Privacy Policy

Repflow is operated by Justin Gallahar, a sole proprietor based in Indiana, United States. For privacy questions, data deletion requests, or anything else covered by this policy, contact:

Account information

• Email address — used for sign-in and account recovery.
• Name and profile photo — shown to friends on leaderboards and friend lists. Optional.
• Username — a public handle so friends can find you. Optional.
• Phone number— used only for friend discovery (see "Contacts and friend discovery" below). Optional.

Workout and fitness data

• Workouts logged (exercises, sets, reps, weights, duration)
• Cardio sessions including GPS routes for outdoor activities
• Body measurements and progress photos / videos you choose to record
• Nutrition logs (foods, macronutrients, micronutrients, water, supplements)
• Goals, training preferences, and program selections

Apple Health integration (iOS)

If you grant access, Repflow reads workouts, steps, heart rate, and active energy from Apple Health, and writes your completed Repflow workouts back to Apple Health. You can revoke this access at any time in the iOS Health app under Sources or Apps.

Location

Repflow uses your device's GPS to track outdoor cardio (walks, runs, rides). Location is collected only while you're actively tracking a workout. The route is stored with that workout in your account. Repflow does not track your location in the background outside of an active workout session.

Camera and photos

The camera is used to take progress photos, scan food barcodes, and read nutrition labels. The photo library is used when you select an existing photo to upload as a progress photo. Repflow doesn't access your camera or photos outside of these features.

Contacts and friend discovery

If you tap "Find from Contacts," Repflow reads your phone book to check which contacts are also on Repflow. We do this in a privacy-preserving way:

• Phone numbers are hashed on your device using SHA-256 before they ever leave your phone.
• Only the hashes are sent to our server, which checks them against the hashes of users who have added their phone numbers to Repflow.
• Your raw contact list is never uploaded or stored.
• Hashes that don't match a Repflow user are discarded immediately.

In other words: Repflow never sees the phone numbers of people in your contacts who aren't already on Repflow.

Information we do not collect

• We do not use third-party advertising networks.
• We do not use cross-app tracking SDKs.
• We do not sell or rent your data to anyone.
• We do not require permissions we don't actually use.

Repflow uses Google's Firebase platform (Cloud Firestore, Firebase Authentication, Firebase Cloud Storage, Firebase Cloud Functions) to store your account data, workouts, and media. Firebase is operated by Google LLC and stores data in Google data centers in the United States. Firebase is bound by Google's security and privacy commitments, available at firebase.google.com/support/privacy.

Data is encrypted in transit (TLS) and at rest (Google-managed encryption keys).

We use your data to:

• Provide the app's features (logging, tracking, syncing across your devices)
• Show your data on your own profile and progress screens
• Show limited public profile information (name, photo, username, weekly stats) to friends you've connected with and on global leaderboards if you've opted in by setting a username
• Send transactional emails via Firebase Authentication (sign-in verification, password reset)
• Diagnose crashes via Firebase Crashlytics (anonymized device and app state at the time of crash; no personal data)

We do not use your data for advertising, profiling for marketing purposes, or training third-party machine learning models.

We do not sell or rent your personal data. We share data only in the following limited circumstances:

• With other Repflow users you choose: friends on your leaderboard see your name, photo, username, and weekly workout statistics. Coaches you've explicitly linked to via an invite code can see workouts, body weight, progress photos, and progress videos you've explicitly shared with them.
• With service providers: Google (Firebase) for storage and authentication. Mapbox for rendering maps of your cardio routes — your route data is sent to Mapbox tile servers solely to render the visible map area; Mapbox does not retain it.
• For legal reasons: if required by valid legal process (subpoena, court order). We commit to challenging overbroad requests.
• In a business transfer: if Repflow is acquired, user data would transfer to the acquirer subject to this same policy.

Access and export

You can view all of your data inside the app. To request a full export of your account, email repflowtraining@gmail.com.

Correction

You can edit your profile, workouts, measurements, and other entries directly in the app at any time.

Deletion

You can delete individual workouts, photos, foods, etc. from inside the app. To delete your entire account and all associated data, email repflowtraining@gmail.com from the email address on the account. Account deletion is permanent and processed within 30 days.

Permission controls (iOS)

Camera, photos, location, contacts, motion, and Apple Health access can be revoked at any time in iOS Settings → Privacy & Security. Repflow features that depend on those permissions will stop working, but the app continues to function for everything else.

California, EU/UK, and other regions

If you live in California (CCPA/CPRA), the European Union (GDPR), the United Kingdom (UK GDPR), or another region with data protection laws, you may have additional rights including the right to access, port, correct, and erase your personal data, and to lodge a complaint with a supervisory authority. To exercise these rights, email repflowtraining@gmail.com.

We do not "sell" personal data as defined under the CCPA, and we do not process personal data for cross-context behavioral advertising.

Repflow is not intended for children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please email repflowtraining@gmail.com and we will promptly delete it.

We retain your account data for as long as your account is active. When you delete your account, your data is permanently removed within 30 days, except where retention is required by law (e.g., financial records for tax purposes, which Repflow does not currently maintain).

Crash logs and diagnostic data collected by Firebase Crashlytics are retained for up to 90 days.

We protect your data with industry-standard measures including TLS encryption in transit, Google-managed encryption at rest, and server-side authorization rules that prevent users from reading data belonging to others. No system is perfectly secure; if we ever experience a data breach affecting your information, we will notify affected users without undue delay.

We may update this policy from time to time. Material changes will be communicated via the app or email, and the "Effective date" at the top will be updated. Continued use of Repflow after a change indicates acceptance of the updated policy.

Privacy questions, data requests, or anything else covered by this policy: