This Privacy Policy explains how Black Iron Nutrition LLC ("Black Iron Nutrition", "we", "us", or "our") collects, uses, stores, and shares information when you use our coaching service through the website at tools.blackironnutrition.com and the Black Iron Nutrition mobile application (collectively, the "Service").
By creating an account or using the Service, you agree to the practices described here. If you don't agree, please don't use the Service.
1. Information we collect
Account information
- Name (first and last)
- Email address
- Phone number (optional)
- Time zone
- Password (stored as a one-way hash; we cannot read your password)
- Profile photo (optional)
Coaching and health information
- Intake form responses (goals, training history, dietary preferences, medical considerations you choose to share)
- Weekly check-in responses, comments, and questions
- Body measurements (weight, body fat, circumferences)
- Daily macronutrient entries (calories, protein, carbs, fat, fiber)
- Habit completion data
- Progress photos (front, side, back, signup photos)
- Meal photos
- Messages exchanged with your coach
- Coach notes about your coaching relationship
Wearable and third-party app data
If you connect a wearable device or nutrition-tracking app (Garmin, Oura, Fitbit, Whoop, Coros, Polar, Suunto, Withings, MyFitnessPal, Cronometer, MacrosFirst, etc.), we receive the following from that integration:
- Daily activity (steps, distance, calories burned, active minutes)
- Sleep (duration, stages, efficiency, score)
- Heart rate and heart rate variability
- Body composition (weight, body fat where available)
- Individual workouts (type, duration, distance, calories)
- Nutrition entries from connected food-tracking apps
We only receive data for the categories the integration supports and that you authorize.
Apple HealthKit (iOS only)
Our iOS app may read health and fitness data from Apple HealthKit if you grant permission. Categories may include: workouts, active energy, steps, distance, sleep analysis, body mass, body fat percentage, heart rate, heart rate variability, and dietary data (calories, macronutrients).
Per Apple's HealthKit policy:
- We do not sell HealthKit data to advertising platforms, data brokers, or information resellers.
- We do not use HealthKit data for advertising or similar use-based data mining purposes.
- We do not disclose HealthKit data to third parties without your explicit consent, except as necessary to provide the coaching service to you.
- We do not access HealthKit data for any purpose other than providing your coaching experience (sharing data with your coach for review and storing it as part of your check-in history).
You can revoke HealthKit access at any time in iOS Settings → Privacy & Security → Health → Black Iron Nutrition.
Mobile app permissions
The mobile app may request the following permissions:
- Camera — to take progress, meal, or profile photos.
- Photo library — to choose existing progress, meal, or profile photos.
- Health (HealthKit, iOS) — to sync nutrition, activity, sleep, and body measurements (see above).
- Notifications — to send check-in, message, and habit reminders. Opt-out available in account settings.
All permissions are optional; the app works (with reduced functionality) if you decline any of them.
Payment information
Subscription billing is handled by Stripe. We do not store full credit card numbers on our servers. We do retain:
- Your Stripe customer ID and subscription ID
- Subscription status (active, paused, cancelled, etc.)
- Last payment date and paid-through date
- The last four digits and expiration date of your payment method (provided by Stripe)
Usage and technical information
- Login session cookies (web) and bearer tokens (mobile) used to authenticate you
- Server-side request logs (IP address, user agent, timestamp) retained for operational debugging
- Email delivery logs (which transactional emails we sent and when)
- Push notification delivery tokens (mobile only, used to send notifications)
We do not use third-party analytics, advertising, or tracking SDKs. We do not sell your data.
2. Not a HIPAA-covered entity
Black Iron Nutrition is a coaching service, not a healthcare provider, health plan, or healthcare clearinghouse. We are not a "covered entity" or "business associate" under the U.S. Health Insurance Portability and Accountability Act (HIPAA). The health and fitness information you share with us is not Protected Health Information (PHI) and is not covered by HIPAA.
We treat the health and fitness information you share as sensitive personal data and protect it with the security and disclosure practices described in this policy.
3. How we use your information
- Provide the coaching service: deliver check-ins, store progress photos and measurements, route messages between you and your coach, generate AI-assisted check-in summaries for your coach to review.
- Bill you for subscriptions (via Stripe) and send billing-related emails (upcoming payment, payment failed, cancellation confirmations).
- Send transactional emails relevant to your coaching (intake-form receipts, check-in reminders, coach response notifications, message reminders).
- Send push notifications for daily habits and messages (mobile app only; opt-out available in your account settings).
- Operate, secure, and improve the Service (debugging, abuse prevention, analytics on aggregated usage trends — never tied back to individual identity).
- Comply with legal obligations.
4. How we share your information
We share data with the following service providers strictly to operate the Service:
- Stripe — payment processing. See the Stripe Privacy Policy.
- Terra — wearable and nutrition-app data integration. See the Terra Privacy Policy.
- Cloudflare — image storage (R2) for photos you upload. See the Cloudflare Privacy Policy.
- Anthropic — AI provider used to generate coach-facing check-in briefings. When you submit a check-in, we send your check-in responses, body measurements, daily macro entries, recent coach/client messages, and your first name to Anthropic's API for summarization. We do not send your email, photos, or last name. Anthropic processes the data per their API terms and does not train on it. See the Anthropic Privacy Policy.
- Railway / PythonAnywhere — hosting providers for the Service.
- Email service provider (transactional) — delivers account and coaching emails.
- Expo — push notification delivery service for the mobile app. See the Expo Privacy Policy.
- Apple App Store / Google Play Store — when you download the mobile app, the platform may collect data per its own privacy policy (device identifiers, crash reports, install/uninstall events). We don't control or have visibility into that data. See Apple Privacy Policy and Google Privacy Policy.
Inside Black Iron Nutrition, your data is accessible to:
- Your assigned coach, who uses it to deliver coaching
- Owner/administrative staff for support, billing, and account-management purposes
We may disclose information when required by law, in response to valid legal process, or to protect rights, property, or safety. We do not sell or rent personal information to third parties.
5. Children
The Service is intended for users 18 years of age and older. We do not knowingly collect information from anyone under 18. If we learn that we have collected information from a person under 18, we will delete it.
6. Cookies and similar technologies
On the website, we use a small number of strictly-necessary technologies to keep you logged in and secure:
- Session cookies — signed by our server, used to identify your account on each request. They expire when you log out or after a period of inactivity.
- CSRF tokens — protect against cross-site request forgery on form submissions.
On the mobile app, we use bearer tokens (stored securely in iOS Keychain / Android Keystore) for authentication, plus an Expo push-notification token (if you grant notification permission).
We do not use third-party advertising cookies, cross-site trackers, fingerprinting libraries, or "Like"/"Share" buttons that report back to social networks. We honor "Do Not Track" (DNT) browser signals — although since we don't track in the first place, the practical effect is the same either way.
7. Data retention
We retain your account, coaching, and health information for as long as your account is active. After cancellation, your data is preserved so you can resume coaching with your prior history intact. You may request deletion at any time (see Section 9).
When you request deletion, we will permanently remove your account, photos (from R2 storage), and dependent records (check-ins, measurements, messages, Terra data, etc.) within 30 days. Some information may be retained for longer where required by law (e.g., financial records for tax purposes) or in anonymized backup snapshots that age out automatically.
Server logs and email delivery logs are retained for up to 12 months. Push notification tokens are retained while your mobile session is active and rotated when you log out.
8. Security
- Passwords are stored as bcrypt hashes; we cannot read them.
- Data in transit is encrypted via HTTPS/TLS.
- Photos are stored in private buckets accessible only via signed URLs from authenticated sessions.
- Database backups are protected by the same access controls as the live database.
No system is perfectly secure. We will notify affected users in accordance with applicable law if we learn of a breach affecting their personal information.
9. Your rights
You can:
- Access and update your profile information through your account settings.
- Update your notification preferences (email + push) in account settings.
- Cancel your subscription at any time. After your paid period ends, your account will be deactivated automatically; data is preserved unless you request deletion.
- Request a copy of your data (data export) in a portable, machine-readable format by emailing the address in Section 13. We will provide it within 30 days at no cost.
- Request deletion of your account and data by emailing the address in Section 13, or — if you're using the mobile app — using the in-app account deletion option in Account Settings. We will permanently delete your account within 30 days and confirm completion.
- Disconnect any wearable or nutrition-app integration at any time from the account settings page; we stop receiving new data immediately, and existing synced data is removed if you also request deletion.
- Revoke Apple HealthKit access in iOS Settings → Privacy & Security → Health.
- Lodge a complaint with a supervisory authority in your country if you believe we've violated your privacy rights.
10. International users
The Service is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the U.S. and other countries where our service providers operate. By using the Service you consent to that transfer.
11. California, Virginia, and other state privacy rights
Residents of certain U.S. states (including California, Virginia, Colorado, Connecticut, and Utah) have specific rights regarding their personal information:
- Right to know / access what personal information we have collected and processed about you
- Right to correct inaccurate personal information
- Right to delete your personal information (subject to legal exceptions)
- Right to data portability — receive a copy in a machine-readable format
- Right to opt out of sale or sharing for targeted advertising
- Right to limit use of sensitive personal information (CA only)
- Right to non-discrimination for exercising any of these rights
We do not sell or share personal information for targeted advertising, and we do not use sensitive personal information beyond providing you the coaching service. We treat health and fitness data, payment information, and account credentials as sensitive personal data.
To exercise any of these rights, contact us using Section 13. We may need to verify your identity before fulfilling the request. We will respond within the timeframes required by your state's law (typically 30-45 days). You can designate an authorized agent to make a request on your behalf, subject to verification.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated to active clients by email.
13. Contact