PromptyGainz Privacy Policy

Last updated: April 30, 2026

Version: 1.0


1. Introduction

This Privacy Policy explains how PromptyGainz ("we", "us", "the app") collects, uses, stores, and protects your information when you use our mobile application. We've tried to write it in plain English. If anything is unclear, email us at support@promptygainz.com and we'll explain.

By creating an account and using PromptyGainz, you agree to the practices described here.

2. Who We Are

PromptyGainz is operated by Boliah (the "data controller" in legal terms), based in Canada. Our contact for any privacy-related question, request, or complaint is:

Email: support@promptygainz.com

We're a small team. Email is the only contact channel we offer at this stage.

3. What We Collect

We collect the following categories of information when you use the app:

Account information

  • Email address (used for sign-in and account recovery)
  • Password (stored as a hash by Supabase Auth — we never see your actual password)
  • Display name

Profile and demographics

  • Age, sex, birthday, height, current weight
  • Unit preference (imperial or metric), language, dark-mode preference

Fitness goals

  • Daily calorie target, protein/carb/fat targets, target weight, workouts per week

Nutrition logs

  • Meal entries: food items, quantities, calories, macros (protein, carbs, fat), timestamps, meal labels (breakfast/lunch/dinner/snack)

Workout logs

  • Exercise names, sets, reps, weights, muscle groups worked, timestamps, optional notes

Cardio logs

  • Cardio type (running, cycling, etc.), duration, calories burned, timestamps

Weight log

  • Daily weight measurements you record

Coach conversations

  • Your full chat history with the AI coach: messages you send, responses we return, timestamps

Voice audio (transient)

  • When you use voice input, audio is captured by your device and processed by Google's speech recognition service (cloud or on-device, depending on your device's settings). We never store the audio. Only the transcript text returned by Google reaches our servers, where it's treated as a regular chat message.

Usage data

  • Number of AI interactions per day and approximate token consumption — used internally for rate limiting (free tier: 5/day; premium: 50/day).

Diagnostic reports (only when you submit them)

  • When you tap "Report issue" inside the coach screen, we capture a snapshot of your last 10 chat messages, the app version, your operating system version, and your device model. This is sent to our backend so we can investigate the bug. You control whether and when this happens.

Special category data under GDPR

Your profile demographics (height, weight, age, sex), fitness goals, nutrition logs, workout logs, cardio logs, and weight log together constitute health-related data under Article 9 of the EU General Data Protection Regulation (GDPR). We process this data on the basis of your explicit consent, which you give by creating an account and using the app.

What we do NOT collect

For clarity:

  • No location data — we don't use GPS or IP-based geolocation tracking
  • No contacts, photos, SMS, or call logs
  • No background sensor data — we don't read heart rate, steps, or other sensor data from your phone or wearables
  • No advertising or tracking identifiers — we don't use Google Advertising ID, IDFA, or any cross-app tracking ID
  • No financial or payment information — closed testing is free; subscriptions are not yet available
  • No third-party analytics or crash reporting yet — these will be added in a future release, and we'll update this policy and notify you before they go live

4. How We Use Your Information

We use the data we collect for these purposes only:

  • Run the app's core features — log your meals, workouts, cardio, and weight; generate coaching responses; show you your dashboard, journal, and reports.
  • Personalize coaching — when you ask the coach a question, we send your last 7 days of summary data (macro totals, training volume, cardio) to the AI provider so the response is grounded in your actual history.
  • Rate limiting — track AI interaction counts per day to stay within fair-use limits and prevent abuse.
  • Debug issues you report — when you submit a diagnostic report, we use it to investigate the bug and improve the app.
  • Communicate with you — respond to support emails and account-related questions.

We do not use your data for advertising, profiling, or selling to anyone.

5. Sub-Processors

We use the following third-party services to operate PromptyGainz. Each one processes your data only as needed for the function listed.

Supabase, Inc. (US)

  • What they do: Hosts our database, authentication, and serverless functions. Stores all the categories of data listed in Section 3. Each user's data is isolated using Row-Level Security — other users cannot access yours, even at the database level.
  • Privacy policy: https://supabase.com/privacy

Anthropic, PBC (US)

  • What they do: Provides the Claude AI models (Haiku and Sonnet) that power message parsing, food/workout extraction, and coaching responses. We send your message text plus relevant context. Anthropic does not retain or train on API customer data per their commercial terms.
  • Privacy policy: https://www.anthropic.com/legal/privacy
  • Commercial terms: https://www.anthropic.com/legal/commercial-terms

Google LLC (Speech Recognition) (US)

  • What they do: Processes voice audio for speech-to-text when you use voice input on Android. Audio is processed cloud-side or on-device depending on your device settings. We never receive or store the audio.
  • Privacy policy: https://policies.google.com/privacy

U.S. Department of Agriculture (FoodData Central) (US)

  • What they do: Public nutrition database we query for food macro information. We send food name strings (e.g., "chicken breast roasted") with no user identifier attached — these queries are anonymous from your perspective.
  • Privacy policy: https://www.usda.gov/privacy-policy

Google LLC (Play Store) (US)

  • What they do: Distributes the app to your device. Google Play collects standard installation and crash telemetry under its own terms.
  • Privacy policy: https://policies.google.com/privacy

We do not engage any other sub-processors at this time. If we add new ones (for example, error monitoring or product analytics in a future release), we will update this policy and increment the version number above before they go live.

6. International Data Transfers

Your data is stored on Supabase infrastructure in the United States (AWS US West 2, Oregon).

If you are located in the European Union, the United Kingdom, or another jurisdiction with data-localization expectations, your data is transferred to and processed in the United States. We rely on the Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for this transfer. Supabase, our infrastructure provider, has signed the SCCs as part of its Data Processing Addendum.

If you have questions about how your data is protected during transfer, email support@promptygainz.com.

7. Your Rights

Depending on where you live, you have the following rights over your personal data. You can exercise any of these rights by emailing support@promptygainz.com. We respond within 30 days.

If you live in the European Union or the United Kingdom (GDPR / UK GDPR)

  • Right of access (Article 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Article 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Article 17) — request deletion of your account and associated data.
  • Right to restriction of processing (Article 18) — ask us to stop processing your data temporarily.
  • Right to data portability (Article 20) — receive your data in a machine-readable format.
  • Right to object (Article 21) — object to processing in specific circumstances.
  • Right to lodge a complaint with your local data protection supervisory authority if you believe we've mishandled your data.

If you live in California (CCPA / CPRA)

  • Right to know what categories of personal information we collect, the purposes, and any third parties we share with.
  • Right to delete your personal information.
  • Right to correct inaccurate personal information.
  • Right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information.
  • Right to limit use of sensitive personal information (such as health data).
  • Right to non-discrimination — we will not deny service or charge different prices because you exercised a right.

If you live in Canada (PIPEDA)

  • Right to access your personal information.
  • Right to correction of inaccurate information.
  • Right to withdraw consent to processing (note: withdrawing consent will require account deletion since the app cannot function without processing your fitness data).
  • Right to file a complaint with the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca).

To exercise any right, email support@promptygainz.com with a subject line that names the right (e.g., "Data access request", "Delete my account"). We respond within 30 days.

8. Data Retention

We keep your data for as long as your account is active. When you delete your account, we permanently delete your data within 30 days. We do not retain anonymized backups beyond that window for the deleted account's records.

We do not currently delete inactive accounts automatically. If you stop using the app and want your data removed, request deletion via the in-app flow or by emailing support@promptygainz.com.

9. Children

PromptyGainz is intended for users aged 13 and over. We do not knowingly collect data from children under 13.

If you live in the European Union and are between 13 and 16, your country may require parental consent for processing your personal data. You should not create an account without parental authorization in that case. If we learn that we hold data for a user who lacks the required consent, we will delete it.

If you believe a child under 13 (or under your country's applicable age) has created an account, email support@promptygainz.com and we will investigate and delete the account.

10. Security

We protect your data using:

  • HTTPS encryption for all data in transit between your device, our servers, and our sub-processors.
  • Supabase Auth for password handling — passwords are hashed and we never see the plaintext.
  • Row-Level Security (RLS) at the database level — every query is scoped to your account, so even an internal bug cannot leak one user's data to another.
  • API key isolation — keys to Anthropic and other sub-processors are stored as server-side secrets in our serverless functions. They never reach the app on your device.

No system is perfectly secure. If we ever experience a breach affecting your data, we will notify you and the relevant authorities as required by GDPR (within 72 hours), CCPA, and PIPEDA.

11. How to Delete Your Data

You can delete your account and all associated data in two ways:

Option 1 — In-app (recommended): open the Settings tab and use the "Delete account" option. Confirm when prompted. Your account and data are deleted within 30 days.

Option 2 — Email: send an email to support@promptygainz.com with the subject "Delete my account". Include the email address associated with your account so we can verify and locate it. We confirm receipt within 5 business days and complete deletion within 30 days.

Deletion is permanent. We do not retain copies. If you have an active subscription (in a future release), cancel it through Google Play before deleting your account.

12. Changes to This Policy

We may update this policy when:

  • We add, remove, or change a sub-processor (e.g., when we activate error monitoring or analytics).
  • A law that applies to us changes.
  • We change a feature in a way that affects what we collect or how we use it.

Each new version increments the version number at the top of this policy and updates the "Last updated" date. For material changes — adding a new sub-processor with access to your data, collecting a new category of data, or broadening how we use your data — the updated policy will be published and available before the change takes effect. We encourage you to review this policy periodically.

The current version of this policy is always available at our public policy URL.

13. Contact

For any privacy question, request, or complaint:

Email: support@promptygainz.com

We respond within 30 days, usually faster.


This is version 1.0 of the PromptyGainz Privacy Policy, effective April 30, 2026.