Privacy Policy.

• Account creation. Your email address (used for magic-link sign-in) and the Group invite code you enter at signup.
• Profile.Display name, date of birth, sex (male/female — required for the "DOTS" strength coefficient used in leaderboards), pledge class, crossing date, line name, bio, and optional profile photo.
• Training data. Bodyweight entries (stored in kilograms, displayed in your unit preference), unit preference, and your default workout audience (chapter-only, all groups, or private).
• Workout content. Exercises, sets (weight, reps, RPE, tempo, warmup flag), per-workout notes, photos you attach to workouts, progress photos (with optional bodyweight and caption), and workout start/end times.
• Social content. Kudos, comments, mentions, and journal entries.
• Coach Chat. Messages you send to our AI coach and the resulting conversation history.
• Gym equipment photos.Optional photos you submit to the "Identify machine" feature.

• Authentication. Short-lived session tokens issued by Supabase Auth (1-hour expiry, refresh rotation enabled). No passwords are ever stored — we use magic-link sign-in.
• Device and browser. Standard server logs (IP address, user-agent, request paths, error stack traces) used to operate the Service, debug issues, and detect abuse.
• Usage analytics. Page-view counts and performance timings via Vercel Analytics and Vercel Speed Insights. These are cookie-less and sampled.
• Approximate location (only if you opt in).If you enable the optional "GPS auto-stop" feature, your browser will share your location with the Service so we can detect when you leave your registered gym and auto-end a workout. Your coordinates are processed in real time and only the auto-stop event is stored — we do not log or retain your raw GPS coordinates. You can disable this at any time in profile settings.

• Anthropic returns text completions from Claude models in response to your Coach Chat messages or post-workout summary requests.
• Googlereturns structured results from Gemini in response to a gym equipment photo you submit. Returned fields (machine class, confidence, OCR'd placard text, candidate exercises) are stored against your machine-observation record.

Both providers act as data processors on our written instructions and do not receive your account identity — only the minimum data needed for the request.

• Government identifiers, payment cards (we accept no payments), Social Security numbers.
• Racial or ethnic origin, religion, immigration status, citizenship, union membership, sexual orientation, genetic data, or biometric identifiers (e.g., facial recognition templates).
• Precise GPS coordinates, except as described in § 2.2 if you opt in.
• Advertising-tracking data, cross-site cookies, fingerprinting signatures, or third-party ad pixels.

By default, your workouts, photos, comments, and kudos are visible only to members of the same Group as you. You can set any workout's audience to private (only you), chapter-only (default for chapters), or all groups you belong to. You can change a workout's audience at any time after posting.

Your profile (display name, photo, line name, bio, pledge class) is visible to members of any Group you share with another user.

We share personal data with the following independent third parties so they can perform contracted services for us. They are bound by data-processing agreements and may only use your data on our written instructions:

• Supabase, Inc. — managed PostgreSQL database, authentication, and file storage. Receives: all account data, user content, files. Location: United States (us-east-1).
• Vercel, Inc. — web hosting, analytics, and speed insights. Receives: request logs, performance metrics, served content. Location: United States.
• Anthropic, PBC — Claude AI for Coach Chat and post-workout summaries. Receives: chat messages, recent conversation context, and the workout data we attach when summarizing. Location: United States.
• Google LLC— Gemini AI for gym equipment identification and exercise research. Receives: equipment photo bytes, OCR'd placard text, exercise-name query strings. Location: United States.
• PostHog, Inc. — product analytics and session replay so we can fix bugs and improve features during the closed beta. Receives: pageviews, click events, form interactions, and anonymized session recordings (text inputs marked sensitive are masked at capture time). Receives your user ID once you sign in. Does not receive your chat messages, comment bodies, progress-photo captions, or bodyweight numbers. Location: United States.
• Functional Software, Inc. (Sentry) — error monitoring and performance tracing. Receives: stack traces, request metadata, and brief session replays anchored to error events (text and input contents are masked by default). Receives your user ID once you sign in, attached to the error report so we can ask you what you were doing when it crashed. Does notreceive your chat messages, comment bodies, progress-photo captions, or bodyweight numbers. Location: United States.

We will update this list when we add or change a subprocessor and will revise the "Last updated" date at the top of this Policy.

We may disclose your data in response to a valid subpoena, court order, or other lawful request, or where we believe disclosure is necessary to (a) comply with applicable law, (b) protect the safety of any person, or (c) defend Lifts against legal claims. We will challenge requests we believe to be overbroad and, where permitted by law, will notify the affected user before disclosure.

If Lifts is acquired, merged, or transferred to a successor, your personal data may transfer too, subject to the same protections described in this Policy. We will notify you at least 30 days before any such transfer takes effect and give you a chance to delete your account first.

For any other disclosure, we will ask you first.

The Coach Chat feature, post-workout summaries, the contextual nudges shown on your dashboard, and the Identify machine feature in workout logging are powered by AI. When you use these you are interacting with an automated system, not a human. The system may produce output that is inaccurate, incomplete, fabricated, or out of date and is not a substitute for professional advice.

• Coach Chat: your message, the recent conversation history (turn-limited), and a system prompt with general training principles. We do not send your full account history, real name, email address, photos, or workout database.
• Post-workout summaries: the exercises and sets you logged in that workout. We do not send workout photos.
• Identify machine: the image bytes you upload and any placard text the model extracts. We do not send your account identity.
• Exercise draft / research: the exercise name or placard text. We do not send your profile.

• Coach Chat messages and AI responses persist in your account under Coach until you delete them. You can wipe your full chat history from in-app settings.
• AI invocation metadata (provider, model, token counts, latency, cost in USD, success flag) is logged for cost monitoring and abuse detection. These logs are tied to your user ID but do not contain message contents.
• Gym equipment photos are stored in a private bucket scoped to your user; you can delete them from your machine-observation history.

We have contracted with our AI providers in a way that prohibits them from using your data to train their foundation models. We do not train any AI on your data.

AI output should not be treated as medical, nutritional, biomechanical, or legal advice. The "Identify machine" feature may misclassify equipment — verify any suggested exercise before logging it. We rate-limit AI requests per user and per IP and may suspend AI features in response to abuse, cost anomalies, or provider outages.

We use a small number of cookies and similar entries to:

• Keep you signed in (Supabase session tokens).
• Remember your theme preference and unit preference.
• Remember whether you've dismissed the install-PWA prompt.

We do not use advertising cookies, cross-site tracking cookies, or behavioral-profiling cookies.

Vercel Analytics and Vercel Speed Insights collect page-view counts and performance timings without setting tracking cookies; events are anonymized and sampled. Aggregated metrics let us understand which features are used and where the app is slow.

We respect the Global Privacy Control browser signal. Because we do not sell or share personal data, sending a GPC signal will result in no change of behavior — but we honor it as a signal that you've expressed an opt-out preference and treat it as a valid request under the CCPA, TDPSA, and other US state privacy laws that recognize universal opt-out mechanisms.

We verify rights requests by requiring you to make the request from the email address tied to your account, or by validating your active session. We do not request additional personal information for verification beyond what we already hold.

You have rights to:

• Know what we collect and how we use it.
• Delete personal information we hold about you.
• Correct inaccurate personal information.
• Opt out of sale or sharing for cross-context advertising.
• Limit the use and disclosure of sensitive personal information.
• Receive a portable copy of your data.
• Not be discriminated against for exercising these rights.

We do not sell or share your personal informationand we do not use sensitive personal information beyond the purposes that are necessary to provide the Service you requested. For that reason, we do not currently display a "Do Not Sell or Share My Personal Information" link or a "Limit the Use of My Sensitive Personal Information" link. If our practices change, we will add those links.

To exercise CCPA rights, email privacy@lifts.app or use the in-app deletion control. An authorized agent may submit a request on your behalf with documented authorization; we will verify the agent's authority and your identity.

You have the right to: confirm processing and access; correct; delete; obtain a portable copy; and opt out of (1) targeted advertising, (2) sale of personal data, and (3) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in any of (1)–(3). To exercise these rights, email privacy@lifts.app.

If we deny a request, you may appeal by emailing privacy@lifts.app with the subject line "Appeal." If your appeal is denied, you may contact the Texas Attorney General at https://oag.my.site.com/CPDivisionContactUs/s/datasecurity.

You have rights substantially similar to those described above under the Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Oregon OCPA, Montana MCDPA, and other applicable US state privacy laws. Email privacy@lifts.app to exercise these rights and follow the same appeal process as for Texas.

Lifts is operated from the United States and is not directed to the European Economic Area, the United Kingdom, or Switzerland. If you nevertheless use the Service from one of these regions, the legal bases for our processing are: your consent (which you may withdraw by deleting your account), performance of a contract with you (operating the Service for you), and our legitimate interests in security and abuse prevention. Standard contractual clauses or equivalent transfer mechanisms apply to transfers to the United States. To exercise GDPR rights, email privacy@lifts.app.

We process a small number of categories that may qualify as "sensitive personal information" under the CCPA and similar laws — most notably:

• Precise geolocation, only if you enable the optional GPS-auto-stop feature, and only for the duration of an active workout.
• Health-related data: your bodyweight, workout intensity (RPE), and exercise volume.

We use this data only to provide the Service you requested. We do not use it to infer characteristics about you, to make decisions that produce legal or similarly significant effects, or for any purpose beyond operating the Service.

• All Service traffic is encrypted in transit (TLS 1.2+).
• Data at rest in Supabase is encrypted (AES-256, per Supabase security documentation).
• Row-level security policies enforce that each user can read or write only the data they're authorized to see.
• The privileged "service" key that can bypass row-level security is restricted to a small set of server-side modules, enforced at the linter level and audited in code review.
• Authentication is magic-link only — we never store passwords.
• We rate-limit signup attempts, AI requests, and group-code lookups.
• All administrative actions are logged to an audit table.

Use a strong, unique password on the email account associated with your Lifts account (it is effectively your Lifts credential, since magic-link emails grant sign-in). Don't share screenshots of magic-link URLs. Sign out on shared devices.

Despite our practices, no system is 100% secure. If you discover a vulnerability, please email security@lifts.app. We will acknowledge within 72 hours and will not pursue legal action against good-faith researchers who follow coordinated-disclosure norms.