Privacy Policy

Updated on April 12, 2026

Se Mexa ("we," "our," or "us") is a health and fitness application developed by StartFlow. This Privacy Policy explains how your personal data is collected, used, stored, and shared when you use the Se Mexa app.

By creating an account or using Se Mexa, you agree to the terms of this Privacy Policy. If you do not agree, please do not use the app.

1. Data Controller

Company: StartFlow
Country: Brazil
Contact: sstartflow@gmail.com

2. Data We Collect

2.1 Account and Profile Data

  • Full name and email address
  • Phone number (optional)
  • Password (stored as a bcrypt hash, never in plain text)
  • Profile photo (optional, user-provided via camera or gallery)
  • CPF (Brazilian tax ID; collected only from gym partner members, for enrollment verification; stored as an HMAC-SHA256 cryptographic hash, never in plain text)

2.2 Health and Fitness Data

Collected during onboarding and ongoing use:

  • Age, gender, and physical characteristics (height and current weight)
  • Weight history and weight goal
  • Body Mass Index (BMI), calculated locally from data you provide
  • Physical activity level (sedentary, active, very active, etc.)
  • Fitness goals (weight loss, muscle gain, conditioning, health maintenance)
  • Dietary preferences and restrictions (vegan, vegetarian, gluten-free, lactose-free, etc.)
  • Health restrictions, injuries, and relevant medical conditions (free-text field provided by you)
  • Completed workout sessions, exercises performed, and duration
  • Daily step count via pedometer (device motion sensor)
  • Nutritional records: food descriptions, calorie and macro estimates, analysis history
  • Daily habits created by you and completion logs

2.3 Location Data (GPS)

When you start a workout with GPS tracking (running, walking, cycling, etc.), we collect real-time geographic coordinates to calculate distance, pace (min/km), and elapsed time. Location data is used exclusively during the active workout session and is not shared with third parties for advertising purposes.

2.4 Camera and Photo Library Data

Se Mexa requests access to your camera and photo library for the following specific purposes:

  • Food photo nutrition analysis: You can photograph or select an image of food so the app can identify the item, estimate the portion size, and calculate nutritional information (calories, protein, carbohydrates, fat, fiber, and sodium). The image is sent to the Google Gemini Vision AI service (Google LLC) for processing. No personally identifiable data (name, email, location) is sent alongside the image. Example: you photograph your lunch plate and the app returns estimated macronutrients.
  • Profile photo: You can take a photo or choose an image from your gallery to personalize your app profile.
  • Community posts: You can share photos in public posts in the app's community area.

Camera and photo library access is always requested via an explicit permission prompt by the operating system before first use. You can revoke these permissions at any time in your device's Settings app.

2.5 Social Data

  • Text, photo, and achievement posts shared in the app community
  • Comments and likes on other users' posts
  • Direct messages between users (content, sender, recipient, read status)
  • Friends list: friend requests sent, received, accepted, and removed

2.6 Push Notification Token

To send notifications about workout reminders, weight alerts, planned meals, and motivational messages, we collect and store the Expo push notification token for your device. You can disable notifications at any time in the app settings or your device's Settings app.

2.7 Strava Data (optional integration)

If you choose to connect your Strava account to Se Mexa, with your explicit permission we access:

  • Athlete profile (name, profile photo, city, country, gender — as made available by Strava)
  • Activity history (sport type, distance, duration, pace, elevation, heart rate if available)

The Strava access token is securely stored in the device's encrypted storage (Expo SecureStore). You can disconnect Strava at any time from within the app.

2.8 Professional Tracking Data (B2B)

If you are a member of a partner gym, clinic, or wellness studio, the professionals (trainers and nutritionists) linked to your account may record:

  • Physical assessments: Body composition (weight, body fat percentage, muscle mass), body circumferences (chest, waist, hips, arms, thighs, calves), and resting heart rate
  • Medications: Name, dosage, frequency, schedule, and instructions (e.g., "Losartan 50mg, once daily at 8:00 AM")
  • Health conditions: Diagnosed conditions (e.g., hypertension, diabetes), severity, and diagnosis date
  • Professional notes: Trainer or nutritionist observations about your progress, each with a category (general, nutrition, workout). The professional defines whether a note is visible to you.
  • Meal plans: Calorie target, macronutrient distribution, restrictions, and guidelines set by the nutritionist

2.9 Appointment Data

If your partner gym or clinic offers scheduling, we collect appointment and session data including date, time, status (pending, confirmed, completed, canceled), and associated notes.

3. How We Use Your Data

  • Create and manage your account and user profile
  • Generate personalized workout programs based on your goals, activity level, and restrictions
  • Calculate and display health metrics (BMI, weight progress, calories)
  • Provide nutritional analysis of food via camera and text
  • Generate personalized weekly meal plans based on your preferences and goals
  • Offer AI-generated habit suggestions, weekly and quarterly goals
  • Track and display your daily step progress, workouts, and habits
  • Display your performance in the global activity ranking
  • Send reminder and motivational notifications (only with your permission)
  • Enable social interactions in the app community (posts, likes, comments, friendships)
  • Integrate activity data from Strava (only if you connect your account)
  • Continuously improve the app based on aggregated, anonymized usage patterns

4. AI and Third-Party Services

Se Mexa uses external Artificial Intelligence services to deliver advanced features. Below we detail each service, the data sent, and the purpose:

4.1 Google Gemini Vision AI — Food Photo Analysis

When used: When you use the "Analyze Photo" feature in the Nutrition tab.

Data sent: The photographic image of the food you captured or selected from your gallery. No personally identifiable data (name, email, location) is sent alongside the image.

Processor: Google LLC, via the Gemini Vision API.

Purpose: Identify the food in the image, estimate the portion size, and calculate nutritional information (calories, protein, carbohydrates, fat, fiber, and sodium).

Google's Privacy Policy: https://policies.google.com/privacy

Your consent: The app requests your explicit permission before sending any image for AI analysis on the first use of this feature.

4.2 Backend AI Service — Personalized Recommendations

When used: To generate workout programs, weekly meal plans, habit suggestions, weekly/quarterly goals, and the Smart Tracking widget.

Data sent to backend: Your profile data (goals, activity level, preferences, restrictions, gender, age, weight, height). No images, real-time location, or directly identifying information is sent for these features.

Processor: Our own servers (StartFlow), which use AI models to generate recommendations.

Purpose: Personalize health and fitness recommendations according to your individual goals.

4.3 Strava — Optional Integration

We use the Strava public API exclusively when you voluntarily authorize the integration. See Strava's Privacy Policy at https://www.strava.com/legal/privacy.

4.4 Expo Push Notifications

Your device's push token is sent to Expo's (Expo Inc.) notification infrastructure exclusively to deliver the alerts and reminders you authorize. Expo's privacy policy: https://expo.dev/privacy.

4.5 MuscleWiki — Exercise Database

We use MuscleWiki's exercise video and instruction library to display video demonstrations. No personal data of yours is shared with MuscleWiki.

5. Business Model and Subscription

Se Mexa offers a freemium model with three plans:

  • Free: Access to basic workout and health monitoring features, at no cost.
  • Start: Access to nutrition, community, directed workout programs, and full history.
  • Pro: Full access to all features, including custom workout builder, AI camera-based food analysis, AI smart tracking, quarterly goals, and priority support.

Subscriptions are managed outside the app, via the website (semexa.app) or a gym partner. The app does not process payments directly and does not use Apple In-App Purchase.

Gym partners (B2B) may make plans available to their members, which include workout programs and meal plans created by the gym's health professionals.

6. Device Permissions

The following permissions may be requested by the app:

  • Camera: To photograph food for AI nutritional analysis, take a profile photo, and capture photos for community posts. Example: "Take a photo of your plate so the AI can calculate calories and macronutrients."
  • Photo Library: To select images from your gallery for the same purposes described above.
  • Location (GPS): To track routes, distance, and pace during outdoor activities such as running, walking, and cycling.
  • Motion Sensor (Pedometer): To count your daily steps using the device's accelerometer/motion sensor.
  • Push Notifications: To send workout reminders, weight alerts, meal reminders, and motivational messages.

All permissions are requested by the operating system before first use. You can manage them in your iPhone/iPad Settings at any time.

7. Data Sharing

We do not sell your personal data. We share data only in the following situations:

  • With AI services: As detailed in Section 4 (Google Gemini Vision for food photos; backend AI for personalized recommendations).
  • With Strava: Only if you voluntarily connect your account.
  • With gym partners (B2B): If you are a gym partner member and activate your account via CPF, your enrollment and progress may be visible to the gym manager.
  • For legal compliance: In response to court orders or orders from competent authorities.
  • In case of business transfer: In a merger, acquisition, or company sale, provided the acquirer agrees to comply with this Policy.

8. Data Retention

We retain your data while your account is active. When you delete your account:

  • Your personal data, health history, workouts, and nutritional records are deleted from our servers within 30 days.
  • Community posts may be anonymized.
  • Backup data may be retained for up to 90 days for operational security reasons, after which it is permanently deleted.

9. Data Security

  • All communications between the app and our servers use HTTPS (TLS).
  • Passwords are stored as bcrypt hashes, not in plain text.
  • Access tokens for external services (Strava) are stored in Expo SecureStore (native encrypted device storage).
  • Database access is restricted to authorized personnel only.

In the event of a security incident affecting your data, you will be notified as required by applicable law.

10. Your Rights

As a data subject, you have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of incomplete, inaccurate, or outdated data.
  • Deletion: Request deletion of your data, except where retention is required by law.
  • Portability: Request transfer of your data to another service provider.
  • Objection: Object to processing carried out based on legitimate interest.
  • Consent withdrawal: Withdraw previously given consent at any time, without prejudice to prior processing.
  • Information: Obtain information about who we share your data with.

To exercise any of these rights, contact us at sstartflow@gmail.com. We will respond within 15 business days.

California residents (CCPA): You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of personal data (we do not sell personal data).

EU/EEA residents (GDPR): You have the right to lodge a complaint with your local supervisory authority.

11. International Data Transfers

Data processed by the Google Gemini Vision API and Expo infrastructure may be processed on servers located outside Brazil. We ensure that these partners implement security safeguards compatible with international data protection standards.

12. Children's Privacy

Se Mexa is intended for users 16 years of age or older. We do not knowingly collect data from persons under 16. If we identify an account created by someone under 16 without lawful guardian consent, we will immediately delete the account and associated data. If you are a parent or guardian and have identified such an account, please contact us at sstartflow@gmail.com.

13. Changes to This Policy

We may update this Privacy Policy periodically. For material changes, we will notify you in the app or by email at least 15 days before the changes take effect. Continuing to use the app after the notification period constitutes acceptance of the changes.

14. Contact Us

For questions, data rights requests, or complaints related to the processing of your personal data: