Privacy & data protection

What we collect

We store the information you provide (such as email, display name, timezone, and unit preferences) and the training data you log (workouts, sets, templates, custom exercises, and derived progress summaries). Payment status is stored for subscription access; payment processing is handled by Stripe when enabled.

Passwords and sessions

Passwords are hashed with bcrypt. Sessions use signed cookies (JWT strategy) with a server secret. Protect your device and sign out on shared computers.

Who can access your data

Workout and account rows are scoped to your user id in the database. Application code uses that scope for queries and mutations. There is no separate admin role in the product today; only infrastructure operators with database or hosting access could view stored data under their normal policies.

Analytics

We use structured product analytics to understand usage (for example sign-in telemetry, workouts completed, templates, and checkout). You can turn off optional product analytics and ad-placement measurement in Profile. Ad measurement applies only on the free plan when optional ads are shown. When disabled, we do not record ad impression or click events tied to your account, and sign-in product analytics are suppressed. Other server-side events may still be emitted for core operations (for example workouts and billing sync); those are documented in the engineering analytics catalog.

Export and deletion

You can download a JSON export of your data from Profile. You can request account deletion; we record the request timestamp and will complete hard deletion in line with our operational process (including cancellation of active subscriptions where applicable).

Transport and hosting

Use the app over HTTPS in production. Database encryption at rest depends on your hosting provider (e.g. managed PostgreSQL settings).