Privacy Policy

Last updated: March 2026

1. What data we collect

Account data: Email address and password (hashed). Optional: name, experience level, biological sex.

Body data: Body weight and unit preference. Updated automatically when you log bodyweight exercises.

Training data: Workout sessions, set logs (exercises, weights, reps, duration), exercise preferences (loved/disliked), exercise notes, equipment profiles, muscle group feedback, recovery check-ins, and training plan configurations.

Subscription data: Subscription status and expiration date. Payment details are handled entirely by Apple (App Store) or Google (Play Store) via RevenueCat — we never see your credit card or payment information.

We do NOT collect: Location data, contacts, photos, health kit data, advertising identifiers, or any data from other apps on your device.

2. How we use your data

  • Provide the training service: progression calculations, workout generation, coach reports
  • Personalise your experience: exercise recommendations, weight suggestions, equipment filtering
  • Process your subscription status (via RevenueCat webhooks)
  • Send recovery check-in notifications (push notifications, if enabled)
  • Improve the app based on aggregate, anonymised usage patterns

We do NOT: Sell your data. Share it with advertisers. Use it for profiling. Send marketing emails (unless you opt in).

3. Data storage and security

Your data is stored on servers hosted by Render (render.com) using PostgreSQL. Data is encrypted in transit (TLS/SSL) and at rest. Servers are located in the United States.

Passwords are hashed using bcrypt and never stored in plain text. API tokens are generated using secure random hex.

4. Third-party services

Service          | Purpose              | Data shared
RevenueCat       | Subscription billing | User ID, subscription events
Apple App Store  | iOS payments         | Purchase receipts (via RevenueCat)
Google Play      | Android payments     | Purchase receipts (via RevenueCat)
Render           | Server hosting       | All app data (as data processor)

We do not use analytics SDKs, crash reporting tools, or advertising networks.

5. Data retention and deletion

We retain your data for as long as your account is active.

Account deletion: You can delete your account from within the app (More → Account → Delete my account). On deletion:

  • Your account is immediately deactivated (you cannot sign in)
  • After 30 days, all your data is permanently and irreversibly deleted
  • This includes: all workout history, training plans, exercise preferences, equipment profiles, feedback, and your account
  • During the 30-day window, contact support to cancel the deletion

6. Your rights

  • Access your data — use the Export feature in the app
  • Correct your data — edit your profile and training data directly
  • Delete your data — use the account deletion feature
  • Port your data — export as JSON or CSV

For EU/UK residents: you have additional rights under GDPR including the right to object to processing and the right to lodge a complaint with a supervisory authority.

7. Cookies

We use a single session cookie to keep you signed in. No tracking cookies, no third-party cookies, no advertising cookies.

8. Children

uppr is not intended for children under 16. We do not knowingly collect data from children.

9. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via the app. Continued use after changes constitutes acceptance.

10. Contact

Privacy questions? Email privacy@uppr.fit