Tonal AI Workout Builder

Privacy Policy

1. Introduction

TonalAI LLC operates the TonalAI workout builder at tonalai.app. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our Service.

2. Information We Collect

Account Information

• Email address and password (password hashed with bcrypt, never stored in plain text)

Fitness Profile

• Physical attributes (height, weight, age, gender)
• Experience level, training frequency, and fitness goals
• Sport-specific context and equipment availability
• Movement restrictions and volume preferences
• Daily readiness and body map feedback

Tonal Account Credentials

• Your Tonal password is never stored. It is used only during the initial authentication flow to obtain a session token.
• Your Tonal refresh token is encrypted at rest using PBKDF2-HMAC-SHA256 key derivation with AES encryption.

Tonal Workout Data

• Workout history, exercise performance, and strength metrics synced from your Tonal account via three Tonal API endpoints (workout history, workout details, and user stats).

Generated Workout Data

• AI-generated workout plans, program schedules, and associated metadata.

Usage Analytics

• Page views, feature usage, and error events to improve the Service.

3. How We Use Your Information

We use your information to:

• Generate personalized AI workout programming tailored to your profile
• Send workouts to your Tonal device and sync your workout history
• Enforce your movement restrictions and volume preferences
• Adapt programming based on your performance history and daily readiness
• Provide account management, password reset, and support functionality
• Improve the Service through aggregated, non-identifying usage analytics

4. Third-Party Services

TonalAI integrates with the following third-party services:

• Anthropic Claude API — Powers AI workout generation. No personally identifiable information (PII) is sent to Anthropic. The AI receives only your anonymized fitness profile, preferences, and exercise catalog data.
• Tonal Platform — Used to send workouts to your Tonal device and sync your workout history, with your explicit authorization.
• SendGrid — Used for transactional emails (password reset, account notifications).
• Railway — Cloud hosting platform where the Service and database are deployed.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

5. Data Storage and Security

We take the security of your data seriously and employ the following measures:

• Database: PostgreSQL hosted on Railway with encrypted connections.
• Passwords: Hashed using bcrypt with per-user salts. Plain-text passwords are never stored.
• Tonal Tokens: Encrypted at rest using PBKDF2-HMAC-SHA256 derived keys with AES encryption.
• CSRF Protection: All state-changing requests are protected against cross-site request forgery.
• Rate Limiting: API endpoints are rate-limited to prevent abuse.

6. Data Retention

We retain your data for as long as your account is active. If you request account deletion, we will remove all your personal data, profile information, and workout history within 30 days of your request. Anonymized, aggregated analytics data that cannot be linked back to you may be retained indefinitely.

7. Your Rights

You have the right to:

• Access your personal data through your profile and account settings
• Update your profile information, preferences, and fitness data at any time
• Disconnect your Tonal account, which immediately revokes TonalAI's access to your Tonal data
• Request deletion of your account and all associated data by contacting us at support@tonalai.app

8. Children's Privacy

TonalAI is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Continued use of the Service after changes constitutes acceptance of the updated policy. We will indicate the date of the most recent revision at the bottom of this page.

10. Contact

If you have questions about this Privacy Policy or your personal data, contact us at support@tonalai.app.

Last updated: March 2026