PRIVACY POLICY

Last Updated: October 17, 2025

1. INFORMATION WE COLLECT

Information You Provide Directly

Account information: Name, email address, password (encrypted)
Profile information: Age, gender, fitness goals, equipment access
Workout data: Exercises performed, sets, reps, weight, duration
Health metrics: Body weight, measurements, progress photos (optional)
User-generated content: Workout programs, form check videos, comments, reviews
Payment information: Credit card details (stored by Stripe, not by us)

Automatically Collected Information

Device information: Device type, OS version, unique device identifiers
Usage data: Features used, pages viewed, time spent, interactions
Location data: Approximate location (for friend challenges, optional)
Performance data: App crashes, errors, loading times
Analytics data: Heatmaps, session recordings, user flows

2. HOW WE USE YOUR INFORMATION

We use collected information to:

Provide and maintain our services
Personalize your workout experience
Send notifications (workout reminders, PR celebrations, friend activity)
Deliver recap content such as PR highlights, streak summaries, and training tips (email or push). You can opt out in settings or via unsubscribe links.
Analyze usage patterns and improve features
Detect and prevent fraud, abuse, and security threats
Process payments and subscription billing
Provide customer support
Comply with legal obligations
Send marketing communications (with your consent)

3. DATA SHARING AND DISCLOSURE

WE DO NOT SELL YOUR PERSONAL INFORMATION

We have never sold user data and never will. Your workout data, health metrics, and personal information are yours alone.

We Share Data Only When

You explicitly consent: Sharing workouts with friends, posting to social feed
Required by law: Court orders, subpoenas, legal investigations
With service providers: Payment processing, cloud storage, analytics (see Section 9)
In aggregated form: Anonymized analytics (e.g., "80% of users prefer bench press")
Business transfers: If acquired or merged, data transfers to new owner

4. THIRD-PARTY SERVICES

We integrate with third-party services that may collect data. Each service has its own privacy policy:

Payment Processing

Stripe - Processes subscription payments and creator payouts
Data collected: Card details, billing address, transaction history
Privacy Policy: stripe.com/privacy

Cloud Infrastructure

Supabase - Database, authentication, file storage
Data collected: All user data (workouts, profiles, videos)
Privacy Policy: supabase.com/privacy

Authentication

Apple Sign-In - OAuth authentication for iOS users. Privacy: apple.com/legal/privacy
Google Sign-In - OAuth authentication for Android/web users. Privacy: policies.google.com/privacy

Push Notifications

Expo Push Notifications - Sends workout reminders and notifications. Privacy: expo.dev/privacy

Video Hosting (optional, user-uploaded only)

YouTube/Vimeo - Users may link form check videos and exercise demos. Privacy: Google Privacy | Vimeo Privacy

GDPR & CCPA COMPLIANCE

All third-party services are vetted for GDPR and CCPA compliance. We have Data Processing Agreements (DPAs) with major service providers.

5. YOUR RIGHTS (GDPR & CCPA)

You Have the Right To

Access your data: Request a copy of all data we store about you
Correct your data: Update inaccurate or incomplete information
Delete your data: Request permanent deletion of your account and data
Export your data: Download your data in JSON format (Settings > Export Data)
Opt-out of marketing: Unsubscribe from promotional emails
Opt-out of data sale: We don't sell data, but you can opt-out of analytics tracking
Withdraw consent: Revoke previously granted permissions
Object to processing: Object to specific uses of your data
Lodge a complaint: File complaint with data protection authority

How to Exercise Your Rights

Export data: Settings > Data & Privacy > Export All My Data
Delete account: Settings > Data & Privacy > Delete My Account
Email requests: jon-e-worldwide@outlook.com
Response time: Within 30 days (45 days for complex requests)

6. DATA SECURITY

We implement industry-standard security measures:

Encryption in transit: TLS for all data transfers
Encryption at rest: AES-256 for stored data
Password hashing: bcrypt with salt (never stored in plain text)
Access controls: Role-based access and least privilege
Regular audits: Security assessments and penetration testing
Secure infrastructure: Supabase (AWS-hosted, SOC 2 compliant)
2FA available: Two-factor authentication for accounts

No system is 100% secure. While we use best practices, we cannot guarantee absolute security. You are responsible for keeping your password confidential.

7. DATA RETENTION

Active Accounts

Data retained as long as account is active
Workout history stored indefinitely (unless deleted by user)

Deleted Accounts

30-day grace period (can restore account by contacting support)
After 30 days: Permanent deletion of all data
Backups may retain data for up to 90 days (then purged)

Legal Requirements

Financial records: 7 years (tax compliance)
DMCA claims: 3 years (copyright law)
Legal disputes: Duration of dispute + 1 year

8. CHILDREN'S PRIVACY

Our Service is NOT intended for children under 13 years old
We do not knowingly collect data from children under 13
If we discover such data, we will delete it immediately
Parents: If you believe your child provided data, contact jon-e-worldwide@outlook.com

9. INTERNATIONAL DATA TRANSFERS

Your data may be transferred to and processed in:

United States: Primary servers (AWS us-east-1)
European Union: GDPR-compliant data centers

We ensure appropriate safeguards such as Standard Contractual Clauses for transfers.

10. COOKIES AND TRACKING

Types of Cookies We Use

Essential cookies: Authentication, security, session management (cannot be disabled)
Functional cookies: Preferences, settings (can be disabled in Settings)