Privacy Policy
- Notice at collection (summary)
- Who we are
- Information we collect
- How we use information
- When we share information
- Health information
- Children and minors
- How we store and protect information
- How long we keep information
- Your privacy rights
- Communications and opt-out
- Cookies, tracking, and Global Privacy Control
- Automated decision-making
- Accessibility of this policy
- Residents of other U.S. states
- International users
- Changes to this policy
- How to contact us
1. Notice at collection (summary)
This summary is provided at or before the point of collection, as required by Cal. Civ. Code § 1798.100(a) and 11 CCR § 7012:
- Categories collected: Identifiers, customer records, protected classification information, commercial information, internet/network activity, general geolocation, sensitive personal information (health data), and professional/funding information (Adaptive / SDP clients only). See §3 below for detail.
- Purposes: To respond to inquiries, deliver training services, schedule sessions, process payments, comply with legal obligations, and improve safety. See §4 below.
- Retention: Each category is retained only for as long as needed for its purpose, with maximums set out in §9 below.
- Sale or sharing for cross-context behavioural advertising: We do not sell your personal information and we do not share it for cross-context behavioural advertising. There is nothing to opt out of.
- Sensitive personal information: We use sensitive personal information (your health data from the PAR-Q) only for the services you requested and the additional purposes permitted by 11 CCR § 7027(m), and never to infer characteristics about you.
2. Who we are
KinetiqAF is the trade name of James Kennedy & Associates LLC, a California limited liability company (EIN 33-1440054) operating an adaptive fitness and personal training practice in San Diego. The business is a sole-operator practice owned and run by James Kennedy.
We can be reached at:
- Email: james@kinetiqaf.com
- Phone: 442-375-5090
- Address: San Diego, California
We are the data controller for the information we collect about you.
3. Information we collect
We collect only what we need to run our practice and provide training services. The categories below match the categories defined in California Civil Code § 1798.140.
| Category (CCPA §1798.140) | Examples of what we collect | How we collect it |
|---|---|---|
| Identifiers | Name, email address, phone number, postal address, Client Portal account ID | You provide it (contact form, intake form, account signup) |
| Customer records (Cal. Civ. Code §1798.80(e)) | Emergency contact, primary care physician name and phone, signature image, signed agreement copy | You provide it during onboarding or in the Client Portal |
| Protected classification information | Date of birth (used to determine the correct agreement variant for minors). For Adaptive / SDP clients: primary diagnosis or disability classification, if you choose to disclose it. | You provide it during PAR-Q intake |
| Commercial information | Sessions purchased, invoices issued, payment status, training package history | Generated as you use the service |
| Internet or network activity | Login timestamps, IP address (logged with signed agreements for legal-record purposes per UETA §1633.7), browser type for security and debugging | Automatically when you use the Client Portal |
| Geolocation (general) | Service area (San Diego County); the address where you receive in-home training, if applicable | You provide it |
| Sensitive personal information (CPRA §1798.140(ae)) | Health-related information from your PAR-Q (medications, injuries, surgeries, allergies, activity restrictions, sensory sensitivities for adaptive clients) | You provide it during PAR-Q intake |
| Professional / education information | Funding source (SDP, Private Pay, Regional Center), FMS provider name, Service Coordinator name, authorized hours — only for SDP / Regional Center clients | You provide it during PAR-Q intake |
| Inferences | We do not draw or sell inferences about you. We do not profile. | — |
We do not collect:
- Bank account numbers, full credit card numbers, or social security numbers (Stripe handles payment data directly — we never see your card number).
- Biometric identifiers (fingerprints, voiceprints, face geometry).
- Precise GPS location.
- Information about your political affiliations, religious beliefs, or sexual orientation.
- Information from any third-party data broker.
4. How we use information
We use the information we collect only for these purposes:
- To respond to inquiries. When you submit the contact form on KinetiqAF.com, we use your name, email, phone, and message to reply with a consultation invitation or referral.
- To design and deliver training. Your PAR-Q, intake responses, and progress logs let us tailor a safe program to your goals and medical context.
- To schedule and confirm sessions. Calendar reminders, session confirmations, and rescheduling notifications.
- To process payments and issue invoices. For private-pay clients, we generate invoices and accept payment via Stripe. For SDP / FMS-funded clients, we generate the documentation your FMS provider requires for reimbursement.
- To send service-related communications. Account messages, agreement reminders, PAR-Q renewal prompts, schedule updates.
- To comply with legal obligations. Records retention for signed health screenings and service agreements as required by California professional standards and the IRS for business records.
- To improve safety. Reviewing incident notes, special incident reporting for Regional Center / adaptive clients where mandated by 17 CCR § 54327, internal quality review.
We do not use your information for advertising, profiling, automated decision-making, or any purpose unrelated to providing training services.
5. When we share information
We share information only as needed to run the practice. We do not sell information, and we do not share it for cross-context behavioural advertising. Specifically:
| Recipient | What we share | Why |
|---|---|---|
| Supabase (Postgres database + auth, hosted in the U.S.) | All Client Portal data: account, PAR-Q, agreement, sessions, invoices, messages | Service provider — they store and serve our application data |
| Netlify (web hosting + serverless functions, hosted in the U.S.) | Web traffic to KinetiqAF.com and the Client Portal; form submissions before they reach Supabase | Hosting provider |
| Stripe (payments processor) | Your name, email, and invoice amount when you pay for a session package. Card data is collected by Stripe directly — we never see it. | Payment processing |
| OneSignal (push notifications) | Your push-notification token only, if you enable Client Portal push alerts. No PII. | To send schedule and message notifications |
| Google (Google Apps Script for the contact-form auto-reply) | Your name, email, and the service you selected on the contact form — for the single auto-reply email | To send a confirmation email after you submit the contact form |
| Anthropic (for document OCR) | When we file paper documents you give us (PAR-Q, service agreement, doctor's note, etc.), we send the photographed image to Anthropic's API to extract the text and structured fields. We use zero-data-retention mode so Anthropic does not retain the image after the API call returns. The image and the extracted text remain in our Supabase database under our control. | To file paper documents into your client record without manually retyping every field |
| San Diego Regional Center / Financial Management Services (FMS) provider | For SDP / Regional Center clients only: client name, service authorization details, session dates and durations, and signed forms required for reimbursement | To bill your FMS for covered services. You authorize this when you sign your service agreement. |
| Government or law enforcement | Information specifically requested by valid subpoena, court order, or where required by mandated reporting laws (e.g., suspected abuse or neglect involving a vulnerable adult, per Cal. Welf. & Inst. Code §15630) | To comply with applicable law |
| Insurance carrier | Only the minimum information required to process a claim, in the event of an incident at a training session | Insurance administration |
We sign Data Processing Agreements (or equivalent) with our service providers. We do not give them permission to use your information for their own purposes.
6. Health information
We collect health information through the Physical Activity Readiness Questionnaire (PAR-Q) and intake forms because a fitness practice that does not know your medical history cannot keep you safe.
We are not a HIPAA-covered entity — we are a personal training business, not a healthcare provider, and we do not bill insurance for medical services. However, because of the sensitivity of the information, we follow practices similar to HIPAA's:
- Health information is stored only in our Supabase database, encrypted in transit (TLS) and at rest.
- Access is restricted by Row-Level Security to your trainer and the practice owner.
- We do not discuss your health information with anyone outside the practice except as you authorize, as required by law, or as needed to process an emergency.
- You can download your full PAR-Q at any time from the Client Portal (Documents → PAR-Q → Download).
- You can request deletion of your health information at any time, subject to the records-retention requirements in §9 below.
If you are uncomfortable disclosing a particular medical condition, please tell us that you are leaving something out rather than leaving it out silently. We would rather know that a gap exists than believe your PAR-Q is complete when it is not, and we will work with you to design around it.
7. Children and minors
We work with clients of all ages, including minors. When the client is a minor:
- A parent, legal guardian, or authorized representative must complete the PAR-Q and sign the service agreement on the minor's behalf.
- The minor's Client Portal account, if any, is operated by the parent or guardian until the client turns 18.
- We do not knowingly collect personal information directly from any child under 13 without verifiable parental consent (COPPA).
- Parents and guardians can review, request changes to, or delete a minor child's information at any time by contacting us.
8. How we store and protect information
Our security posture:
- Encryption in transit: All connections to KinetiqAF.com and the Client Portal use HTTPS (TLS 1.2+). Our database connections to Supabase use TLS.
- Encryption at rest: Supabase encrypts data at rest with AES-256.
- Access controls: Authentication uses Supabase Auth. Database access is limited by Row-Level Security policies — the trainer only sees their own clients, and clients only see their own data.
- Audit trail: Signed agreements record the signing IP address and a timestamp per California UETA § 1633.7 for legal-record purposes.
- Account security: You are responsible for keeping your Client Portal password confidential. Tell us immediately if you believe your account has been accessed without your permission.
- Backups: Supabase performs automated backups. Backups are encrypted and access-controlled.
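The Row-Level Security claim in §6 and in the access-controls bullet above is a database configuration, so here is what such a setup looks like. This is an added example written for this page, not the practice's actual schema: the table and column names (clients, parq_responses, auth_user_id, trainer_id) are assumed, while auth.uid() and the authenticated role are standard Supabase features. A client can read and submit only their own PAR-Q; a trainer can read only the PAR-Qs of clients assigned to them; nothing grants delete.

```sql
-- Added example (not the practice's real schema). Assumed tables:
-- clients maps a Supabase auth user to an assigned trainer;
-- parq_responses holds the health screening for one client.
create table clients (
  id           uuid primary key default gen_random_uuid(),
  auth_user_id uuid not null unique,  -- auth.users.id of the client
  trainer_id   uuid not null          -- auth.users.id of the assigned trainer
);

create table parq_responses (
  id           uuid primary key default gen_random_uuid(),
  client_id    uuid not null references clients(id),
  medications  text,
  injuries     text,
  submitted_at timestamptz not null default now()
);

-- With RLS enabled and no policy, a table returns no rows (deny by default).
-- FORCE applies the policies even to the table owner.
alter table clients        enable row level security;
alter table parq_responses enable row level security;
alter table clients        force row level security;
alter table parq_responses force row level security;

-- A client sees only their own client record.
create policy client_reads_self on clients
  for select to authenticated
  using (auth_user_id = auth.uid());

-- A trainer sees only the clients assigned to them.
create policy trainer_reads_assigned on clients
  for select to authenticated
  using (trainer_id = auth.uid());

-- PAR-Q read access follows the client record: the client themselves...
create policy client_reads_own_parq on parq_responses
  for select to authenticated
  using (exists (
    select 1 from clients c
    where c.id = parq_responses.client_id
      and c.auth_user_id = auth.uid()));

-- ...or the assigned trainer.
create policy trainer_reads_assigned_parq on parq_responses
  for select to authenticated
  using (exists (
    select 1 from clients c
    where c.id = parq_responses.client_id
      and c.trainer_id = auth.uid()));

-- A client may submit a PAR-Q only for their own client_id.
-- No delete policy exists, so deletes go through the owner's retention process.
create policy client_writes_own_parq on parq_responses
  for insert to authenticated
  with check (exists (
    select 1 from clients c
    where c.id = parq_responses.client_id
      and c.auth_user_id = auth.uid()));
```

Two checks matter in practice: the Supabase service-role key bypasses RLS entirely, so it must only ever be used from server-side code (the Netlify functions), never shipped to the browser; and a table with RLS enabled but no policies silently returns zero rows rather than an error, so each policy should be tested by querying as a real client and a real trainer session, not as the project owner.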
No system is perfectly secure. If we discover a breach of unencrypted personal information (or of encrypted personal information where the encryption key is reasonably believed to have been acquired as well), we will notify affected California residents "in the most expedient time possible and without unreasonable delay" as required by Cal. Civ. Code § 1798.82, and will notify the California Attorney General if the breach affects more than 500 California residents. The notice will describe the categories of information involved, the date or estimated date of the breach, and the steps we have taken or recommend you take in response.
9. How long we keep information
We keep different categories of information for different periods, based on the purposes for which we collected them:
- Contact form submissions (leads who did not become clients): 18 months from submission, then deleted.
- Active client account data: For as long as you are an active client, plus the periods below after our relationship ends.
- Signed service agreements and signed PAR-Qs: 7 years after the agreement ends (California professional records-retention standard).
- Invoices and payment records: 7 years (California Revenue and Taxation Code and IRS recordkeeping).
- Session notes and progress logs: 5 years after your last session, then deleted.
- Messages exchanged through the Client Portal: 3 years after your last session, then deleted.
- Server and application logs (we run no third-party analytics; see §12): 90 days, then automatically purged.
- Anything subject to a legal hold or active dispute: Held until the matter is resolved, then deleted on the schedule above.
You may request earlier deletion at any time — see your rights below. Note that signed legal records (agreements, PAR-Qs) may be retained even after a deletion request to the extent required to defend a legal claim, comply with tax law, or meet a records-retention obligation.
10. Your privacy rights
If you are a California resident, you have the following rights under the CCPA / CPRA:
- Right to know. You can ask what personal information we have about you, where it came from, how we use it, and who we share it with — going back at least 12 months.
- Right to access. You can request a copy of the information we have about you, in a portable format.
- Right to correct. If something we have is wrong, you can ask us to fix it.
- Right to delete. You can ask us to delete information, subject to the records-retention obligations described in §9 above.
- Right to limit use of sensitive personal information. You can ask us to use your health information only for the services you specifically requested. Because that is already how we use it, this right rarely changes anything in practice — but you can still exercise it.
- Right to opt out of sale or sharing. We do not sell or share your information for cross-context behavioural advertising. There is no opt-out to exercise because there is nothing to opt out of.
- Right to non-discrimination. We will not deny you services, charge you a different price, or provide a different level of service because you exercised any of these rights.
- Right to data portability. Where technically feasible, we will provide your information in a structured, commonly used, machine-readable format.
- "Shine the Light" right (Cal. Civ. Code § 1798.83). California residents may request, once per calendar year and free of charge, a list of any personal information we disclosed to third parties for those third parties' direct-marketing purposes in the prior calendar year. We do not share personal information for third-party direct-marketing purposes, so this list would be empty — but you may still submit a request to confirm that.
How to make a request
Submit any privacy request by emailing james@kinetiqaf.com with the subject line "Privacy request." We will verify your identity by confirming the email matches one we already have on file, or by asking a question only the account holder could answer.
We will respond within 45 days as required by Cal. Civ. Code § 1798.130(a)(2). If we need an additional 45 days (allowed by the statute), we will notify you within the first 45 days and explain why.
An authorized agent may submit a request on your behalf. We will require proof that you authorized them (a signed letter is sufficient) and may still ask you to verify directly.
11. Communications and opt-out
We send three kinds of email or text messages, and you have the right to control each:
- Service messages — session confirmations, schedule changes, invoice notifications, password resets, account-security alerts. These are necessary to deliver the service you signed up for. They are not marketing under CAN-SPAM and we will keep sending them as long as you are an active client. If you do not want service messages, the only option is to close your account.
- Transactional auto-replies — the single confirmation email sent when you submit the contact form. You cannot opt out of this one message because it confirms receipt of your inquiry, but we will not send you anything else from that submission unless you reply or become a client.
- Marketing or promotional messages — we do not currently send any. If we ever do, every message will include a one-click unsubscribe link as required by the CAN-SPAM Act (15 U.S.C. § 7704), and any SMS marketing would honour STOP, END, CANCEL, UNSUBSCRIBE, QUIT, or OPT-OUT replies as required by the Telephone Consumer Protection Act (47 U.S.C. § 227) and CTIA guidelines.
You may also email james@kinetiqaf.com at any time to update your communication preferences.
12. Cookies, tracking, and Global Privacy Control
KinetiqAF.com uses the minimum cookies needed for the site to function. Specifically:
- Session cookies for the Client Portal login, set by Supabase Auth. These are deleted when you sign out.
- Local storage in your browser to remember your portal preferences (language, accessibility-mode toggle, sidebar state).
We do not use:
- Advertising or tracking cookies.
- Social-media tracking pixels.
- Cross-site analytics like Google Analytics.
- Heatmap, session-replay, or behavioural-analytics services.
Because we don't track you, there is no "Do Not Sell or Share My Personal Information" link on our site — there is nothing to opt out of.
Global Privacy Control (GPC) and Do Not Track (DNT). Our site does not sell or share personal information for cross-context behavioural advertising, so there is no opt-out signal to act on. If your browser sends a GPC signal (an opt-out preference signal under 11 CCR § 7025) or a legacy DNT header, we will continue to refrain from any such selling or sharing. We will never ignore a GPC signal, and it will never cause us to collect more data.
Aggregated and de-identified data. We may produce aggregated or de-identified statistics (for example, total number of sessions delivered in a month) for internal planning. Once data is aggregated or de-identified per CCPA § 1798.140(b) and (m), it is no longer "personal information" and is not covered by this Privacy Policy. We will not attempt to re-identify it and will require contractually that any recipient also not attempt to re-identify it.
13. Automated decision-making and profiling
We do not use automated decision-making technology (ADMT) as defined by the CPRA regulations (11 CCR § 7200 et seq.) to make decisions about you. We do not profile, score, rank, sort, or evaluate you using software. Every decision about your training program, scheduling, or service eligibility is made by a human (James Kennedy) based on a direct conversation with you. Because we do not use ADMT, the related rights to access and opt out of ADMT do not arise in our practice.
14. Accessibility of this policy
We want this Privacy Policy to be understandable by everyone we serve, including clients with cognitive disabilities, low vision, or limited English proficiency. If any part of this policy is unclear, you may contact us and we will explain it in plain language, read it aloud, translate it, or provide it in a larger font or alternative format at no cost. The site itself is designed to meet WCAG 2.1 Level AA where reasonably achievable for a small-business website, and the Client Portal includes a dedicated accessibility mode.
15. Residents of other U.S. states
This policy is primarily written for California residents. We serve clients only in San Diego County, California, so almost all data subjects are California residents. If you are a resident of another U.S. state with a comprehensive privacy law (e.g., Colorado, Connecticut, Virginia, Utah, Texas, Oregon, or Montana) and you interact with us, we will honour the equivalent rights that state's law grants you (access, correction, deletion, portability, opt-out of sale/targeted advertising, opt-out of profiling). Submit any such request using the contact information in §18 and we will treat it as a privacy request under your state's law.
16. International users
KinetiqAF.com is operated from California, United States. Our services are intended for California residents. If you access our site from outside the United States, you understand that your information will be processed in the United States, which may have different data-protection laws than your jurisdiction. We do not offer services to residents of the European Economic Area or the United Kingdom from this website.
17. Changes to this policy
We update this Privacy Policy as our practices change or as the law requires. The "Last updated" date at the top of this page tells you when we last made a substantive change. We will email active Client Portal users about material changes at least 30 days before they take effect.
Prior versions of this Privacy Policy are kept on file. You can request a copy of any prior version at any time.
18. How to contact us
For any privacy question, request, complaint, or concern:
Email: james@kinetiqaf.com
Phone: 442-375-5090
James Kennedy & Associates LLC, San Diego, California