Privacy Policy

1. Data We Collect

• Account data: email, name, profile picture (optional)
• Workout data: exercises, sets, weights, reps, duration, dates
• Health data (special category, GDPR Art. 9): sleep hours, heart rate, HRV, stress level, body weight, wellbeing (mood, energy, soreness)
• Menstrual data: cycle day (manually entered, stored only on device, never sent to server)
• Device data: push notification tokens, user agent

2. Legal Basis for Processing

• Explicit consent (GDPR Art. 9(2)(a)): processing health data including sleep, HRV, stress, menstrual cycle — for recovery calculation and AI recommendations
• Performance of contract (GDPR Art. 6(1)(b)): core functionality — storing workouts, statistics, templates
• Legitimate interest (GDPR Art. 6(1)(f)): service security, abuse prevention, analytics

3. How We Use Your Data

• Workout tracking, statistics, and AI recommendations
• Recovery Budget score calculation
• Push notifications (workout assignments, smart tips)
• Trainer features (assigning workouts, tracking progress)
• Social features (friend feed, comments — only if public profile is enabled)

4. AI Data Processing

For AI recommendations, workout parsing, and image OCR we use a tiered LLM provider chain that selects the available provider at request time. Only anonymized workout data is transmitted (no email or name). None of the providers train on your data.

• Groq (Llama 3.3 70B) — primary text provider, US
• Google AI (Gemini Flash) — vision (image OCR) + text fallback, US/EU
• Abacus AI — last-resort fallback, US

5. Data Retention Periods

• Workouts and templates: while account is active
• Health data (sleep, HRV, stress, weight, wellbeing): 2 years from date of entry
• Account data: while account is active + 30 days after deletion
• Consent records: 5 years from granting (for legal accountability)

6. Data Storage & Security

Your data is stored in a PostgreSQL database hosted on Supabase (AWS eu-central-1, Frankfurt) with Row Level Security (RLS) enabled on every table. All API routes require authentication. Passwords are hashed with bcrypt. All connections use HTTPS.

7. International Data Transfers

Your data is processed on servers in the European Union and the United States:

• Supabase (database) — AWS eu-central-1 (Frankfurt)
• Railway (application hosting) — US
• Groq (text AI) — US
• Google AI (vision AI) — US/EU
• Abacus AI (AI fallback) — US
• Resend (email) — US
• Paddle.com Market Limited (payments, Merchant of Record) — Ireland / UK

Data transfers from the EEA to the US are conducted under Standard Contractual Clauses (SCC) in accordance with GDPR Art. 46.

8. Third-Party Services

• Supabase — database hosting
• Railway — application hosting
• Resend — email delivery (verification + transactional emails)
• Groq / Google AI / Abacus AI — AI workout analysis (anonymized data)
• Paddle.com Market Limited — subscription billing as Merchant of Record (receives billing email, IP address, payment instrument metadata; does not return card numbers to us)
• Google / Yandex — OAuth login (optional)
• Upstash — rate-limit counters (per-user request counts; no payload data)

9. Data Sharing

We do not sell your personal data. Workout data is shared only:

• With your trainer (if you accept a trainer-client connection)
• With friends (if you enable public profile and workout sharing)
• With AI services (anonymized, for workout analysis)

10. Your Rights (GDPR)

You have the right to:

• Access (Art. 15): request a copy of all your data
• Rectification (Art. 16): correct inaccurate data
• Erasure (Art. 17): delete your account and all data
• Restriction (Art. 18): restrict processing of your data
• Portability (Art. 20): export all data in machine-readable format (JSON) via app settings
• Object (Art. 21): object to processing based on legitimate interest
• Withdraw consent (Art. 7(3)): withdraw consent to health data processing at any time
• Complaint: lodge a complaint with your country's data protection supervisory authority

11. Menstrual Data Notice

Menstrual cycle day is reproductive health data (special category, GDPR Art. 9). This data is stored exclusively on your device (browser localStorage) and is never transmitted to our servers. It is used only for client-side recovery score adjustment. You can delete it at any time by clearing your browser data or disabling cycle tracking.

12. Do Not Track

Replify does not use tracking cookies and does not track users across third-party websites. We honor the Do Not Track (DNT) signal.

13. Children's Privacy

Replify is intended for users aged 16 and older. We do not knowingly collect data from individuals under 16. If you believe a minor has provided us with data, please contact us.

14. Law Enforcement Requests

• We may disclose personal data when required by law (court order, subpoena, etc.).
• We will notify the affected user of a law enforcement request unless prohibited by law from doing so.
• We do not store menstrual cycle data on our servers — it is kept only on the user's device (localStorage) and is not available for server-side disclosure.
• We will challenge overbroad or unjustified requests.
• We maintain a log of all law enforcement requests and disclose the minimum data necessary.

15. Changes to This Policy

We may update this policy. Material changes will be communicated via email or in-app notification at least 14 days before taking effect.

16. Contact

For privacy questions: support@replify.space