DexaFit Privacy Policy
Last Modified: May 29, 2026
1. Introduction
Welcome to DexaFit. We, DexaFit, Inc., together with our subsidiaries and affiliates (collectively, "DexaFit," "we," "us," or "our"), prioritize your privacy and are committed to protecting your personal information. This Privacy Policy explains our practices regarding the collection, use, protection, and disclosure of personal information across our website (dexafit.com), our mobile applications (including the DexaFit AI and Operator apps), our digital and custom reports, our social media pages, interactive features, and other services that link to this Privacy Policy (collectively, the "Platforms").
How DexaFit Works (Please Read). DexaFit, Inc. operates the DexaFit brand and the DexaFit software platform. The in-person wellness services promoted on our Platforms—such as DEXA body composition scans, VO2 Max testing, and RMR assessments—are provided by independently owned and operated businesses that license the DexaFit trademark and software ("Licensed Operators"). DexaFit is not a franchisor and Licensed Operators are not franchisees. Our role is limited to (i) licensing the DexaFit brand and (ii) providing the software platform that processes your data and presents your results and reports. Section 2 explains this relationship and what it means for your data and for any issues arising at a Licensed Operator location.
General Wellness Disclaimer. DexaFit is a general wellness product intended to support your overall health and wellness. It is not designed or intended to diagnose, treat, cure, mitigate, or prevent any disease or medical condition. Our reports, scores, and insights are meant to enhance your well-being and provide helpful, educational information—they are not medical advice and are not a substitute for care from a qualified healthcare provider. DexaFit's general wellness products are intended to be consistent with applicable FDA guidance for general wellness/low-risk products. Always consult your physician before making decisions about your health, fitness, nutrition, or exercise.
EMERGENCY NOTICE: IF YOU ARE EXPERIENCING A MEDICAL EMERGENCY, DIAL "911" IMMEDIATELY. Our Platforms are not for medical emergencies or urgent situations.
Key Definitions
"Personal Information" means any data that can directly or indirectly identify you, such as your name, email address, phone number, and wellness-related information.
"De-Identified Information" means information that has been processed so that it can no longer reasonably be linked back to you, and which we maintain and use only as De-Identified Information (see Section 5).
"Consumer Health Data" means personal information that identifies your past, present, or future physical or mental health status, as defined under applicable consumer-health-privacy laws (e.g., Washington and Nevada). This includes body composition, bone density, metabolic, and fitness assessment data.
"Licensed Operator" means an independently owned and operated business that licenses the DexaFit trademark and/or software to provide wellness services.
Geographic Scope
Our Platforms are operated from the United States and are also made available to users in regions where DexaFit or its Licensed Operators offer services. If you access our Platforms from outside the United States, your information may be transferred to, processed, and stored in the U.S. and other countries where privacy laws may differ from those in your country. Where required, we rely on appropriate legal transfer mechanisms (see Sections 11 and 12). By using our Platforms, you acknowledge this Privacy Policy; where consent is the applicable legal basis, we obtain it as required by law.
We encourage you to read this Privacy Policy carefully to understand our practices and your rights.
2. Our Relationship with Independent Licensed Operators
This is important to how your data is handled and who is responsible for what.
What DexaFit does. DexaFit (a) licenses the DexaFit trademark and brand and (b) provides the software platform, applications, analytics, and reporting that process the data collected at Licensed Operator locations and present it back to you through our apps and reports. In handling your data for these purposes, DexaFit acts as a technology and data-processing provider.
What Licensed Operators do. Licensed Operators are independent businesses—clinics, wellness centers, gyms, and similar establishments—that are not owned, operated, managed, staffed, controlled, or supervised by DexaFit or any of its subsidiaries or affiliates. Licensed Operators are solely responsible for their own premises, equipment, personnel, scheduling, clinical and testing procedures, on-site conduct, safety, pricing, regulatory compliance, and their own privacy and data-handling practices.
Allocation of responsibility. DexaFit's licensing of its brand and provision of software does not make DexaFit responsible for the acts, omissions, services, equipment, or premises of any Licensed Operator. In the same way that a scheduling, hosting, or software vendor that stores a business's data is not responsible for what physically happens on that business's premises, DexaFit's role as a brand licensor and software/data provider does not extend to the in-person services you receive. Any issue, claim, or dispute relating to services performed, equipment used, or conduct occurring at a Licensed Operator location must be addressed directly with that independent Licensed Operator.
Data sharing with Licensed Operators. To deliver the service you request, data flows between you, the Licensed Operator that serves you, and the DexaFit platform. We share information with the relevant Licensed Operator as necessary to facilitate your assessments and results, and Licensed Operators share assessment data with us so we can generate your reports and app experience. Each Licensed Operator is responsible for its own use of your information; where applicable law requires, these data flows are governed by contractual data-protection terms.
3. Information We Collect
We collect the following categories of information to provide and improve our services:
Personal Identifiers. Name, email address, postal address, phone number, and account credentials—for account creation, communication, and providing the services you request.
Wellness and Health Information (Consumer Health Data). Body composition data, bone density evaluations, fitness and VO2 Max results, RMR and metabolic assessments, wellness histories, and related information collected at Licensed Operator locations or entered by you. This data enables us to generate your reports and provide personalized insights. This information is not, and is not intended to be, an Electronic Health Record (EHR), Electronic Medical Record (EMR), or a medical record, and our general wellness services are generally not subject to HIPAA (see Section 13).
Demographic and Lifestyle Information. Age, sex, ethnicity, lifestyle choices, and similar information used to personalize your experience and improve our models and services.
Third-Party Wellness Integrations. If you choose to connect services such as Apple Health, Google Fit, or other wellness platforms, we receive the data you authorize to give us a broader picture of your activity and wellness. See Section 4 for the strict limits on how this connected-health data may be used.
Usage and Technical Data. Collected automatically through cookies and similar technologies (see Section 6), including device information (type, OS, browser), IP address and approximate location, usage patterns and preferences, and Platform interaction data. Our mobile apps may also send push notifications (which you can disable in your device settings).
Communication Data. Records of your communications with us, including support requests, feedback, survey responses, and marketing interaction history.
4. How We Use Your Information
We use the information we collect to provide, improve, and personalize our services.
Service Provision and Account Management. Deliver services and manage your account; process transactions and billing; provide customer support; authenticate your identity and secure your account; and facilitate appointments and coordination with the Licensed Operator that serves you.
Communications. Send service updates, account notifications, and policy changes; respond to inquiries; and—where you have provided your contact details and any required consent—send marketing communications, surveys, and invitations to participate in research studies by email or SMS/text. Message and data rates may apply to text messages; you can opt out of marketing emails via the unsubscribe link and opt out of texts by replying STOP. See Section 8 for all opt-out options.
Personalization and Product Improvement. Customize content and features; analyze usage to improve our services and user experience; develop new features and offerings; and conduct research and analytics to enhance quality and Platform performance. We use your data to improve our products and services.
Marketing Analytics. We use your information—including, where used for marketing campaigns, De-Identified Information—to perform analytics that measure and improve our own marketing campaigns. We work with a third-party digital marketing team that may process De-Identified Information for our campaigns.
AI and Machine-Learning Models. We use machine-learning and AI techniques to generate wellness insights, composite scores, and predictive models based on your data, and to test and improve experimental features. Where these models produce a meaningful personalized result about you (profiling), you have the rights described in Section 9. We train and improve our models primarily using De-Identified Information.
Connected Health Data — Important Limits. If you connect Apple Health (HealthKit), Google Fit, or a similar service, we use that connected-health data to provide and personalize the wellness features you request. Consistent with Apple and Google platform requirements, data obtained through Apple Health (HealthKit) or Google Fit is never used for advertising or marketing, is never sold, and is never included in any De-Identified dataset that we license to third parties.
Security, Compliance, and Legal. Maintain Platform security and prevent fraud; comply with legal and regulatory obligations; enforce our Terms of Service and protect user safety; and respond to lawful requests and protect rights.
De-Identified Information. We may create and use De-Identified, aggregated, or anonymized information (that cannot reasonably be used to identify you) for product development and model training, research and service enhancement, supporting clinical and academic research, developing future products and technologies, internal analytics and business insights, and statistical and trend analysis. We may also license De-Identified Information commercially (see Section 5). De-Identification Commitment: we maintain such information in De-Identified form, make no attempt to re-identify it, and contractually require recipients to do the same.
5. How We Share Your Information
We do not sell your personal information for money in the traditional sense. We share information only as described below.
Licensed Operators. As described in Section 2, we share information with the independent Licensed Operator that serves you to facilitate your services and results.
Service Providers. We use trusted vendors (e.g., hosting, payment processing, analytics, scheduling, customer support, communications) who process data on our behalf, are bound by confidentiality and data-protection obligations, and may use it only for the purposes we specify.
Wellness Provider Coordination. When you use services involving consultations or telehealth, we may share relevant information with the licensed provider to facilitate your care, consistent with applicable law and your consent.
Marketing and De-Identified Data Sharing.
We may share De-Identified Information with our third-party digital marketing team for analytics and our own marketing campaigns.
We may license De-Identified Information commercially to third parties (e.g., research, analytics, technology, and product development that advances health and wellness knowledge), subject to our De-Identification Commitment in Section 4.
We will not share personal information that identifies you with third parties for their own marketing without your consent, and you may opt out at any time (Section 8).
Research and Analytics Partners. We may share De-Identified or aggregated information with academic institutions, clinical study collaborators, and analytics partners for health and wellness advancement.
Business Operations and Corporate Transactions. We may share information with our subsidiaries and affiliates for internal operations, and in connection with a merger, acquisition, financing, restructuring, or asset sale (subject to applicable law and your rights). We may disclose information to comply with legal obligations, court orders, subpoenas, or government requests, and to protect rights, safety, and security.
Emergency Situations. We may share information when we believe in good faith that disclosure is necessary to protect the vital interests of a person, prevent fraud, or address an urgent safety concern.
"Sale"/"Sharing" Under State Law. Some U.S. state laws define "sale" and "sharing" (including for targeted advertising) broadly. To the extent any of our practices are considered a "sale" or "sharing" under those laws, you have the right to opt out—see Section 8.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to operate and improve our Platforms.
Types. Essential cookies (functionality, security, authentication); performance cookies (usage analytics); functional cookies (preferences and settings); and marketing cookies (relevant content and advertising, used only with consent where required).
Your Controls. You can manage cookies through our cookie banner (accept, deny, or customize) and through your browser settings; disabling some cookies may affect functionality. Where applicable law requires it of us, we honor recognized opt-out preference signals.
Mobile App Tracking (Apple ATT). On iOS, where any feature would track you across other companies' apps or websites for advertising, we request your permission through Apple's App Tracking Transparency (ATT) prompt first. Declining does not reduce the core functionality of the app.
Third-Party Technologies. Third-party analytics and advertising partners may use their own tracking technologies subject to their own privacy policies, which we encourage you to review.
7. Consumer Health Data (Washington, Nevada, and Similar Laws)
Certain states (including Washington under the My Health My Data Act and Nevada under SB 370) provide specific protections for Consumer Health Data. Where these laws apply to you:
We collect Consumer Health Data to provide the wellness services and reports you request, and we obtain your consent to collect and process it as required by law.
We will not share or sell your Consumer Health Data in a way that identifies you without your separate consent or, where required, your valid written authorization.
You may withdraw consent, access your Consumer Health Data, and request its deletion, subject to legal limits.
We do not use geofencing to track you around any health facility for advertising or to send health-related messages.
Residents of these states may have a separate Consumer Health Data Privacy Notice made available through our Platforms; where one is posted, it controls for the data and rights it covers. To exercise these rights, contact us at privacy@dexafit.com.
8. Your Privacy Rights
Depending on where you live, you have some or all of the following rights:
Access and Information. Know what personal information we collect, use, and share; request a copy; and learn the categories of personal information we process.
Correction and Update. Correct inaccurate or outdated information and update your account details and preferences.
Deletion and Portability. Request deletion of your personal information (subject to legal retention and legitimate business needs); request transfer of your data; and close your account.
Consent and Communications.
Withdraw consent for processing based on consent, at any time.
Opt out of marketing emails via the unsubscribe link in any marketing email or in your account settings.
Opt out of marketing texts by replying STOP to any message.
Limit the use of sensitive personal information, including health data, where provided by law.
Opt out of profiling/automated decision-making as described in Section 9.
State-Specific Rights. Residents of U.S. states with comprehensive privacy laws—including California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Minnesota (MCDPA), Maryland (MODPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Delaware (DPDPA), New Hampshire, New Jersey, Tennessee (TIPA), Indiana, Kentucky, Rhode Island, and Nevada—have rights as provided under their respective laws, which may include the rights above, the right to appeal, and (in Minnesota) the right to question the result of profiling and review the data used. Maryland and Washington residents have heightened protections for sensitive and consumer health data, including limits on the sale of sensitive data.
EU/EEA and UK Rights. See Sections 11–13 for GDPR/UK GDPR rights.
How to Exercise Your Rights. Email privacy@dexafit.com with your full name, the email associated with your account, the specific request, and verification information. We will respond within the timeframe required by applicable law (typically 30–45 days) and may request additional verification. You may use an authorized agent where the law allows.
Appeals. If we decline your request, you may appeal by replying to our decision or emailing privacy@dexafit.com with "Privacy Appeal" in the subject line. We will respond within the period required by law (typically 45–60 days). If your appeal is denied, you may contact your state Attorney General.
No Discrimination / Retaliation. We will not discriminate or retaliate against you for exercising your privacy rights, including by denying services, charging different prices, or providing a different quality of service.
9. Automated Processing and Profiling
We use machine-learning models to generate composite wellness scores, insights, and predictions from your data. These outputs are educational wellness information and are not automated decisions that produce legal or similarly significant effects, and they do not replace professional advice. Where applicable law gives you the right to opt out of profiling or to obtain information about, or human review of, automated processing, you may exercise that right by contacting privacy@dexafit.com. Minnesota residents may additionally question the result of profiling and review and correct the data used.
10. Data Security
We implement industry-standard safeguards to protect your personal information:
Technical: encryption in transit and at rest, access controls, secure storage, regular security assessments, and multi-factor authentication where appropriate.
Administrative: employee privacy/security training, confidentiality agreements with staff and vendors, regular policy reviews, and incident-response procedures.
Physical: secure facilities and equipment and controlled access to data environments.
No method of internet transmission or electronic storage is completely secure. Use strong passwords and report suspicious activity. In the event of a data breach affecting your personal information, we will notify affected individuals and regulators as required by applicable law (and within 72 hours of awareness where the GDPR/UK GDPR applies).
11. Data Retention
We retain personal information only as long as necessary for the purposes in this Privacy Policy and to meet legal obligations:
Account Information: for the life of your account and a reasonable period thereafter (typically 3–7 years) for backup, audit, and legal purposes.
Wellness Information: for as long as needed to provide your reports and history and to meet legal and business requirements.
Communication Records: as needed for support, dispute resolution, and legal compliance (typically 3–7 years).
Transaction Data: as needed for contractual, tax, and accounting obligations (typically 7 years).
Marketing Data: until you opt out or for a reasonable business period (typically 3–5 years).
De-Identified Information: may be retained indefinitely for research, analytics, and business purposes.
When retention periods expire or you request deletion, we securely delete or anonymize personal information using industry-standard methods; some data may persist briefly in backups before final deletion, and De-Identified or aggregated data may be retained. We may retain information longer where required for legal, regulatory, or compliance obligations, or for pending litigation, investigations, fraud prevention, or technical reasons.
12. International Users and Data Transfers
DexaFit is headquartered in the United States, and our platform infrastructure is primarily U.S.-based. If you access our services from outside the U.S., your data may be transferred to and processed in the U.S. and other countries. Where we transfer personal data from the EU/EEA, UK, or Switzerland to the U.S. or other countries, we use appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum) and/or certification under an applicable data-transfer framework where available. You may request more information about these safeguards at privacy@dexafit.com.
13. Regulatory Compliance
HIPAA. Our general wellness services are generally not subject to the Health Insurance Portability and Accountability Act (HIPAA), and the wellness data we process is not a medical record. However, where we act as a Business Associate to a covered entity, we comply with HIPAA for that Protected Health Information (PHI) under a Business Associate Agreement (BAA), including appropriate safeguards, minimum-necessary use, individual rights, and breach-notification procedures.
GDPR / UK GDPR (EU/EEA and UK Users). As DexaFit makes services available in Europe, we commit to compliance with the GDPR and UK GDPR, including:
Lawful bases for processing (consent; performance of a contract; legitimate interests; legal obligation; and, for special-category health data, your explicit consent or another applicable Article 9 condition);
Data subject rights: access, rectification, erasure, restriction, portability, objection, and the right not to be subject to certain automated decision-making;
Data protection by design and default and data protection impact assessments for high-risk processing;
Breach notification to the relevant supervisory authority within 72 hours where required;
The right to lodge a complaint with your local supervisory authority.
Where required, we will designate an EU/UK representative and a contact for data-protection inquiries; you can reach our privacy team at privacy@dexafit.com.
U.S. State Privacy Laws. We comply with applicable comprehensive and health-data privacy laws, including those listed in Section 8 and the Washington My Health My Data Act and Nevada SB 370 (Section 7), as applicable. This list is illustrative and not exhaustive; we comply with applicable state privacy laws as they take effect.
Other. We adhere to applicable FDA guidance for general wellness products, FTC guidelines on data security and consumer protection, and relevant professional and industry standards for wellness data.
14. Updates to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or for legal, operational, or regulatory reasons. We will communicate significant changes through our Platforms or by email, and the "Last Modified" date above reflects the latest update. Please review this policy periodically.
15. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, contact our Privacy Officer:
Privacy Department
DexaFit, Inc.
3601 Minnesota Drive, Suite 515
Edina, MN 55435
Email: privacy@dexafit.com
General Support: support@dexafit.com
Billing: billing@dexafit.com
Website: https://dexafit.com
