service, why we collect it, how long we keep it, and the rights you have over it. It is written to meet our obligations under the UK GDPR and the Data Protection Act 2018.
Who is the data controller?
The data controller is the operator of Zenith. You can contact us about anything in this policy at ZenithAppSupport@proton.me.
What we collect
- Account data — email address and a hashed password, managed for us by Supabase.
- Health & lifestyle data — habits you choose to track, fitness sessions you log, calendar events and reminders you create, weight readings, nutrition entries, and any sleep/steps data you import from Apple Health.
- Preferences — timezone, weigh-in cadence, and which widgets you want on your dashboard.
- Third-party tokens — if you connect Spotify, we store an encrypted access and refresh token so we can fetch your top tracks on your behalf.
- Technical data — the IP address and user-agent seen by our hosting and auth providers. We do not set analytics or advertising cookies.
Why we collect it (lawful basis)
- Contract — we need account and health data to provide the service you signed up for.
- Consent — connecting Spotify or importing Apple Health data is optional and only happens when you ask.
- Legitimate interests — essential logs to keep the service secure and debuggable.
Who we share it with
We use a small number of processors to run Zenith:
- Supabase — authentication, database, storage. Hosted in the EU.
- Vercel — application hosting and CDN.
- Open-Meteo — free weather API. We send your approximate latitude and longitude (from your browser's geolocation prompt) so the forecast is accurate.
- Spotify — only if you explicitly connect it. We exchange tokens with Spotify on your behalf; we do not share your Zenith data with them.
We do not sell or share your data with advertisers, data brokers, or any party not listed above.
How long we keep it
Your account data and everything you log is kept for as long as your account exists. When you delete your account from the Settings page, we immediately delete every row of data we hold about you. Encrypted database backups may retain a copy for up to 7 days before they expire.
Your rights
Under UK GDPR you have the right to access, correct, delete, restrict, object to, and port your personal data.
- Access & portability — email us at ZenithAppSupport@proton.me and we'll send you a JSON export of everything we hold about you, typically within 30 days.
- Correction — edit your entries directly in the app, or contact us.
- Erasure — delete your account from Settings → Danger zone, or email us.
- Complaints — you can also complain to the Information Commissioner's Office at ico.org.uk.
Cookies
Zenith only uses strictly-necessary cookies to keep you signed in and secure common actions. We do not use analytics, advertising, or third-party tracking cookies, so no cookie banner is required.
Security
Data is transmitted over HTTPS and encrypted at rest. OAuth tokens are additionally encrypted before being stored using industry-standard encryption. Access controls ensure that no user can read or write another user's data.
Changes to this policy
If we make material changes we will update the “last updated” date at the top of this page, and, for significant changes, notify you by email.