Privacy Policy

Overview

Liftpact ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and share information about you when you use our mobile application.

Information We Collect

• Account information: email address and username when you register. Passwords are never stored by us — authentication is handled securely by Supabase.
• Workout data: exercises, sets, reps, weights, workout history, and personal records you log in the app.
• Social data: friend connections, nudges sent and received, gym callouts, and comments.
• Device information: device type, operating system, and push notification token (only if you grant notification permission).
• Profile photo: if you choose to upload a profile picture, the image is transmitted to Google Cloud Vision SafeSearch for automated content moderation before being stored. This check is performed solely to detect unsafe content (explicit, violent, or adult material). We do not store the moderation result beyond the pass/fail decision, and the image is not used by Google for any other purpose.
• Health and fitness information (AI plan feature only): if you choose to generate an AI workout plan, you may voluntarily enter information about physical limitations or injuries. This field is optional. This information is transmitted to Anthropic solely to personalize your plan. Your raw questionnaire answers are not stored in our database; the generated plan is stored on your account so the app can display it. See "Health and Sensitive Information" below for full details.

Health and Sensitive Information

The AI workout plan questionnaire includes an optional free-text field for physical limitations or injuries. Because this may constitute health-related information, we treat it with heightened care:

• Providing it is entirely voluntary. You may skip the field or select "No limitations" with no impact on other app features.
• It is transmitted to Anthropic (our AI provider) to generate your plan. Your raw answers are not stored in our database; the generated plan itself is stored on your account so the app can display it to you.
• It is not used for advertising, user profiling, or any purpose other than generating your requested plan.
• You may withdraw at any time by not using the AI workout plan feature. Withdrawal does not affect data already sent for a previously generated plan.
• AI-generated plans are not reviewed by licensed medical or fitness professionals. Do not use them as a substitute for professional medical advice.

GDPR (EU/EEA users): injury and limitation data may qualify as health data — a special category under Article 9 GDPR. We process it on the basis of your explicit consent, given when you complete and submit the questionnaire. You may withdraw consent at any time by not using the feature.

CCPA/CPRA (California users): physical limitation and injury information is "sensitive personal information" under the CPRA. We use it only to fulfill your plan request. We do not sell it or share it for cross-context behavioral advertising.

How We Use Your Information

• To provide and operate the app and its features.
• To personalize your experience, including AI-generated workout plans. Workout plans are generated by artificial intelligence (Anthropic Claude) and are not reviewed by licensed fitness or medical professionals.
• To enable social features such as friend activity feeds, leaderboards, and nudges.
• To send push notifications (only if you grant permission).
• To process subscription purchases through RevenueCat.
• To improve the app and fix issues.

Lawful Basis for Processing (GDPR)

If you are located in the European Union or European Economic Area (EEA), we process your personal data under the following lawful bases:

• Performance of contract: processing your account information and workout data is necessary to provide the service you signed up for.
• Legitimate interests: we process data to improve the app, prevent fraud, and operate social features — weighed against your privacy rights.
• Consent: push notifications are only sent with your explicit permission, which you may withdraw at any time in device Settings.
• Explicit consent (Article 9 GDPR — special category data): physical limitation and injury information entered in the AI plan questionnaire may constitute health data. We process it only on the basis of your explicit consent, given when you submit the questionnaire. You may withdraw consent at any time by not using the AI plan feature; this does not affect the lawfulness of processing before withdrawal.

You have the right to object to processing based on legitimate interests by contacting us at the email below.

Information Shared With Others

When you use social features, certain information is visible to your friends. You can control all sharing settings in Settings → Sharing & Privacy.

Third-Party Service Providers

We use the following service providers, each engaged under a data processing agreement or equivalent contractual safeguard:

• Supabase – database, authentication, and file storage. Acts as a data processor on our behalf.
• Anthropic – AI workout plan generation. Acts as a data processor for plan generation. We do not send your name or email to Anthropic. Your raw questionnaire answers are not stored; the generated plan is stored on your account.
• RevenueCat – subscription and purchase management. Acts as a data processor for purchase data.
• Google Cloud (Vision API) – automated content moderation for profile photos. When you upload a profile picture, the image is submitted to Google Cloud Vision SafeSearch to check for unsafe content. Google processes the image solely for this moderation check and acts as a data processor on our behalf. See Google's Privacy Policy.
• Apple / Google – app distribution and in-app payment processing. Act as independent controllers for their own systems.

Data Controller

The data controller responsible for your personal data is:
Liftpact
Email: support@liftpact.app

We do not have a designated Data Protection Officer (DPO). For all data protection enquiries, contact us at the email above.

EU/EEA users: you may also contact your local data protection supervisory authority. We are in the process of assessing our obligations under GDPR Article 27 (EU representative). If you have questions about this before that process is complete, contact us directly at the email above.

International Data Transfers

Your data is stored and processed in the United States via Supabase, Anthropic, and Google Cloud (Vision API). If you are located in the EU/EEA, this constitutes a transfer of personal data to a third country. We rely on standard contractual clauses (SCCs) as adopted by the European Commission for Supabase, Anthropic, and Google Cloud. You may request a copy of the applicable transfer safeguards by contacting us.

Automated Decision-Making

We use Anthropic's Claude AI model to generate personalized workout plans. This processing produces a plan recommendation only — it does not produce any decision with legal or similarly significant effects on you. You are free to ignore, modify, or not use the generated plan. AI-generated plans are not reviewed by licensed fitness or medical professionals.

Data We Collect and Why

• Email address — required to create and manage your account.
• Username — required to identify you within the app.
• Workout data — required to use the core logging features.
• Push notification token — optional; only collected if you grant notification permission.
• Profile photo — optional; only collected if you choose to upload one. Transmitted to Google Cloud Vision for content moderation before storage.
• Physical limitations / injury information — optional; only collected if you use the AI workout plan feature and choose to provide it.

Data Retention

We retain your data for as long as your account is active. If you delete your account through Settings → Account → Delete Account, your profile, workouts, personal records, and all other personal data will be permanently removed from our systems.

Exception: security and fraud-prevention audit logs may be retained for up to 90 days after deletion. These logs are used solely to detect and prevent abuse and contain:

• Your user ID and the event type (e.g. account deletion, login anomaly, rate-limit violation).
• For report events: the ID of the reported user, the type of content reported (e.g. comment, workout), the content ID, and the report reason.

No name, email address, or workout content is stored in these logs.

Children's Privacy

Liftpact is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover or are notified that a user is under 13, we will immediately terminate that account and permanently delete all associated data.

Your Rights

You have the right to access, correct, delete, and port your personal data. EU/EEA residents (GDPR) may also lodge a complaint with your local supervisory authority. California residents (CCPA/CPRA) have the right to know, delete, and opt out of sale (we do not sell personal information).

To exercise any of these rights, or to request account deletion, email us at support@liftpact.app or visit our account deletion page.

Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, where required by applicable law.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy, please contact us at: support@liftpact.app