Privacy Policy

Last updated: July 2, 2026

Squatly is operated by Osgiliath Labs, LLC, a Florida limited liability company with its principal office at 7901 4th St N, STE 300, St. Petersburg, FL 33702 ("we", "us", "our"). References in this document to the operator of Squatly refer to Osgiliath Labs, LLC.

1. Information We Collect

Account Information

When you create a Squatly account, we collect:

  • Email address (for email/password sign-up)
  • Name and email from your Apple ID or Google account (if you use social sign-in)
  • A unique user identifier generated by our authentication system

Workout Data

We collect the training data you enter in the app, including exercises, sets, reps, weight, RPE (rate of perceived exertion), workout notes, and timestamps. This data is stored locally on your device and synced to the cloud so you can access it across devices.

Progress Photos

If you choose to upload progress photos, they are stored securely in AWS S3. Photos are associated with your account and are not shared with other users or third parties.

Apple HealthKit Data

If you grant permission, the app reads workout data and body weight from Apple HealthKit, and writes completed workouts and body weight entries back to HealthKit. See Section 3 for our full HealthKit policy.

AI Coaching Conversations

When you use the AI coaching feature, we collect the messages you send and the AI responses you receive. Your recent workout history may be included as context to personalize coaching responses.

Device and Technical Data

We collect minimal technical information necessary for the app to function, including device type, operating system version, and push notification tokens (if you enable notifications). We do not collect browsing history or precise location data.

Advertising Identifier (IDFA) & Attribution Data

If you grant permission through Apple's App Tracking Transparency prompt, we collect your device's advertising identifier (IDFA) and basic install/attribution data and share them with our mobile measurement partner (AppsFlyer) and the advertising networks we use (Meta, TikTok, Google) so we can measure which ad or link brought you to Squatly. If you decline, or have not been prompted, no IDFA is collected and we rely on Apple's privacy-preserving SKAdNetwork only. Users on a European Economic Area, United Kingdom, or Swiss App Store storefront are never asked and are never tracked this way. App Tracking Transparency is the iOS mechanism for accessing the IDFA; it is not, by itself, the legal basis for the processing. See Section 9 and Section 5.

Product Usage Data

To understand how the app and our website (squatly.app) are used so we can improve them, we collect pseudonymous usage events: which screens you view and a defined set of in-app actions (for example, starting a workout, viewing the subscription screen, or completing onboarding), along with your app version and device type. On the website, this covers page views and interactions such as tapping a download link, collected without cookies or any identifier stored in your browser. We deliberately do not capture the content you view or enter — the text of your workouts, measurements, coaching messages, or your email is never collected as analytics data. This data is used only in aggregate, never for advertising or cross-app tracking. See Section 5 (PostHog) for details.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Squatly app
  • Sync your workout data across your devices
  • Authenticate your identity and secure your account
  • Power AI coaching features by sending your messages and workout context to our AI provider
  • Send push notifications for workout reminders and coaching alerts (with your permission)
  • Process subscription purchases through the Apple App Store (via RevenueCat)
  • Understand, in aggregate, how features are used so we can improve the app (via pseudonymous product analytics)
  • Respond to support requests
  • Comply with legal obligations

We do not sell your personal information, and we do not serve advertisements inside the app. Most of the third-party services listed in Section 5 act as our service providers, processing data only on our behalf to deliver the app's functionality. The exception is our advertising-measurement stack: if you opt in to tracking on iOS, we share your device advertising identifier (IDFA) and install/conversion signals with AppsFlyer and the ad networks (Meta, TikTok, Google) so those networks can measure and optimize the campaigns that brought users to Squatly. For that specific purpose those networks act as independent third parties, not service providers. You can decline on the iOS prompt or turn it off later in Settings; see Section 9 for your opt-out rights.

3. Apple HealthKit Data

Squatly integrates with Apple HealthKit to enhance your training experience. This integration requires your explicit permission and can be revoked at any time in your device settings.

What We Read

  • Workout data (to display training from other apps)
  • Body weight measurements (to track progress over time)

What We Write

  • Completed workout sessions logged in Squatly
  • Body weight entries recorded in Squatly

HealthKit Data Policy

In accordance with Apple's HealthKit requirements:

  • HealthKit data is used only within the app to display your health and fitness information
  • HealthKit data is never transmitted to Squatly's servers, third-party services, or cloud storage
  • We will not use HealthKit data for advertising or similar services, or disclose HealthKit data to third parties for advertising, marketing, or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research
  • HealthKit data is stored only on your device in the app's local database

4. AI Coaching & LLM Processing

Squatly offers AI-powered coaching through a conversational interface. When you use this feature:

  • Your messages are sent to our backend server (hosted on AWS) and forwarded to third-party AI providers (Fireworks AI and Cerebras) to generate coaching responses
  • To provide personalized advice, we include relevant training data as context alongside your messages — your workouts, sets, reps, personal records, goals, equipment, and training metrics
  • We do not send your name, email address, account ID, or device identifier to these providers. Anything you choose to type in chat is sent as written
  • These providers process this data only to return a response and do not use it to train or improve their AI models, per their published privacy policies. Data is encrypted in transit and at rest
  • We may change or add AI providers over time; this policy will be updated to reflect the current providers
  • AI coaching conversations are stored in your account so you can reference them later
  • You can delete individual conversations or all coaching data by deleting your account

AI coaching responses are for informational purposes only and do not constitute medical, fitness, or health advice. Always consult a qualified professional before making changes to your training program.

5. Third-Party Services

We rely on a limited number of third-party services to operate Squatly:

AWS (Amazon Web Services)

We use AWS as our cloud provider for authentication, data storage, file storage, and backend hosting. Your data is processed and stored in AWS data centers in the United States.

RevenueCat

We use RevenueCat to manage subscriptions purchased through the Apple App Store. RevenueCat receives a user identifier and subscription status. Squatly does not process or store payment card information directly — all payments are handled by Apple through the App Store.

AI Providers (Fireworks AI & Cerebras)

We currently use Fireworks AI and Cerebras as our AI inference providers to power AI coaching features. Messages you send to the AI coach, along with relevant training data, are transmitted to these third-party AI providers to generate a response. We do not send your name, email address, account ID, or device identifier to these providers. Per Fireworks AI's privacy policy, prompts and API inputs are not used to train or improve their AI models, and Fireworks does not store prompt or generation content for the open models we use. Per Cerebras' privacy policy and terms of use, inputs and outputs sent to its inference service are not retained and are not used to train or fine-tune models. Data is encrypted in transit and at rest. We may change or add AI providers over time; this policy will be updated to reflect the current providers. See Section 4 above for details.

Expo Push Notifications

We use Expo's push notification service to deliver workout reminders and coaching alerts. This requires storing a device push token associated with your account. You can disable notifications at any time in your device settings.

Sentry

We use Sentry for crash and error reporting. When the app encounters a crash or unhandled error, Sentry receives diagnostic information including the stack trace, error message, breadcrumbs of recent app activity (such as recent screens visited and network request paths), device model, operating system version, app version, and a Sentry-generated anonymous identifier used to group related events. Before any diagnostic payload leaves the device, we run it through a scrubber that redacts recognized email addresses, UUIDs (account identifiers), JWTs, and Bearer / Basic authorization tokens — replacing them with placeholders such as [REDACTED:EMAIL]. We do not enable Sentry's IP-address collection. Sentry data is used solely to detect and fix bugs; it is not used for advertising or behavioral profiling.

PostHog

We use PostHog (United States region) for product analytics — understanding how the app and our website at squatly.app are used so we can improve them. PostHog receives pseudonymous usage events: which screens you view and a defined set of in-app actions (such as starting a workout, viewing the subscription screen, or completing onboarding), together with your app version, device type, and the account identifier described above. We deliberately do not capture the content you view or enter — automatic capture of on-screen text is disabled, so your workouts, body measurements, coaching messages, and email are never sent to PostHog. On the website, PostHog runs in a cookieless mode: it does not set cookies or store identifiers in your browser, and website analytics are likewise aggregate-only. We use this data only in aggregate to measure engagement and improve features. PostHog data specifically is not used for advertising, and we do not link it to other companies' apps or websites, so the PostHog data on its own does not constitute "tracking" under Apple's App Tracking Transparency framework. (Our separate advertising-measurement stack — AppsFlyer and the ad networks below — is what relies on the ATT prompt; see that entry.)

AppsFlyer, Meta, TikTok & Google (advertising measurement)

To measure and improve our paid marketing, we use AppsFlyer as our mobile measurement partner and run campaigns on Meta, TikTok, and Google. If you opt in through Apple's App Tracking Transparency prompt, AppsFlyer receives your device advertising identifier (IDFA) and install/conversion events, and shares attribution and conversion signals with those ad networks so they can measure and optimize the campaigns that brought users to Squatly. For this purpose, those networks act as independent third parties (not service providers), and this is "sharing" for cross-context behavioral advertising under California law. We send our partners only the advertising identifier and standard attribution/conversion signals — never your workouts, body measurements, coaching messages, email, or name. Subscription revenue is reported to AppsFlyer only via RevenueCat's server-to-server integration. If you decline the prompt — or are on a European Economic Area, United Kingdom, or Swiss App Store storefront, where we never show it — no IDFA is collected and we use only Apple's privacy-preserving SKAdNetwork. You can change your choice anytime in your device's tracking settings.

6. Data Storage & Security

Squatly uses an offline-first architecture. Your workout data is stored locally on your device in a SQLite database and synced to the cloud (AWS) when a network connection is available. This means the app works fully offline, and your data is backed up in the cloud.

We protect your data by:

  • Using HTTPS/TLS encryption for all data in transit
  • Encrypting data at rest in AWS services
  • Using industry-standard token-based authentication
  • Implementing row-level access controls so users can only access their own data
  • Storing progress photos in private cloud storage accessible only to the owning user

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

If we become aware of a security breach affecting your personal data, we will notify you and the relevant supervisory authorities without undue delay, in accordance with applicable data-protection laws (including, where applicable, GDPR Articles 33–34, UK GDPR, and U.S. state breach-notification laws).

7. Data Retention

We retain your account data, workout history, and coaching conversations for as long as your account is active. When you delete your account:

  • All cloud data (workout history, progress photos, AI conversations, account information) is permanently deleted from our servers
  • Local app data on your device — including any cached HealthKit-derived rows in the app's local database — is cleared from active use and remains only as inert files until you uninstall the app
  • Deletion is processed within 30 days, though some data may persist in encrypted backups for up to 90 days before automatic expiration

8. Your Rights

You have the following rights regarding your personal data:

Access Your Data

You can view all your workout data, progress photos, and account information directly within the app at any time.

Export Your Data

You can export your complete workout history in JSON or CSV format from the app's Settings. This gives you a portable copy of all your training data.

Delete Your Account

You can permanently delete your account and all associated cloud data from Settings within the app. This action is irreversible and removes your workout history, progress photos, AI coaching conversations, and account information from our servers.

Manage Permissions

You can revoke HealthKit access, push notification permissions, and photo library access at any time through your device's Settings app.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights.

Categories of Personal Information We Collect

Using the categories defined in California Civil Code §1798.140, we collect the following:

  • Identifiers — email address, name (from social sign-in), unique account identifier, push notification tokens
  • Customer Records — your account information
  • Commercial Information — subscription status (records of purchases through the Apple App Store)
  • Internet or Network Activity — minimal device and app diagnostic information; crash and error reports; pseudonymous product-analytics usage events (screen views and defined in-app actions); and, if you opt in to tracking on iOS, your device advertising identifier (IDFA) and install/conversion attribution data
  • Other (Health & Fitness Information) — workout data you log, body weight, optional progress photos, AI coaching messages

Categories of Personal Information We Do NOT Collect

Biometric identifiers; precise geolocation; audio, electronic, visual, thermal, olfactory, or similar information (other than progress photos you choose to upload); professional, employment, or education information; inferences drawn to create a profile about you. We collect the device advertising identifier (IDFA) only if you opt in to tracking on iOS (see the Internet or Network Activity category above); we do not collect the Android advertising identifier (GAID), as Squatly is iOS-only.

Your CCPA Rights

  • Right to Know — You may request details about the categories and specific pieces of personal information we have collected about you
  • Right to Delete — You may request deletion of your personal information, which you can do directly from Settings in the app
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights
  • No Sale; Limited Sharing for Advertising Measurement — We do not, have never, and will never sell your personal information for money or other valuable consideration. We do, however, share a limited category of personal information — your device advertising identifier (IDFA) and install/conversion attribution data (Internet or Network Activity) — for cross-context behavioral advertising, as those terms are defined by the CCPA/CPRA, but only if you opt in through Apple's App Tracking Transparency prompt. This sharing is with AppsFlyer and the ad networks (Meta, TikTok, Google) described in Section 5; for that purpose those networks are independent third parties, not service providers. We do not share any other category of personal information for advertising. You can stop this sharing at any time using the Do-Not-Share / opt-out controls below.
  • Right to Opt Out of Sharing (Do Not Share) — You may opt out of the advertising-measurement sharing described above. Decline (or revoke) the iOS App Tracking Transparency prompt in your device's tracking settings, or contact us at privacy@squatly.app. Opting out does not affect your access to any part of the app.

Our only "sharing" under the CCPA/CPRA is the opt-in advertising-measurement sharing described above; we do not "sell" personal information. We treat an opt-out of tracking — including the Global Privacy Control (GPC) signal and similar browser/platform opt-out preferences, and a declined or revoked App Tracking Transparency choice — as a request to stop that sharing, and we honor it. For users who have not opted in (including all EU/EEA/UK App Store storefronts, where the prompt is never shown), no such sharing occurs in the first place.

To exercise your CCPA rights, contact us at privacy@squatly.app. We will verify your identity before processing any request.

10. European & UK Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation and UK GDPR provide you with the following rights:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Ask us to correct inaccurate or incomplete data
  • Erasure — Request deletion of your data (also available directly from Settings in the app)
  • Restriction — Ask us to limit how we process your data
  • Portability — Receive your data in a structured, machine-readable format (use the Export feature in Settings)
  • Objection — Object to processing based on legitimate interests
  • Withdraw Consent — Where processing is based on your consent (such as HealthKit access or push notifications), you may withdraw that consent at any time through your device settings
  • Lodge a Complaint — File a complaint with your local data protection authority

Data Controller

The data controller for personal data processed by Squatly is Osgiliath Labs, LLC, a Florida limited liability company. You can contact the controller at privacy@squatly.app. A postal address is available on request from the same email.

Legal Bases for Processing

  • Performance of a contract — Account creation, workout sync, subscription management, AI coaching responses
  • Consent — HealthKit access, push notifications, photo library access
  • Legitimate interests — Crash and error reporting (Sentry), product analytics to understand and improve feature usage (PostHog), securing the service against abuse, rate limiting
  • Legal obligations — Compliance with applicable laws and lawful requests

Advertising Measurement and EU/UK Users

The opt-in advertising-measurement sharing described in Section 5 (the IDFA shared with AppsFlyer and the ad networks) is not offered to users on a European Economic Area, United Kingdom, or Swiss App Store storefront: we do not show the tracking prompt to those users, we do not collect their IDFA, and we instruct AppsFlyer to treat them as subject to the GDPR without consent for data usage, so they are measured only via Apple's privacy-preserving SKAdNetwork on an anonymized basis. Apple's App Tracking Transparency prompt, where shown, is the technical mechanism for accessing the IDFA — it is not, by itself, the legal basis for any processing.

International Data Transfers

Squatly's servers and the third-party services listed in Section 5 are located in the United States. When you use the app from outside the United States, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses or equivalent safeguards offered by AWS, Fireworks AI, Cerebras, RevenueCat, Expo, Sentry, PostHog, and (for users who opt in to advertising measurement) AppsFlyer and the ad networks, to provide an adequate level of protection for international transfers.

To exercise any of your rights, contact us at privacy@squatly.app. We will respond within 30 days.

11. Children's Privacy

Squatly is intended for users aged 16 and older. We do not knowingly collect personal information from anyone under the age of 16, and accounts are not offered to users under 16.

If we become aware that we have collected personal information from a user under 16, we will take steps to delete that information promptly. If you believe a user under 16 has provided us with personal information, please contact us at privacy@squatly.app.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify you through the app or via email. We encourage you to review this policy periodically.

Your continued use of Squatly after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy, your data, or your privacy rights, contact us at:

We aim to respond to all privacy-related inquiries within 30 days.