Legal Document Changelog
This file summarises material changes to the public-facing legal documents shipped with Kettle Muscle. It is not a substitute for the documents themselves; it exists so that returning users, reviewers, and counsel can see at a glance what changed between versions and why.
For the per-document text, see:
- Privacy Policy
- Terms of Use
- Consumer Health Data Privacy Policy
- Data Retention Policy
- Information Security Program
Privacy Policy — v6 → v7 (May 26, 2026)
Headline change. Apple HealthKit integration is now live on iOS. Earlier drafts described HealthKit as a future / disabled feature; that language has been replaced throughout with an accurate description of what we read, what we write, and which of those two flows touches our backend.
Material edits:
- §2.2 "Fitness and body data". The single-line "Apple Health (not enabled in the current release)" bullet has been replaced with two bullets that distinguish (i) the inbound read of date of birth, biological sex, body weight and height (which is mirrored to our backend as profile data) from (ii) the outbound write of completed workouts and body-mass updates (which is on-device only). Heart-rate, RHR, HRV and active-energy reads are requested but not yet sampled, and that is now disclosed.
- §6 processor table. The "Apple Health — on-device only" row has been split into two rows so that the inbound profile-import row truthfully discloses the cloud mirror. Removing the historic "on-device only; not routed through our servers" line was material: it was correct for the v6 posture (no HK) but became misleading at the moment the HK profile-import shipped.
- §10 device permissions. Updated to describe the HealthKit prompt as a live, purpose-specific permission rather than a disabled future feature, and to point users at iOS Settings for revocation.
Re-consent. CONSENT_VERSION in src/lib/privacy/consent.ts is bumped alongside this release. Existing EU/UK and Brazilian users will be re-prompted on next launch because the scope of GDPR Art. 9 / LGPD Art. 11 consent has materially expanded.
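The re-consent rule above (a version bump that expands the scope of special-category processing re-prompts users whose legal basis is explicit consent) can be made scope-aware rather than a blind version comparison, so that a wording-only bump does not re-prompt anyone. The following is an added illustration, not the project's own src/lib/privacy/consent.ts; the scope names, the per-version scope table and the region codes are assumptions made for the example.

```typescript
// Added example: a scope-aware re-consent gate. Not the project's own
// src/lib/privacy/consent.ts; scope names, the per-version scope table and the
// region codes below are assumptions made for illustration.

export type Scope =
  | "profile"
  | "workouts"
  | "healthkit_profile_import"   // inbound DOB/sex/weight/height, mirrored to backend
  | "healthkit_workout_write";   // outbound write, on-device only

// Which special-category (GDPR Art. 9 / LGPD Art. 11) scopes each consent version
// covered. Keeping the history lets the gate compute what is NEW for a given user
// instead of re-prompting on every bump of CONSENT_VERSION.
const SCOPES_BY_VERSION: Record<number, readonly Scope[]> = {
  6: ["profile", "workouts"],
  7: ["profile", "workouts", "healthkit_profile_import", "healthkit_workout_write"],
};

export const CONSENT_VERSION = 7;

// Regions where explicit consent is the legal basis for health data, so a scope
// expansion invalidates the stored consent. Assumed set for the example.
const EXPLICIT_CONSENT_REGIONS: ReadonlySet<string> = new Set(["EU", "UK", "BR"]);

export interface ConsentRecord {
  version: number;      // CONSENT_VERSION the user accepted
  region: string;       // region the account is bound to, e.g. "EU", "BR", "US"
  acceptedAt: string;   // ISO 8601 timestamp of acceptance
}

export interface ReconsentDecision {
  required: boolean;    // show the blocking consent prompt on next launch
  newScopes: Scope[];   // scopes the stored record does not cover (for the notice text)
}

export function reconsentDecision(record: ConsentRecord | null): ReconsentDecision {
  // No record at all: first-run consent, every scope is new, regardless of region.
  if (record === null) {
    return { required: true, newScopes: [...SCOPES_BY_VERSION[CONSENT_VERSION]] };
  }
  // Already on the current version (or a later one, e.g. after a build rollback).
  if (record.version >= CONSENT_VERSION) {
    return { required: false, newScopes: [] };
  }
  // Unknown historic version: fail safe by treating it as covering nothing.
  const covered = new Set<Scope>(SCOPES_BY_VERSION[record.version] ?? []);
  const newScopes = SCOPES_BY_VERSION[CONSENT_VERSION].filter((s) => !covered.has(s));
  // A bump with no new special-category scope (wording-only edit) re-prompts nobody;
  // new scopes re-prompt only where explicit consent is the legal basis.
  const required = newScopes.length > 0 && EXPLICIT_CONSENT_REGIONS.has(record.region);
  return { required, newScopes };
}

// Builds the record to persist once the user accepts the current prompt.
export function acceptCurrentConsent(region: string, now: Date = new Date()): ConsentRecord {
  return { version: CONSENT_VERSION, region, acceptedAt: now.toISOString() };
}
```

Users outside the explicit-consent regions still get `newScopes` back, so the app can surface the expanded processing as a notice without blocking them; the fail-safe branch for unrecognised historic versions is what keeps a stale install from silently skipping the prompt.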
Consumer Health Data Privacy Policy — v1 → v2 (May 26, 2026)
Headline change. Mirrors the Privacy Policy: HealthKit is live, and the document has been updated to accurately describe both data flows.
Material edits:
- §2 "What consumer health data we collect". The fifth bullet ("Apple Health data (currently disabled feature)") has been rewritten in line with the Privacy Policy §2.2 update. The fact that imported HK profile fields are mirrored to our backend is now disclosed explicitly, as required by WMHMDA RCW 19.373.020(1)(a)–(b).
- §5 "Who receives consumer health data". The Apple Health row has been split into an inbound-import row and an outbound-write row. The inbound row now points at the Google LLC row to disclose the cross-border mirror; the outbound row notes that the destination is the user's own Apple Health store, treated under RCW 19.373.010(28) as a user-directed disclosure.
No change to §§3, 4, 6, 7, 8, 9 — sources, purposes, retention, security, rights, and non-discrimination are all unchanged.
Data Retention Policy — v4 → v5 (May 26, 2026)
Adds two rows to the §2 retention matrix and one bullet to the §3 account-deletion cascade:
- "Apple Health — imported profile fields" — DOB, biological sex, body weight, height, and any future HK-read field are retained on the same schedule as user-entered profile data. Explicit note that we cannot delete data we wrote into the user's Apple Health store; the user must remove it via iOS Settings.
- "Apple Health permission state" — the `healthkitConnected` / `healthkitConnectedAt` / `healthkitProfileImportedAt` fields on the user document are retained for the life of the account and are revoked / re-flagged on iOS Settings revocation.
- §3 bullet 7 (new) — explicit statement that our deletion cascade does not (and cannot) reach data previously written into the user's Apple Health store.
Privacy Policy — v5 → v6 (November 4, 2025)
Headline change. An account is now required to use Kettle Muscle. The "use without an account" path has been removed end-to-end. This update aligns the Privacy Policy with the product change.
Material edits:
- Quick summary (top of policy). Rewritten to state that an account is required, to explain that local-first storage continues to apply (a copy lives on the device first and is synced to the account in the background), and to explicitly call out health-data processing as a separately-consented use.
- §2.1 "Account data". Renamed from "Account data (only if you sign in)" to "Account data (required to use the Service)". Lawful basis upgraded from a mixed footing to performance of a contract (GDPR Art. 6(1)(b)), with parallel bases under LGPD Art. 7(V), DPDPA §6, and PIPEDA Principle 3. Adds the password salted-hash, the email-verified timestamp, and the consent record (Terms + Privacy version + timestamp) as fields collected at sign-up.
- §2.7 "Email verification" (new). Discloses the verification email Firebase sends to email + password sign-ups; notes that Firebase logs the verification event, IP, and user-agent of the link click; references the 30-day abandonment-purge schedule for never-verified accounts.
- §4 lawful-basis table. Row "Maintain your account" updated to reflect the contract-performance basis and to mention the additional contractual purposes of cross-device sync, fulfilment of data-subject rights, and age-threshold enforcement.
- §11 "Children's privacy". Clarifies that the age gate runs before any sign-up or sign-in option is shown, so that no email address is collected from an under-age user.
- §13 "Changes". Adds an effective-date paragraph for the November 4, 2025 update, describing the one-time guided account-creation flow that existing pre-account users will see on next launch, and confirming that on-device workout history is preserved and synced on first sign-in.
Token cleanup. Mustache-style placeholder tokens for the postal address, phone number, EU representative, UK representative, India grievance officer, and Brazil data-protection contact have been removed from §1 and §1.1 and replaced with explicit "pending appointment" language pointing to contact@kettlemuscle.com as the interim 30-day-SLA channel. The substantive obligation is unchanged; the named appointees will be published before public app-store submission.
Terms of Use — v6 → v7 (November 4, 2025)
Headline change. Mirrors the Privacy Policy: an account is required, and the "use without an account" mode previously described in §3 has been removed.
Material edits:
- §1 "Acceptance". Rewritten to require affirmative agreement at sign-up via a dedicated consent control; states that the date and version accepted are recorded and may be produced in response to a regulator's verification request; deletes the "by continuing past the sign-in screen without an account" path.
- §3 "Your account". Rewritten to require an account. Adds the email-verification step for email + password sign-ups, the 30-day abandonment-purge schedule, the NIST SP 800-63B Rev 4 password requirement (15-character minimum, screened against Have I Been Pwned), the Apple-token revocation tie-in to App Review Guideline 5.1.1(v), and a provider-linking paragraph explaining the secure same-email account-link flow.
- §18 "Changes". Adds the effective-date paragraph for the November 4, 2025 update, describing the one-time guided account-creation flow for existing pre-account users and the export-then-uninstall path for users who do not wish to create an account.
Token cleanup. The mustache-style placeholder for the DMCA designated-agent postal address has been replaced with explicit "pending Copyright Office agent registration" language; the counter-notice procedure remains operative via the monitored email address.
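The §3 password requirement (15-character minimum per NIST SP 800-63B Rev 4, screened against Have I Been Pwned) is worth showing as code because the breach screen has a privacy property of its own: under HIBP's k-anonymity range API only the first five hex characters of the password's SHA-1 leave the client, and the 35-character suffix is matched locally. The following is an added example, not Kettle Muscle's sign-up code; the range fetcher is injectable, the breach corpus is constructed for the example, and the 256-character upper bound is an assumption.

```typescript
import { createHash } from "crypto";

// Added example, not Kettle Muscle's own sign-up code. Implements the two checks
// Terms §3 names: the NIST SP 800-63B Rev 4 length floor for password-only
// authentication and a breach screen via the Have I Been Pwned range API's
// k-anonymity model. The fetcher is injected so the check runs offline here.

export const MIN_PASSWORD_LENGTH = 15;   // 800-63B-4 minimum when no second factor
export const MAX_PASSWORD_LENGTH = 256;  // assumed cap; 800-63B-4 requires accepting at least 64

// Returns the body of GET /range/{prefix5}: lines of "<35-hex SUFFIX>:<count>".
export type RangeFetcher = (prefix5: string) => string;

export interface PasswordVerdict {
  ok: boolean;
  reason?: string;
  breachCount?: number;
}

export function sha1Hex(s: string): string {
  return createHash("sha1").update(s, "utf8").digest("hex").toUpperCase();
}

export function parseRange(body: string): Map<string, number> {
  const out = new Map<string, number>();
  for (const line of body.split(/\r?\n/)) {
    const [suffix, count] = line.trim().split(":");
    if (suffix && count !== undefined) out.set(suffix.toUpperCase(), Number(count));
  }
  return out;
}

export function checkPassword(password: string, fetchRange: RangeFetcher): PasswordVerdict {
  // Count Unicode code points, not UTF-16 units, so non-ASCII passphrases are not penalised.
  const length = Array.from(password).length;
  if (length < MIN_PASSWORD_LENGTH) {
    return { ok: false, reason: `must be at least ${MIN_PASSWORD_LENGTH} characters` };
  }
  if (length > MAX_PASSWORD_LENGTH) {
    return { ok: false, reason: `must be at most ${MAX_PASSWORD_LENGTH} characters` };
  }
  // k-anonymity: only the first 5 hex characters of the SHA-1 leave the client.
  // The remaining 35 are compared locally against every suffix in that bucket.
  const hash = sha1Hex(password);
  const prefix = hash.slice(0, 5);
  const suffix = hash.slice(5);
  const count = parseRange(fetchRange(prefix)).get(suffix) ?? 0;
  if (count > 0) {
    return { ok: false, reason: "appears in a known breach corpus", breachCount: count };
  }
  return { ok: true };
}

// Constructed offline stand-in for the HIBP range endpoint: a tiny breach corpus,
// hashed locally and filtered to the requested prefix, in the API's response shape.
const CONSTRUCTED_BREACH_CORPUS: ReadonlyArray<[string, number]> = [
  ["correct horse battery staple", 12345],
  ["password1234567890", 998],
];

export function constructedRangeFetcher(prefix5: string): string {
  return CONSTRUCTED_BREACH_CORPUS
    .map(([pw, n]) => [sha1Hex(pw), n] as const)
    .filter(([h]) => h.startsWith(prefix5))
    .map(([h, n]) => `${h.slice(5)}:${n}`)
    .join("\r\n");
}
```

In production the fetcher is an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix5>`; sending the `Add-Padding: true` request header makes the service pad every response to a similar size so that response length does not leak which bucket was queried. Do the screen on the server side of sign-up as well as in the client, since the client check can be bypassed.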
Consumer Health Data Privacy Policy — unchanged version (housekeeping)
Postal-address and telephone-number placeholders replaced with explicit "pending publication before public app-store submission" language. The 45-day WMHMDA response SLA via contact@kettlemuscle.com is unchanged.
Data Retention Policy — v3 → v4 (November 4, 2025)
Adds one row to the retention matrix:
- "Unverified pending accounts" — email + password sign-ups that have not clicked the verification link are deleted by a scheduled Cloud Function 30 days after sign-up. The purge runs daily at 03:00 UTC.
All other rows unchanged.
Information Security Program — unchanged
No material change in this update. The new server-side scheduled deletion job and the email-verification gate are operational details that fall under the existing program; the program's overall surface area is unchanged.