Health Data Policy
1. Who we are
Zero to Hero Coaching ("we", "us") provides fitness, nutrition, and lifestyle coaching. We are not a medical provider, we do not diagnose or treat any condition, and nothing in our app constitutes medical advice. Any health concern must be evaluated by a licensed physician.
2. What health data we collect
If you choose to use our Health Markers feature, we store:
- Lab report files you upload (PDFs, images)
- Structured biomarker values you or your coach enter (e.g. cholesterol, A1C, testosterone, vitamin D)
- Body composition and vitals (body fat %, resting heart rate, blood pressure)
- Source lab and draw date, where you supply them
Use of this feature is entirely optional. You can use the rest of the platform without ever uploading health data.
3. HIPAA
Because we are not a covered entity or business associate under HIPAA, the federal HIPAA rule does not apply to most of our processing. We voluntarily apply HIPAA-style controls — encryption, access logging, least-privilege access, and the right to delete — to protect this data as if it were regulated.
4. State and international law
We comply with applicable state health-data laws including California (CMIA, CCPA), Washington (My Health My Data Act), New York (SHIELD), and Texas (HB300). If you are an EU/UK resident, your data is processed under your explicit consent for the purpose of receiving coaching services (GDPR Art. 9(2)(a)).
5. Who can see your health data
- You — always, in full.
- Your assigned coach — only for the duration of your coaching relationship.
- Our infrastructure providers (Supabase, Cloudflare) — the data they hold is encrypted at rest; they cannot read it in plaintext at our level of access.
- No one else. We do not sell, rent, or trade health data. We do not share it with insurers, employers, advertisers, or data brokers.
6. Third-party AI
We do not send your lab files or biomarker values to third-party AI providers for analysis without your explicit, per-use consent. If we ever add an AI lab-interpretation feature, it will require a separate opt-in per upload.
7. Security
All health data is encrypted at rest and in transit. Lab files live in a private storage bucket gated by row-level security policies. Every coach view, edit, download, or deletion of health data is recorded in an audit log you can request.
8. Your rights
- Delete: One-button deletion of all health data from your Health Markers page.
- Access: Download anything you've uploaded at any time.
- Audit log: Request a copy of who accessed your data and when.
- Withdraw consent: Revoke your acknowledgment at any time, which also deletes your data.
- Portability: Email hello@zeroherocoaching.com for a machine-readable export.
9. Retention
Health data is retained while your coaching relationship is active and for up to 12 months afterward, then deleted automatically unless you ask us to delete it sooner.
10. Contact
Questions about this policy or your health data: hello@zeroherocoaching.com.