Privacy Policy

Effective Date: April 19, 2026  ·  Last Updated: June 6, 2026

Plain-language summary: We collect only what the app needs to work. We do not sell your data, show ads, or share your information with marketers. Your workout data stays on your device and syncs securely to Firebase (Google). You can delete everything at any time.

1. Information We Collect

Account Information

When you create an account we collect:

  • Email address — used to sign in via Firebase Authentication.
  • Display name — shown on your profile and in the social feed.

We do not collect your legal name, phone number, or payment information.

Workout Data

When you log workouts we collect:

  • Exercise names, sets, repetitions, weights, and workout dates.
  • Rate of perceived exertion (RPE) and warmup flags (optional per set).
  • Training goal, experience level, equipment, session length, days per week, and any reported problem areas or injuries (entered during onboarding to filter exercises).
  • Calorie estimates — active calories burned per workout, sourced either from your wearable (Apple Health / Google Health Connect) or a MET-based formula if no wearable is available. Stored locally on your device only; not uploaded to Firebase.

Health & Fitness Platform Data (Optional — requires your permission)

If you grant permission, Rep reads the following data from Apple Health (iOS) or Google Health Connect (Android) to personalise your training and recovery recommendations:

  • Sleep — last night's total sleep duration.
  • Resting heart rate — most recent reading and a 30-day history.
  • Active calories burned — today's workout-tagged energy expenditure.
  • Body weight & body fat percentage — most recent reading and a 12-week history.
  • Menstrual cycle — current phase and day in cycle (used to adjust training load suggestions).
  • Imported workouts — recent workout sessions recorded by other health apps (e.g. Strava, Nike Run Club), to show cross-app activity in your history.

This data never leaves your device. All health platform readings are processed locally and are never uploaded to Firebase or any remote server. They are not included in anonymised analytics.

Rep also writes completed strength workouts back to Apple Health / Google Health Connect so they count toward your Activity rings and can be seen by other health apps. Only the workout start time, end time, activity type, and calorie estimate are written.

You can revoke health permissions at any time from your device's Health app settings. Rep works normally without health permissions — all health features are optional.

Body Statistics (Optional)

You may optionally enter your body weight and height. These fields are entirely optional. If not provided, no body-stat data is collected.

Social Interactions

If you use the social feed, we collect workout posts you share, likes and comments you make, and the users you follow and who follow you. Trainer–athlete relationships are also stored if you use the trainer role.

Technical and Usage Data

We do not operate third-party analytics pipelines. Firebase (our infrastructure provider) may collect limited technical information as described in their own privacy policy (see Section 3.2). This can include device type, operating system version, and crash reports.

We also collect anonymised, aggregated workout activity data (exercise names, muscle groups, sets, and repetitions) to improve workout recommendations. This analysis is performed on data that has been stripped of all identifying information — it cannot be traced back to you individually. You can opt out of this at any time from the app's Settings screen.

Location Data

We do not collect location data. A location feature has not launched. If that changes, you will be asked for explicit permission and this policy will be updated before any location data is ever collected.

2. How We Use Your Information

Purpose | Data Used
Authenticating your account | Email address
Displaying your profile | Display name, body stats (if provided)
Generating personalised workouts | Goal, equipment, training age, injuries, days per week
Logging and tracking progress | Exercises, sets, reps, weights, dates, calorie estimates
Readiness score & recovery recommendations | Sleep, resting heart rate, menstrual phase, body weight — read locally from Apple Health / Health Connect; never uploaded
Deload week detection & split cycling | Workout dates, cycle week counter
Workout history display | Workout data (stored on-device)
Social feed | Posts, likes, comments, follow relationships
Product improvement and recommendations | Anonymised, aggregated workout activity (exercise names, muscle groups, sets, reps — no health data, no body stats, no personal identifiers)
Trainer–athlete collaboration | Role, client list, shared workout history
Writing workouts to Apple Health / Health Connect | Workout start/end time, activity type, calorie estimate — written to your device's health platform only
Syncing across your devices | Workout metadata, sets, social data — health platform data is excluded from sync

We do not: sell your personal information  ·  show advertisements  ·  share your data with advertisers  ·  use your data for third-party marketing  ·  use your body statistics, health sensor readings, or Apple Health / Health Connect data in any aggregate or analytics pipeline.

3. Where Your Data Is Stored

On Your Device

All workout data is stored locally in an SQLite database (via expo-sqlite) on your device. The app works fully offline. Local data is protected by your device's OS-level security (iOS sandbox + Secure Enclave encryption; Android app sandboxing).

Health platform data (sleep, heart rate, body weight, menstrual cycle, active calories) is read from Apple Health / Google Health Connect and processed entirely on-device. None of this data is written to Firebase or any remote server.

Calorie estimates are stored only in the local SQLite database and are never uploaded to Firebase.

Firebase Cloud (Google)

When you are signed in, your data is synced to Google Firebase (Firestore + Firebase Authentication). Firebase is operated by Google LLC under Google's privacy policy.

Firebase servers are located primarily in the United States. If you are outside the US, your data is transferred under Google's data-transfer safeguards (including Standard Contractual Clauses where applicable).

Exercise Data Source

Exercise names and metadata are sourced from the open-source free-exercise-db project. No personal data is sent to this service. This is a read-only, anonymous data source.

4. Data Sharing

We do not sell, rent, or share your personal data with third parties, except:

  • Firebase/Google — as the infrastructure provider described above.
  • Other users you interact with — your display name and posts you explicitly share are visible to other Rep users in the social feed. Likes and comments are attributed to your display name.
  • Your trainer — if you add a trainer (or are added as a client), that trainer can view your recent workout history in-app. You can remove a trainer at any time.
  • Legal requirements — if required by law, court order, or to protect the rights, property, or safety of users or the public.

5. Your Rights and Choices

Access and Correction

You can view and edit your display name, body stats, training goal, equipment, injuries, and split preferences directly from the Profile and Settings screens.

Analytics Opt-Out

You can opt out of anonymised analytics at any time from the app's Settings screen under "Privacy". Opting out prevents your workout activity from being included in aggregate product improvement analysis. Your core workout tracking and social features are not affected.

Account and Data Deletion

You can delete your account at any time from the Profile screen. This permanently deletes:

  • Your Firebase Authentication account.
  • All Firestore data (posts, likes, comments, follow relationships, trainer connections).
  • The local SQLite database on your device.

Deletion is permanent and cannot be undone. Residual copies in Firebase automated backups are purged within 30 days.

If you cannot delete your account in-app, email rep.app.dev@gmail.com and we will complete deletion within 30 days.

California Residents (CCPA)

California residents may request to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. Contact rep.app.dev@gmail.com to exercise your rights.

European Residents (GDPR)

If you are in the EEA, UK, or Switzerland, you have rights under the GDPR including: access, rectification, erasure, restriction, objection, and data portability. Our lawful basis for processing is contract performance and legitimate interests. Contact rep.app.dev@gmail.com to exercise these rights.

6. Data Retention

We retain your data for as long as your account is active. When you delete your account, all associated data is deleted as described in Section 5.3. We do not retain data after deletion, except as may remain in automated backups (cleared within 30 days) or as required by law.

7. Data Security

  • Authentication is managed by Firebase Authentication (protections against credential stuffing and brute-force).
  • Data in transit is encrypted via HTTPS/TLS.
  • Data at rest in Firestore is encrypted by Google (AES-256).
  • Local on-device data is protected by OS sandboxing and device encryption.

No method of transmission over the internet is 100% secure. We take commercially reasonable steps to protect your data but cannot guarantee absolute security.

8. Children's Privacy

Rep is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe your child has provided us with personal data, contact us at rep.app.dev@gmail.com and we will delete that information promptly in compliance with COPPA.

Users aged 13–17 should review this policy with a parent or guardian before creating an account.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last Updated" date above and display an in-app notice (or notify you by email) before the changes take effect. Continued use of the app after an update constitutes acceptance of the revised policy. If you disagree, you may delete your account before the changes take effect.

10. Contact Us

Questions, concerns, or data requests?

We'll respond within 30 days. Send from the email linked to your account.