The average person serious about their health has at least five apps open on any given day: a calorie tracker, a workout logger, a sleep monitor, a wearable companion, and maybe a coach messaging platform. None of them talk to each other. The calorie app doesn't know you had a rough night. The workout logger doesn't know your menstrual cycle is in its luteal phase and high-intensity training isn't ideal today. The coach sends a generic check-in because they have no visibility into your week.
That fragmentation is the core problem Fit is built to solve. One app. Every signal. Smarter guidance — with a human in the loop when it matters.
The Gemini Hybrid: Fast Where Speed Matters, Deep Where Depth Matters
AI features in health apps often fall into one of two failure modes: too slow to use in the moment, or too shallow to be useful. We spent a long time thinking about how to avoid both.
Fit uses Google Gemini in a hybrid configuration. Gemini Flash handles everything that needs to happen in under two seconds: food photo recognition, quick dietary suggestions, threshold-based feedback. Gemini Pro handles everything that benefits from deeper reasoning: generating a week-long personalized workout program, building a nutrition plan from scratch, creating coaching summaries for human trainers to review.
The cost model follows the same logic. Flash calls are cheap and fast — suitable for every meal log. Pro calls are richer but more expensive — used only when the user explicitly requests a new program, or when the system determines a meaningful coaching event has occurred. Every call is logged to ai_call_logs with EUR cost, model used, and whether the user is on the free or premium tier. Per-user monthly budgets are enforced at the middleware layer via AiUsageGuard — the free tier gets enough for roughly two food recognitions per day, premium gets significantly more headroom.
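The budget check described above, sketched in plain PHP as an added example; it is not Fit's AiUsageGuard code. The function names, the row shape and the micro-EUR unit are assumptions, and the log rows are constructed. The caps are the €2 and €5 monthly figures from the pricing section.

```php
<?php
declare(strict_types=1);

// Monthly caps from the pricing section, as integer micro-EUR to avoid float drift.
const MONTHLY_CAP_MICRO_EUR = ['free' => 2_000_000, 'premium' => 5_000_000];

// Sums this user's logged cost for the calendar month of $now (timestamps assumed UTC).
function spentThisMonth(array $aiCallLogs, int $userId, DateTimeImmutable $now): int
{
    $month = $now->format('Y-m');
    $total = 0;
    foreach ($aiCallLogs as $row) {
        if ($row['user_id'] === $userId && str_starts_with($row['created_at'], $month)) {
            $total += $row['cost_micro_eur'];
        }
    }
    return $total;
}

function authoriseAiCall(array $aiCallLogs, int $userId, string $tier,
                         int $estimateMicroEur, DateTimeImmutable $now): array
{
    // An unknown tier gets a zero cap: fail closed instead of defaulting to unlimited.
    $cap = MONTHLY_CAP_MICRO_EUR[$tier] ?? 0;
    $remaining = max(0, $cap - spentThisMonth($aiCallLogs, $userId, $now));
    // Compare the estimate before calling the model; a check made only after
    // the call lets a single expensive request overshoot the cap.
    return ['allowed' => $estimateMicroEur <= $remaining, 'remaining_micro_eur' => $remaining];
}

// Constructed rows standing in for ai_call_logs; the costs are made up for the demo.
$logs = [
    ['user_id' => 4821, 'model' => 'flash', 'tier' => 'free', 'cost_micro_eur' => 30_000, 'created_at' => '2025-05-30T18:02:11Z'],
    ['user_id' => 4821, 'model' => 'flash', 'tier' => 'free', 'cost_micro_eur' => 1_950_000, 'created_at' => '2025-06-03T07:41:52Z'],
    ['user_id' => 9000, 'model' => 'pro', 'tier' => 'premium', 'cost_micro_eur' => 400_000, 'created_at' => '2025-06-02T12:00:00Z'],
];
$now = new DateTimeImmutable('2025-06-10T08:00:00Z');
$requests = [[4821, 'free', 30_000], [4821, 'free', 60_000], [9000, 'premium', 400_000], [9000, 'trial', 1]];

foreach ($requests as [$uid, $tier, $estimate]) {
    $decision = authoriseAiCall($logs, $uid, $tier, $estimate, $now);
    printf("user=%d tier=%s estimate=%d allowed=%s remaining=%d\n", $uid, $tier, $estimate,
           $decision['allowed'] ? 'yes' : 'no', $decision['remaining_micro_eur']);
}
```

Two concurrent requests can both pass this check, so in production the check and the log write (or a cost reservation) belong in one database transaction.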
Cuisine Intelligence That Doesn't Burn Tokens Forever
Food recognition is only as good as its food database. A generic Western food database fails when a Turkish user photographs a plate of menemen or a serving of ayran. An Estonian user's kama porridge is invisible to most calorie counters.
Fit solves this with a one-time country-specific cuisine report. The first time a country is needed, Gemini Pro generates a comprehensive structured report: the 200 most common dishes, their typical ingredients, calorie ranges, macro breakdowns, regional variations, and serving conventions. That report is stored statically. Every subsequent food recognition for users in that country passes the report as context to Gemini Flash — giving it local food intelligence without re-spending Pro tokens on every single meal photo.
This architecture means that adding cuisine support for a new market costs one Pro call, then becomes effectively free to operate at scale. It also means Flash recognition can confidently handle regional dishes that a generic model would struggle to identify.
Wearables: On-Device First, Server When It Matters
The MVP targets three wearable ecosystems: Apple HealthKit (Apple Watch), Huawei Health Kit, and Xiaomi Zepp Life / Mi Fitness. Flutter's health package abstracts the permission model across iOS and Android, and the bidirectional sync means Fit both reads from and writes back to these platforms.
The more interesting architectural decision is where coaching logic runs. Real-time alerts — "your heart rate has been above 165 bpm for 60 seconds during this recovery interval, consider slowing down" — run on the device, not the server. The threshold rules are compiled into the app at build time. No network round-trip, no latency, no battery drain from constant API polling.
Server-side coaching handles what can't be done locally: daily synthesis, meal plan revisions, complex longitudinal pattern detection, and anything requiring Gemini. The split keeps the real-time experience crisp while still enabling rich insight generation in the background.
Cycle Tracking as a First-Class Signal
Cycle tracking in most fitness apps is an afterthought — a period calendar bolted on to satisfy a demographic. In Fit, cycle phase is a first-class input to both the workout recommendation engine and the nutrition module.
The follicular phase (post-period to ovulation) typically supports higher training intensity and carbohydrate utilization. The luteal phase (post-ovulation to period) often warrants reduced intensity, higher iron and magnesium focus, and modified recovery expectations. These aren't soft suggestions — they're integrated into the program generation prompt sent to Gemini Pro when a new workout week is requested.
Data comes from manual entry or from Apple Health Cycle Tracking sync (iOS only in V1). The cycle data is never sent to Gemini without explicit sub-consent — it's one of the most sensitive data types we handle, and we treat it accordingly. Coach access to cycle data requires a separate, explicit permission grant beyond the base health data consent.
The Human Coach System: Scaling Without Losing the Human
AI coaching has an obvious ceiling. It can recognize patterns, suggest adjustments, and answer common questions well. It cannot read between the lines of a message from a user who is clearly struggling emotionally. It cannot make a judgment call that requires years of practitioner experience. It cannot build a relationship.
Fit doesn't try to replace human coaches. It tries to make them more effective.
Human coach assignment is available for premium users who have been on the platform for at least 60 days and have accumulated a sufficient activity score (the average user hits this after roughly two months). The matching is two-directional: users can browse and request coaches; coaches can proactively invite users whose profiles match their specialty.
Once assigned, the coach sees a structured dashboard: aggregated meal logs, workout completion rates, sleep trends, water intake, and any AI-flagged concerns. They can revise workout plans, send meal recommendations, assign check-ins, and send messages using templated formats. What they cannot see — by technical enforcement, not just policy — is the user's raw AI chat history, social DMs, full date of birth, precise location, or cycle data unless the user has granted that specific sub-consent.
Every time a coach accesses a client record, the access is written to coach_access_logs. This isn't optional — it's required by KVKK Article 30 and mirrors the audit expectations of GDPR's accountability principle. Users can view their own access log at any time.
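One way to enforce the coach dashboard limits and the access log together, as an added example in plain PHP rather than Fit's own code. Field names, consent names and the in-memory array standing in for coach_access_logs are hypothetical; the sample client is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical field names; the page lists the categories, not the schema.
const COACH_BASE_FIELDS = ['meal_logs', 'workout_completion', 'sleep_trend', 'water_intake', 'ai_flags'];
// Fields that need their own sub-consent on top of the base health-data consent.
const COACH_SUBCONSENT_FIELDS = ['cycle_data' => 'coach_cycle_access'];

function coachView(array $client, int $coachId, array &$accessLog, DateTimeImmutable $now): array
{
    $entry = ['coach_id' => $coachId, 'client_id' => $client['id'], 'at' => $now->format(DATE_ATOM)];

    // Fail closed: no assignment or no base consent means no data, and the attempt is logged.
    if (($client['assigned_coach_id'] ?? null) !== $coachId
        || !in_array('coach_health_access', $client['consents'], true)) {
        $accessLog[] = $entry + ['fields' => [], 'outcome' => 'denied'];
        throw new RuntimeException('coach is not authorised for this client');
    }

    $allowed = COACH_BASE_FIELDS;
    foreach (COACH_SUBCONSENT_FIELDS as $field => $consent) {
        if (in_array($consent, $client['consents'], true)) {
            $allowed[] = $field;
        }
    }

    // Project onto the allowlist; chat history, DMs, DOB and location never match.
    $view = array_intersect_key($client['record'], array_flip($allowed));

    // Write the log entry before returning so a read cannot go unrecorded.
    $accessLog[] = $entry + ['fields' => array_keys($view), 'outcome' => 'granted'];
    return $view;
}

// Constructed sample client: base consent given, cycle sub-consent not given.
$client = ['id' => 4821, 'assigned_coach_id' => 17, 'consents' => ['coach_health_access'],
           'record' => ['meal_logs' => ['menemen'], 'sleep_trend' => [6.5, 7.1],
                        'cycle_data' => ['phase' => 'luteal'], 'ai_chat_history' => ['hi'],
                        'date_of_birth' => '1991-03-14']];
$log = [];
$now = new DateTimeImmutable('2025-06-01T09:00:00Z');
$view = coachView($client, 17, $log, $now);
try {
    coachView($client, 99, $log, $now);   // an unassigned coach: denied, but still logged
} catch (RuntimeException $e) {
}
echo json_encode(['view_fields' => array_keys($view), 'log' => $log], JSON_PRETTY_PRINT), PHP_EOL;
```

Because the view is built from an allowlist, a column added to the client record later stays hidden from coaches until someone lists it explicitly.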
The AI-to-Human Handoff (And Back)
The system is designed so that AI and human coaching reinforce each other rather than conflict. A few mechanics worth noting:
If a user repeatedly messages the AI about the same issue (pain during workouts, persistent fatigue, significant mood changes), the system flags an escalation suggestion and nudges the user toward requesting a human coach session. The AI doesn't just keep answering — it recognizes the boundary of its competence.
When a coach approves a plan, the AI's system prompt is updated to include "do not contradict the coach's approved plan." The AI becomes an assistant to the coach's decisions rather than an independent agent that might undermine them.
Coaches can also hand off conversations to the AI when appropriate — writing a custom system prompt for a specific topic, or asking the AI to prepare a summary of a user's last two weeks of data before a scheduled check-in. The AI generates that summary with explicit user consent and presents it to the coach. This saves the coach 20 minutes of manual data review and frees them to focus on the conversation.
Privacy Architecture: Anonymization Before Every AI Call
Health data sent to a third-party AI model is one of the highest-risk data processing activities under both GDPR and KVKK. We made a deliberate architectural choice: nothing identifiable reaches Gemini.
Before any call, the pipeline strips user name, email, exact date of birth (replaced with age decade), precise GPS coordinates (replaced with city-level approximation), and full IP address. The only user identifier passed is a salted hash — Gemini cannot reconstruct who the user is even if the output were somehow captured. Micronutrient and biometric data is passed as aggregated ranges rather than raw values where possible.
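The stripping step described above, sketched in plain PHP as an added example; it is not Fit's actual pipeline. Function names, field names and the key constant are hypothetical, the sample user is constructed, and a keyed HMAC is used in place of a plain salted hash so the pseudonym cannot be recomputed by enumerating user IDs without the server-side key.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout. The key belongs in a secret store, not in source code.
const PSEUDONYM_KEY = 'constructed-demo-key';
// Allowlist: only these signal fields may leave the backend; everything else is dropped.
const AI_ALLOWED_FIELDS = ['meal_text', 'sleep_hours', 'resting_hr'];

function pseudonymFor(int $userId): string
{
    // Keyed hash: without the key, the small user-ID space cannot be enumerated.
    return hash_hmac('sha256', 'user:' . $userId, PSEUDONYM_KEY);
}

function ageDecade(string $dateOfBirth, DateTimeImmutable $today): string
{
    $age = (new DateTimeImmutable($dateOfBirth))->diff($today)->y;
    return (intdiv($age, 10) * 10) . 's';
}

function coarseLocation(float $lat, float $lon): array
{
    // One decimal place is about 11 km of latitude: an assumed stand-in for "city-level".
    return ['lat' => round($lat, 1), 'lon' => round($lon, 1)];
}

function buildAiPayload(array $user, array $signals, DateTimeImmutable $today): array
{
    // Built from scratch: name, email and IP are never copied into the payload.
    $payload = [
        'subject'    => pseudonymFor($user['id']),
        'age_decade' => ageDecade($user['date_of_birth'], $today),
        'area'       => coarseLocation($user['lat'], $user['lon']),
    ];
    foreach (AI_ALLOWED_FIELDS as $field) {
        if (array_key_exists($field, $signals)) {
            $payload[$field] = $signals[$field];
        }
    }
    return $payload;
}

// Constructed sample input.
$user = ['id' => 4821, 'name' => 'Ayşe Demir', 'email' => 'ayse@example.test',
         'date_of_birth' => '1991-03-14', 'lat' => 41.0082, 'lon' => 28.9784, 'ip' => '203.0.113.7'];
$signals = ['meal_text' => 'menemen, ayran', 'sleep_hours' => 6.5, 'cycle_phase' => 'luteal'];
$payload = buildAiPayload($user, $signals, new DateTimeImmutable('2025-06-01'));
echo json_encode($payload, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE), PHP_EOL;
```

In this run cycle_phase never reaches the payload because it is not on the allowlist. Free-text fields such as meal_text can still carry identifiers the user typed in, so they need their own scrubbing.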
The application is deployed on a single German VPS (Hetzner Frankfurt region). This satisfies both GDPR's data residency expectations and Turkey's KVKK requirement for adequate protection measures when processing Turkish citizens' health data internationally. We appointed a Data Protection Contact before launch and completed a Data Protection Impact Assessment for the AI processing pipeline — both required when handling health data under GDPR Article 9.
Social Community: Opt-In, Layered Safety
The social features in Fit are probably the most contested design decisions we made. A fitness social network has obvious appeal — accountability, community, shared events. It also has well-documented abuse vectors, particularly when women are involved.
Our approach: opt-in at every layer. Location visibility is off by default. DMs are off by default. The social module requires 18+ verification. Users who enable DMs can restrict to mutual group members, verified accounts, same gender, or specific age ranges. The first message in any new conversation is text-only — no media attachments until both parties have exchanged messages.
Incoming messages pass through a pre-flight NSFW and spam filter before delivery. Accounts with repeated harassment reports enter a shadow review state — they can still use the app, but their messages are held for review before reaching recipients. Selfie verification with liveness detection and face-match runs at account creation and is required for the social module.
None of this eliminates risk. But it meaningfully raises the cost of abuse and makes the experience safer for the users most likely to be targeted.
Tech Stack: Flutter + Laravel 12 + Filament
The mobile client is Flutter 3.10 — single codebase for iOS and Android. State management uses Riverpod, routing uses go_router, and network calls go through Dio. Data models are generated via Freezed and json_serializable, which keeps the serialization layer consistent and avoids hand-written boilerplate.
The backend is Laravel 12 on PHP 8.2. Authentication uses Laravel Sanctum (token-based, no sessions). The admin panel is Filament 4 — it handles user management, food database editing, coach assignment, moderation queues, push notification dispatch, and analytics dashboards. The queue runs on the database driver initially, with a Redis migration planned post-MVP once throughput demands it.
In-app purchases go through RevenueCat, which abstracts the iOS App Store and Google Play billing surfaces into a single API. This means we're not maintaining two separate IAP integrations and can manage subscription entitlements from one place. Push notifications use FCM for Android and APNs for iOS, both wired through Firebase Core.
Pricing: Free Tier That Actually Works, Premium That Pays for Itself
Free tier users get the core experience: meal and water logging, sleep and stress tracking, basic community access, and AI-powered food recognition within a €2/month compute budget. That budget supports roughly two photo recognitions per day — enough to log breakfast and lunch, and to manually enter dinner.
Premium is €9.99/month or €77.90/year (a 35% discount). It unlocks unlimited food recognition, personalized workout program generation, advanced analytics, cycle tracking integration with coaching, real coach eligibility, and a €5/month AI compute budget. There's a 7-day free trial — no credit card required for the trial period.
The AI budget model is worth explaining. We don't want to limit features arbitrarily, but we also can't absorb unlimited Gemini Pro calls per user at scale without the math breaking down. The budget cap is transparent to users — they can see their remaining monthly compute in the app — and it's generous enough that a typical premium user will never hit it in normal use. Heavy users who push up against it can see exactly why and can upgrade or wait for the monthly reset.
What's Next
Fit is currently in active development. The core meal logging, workout, and wearable sync features are functional. The coach assignment system and social module are in internal testing. The MVP launch is planned for the Turkish and Estonian markets first, with English support available from day one for international users.
Before the production launch, we're completing the DPIA review, finalizing the legal documents (Terms of Service, Privacy Policy, and KVKK aydınlatma metni in all three languages), and running the selfie verification system through a third-party security audit. The Sentry integration and fail2ban configuration are the last infrastructure pieces before the hardening checklist is signed off.
If you're a personal trainer, nutritionist, or wellness coach interested in joining the early coach network — or if you're a developer curious about the Gemini hybrid architecture — reach out. We're building this in the open and happy to talk through the technical decisions.