Privacy Policy

Last updated: May 12, 2026

Squatly is operated by Osgiliath Labs, LLC, a Florida limited liability company with its principal office at 7901 4th St N, STE 300, St. Petersburg, FL 33702 ("we", "us", "our"). References in this document to the operator of Squatly refer to Osgiliath Labs, LLC.

The Short Version

Squatly is a strength training app operated by Osgiliath Labs, LLC. We collect only what we need to make the app work: your account info (email or social login), the workouts you log, and any progress photos you upload. If you use AI coaching, your messages and workout context are sent to our AI provider to generate responses. We store your data in the cloud so it syncs across devices, and locally on your phone so the app works offline. We do not, and never will, sell, rent, trade, or share your personal data with third parties for marketing, advertising, profiling, or any other commercial purpose. We do not run ads. If you connect Apple HealthKit, that data is used only within the app and is never sent to our servers or shared with third parties. You can export all your data or delete your account at any time from Settings.

1. Information We Collect

Account Information

When you create a Squatly account, we collect:

  • Email address (for email/password sign-up)
  • Name and email from your Apple ID or Google account (if you use social sign-in)
  • A unique user identifier generated by our authentication system

Workout Data

We collect the training data you enter in the app, including exercises, sets, reps, weight, RPE (rate of perceived exertion), workout notes, and timestamps. This data is stored locally on your device and synced to the cloud so you can access it across devices.

Progress Photos

If you choose to upload progress photos, they are stored securely in AWS S3. Photos are associated with your account and are not shared with other users or third parties.

Apple HealthKit Data

If you grant permission, the app reads workout data and body weight from Apple HealthKit, and writes completed workouts and body weight entries back to HealthKit. See Section 3 for our full HealthKit policy.

AI Coaching Conversations

When you use the AI coaching feature, we collect the messages you send and the AI responses you receive. Your recent workout history may be included as context to personalize coaching responses.

Device and Technical Data

We collect minimal technical information necessary for the app to function, including device type, operating system version, and push notification tokens (if you enable notifications). We do not collect browsing history, advertising identifiers, or precise location data.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Squatly app
  • Sync your workout data across your devices
  • Authenticate your identity and secure your account
  • Power AI coaching features by sending your messages and workout context to our AI provider
  • Send push notifications for workout reminders and coaching alerts (with your permission)
  • Process subscription purchases through the Apple App Store (via RevenueCat)
  • Respond to support requests
  • Comply with legal obligations

We do not, and never will, sell, rent, trade, or otherwise share your personal information with third parties for marketing, advertising, profiling, or any commercial purpose. We do not serve advertisements. The third-party services listed in Section 5 act as service providers, processing data only on our behalf and only to deliver the app's functionality.

3. Apple HealthKit Data

Squatly integrates with Apple HealthKit to enhance your training experience. This integration requires your explicit permission and can be revoked at any time in your device settings.

What We Read

  • Workout data (to display training from other apps)
  • Body weight measurements (to track progress over time)

What We Write

  • Completed workout sessions logged in Squatly
  • Body weight entries recorded in Squatly

HealthKit Data Policy

In accordance with Apple's HealthKit requirements:

  • HealthKit data is used only within the app to display your health and fitness information
  • HealthKit data is never transmitted to Squatly's servers, third-party services, or cloud storage
  • We will not use HealthKit data for advertising or similar services, or disclose HealthKit data to third parties for advertising, marketing, or other use-based data mining purposes other than improving health, medical, and fitness management, or for the purpose of medical research
  • HealthKit data is stored only on your device in the app's local database

4. AI Coaching & LLM Processing

Squatly offers AI-powered coaching through a conversational interface. When you use this feature:

  • Your messages are sent to our backend server (hosted on AWS) and forwarded to Anthropic, our large language model (LLM) provider, to generate coaching responses
  • To provide personalized advice, we include relevant workout history as context alongside your messages
  • Anthropic processes this data under their usage policies. Per Anthropic's API terms, data sent through their API is not used to train their models
  • AI coaching conversations are stored in your account so you can reference them later
  • You can delete individual conversations, or delete all coaching data by deleting your account

AI coaching responses are for informational purposes only and do not constitute medical, fitness, or health advice. Always consult a qualified professional before making changes to your training program.

5. Third-Party Services

We rely on a limited number of third-party services to operate Squatly:

AWS (Amazon Web Services)

We use AWS as our cloud provider for authentication, data storage, file storage, and backend hosting. Your data is processed and stored in AWS data centers in the United States.

RevenueCat

We use RevenueCat to manage subscriptions purchased through the Apple App Store. RevenueCat receives a user identifier and subscription status. Squatly does not process or store payment card information directly — all payments are handled by Apple through the App Store.

Anthropic

We use Anthropic's Claude API to power AI coaching features. Messages you send to the AI coach, along with relevant workout context, are transmitted to Anthropic for processing. See Section 4 above for details.

Expo Push Notifications

We use Expo's push notification service to deliver workout reminders and coaching alerts. This requires storing a device push token associated with your account. You can disable notifications at any time in your device settings.

Sentry

We use Sentry for crash and error reporting. When the app encounters a crash or unhandled error, Sentry receives diagnostic information including the stack trace, error message, breadcrumbs of recent app activity (such as recent screens visited and network request paths), device model, operating system version, app version, and a Sentry-generated anonymous identifier used to group related events. Before any diagnostic payload leaves the device, we run it through a scrubber that redacts recognized email addresses, UUIDs (account identifiers), JWTs, and Bearer / Basic authorization tokens — replacing them with placeholders such as [REDACTED:EMAIL]. We do not enable Sentry's IP-address collection. Sentry data is used solely to detect and fix bugs; it is not used for advertising or behavioral profiling.

6. Data Storage & Security

Squatly uses an offline-first architecture. Your workout data is stored locally on your device in a SQLite database and synced to the cloud (AWS) when a network connection is available. This means the app works fully offline, and your data is backed up in the cloud.

We protect your data by:

  • Using HTTPS/TLS encryption for all data in transit
  • Encrypting data at rest in AWS services
  • Using industry-standard token-based authentication
  • Implementing row-level access controls so users can only access their own data
  • Storing progress photos in private cloud storage accessible only to the owning user

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

If we become aware of a security breach affecting your personal data, we will notify you and the relevant supervisory authorities without undue delay, in accordance with applicable data-protection laws (including, where applicable, GDPR Articles 33–34, UK GDPR, and U.S. state breach-notification laws).

7. Data Retention

We retain your account data, workout history, and coaching conversations for as long as your account is active. When you delete your account:

  • All cloud data (workout history, progress photos, AI conversations, account information) is permanently deleted from our servers
  • Local app data on your device — including any cached HealthKit-derived rows in the app's local database — is cleared from active use and remains only as inert files until you uninstall the app
  • Deletion is processed within 30 days, though some data may persist in encrypted backups for up to 90 days before automatic expiration

8. Your Rights

You have the following rights regarding your personal data:

Access Your Data

You can view all your workout data, progress photos, and account information directly within the app at any time.

Export Your Data

You can export your complete workout history in JSON or CSV format from the app's Settings. This gives you a portable copy of all your training data.

Delete Your Account

You can permanently delete your account and all associated cloud data from Settings within the app. This action is irreversible and removes your workout history, progress photos, AI coaching conversations, and account information from our servers.

Manage Permissions

You can revoke HealthKit access, push notification permissions, and photo library access at any time through your device's Settings app.

9. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights.

Categories of Personal Information We Collect

Using the categories defined in California Civil Code §1798.140, we collect the following:

  • Identifiers — email address, name (from social sign-in), unique account identifier, push notification tokens
  • Customer Records — your account information
  • Commercial Information — subscription status (records of purchases through the Apple App Store)
  • Internet or Network Activity — minimal device and app diagnostic information; crash and error reports
  • Other (Health & Fitness Information) — workout data you log, body weight, optional progress photos, AI coaching messages

Categories of Personal Information We Do NOT Collect

Biometric identifiers; precise geolocation; audio, electronic, visual, thermal, olfactory, or similar information (other than progress photos you choose to upload); professional, employment, or education information; inferences drawn for behavioral profiling; advertising identifiers (IDFA / GAID).

Your CCPA Rights

  • Right to Know — You may request details about the categories and specific pieces of personal information we have collected about you
  • Right to Delete — You may request deletion of your personal information, which you can do directly from Settings in the app
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights
  • No Sale or Sharing of Personal Information — We do not sell or share, have never sold or shared, and will never sell or share your personal information for cross-context behavioral advertising, as those terms are defined by the CCPA/CPRA. We have not sold or shared personal information in the preceding 12 months and have no intention of doing so. The third-party services listed in Section 5 are bound by service-provider obligations that prohibit using your data for any purpose other than providing the app's functionality

Squatly does not engage in cross-context behavioral advertising and does not "sell" or "share" personal information as those terms are defined by the CCPA/CPRA. Because we do not engage in those practices, the Global Privacy Control (GPC) browser signal and similar opt-out preferences have no effect on our processing — we already operate in the manner those signals request. We honor any such signals automatically by default.

To exercise your CCPA rights, contact us at privacy@squatly.app. We will verify your identity before processing any request.

10. European & UK Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation and UK GDPR provide you with the following rights:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Ask us to correct inaccurate or incomplete data
  • Erasure — Request deletion of your data (also available directly from Settings in the app)
  • Restriction — Ask us to limit how we process your data
  • Portability — Receive your data in a structured, machine-readable format (use the Export feature in Settings)
  • Objection — Object to processing based on legitimate interests
  • Withdraw Consent — Where processing is based on your consent (such as HealthKit access or push notifications), you may withdraw that consent at any time through your device settings
  • Lodge a Complaint — File a complaint with your local data protection authority

Data Controller

The data controller for personal data processed by Squatly is Osgiliath Labs, LLC, a Florida limited liability company. You can contact the controller at privacy@squatly.app. A postal address is available on request from the same email.

Legal Bases for Processing

  • Performance of a contract — Account creation, workout sync, subscription management, AI coaching responses
  • Consent — HealthKit access, push notifications, photo library access
  • Legitimate interests — Crash and error reporting (Sentry), securing the service against abuse, rate limiting
  • Legal obligations — Compliance with applicable laws and lawful requests

International Data Transfers

Squatly's servers and the third-party services listed in Section 5 are located in the United States. When you use the app from outside the United States, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses or equivalent safeguards offered by AWS, Anthropic, RevenueCat, Expo, and Sentry to provide an adequate level of protection for international transfers.

To exercise any of your rights, contact us at privacy@squatly.app. We will respond within 30 days.

11. Children's Privacy

Squatly is intended for users aged 16 and older. We do not knowingly collect personal information from anyone under the age of 16, and accounts are not offered to users under 16.

If we become aware that we have collected personal information from a user under 16, we will take steps to delete that information promptly. If you believe a user under 16 has provided us with personal information, please contact us at privacy@squatly.app.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will notify you through the app or via email. We encourage you to review this policy periodically.

Your continued use of Squatly after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy, your data, or your privacy rights, contact us at:

We aim to respond to all privacy-related inquiries within 30 days.