Privacy Policy

Last updated: April 20, 2026

This Privacy Policy explains what personal data Roadmap Project collects, why we collect it, how we use and share it, and your rights and choices. By using the Service you confirm that you have read and understood this Policy.

Data Fiduciary / Controller: Roadmap Project is operated by Absalom Maxy, an independent individual based in India (“we,” “us,” or “our”). Absalom Maxy is the Data Fiduciary under the Digital Personal Data Protection Act 2023 and the Data Controller under the EU and UK GDPR, and is accountable for the processing of personal data described in this Policy.

1. Data We Collect

  • Account data: email address, display name, login provider (email/password or Google OAuth).
  • Fitness inputs: height, weight, age, gender, workout frequency, and a written goal description. These are considered sensitive health-related data.
  • Photos: your current body photo (optional) and goal reference photo (optional) for plan generation, plus progress check-in photos uploaded during your subscription. These are sensitive personal data.
  • Behavioural / analytics data: pages visited, actions taken (e.g. “plan generated,” “checkout clicked”), session identifier, URL path, approximate timestamps, browser user agent, and referrer URL. This data is collected through our own first-party analytics system and through Vercel Web Analytics, a privacy-friendly, cookieless analytics service (see Section 10). We do not use third-party advertising or cross-site tracking cookies.
  • Consent records: when you consent to data processing during onboarding, we record the consent scope, timestamp, and your IP address for compliance purposes.
  • Payment metadata: subscription status, plan type, and transaction identifiers provided by our payment processor. We never store your full card number or bank details — these are handled entirely by Dodo Payments.

2. Why We Use Your Data

  • Generate and iteratively update your personalised fitness and nutrition plan.
  • Analyse your progress photos and text updates during weekly check-ins.
  • Display your progress, milestones, and optional leaderboard participation.
  • Send workout reminders and check-in alerts by email (where you have enabled notifications).
  • Process your subscription payments and manage billing.
  • Secure the Service, prevent abuse, and meet legal obligations.
  • Understand how the product is used to improve reliability and features.
  • Record and maintain evidence of your explicit consents.

3. Legal Basis for Processing

We process personal data on the following grounds:

  • Contract: processing necessary to deliver the Service you signed up for (account management, plan generation, billing).
  • Explicit consent: for sensitive data — body photos, health metrics, and AI processing of that data. You provide this consent during onboarding. You can withdraw it at any time by contacting us or deleting your account. If you withdraw consent for sensitive data processing, we will delete that data; because the Service depends on this data, withdrawing consent means the Service will no longer be available to you.
  • Legitimate interests: first-party analytics and product improvement, security and fraud prevention.
  • Legal obligation: retaining payment records as required by tax and financial regulations.

For users in the EEA or UK, the above bases apply under the GDPR and UK GDPR respectively. For users in India, we process data in accordance with the Digital Personal Data Protection Act 2023 (DPDP Act) and the Information Technology Act 2000.

4. Sensitive and Health-Related Data

Body photos, fitness metrics, and health-related goal descriptions are sensitive personal data under regulations including GDPR, India's DPDP Act, and US state health data laws. We collect this data only with your separate, explicit consent given during onboarding. We use it solely to generate your plan and track your progress. We do not sell, share for advertising, or use this data to train AI models. You can withdraw consent and request deletion at any time by deleting your account from Settings or contacting us.

5. AI Processing

Your fitness inputs and uploaded photos are transmitted to Groq, Inc. (our AI inference provider) to generate your personalised plan and analyse check-in progress. Groq processes this data under its published Privacy Policy and standard API Terms, which state that API inputs are not used to train their models and are not retained beyond the duration of the inference request. We rely on these published processor commitments rather than a bespoke Data Processing Agreement, and we will update our integrations if these commitments change. AI-generated outputs — your personalised plan and check-in analyses — are stored in our database so you can access them from the dashboard, and are deleted when you delete your account.

In accordance with the EU AI Act, we inform you that plan generation and progress analysis are performed by AI systems. Outputs may be inaccurate or incomplete; you remain responsible for how you act on them, and should consult a qualified professional before relying on any recommendation.

6. Third-Party Processors

We do not sell personal data. We share data only with the following trusted processors, strictly for the purposes listed:

  • Vercel (United States) — hosting and deployment of the application.
  • Supabase (United States) — database, authentication, and file storage.
  • Groq / Llama (United States) — AI inference for plan generation and progress analysis.
  • Dodo Payments — payment processing and subscription management (Merchant of Record).
  • Resend (United States) — transactional email delivery for notifications and reminders.
  • Sentry (United States) — application error monitoring and performance diagnostics. Error reports may include request metadata and a small fraction of session replays on errors; we do not send body photos or payment details to Sentry.

We also share data where required by applicable law or a valid legal process.

7. Body Photos and Biometric Data

Your body photos are used solely for AI-powered body analysis and plan generation. The AI processes visual characteristics of your body (such as posture, apparent composition, and general proportions) to produce text-based fitness assessments. We do not create, store, or use biometric templates for identity verification, and we do not extract persistent biometric identifiers such as facial geometry, fingerprints, or retinal patterns. Depending on jurisdiction this visual processing may still be classified as processing of physical characteristics; we treat such data as sensitive personal data and handle it only with your explicit consent and solely for the purposes described in this Policy. Photos are stored securely in our database while your account is active and are permanently deleted when you delete your account. We do not sell, lease, or share your photos with any party other than our AI inference provider (Groq) for the sole purpose of generating your plan.

8. Consumer Health Data (US Users)

For users in Washington State, the fitness and health-related data we collect (height, weight, body photos, fitness goals, AI-generated body analysis) is considered consumer health data under the Washington My Health My Data Act. For users in California, this data may be sensitive personal information under the CCPA/CPRA. In both cases: we collect this data only with your explicit consent; we do not sell it; we share it only with the processors listed above for service delivery; and you may withdraw consent and request deletion at any time. To exercise your rights, delete your account from Settings or contact us at the address below.

9. Data Retention and Deletion

We retain personal data for as long as your account is active or as needed to provide the Service, comply with legal obligations, or resolve disputes. When you delete your account from Settings, all personal data — including your profile, fitness inputs, uploaded photos, generated plans, and consent records — is permanently and irreversibly deleted from our systems. Usage analytics events are stored pseudonymously — with a random session identifier rather than your name, email, or account ID — and we treat this data as personal data under GDPR and the DPDP Act. When you delete your account, analytics events linked to your session identifiers are deleted or irreversibly aggregated so they can no longer be associated with you. Payment transaction records (amount, date, subscription ID) may be retained for up to 7 years as required by applicable tax and financial regulations, but these records contain no health or biometric data.

10. Analytics

We operate our own first-party analytics system that records product usage events (e.g. page views, button clicks, onboarding steps) along with a random session identifier, page path, browser user agent, and referrer URL. This data is pseudonymous and we treat it as personal data; it is stored in our database and used solely to understand how the product is used and to improve it. We do not use advertising trackers or sell this data.

We also use Vercel Web Analytics, a privacy-friendly, cookieless analytics service provided by Vercel Inc. It collects aggregate, anonymised traffic metrics (page views, referrers, country, device type, browser) without setting cookies or storing personally identifiable information. It does not track users across sites and is not used for advertising. See Vercel’s privacy notice at vercel.com/legal/privacy-policy.

11. Cookies and Authentication

We use essential cookies and local storage for authentication and session management (via Supabase Auth). These are strictly necessary for the Service to function and cannot be disabled. We do not use cookies for advertising or cross-site tracking.

12. International Data Transfers

Our third-party service providers (Vercel, Supabase, Groq, Resend, Sentry) are primarily based in the United States. Data you provide may be transferred to and processed there. Each of these providers maintains Standard Contractual Clauses (SCCs) or participates in the EU-US Data Privacy Framework, providing a lawful transfer mechanism for users in the EEA and UK. We select only providers that maintain appropriate technical and organisational safeguards.

For users in India: if the Central Government restricts transfers of personal data to any country where our processors operate (under Section 16 of the DPDP Act 2023 or any successor rules), we will update our processing arrangements to comply, including by relocating affected data to a permitted jurisdiction or ceasing the restricted transfer.

13. Children

The Service is not directed at anyone under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have inadvertently collected data from a user under 18, we will delete it promptly. If you believe a minor has created an account, please contact us.

14. Your Rights

  • Access: request a copy of the personal data we hold about you.
  • Correction: correct inaccurate or incomplete data via Account Settings.
  • Deletion: delete your account and all associated data from Account Settings.
  • Export / Portability: download a copy of your personal data (profile, fitness plan, onboarding inputs, consent records) directly from Account Settings → “Download My Data.” Body photos can be requested by email and we will respond within 30 days.
  • Withdraw consent: withdraw consent for sensitive data processing at any time by deleting your account.
  • Opt out of communications: disable email notifications from Account Settings.
  • EEA / UK users (GDPR): right to object to processing based on legitimate interests, right to restriction, and right to lodge a complaint with your local supervisory authority.
  • India users (DPDP Act): right to information about processing, right to correction and erasure, right to grievance redressal, and the right under Section 14 of the DPDP Act 2023 to nominate another individual to exercise your rights on your behalf in the event of your death or incapacity. To nominate, contact us with the nominee’s full name and contact details.
  • Consent Manager (DPDP Act): where Consent Managers are registered and operational under the DPDP Act and its implementing Rules, you may give, manage, review, or withdraw consent through a registered Consent Manager. Until such Consent Managers are available, you can exercise these rights directly through Account Settings or by contacting us.
  • US users: rights under applicable state privacy laws including CCPA/CPRA (California) and the Washington My Health My Data Act.

To exercise any right not available through Account Settings, contact us at the address below. We will respond within 30 days.

15. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service at least 14 days before the changes take effect.

16. Grievance Officer (India DPDP Act)

In accordance with Section 10 of the Digital Personal Data Protection Act 2023 and Rule 3(11) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, the designated Grievance Officer is:

Name: Absalom Maxy
Role: Grievance Officer, Roadmap Project
Email: hello@growthresearchlab.com

The Grievance Officer will acknowledge complaints within 48 hours and aim to resolve them within 30 days of receipt, as required under applicable law.

17. Contact

Roadmap Project is operated as an independent individual project by Absalom Maxy from India. For any questions, requests, or complaints about this Privacy Policy or our data practices, including under India's DPDP Act or IT Act 2000, please contact us:

Email: hello@growthresearchlab.com