REPDEMON

Privacy Policy

Last Updated · May 14, 2026

Introduction

RepDemonApp ("we," "us," "our," or the "Company") operates the RepDemonApp Progressive Web Application (the "Service"). This Privacy Policy explains how we collect, use, disclose, and otherwise handle your information when you use our Service.

This Privacy Policy applies to:

  • Our website at workout.repdemon.app
  • Our mobile Progressive Web App (PWA)
  • All related services, content, and functionality

If you don't agree with our practices, please don't use our Service. Your privacy is important to us, and we're committed to being transparent about how we handle your data.


1. Information We Collect

A. Account & Profile Data

When you sign up, we collect:

  • Email address (used for login and communication)
  • Password (14+ characters, hashed with bcrypt)
  • Display name (public username, must be unique)
  • First and last name (optional, for personalization)
  • Body weight (in lbs or kg, for training calculations)
  • Social media links (Instagram, TikTok, Twitter, Facebook — optional)
  • Profile initials (auto-generated from your display name)
  • Email verification status (confirms you own your email)

B. Training & Fitness Data

When you log workouts, we collect:

  • Sessions: Workout date, time, duration, name, location, completion status
  • Exercises: Movement name, weight lifted, reps performed, number of sets, drop sets
  • Personal Records: Your best performances by movement (weight, reps, estimated 1RM)
  • Exercise notes: Custom notes you add to movements (persisted across sessions)
  • Movement substitutions: When you swap one movement for another during a workout
  • Draft sessions: Auto-saved in-progress workouts (deleted once completed)

C. Social & Community Data

When you use social features, we collect:

  • Friend codes: Your unique code to share with others (DEMON-XXXX format)
  • Friend requests: When you add or accept friends
  • Leaderboard opt-in: Your choice whether to appear on leaderboards
  • Pack visibility: Your privacy setting (Leaderboard Only or Full Details)
  • Shared content: Workouts, training splits, or movements you share with friends
  • Notifications: Types include friend requests, content shares, personal records, and friend acceptances

D. Location Data

  • Gym selection: The gym location you choose for each workout
  • Home gym ID: Your default gym location
  • Signup IP address and country: Your approximate location when you created your account
  • GPS coordinates: Optional, if you use browser geolocation to find nearby gyms

E. Usage Data

  • Session timestamps: When you log in, log out, and complete workouts
  • Last active: When you last completed a training session
  • Signup source: How you heard about RepDemonApp (e.g., "word of mouth," "referral")
  • Referral information: If a friend referred you, we may collect their name/email
  • Trainer information: If a coach introduced you, we may collect their name

F. Automatic Collection

  • Browser and device information: Browser type, OS, device type (collected via Supabase logs)
  • hCaptcha scores: Bot protection scores from our CAPTCHA service
  • Rate limiting data: Failed login attempts for security monitoring
  • Error logs: Technical errors you encounter (to help us improve the service)

2. How We Use Your Data

We use your information to:

A. Provide the Core Service

  • Create and maintain your account
  • Log and store your workout sessions
  • Calculate estimated 1RMs based on your performance
  • Detect and notify you of personal records
  • Generate statistics and insights (weekly session charts, top movements, volume tracking)
  • Enable you to create custom workouts, training splits, and movements

B. Enable Social Features

  • Manage friend requests and connections
  • Display your profile and workouts to friends (based on your privacy settings)
  • Show leaderboards (only if you opted in)
  • Deliver notifications about friend activity
  • Facilitate content sharing

C. Improve Our Service

  • Understand how you use RepDemonApp
  • Test new features and improvements
  • Fix bugs and troubleshoot technical issues
  • Analyze usage patterns to improve user experience
  • Respond to your feedback and support requests

D. Security & Safety

  • Detect and prevent fraud, abuse, and unauthorized access
  • Monitor for suspicious login attempts (geographic anomalies, rate limiting)
  • Enforce our Terms of Service
  • Comply with legal obligations

E. Communication

  • Send you email verification messages
  • Notify you of important service changes
  • Respond to your customer support inquiries
  • (Optional) Send product updates if you opt in

3. Third-Party Services & Data Sharing

We use the following third-party services. When you use our Service, their privacy policies also apply:

A. Authentication

Google OAuth — If you sign up or log in via Google, Google processes your email and profile information. Google Privacy Policy

We also support email/password authentication; Google is optional.

B. Bot Protection

hCaptcha — We use hCaptcha to protect our signup form from bots. hCaptcha processes your IP address and device information. hCaptcha Privacy Policy

C. Location Services

Nominatim (OpenStreetMap) — We use Nominatim to convert GPS coordinates into gym addresses. OpenStreetMap Privacy Policy

ipapi.co — We use ipapi.co to determine your country from your signup IP address for security monitoring. ipapi.co Privacy Policy

D. Hosting & Data Storage

Supabase (PostgreSQL) — Your data is stored on Supabase servers. Supabase is SOC 2 Type II certified. Supabase Privacy Policy

E. Fonts

Google Fonts — We use Google Fonts (Barlow Condensed and Barlow) for typography. Google Fonts Privacy

F. Future Services

Stripe — We plan to use Stripe for payments in v1.0 (not yet implemented). Stripe Privacy Policy

G. Data We Don't Share

  • We do NOT share your data for marketing or advertising purposes.
  • We do NOT sell your data to third parties.
  • We do NOT use third-party analytics services.
  • We only share data with service providers necessary to operate our Service (as listed above).

4. Your Privacy Controls

You have control over your data:

A. Leaderboard Visibility

  • Default: Your profile is private (not visible on leaderboards)
  • Opt-in: You can explicitly choose to appear on leaderboards
  • Visibility Level: Choose "Leaderboard Only" (show session counts only) or "Full Details" (show all workout data)

B. Social Features

  • Friend system is optional. You can use RepDemonApp without connecting with friends
  • Sharing is optional. You choose what content to share with specific friends
  • Data access is scoped. Friends only see data you've chosen to share

C. Google OAuth vs Email

  • Google OAuth is optional. You can use email/password authentication instead
  • Choosing email/password means Google doesn't process your profile data

D. Data Export & Deletion

  • Request an export of your data at any time (contact support@repdemon.app)
  • Delete your account anytime, which cascades to all your data: profiles, sessions, personal records, movements, notes, friend connections, notifications, and shared content (though friends may retain copies of shared workouts)

5. Data Storage & Security

A. Where Your Data is Stored

Your data is stored on Supabase PostgreSQL servers. Supabase complies with SOC 2 Type II standards and GDPR requirements.

B. How We Protect Your Data

  • In Transit: HTTPS/TLS encryption (all data sent to/from our servers is encrypted)
  • At Rest: Your data is encrypted at rest on Supabase servers
  • Access Control: Row-Level Security (RLS) enforced at the PostgreSQL layer — users can only access their own data
  • Password Hashing: Your password is hashed with bcrypt; we cannot see your password
  • Session Security: JWT tokens with auto-refresh; tokens expire after inactivity
  • Rate Limiting: Failed login attempts are rate-limited (5 attempts per 2 hours)

C. Security Measures in Development

  • Bot protection via hCaptcha
  • Geographic anomaly detection (flags unusual login locations)
  • IP-based signup monitoring (we log signup attempts for security analysis)

D. Known Security Limitations

  • Multi-factor authentication (MFA/2FA): Not yet implemented (planned for future versions)
  • Penetration testing: Not yet conducted (planned before v1.0 release)
  • Security headers (CSP, HSTS): Planned for v0.4 release

No system is 100% secure. We take reasonable precautions, but we cannot guarantee absolute security. You are responsible for keeping your login credentials confidential.


6. Data Retention & Deletion

A. How Long We Keep Your Data

  • Sessions & Personal Records: Retained indefinitely (you can request deletion anytime)
  • Notes & Custom Movements: Deleted when your account is deleted
  • Signup attempts: Retained for 30 days for security monitoring (admin-only access)
  • Inactive accounts: Disabled after 90 days without login; data retained for 1 year, then deleted
  • Friend connections & notifications: Deleted when your account is deleted

B. Account Deletion

When you delete your account:

  • All your data is permanently deleted (cascade delete across all tables)
  • Your friend connections are removed
  • Any content you shared with friends is still accessible to them, but your profile is removed
  • This action cannot be undone

7. AI/ML Model Training

A. How We Use Your Data for AI

To improve our service and build better features, we may use your workout data (weight, reps, movements, volume metrics) to train machine learning models.

B. What Data is Included

  • Included: Exercise name, weight, reps, sets, volume, estimated 1RMs, movement substitutions
  • NOT included: Your name, email, social media links, friend connections, or any personally identifiable information (PII)

C. Opt-Out

This feature is enabled by default, but you can opt out at any time:

  • In your account settings, toggle "Allow my workout data to be used for AI/ML training"
  • Once disabled, your future workout data will not be used for training
  • Historical data already used for training cannot be removed

D. Your Rights

  • You can request to know whether your data has been used for AI training
  • You can request that your future data not be used
  • Contact support@repdemon.app with any questions

8. Your Rights

You have the following rights regarding your personal data:

A. Right to Access

  • You can request an export of all your personal data
  • We'll provide it in a machine-readable format within 30 days

B. Right to Correction

  • You can update your profile information, display name, and settings anytime
  • You are responsible for the accuracy of your training data

C. Right to Deletion

  • You can delete your account and all associated data anytime
  • Some data may be retained for legal or safety reasons (e.g., fraud prevention)

D. Right to Restrict Processing

  • You can disable social features and AI/ML data usage
  • You can opt out of leaderboards at any time

E. No Automated Decision-Making

  • We do not use your data for automated profiling or decisions that affect your account

F. How to Exercise Your Rights

  • Contact us at support@repdemon.app
  • Include "Data Request" in the subject line
  • Specify which right you're exercising
  • We'll respond within 30 days

9. Children & COPPA Compliance

A. Minimum Age

RepDemonApp is designed for adults, particularly serious weightlifters. We do not knowingly collect data from anyone under 13 years old.

B. If Your Child Uses RepDemonApp

If you believe your child under 13 has created an account, please contact us immediately at support@repdemon.app, and we will delete their account and data.

C. If You're Under 18

If you're between 13 and 18, you can use RepDemonApp, but your parent or guardian should review this Privacy Policy. They have the right to request access to or deletion of your data.


10. International Users & GDPR

A. EU & GDPR Compliance

If you're located in the EU, you have additional rights under GDPR:

Lawful Basis for Processing:

  • Consent: You consent by signing up and agreeing to our Terms of Service
  • Legitimate Interest: We have a legitimate interest in improving our service and preventing fraud
  • Contract: Processing your training data is necessary to provide the Service

Your GDPR Rights:

  • Right to access your data
  • Right to rectification (correction)
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability (export in machine-readable format)
  • Right to object to processing (including AI/ML training)
  • Right to withdraw consent at any time

Data Processing Agreement: We have a Data Processing Agreement with Supabase to ensure GDPR compliance.

B. How to Exercise GDPR Rights

  • Email support@repdemon.app with your request
  • Specify "GDPR Data Request" in the subject line
  • Include which right you're exercising
  • We'll respond within 30 days

C. EU Data Transfers

Your data may be transferred to and stored in the United States or other countries. By using RepDemonApp, you consent to this transfer.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time:

  • Minor changes (clarifications, corrections): Effective immediately
  • Material changes (new data collection, retention policy changes): We'll notify you via email or in-app notification at least 30 days before the change takes effect
  • Your acceptance: Continued use of our Service after notification constitutes acceptance of the updated policy

We'll maintain a version history of this policy on our website.


12. Contact Us

If you have questions about this Privacy Policy or our privacy practices:

Email: support@repdemon.app

Response Time: We'll respond to your inquiry within 30 days

Address: We're currently a small team based in the United States. You can contact us via email for any privacy-related questions.

For GDPR data requests, please include "GDPR Data Request" in the subject line.


13. Additional Information

A. California Privacy Rights (CCPA/CPRA)

If you're a California resident, you have specific rights under CCPA:

  • Right to know what personal data is collected
  • Right to delete your personal data (with exceptions)
  • Right to opt out of data sharing (we don't share data for advertising, so this is limited)
  • Right to non-discrimination (we won't discriminate against you for exercising these rights)

Contact us at support@repdemon.app to exercise these rights.

B. Do Not Track (DNT)

Our Service does not respond to "Do Not Track" signals from browsers, as we don't engage in cross-site tracking or behavioral advertising.

C. Changes to Third-Party Policies

We are not responsible for the privacy practices of third-party services (Google, Supabase, hCaptcha, etc.). Please review their privacy policies separately.


Thank you for trusting us with your fitness data. Your privacy matters to us.