Privacy Policy

Effective Date: 2026-02-07

Last Updated: 2026-02-07

1. Introduction

Welcome to Tolma ("we", "our", "us"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our mobile application (the "App").

By using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the App.

2. Information We Collect

2.1 Personal Information

When you use Sign in with Apple to authenticate, we collect:

• Name (optional, from your Apple ID)
• Email address (private relay or actual email, from your Apple ID)
• Apple ID unique identifier (required for authentication)

You may optionally provide additional profile information:

• Age - Optional demographic information
• Weight - For workout tracking and progress calculation
• Height - For workout tracking and progress calculation
• Experience Level - Beginner, intermediate, or advanced (defaults to beginner)
• Unit System - Imperial or metric preference (defaults to imperial)
• Avatar URL - Profile picture (optional)
• Bio - Profile description (optional)
• Profile Visibility - Public or private setting (defaults to public)

2.2 Fitness Data

We collect fitness-related data that you input or generate while using the App:

Workout Sessions:

• Workout title and notes
• Start time and end time
• Total volume (weight x reps), total sets, and total reps
• Personal record (PR) count
• Public/private visibility flag

Exercise Sets:

• Weight lifted (in lbs or kg)
• Repetitions completed
• Number of sets
• Workout mode (lifting, cardio, etc.)
• RPE (Rate of Perceived Exertion) - Optional intensity rating
• Personal record flag (automatically detected)
• Completion timestamp
• Exercise notes (optional)

Exercise Catalog:

• Exercise names
• Exercise categories (e.g., upper body, lower body, cardio)
• Muscle groups targeted
• Exercise notes

Fitness Goals:

• Goal type (weight target, rep target, etc.)
• Target value
• Exercise name (optional, for exercise-specific goals)
• Muscle group (optional)
• Deadline (optional)
• Completion status

Workout Templates:

• Template name
• List of exercises with suggested sets, weights, and reps
• Creation date and last used date
• Use count (number of times template was used)
• Public/private visibility flag (defaults to private)

2.3 Social Data

If you choose to use social features, we collect:

Follow Relationships:

• Users you follow
• Users who follow you
• Timestamps of follow actions

Workout Likes:

• User ID of who liked
• Workout ID that was liked
• Timestamp of like

Workout Comments:

• User ID of commenter
• Workout ID being commented on
• Comment text content
• Timestamp of comment

Activity Feed:

• Aggregated data showing workout completions from users you follow
• Personal records achieved by users you follow
• Activity types and timestamps

Leaderboards:

• User rankings by type (weekly volume, monthly volume, all-time volume, weekly workouts)
• Ranking position
• Achievement values (volume or workout count)
• User name and avatar for display

2.4 Technical Data

We automatically collect technical data to enable app functionality:

• User ID - Unique identifier (UUID) generated by the system
• Record IDs - Unique identifiers for all database records (workouts, sets, goals, etc.)
• Timestamps - Creation dates (created_at), update dates, completion dates
• Sync Metadata - cloud_synced_at timestamps to track synchronization status between local device and cloud

2.5 Website Data

When you visit our website (tolma.app), we may collect:

Email Waitlist / Newsletter:

• Email address - When you voluntarily sign up for our waitlist or newsletter
• Signup source - Which form or page you signed up from
• Referrer - The website that referred you to us
• Timestamp - When you signed up

Contact Form:

• Name - Your name as provided in the form
• Email address - For us to respond to your inquiry
• Subject - The category of your inquiry
• Message - The content of your message

Analytics (via Plausible):

• Page views - Which pages were visited
• Referrer - The website that referred you
• Country - Approximate geographic location (country-level only)
• Device type - Desktop, tablet, or mobile

We use Plausible Analytics, which does not use cookies, does not collect personal data, and is fully GDPR/CCPA compliant. No consent banner is required.

We do NOT collect from our website:

• IP addresses (only hashed for rate-limiting, not stored in readable form)
• Cookies or tracking pixels
• Device fingerprints
• Browsing history

3. How We Use Your Information

We use your information to:

• Provide core functionality: Track workouts, calculate personal records, sync data across devices
• Enable offline experience: Cache data locally using SwiftData for offline-first functionality
• Display social features: Show activity feed from users you follow, generate leaderboards and rankings
• Support workout planning: Save templates, track goals, provide progress insights
• Authenticate securely: Verify your identity using Sign in with Apple
• Improve the App: Understand usage patterns and fix bugs (only if error tracking is enabled in production)

We do not use your information for advertising or marketing purposes.

4. Data Sharing and Disclosure

4.1 We Do NOT Sell Your Data

Tolma does not sell, rent, or trade your personal information to third parties for any purpose.

4.2 Third-Party Service Providers

We share your data with the following service providers to operate the App:

1. Supabase (Backend Provider)

• Purpose: Cloud database, authentication, and real-time data synchronization
• Data Shared: All user data (profile, workouts, sets, goals, social data)
• Status: ACTIVE
• Privacy Policy: https://supabase.com/privacy

2. Apple (Authentication Provider)

• Purpose: Sign in with Apple authentication
• Data Shared: Name, email address (or private relay), Apple ID unique identifier
• Status: ACTIVE
• Privacy Policy: https://www.apple.com/legal/privacy/

3. Plausible Analytics (Website Analytics)

• Purpose: Privacy-respecting website analytics (page views, referrers, device type)
• Data Shared: No personal data — Plausible does not use cookies or collect personal information
• Status: ACTIVE (website only)
• Privacy Policy: https://plausible.io/data-policy

4. Resend (Email Service)

• Purpose: Sending welcome emails and contact form notifications
• Data Shared: Email address (for waitlist subscribers), name and email (for contact form respondents)
• Status: ACTIVE (website only)
• Privacy Policy: https://resend.com/legal/privacy-policy

5. Sentry (Error Tracking - Optional)

• Purpose: Crash reporting and error tracking
• Data Shared: None (currently disabled in all builds)
• Status: DISABLED - Will only be enabled in production releases if needed
• Privacy Policy: https://sentry.io/privacy/

These service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.3 Public vs Private Data

Public Data (visible to other users if you choose to make your profile public):

• Profile information (name, bio, avatar) - only if you set is_public = true in settings
• Workouts marked as public - visible in activity feeds and leaderboards
• Comments and likes - always visible on public workouts
• Follow relationships - always visible to show social connections

Private Data (only visible to you):

• Private profile information - if you set is_public = false in settings
• Goals - always private to you
• Private workouts - only visible to you
• Email address - never shared publicly, controlled by Apple's privacy settings
• Workout templates - always private to you

You can control the visibility of your profile and individual workouts in the App settings.

4.4 Legal Requirements

We may disclose your information if required by law, such as:

• To comply with a subpoena, court order, or similar legal process
• When we believe disclosure is necessary to protect our rights, your safety, or the safety of others
• To investigate fraud or respond to a government request
• In connection with a merger, acquisition, or sale of assets (with advance notice to you)

5. Data Storage and Security

5.1 Where We Store Your Data

• Local Storage: SwiftData on your iOS device (encrypted at rest by iOS)
• Cloud Storage: Supabase PostgreSQL database with Row-Level Security (RLS) policies
• Geographic Location: Location unspecified (Supabase cloud infrastructure)

5.2 Security Measures

We implement industry-standard security measures to protect your data:

• Authentication: Sign in with Apple with cryptographically secure nonces (SHA256 hashing)
• Transport Security: All network requests use HTTPS encryption (TLS 1.2+)
• Database Security: Row-Level Security (RLS) policies ensure users can only access their own private data
• Access Control: Authentication required for all data access; no anonymous access
• Session Management: Secure token storage via Supabase SDK with automatic refresh
• No Plaintext Passwords: We never store passwords; authentication is handled entirely by Apple

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

5.3 Data Synchronization

• Offline-First: The App works fully offline; data syncs when an internet connection is available
• Bidirectional Sync: Changes sync from your device to the cloud and vice versa
• Conflict Resolution: Last-write-wins strategy using cloud_synced_at timestamps
• Sync Triggers: On app launch, after workout completion, and periodically in the background

6. Your Rights and Choices

6.1 GDPR Rights (European Union Users)

If you are located in the European Union, you have the following rights under the General Data Protection Regulation (GDPR):

• Right to Access: Request a copy of all personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format (JSON)
• Right to Restrict Processing: Limit how we use your data in certain circumstances
• Right to Object: Object to processing of your data based on legitimate interests

You also have the right to lodge a complaint with your local supervisory authority if you believe we have not complied with GDPR.

6.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: What personal information is collected, used, shared, or sold (we do not sell)
• Right to Delete: Request deletion of your personal information
• Right to Opt-Out of Sale: We do not sell personal information, so no opt-out is necessary
• Right to Non-Discrimination: Equal service and price, even if you exercise your privacy rights

6.3 How to Exercise Your Rights

To exercise any of these rights, contact us at:

• Email: claytor3@gmail.com
• In-App (planned feature): Settings → Privacy → Request Data / Delete Account

We will respond to your request within:

• GDPR: 30 days (may extend to 60 days for complex requests)
• CCPA: 45 days (may extend to 90 days for complex requests)

We may request verification of your identity before fulfilling requests to protect your privacy and security.

7. Data Retention

• Active Accounts: We retain your data indefinitely while your account is active and you continue to use the App
• Deleted Accounts: All personal data is permanently deleted within 30 days of account deletion
• Workout History: Retained until account deletion
• Comments and Likes: Removed immediately upon account deletion
• Backups: Deleted from all backups within 90 days of account deletion

Website Data:

• Email subscribers: Retained until you unsubscribe (email claytor3@gmail.com to unsubscribe)
• Contact messages: Retained for up to 2 years for support reference, then deleted

You can delete your account at any time by contacting us at claytor3@gmail.com or using the in-app account deletion feature (when available).

8. Children's Privacy

Tolma is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13.

If we become aware that we have collected data from a child under 13 without parental consent, we will take steps to delete that information as quickly as possible.

If you believe a child under 13 has provided us with personal information, please contact us immediately at claytor3@gmail.com.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices
• New features or functionality
• Legal, operational, or regulatory requirements

We will notify you of material changes via:

• In-app notification with highlights of changes
• Email notification (if you have provided an email address)
• Updated policy with new effective date

Continued use of the App after changes become effective constitutes acceptance of the updated policy. If you do not agree with changes, you should stop using the App and delete your account.

10. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: claytor3@gmail.com
• GitHub: https://github.com/claytor3/Claytor-Fitness

For GDPR-related inquiries or to contact our designated representative, please email claytor3@gmail.com.

Last Updated: 2026-02-07

Privacy Policy Version: 1.1.0

This privacy policy was generated and maintained using Claude Code to ensure accuracy and compliance with current regulations.