Privacy Policy
Last updated: April 23, 2026
Version: 4
This Privacy Policy explains how Kettle Muscle handles your information. It is written in plain language first, with the detailed legal disclosures below. If anything is unclear, email us at contact@kettlemuscle.com.
Note to reviewers. This document is a protective first draft prepared for review by licensed counsel in Canada and each target jurisdiction before public release. Placeholders marked {{…}} are pending business actions (EU / UK representative appointment, DMCA agent registration) and will be filled before submission to any app store.
Quick summary (the plain-English version)
- Your workouts live on your phone first. Nothing is sent to our servers unless you sign in.
- We use crash reports and basic stability telemetry to keep the app running — that's the only data we collect without asking, and it's anonymised.
- We ask for your permission, separately, for anything else: product analytics, research aggregation, or any future AI or advertising feature.
- We do not sell your personal information. We do not share your individual workout, health, or body data with advertisers.
- You can export everything we hold about you, or delete your account, at any time, in-app under Profile → Privacy.
- You are in control. Every non-essential data use is off by default and can be toggled independently.
1. Who we are
Data controller. The person responsible for your data under this policy is:
- Pulkit Kakkar, operating as an individual developer
- Based in Ontario, Canada
- Primary email: contact@kettlemuscle.com
- Postal address: {{POSTAL_ADDRESS}}
- Telephone: {{PHONE_NUMBER}}
The postal address and telephone number are provided to satisfy the contact requirements of 16 C.F.R. §312.4(d)(1) (COPPA Rule, as amended 2025, compliance deadline 22 April 2026). Parents who believe we have inadvertently collected personal information from a child under 13 may contact us at any of the addresses above to review, delete, or refuse further collection of that information.
Kettle Muscle is a consumer fitness application. It is not a medical device, not a healthcare provider, and not a HIPAA-covered entity (see §12).
1.1 Representatives in the EU, UK, and elsewhere
- European Union (GDPR Art. 27). Our EU representative is {{EU_REP_NAME}}, {{EU_REP_ADDRESS}}, {{EU_REP_EMAIL}}. EU/EEA residents may raise any privacy concern directly with them.
- United Kingdom (UK GDPR). Our UK representative is {{UK_REP_NAME}}, {{UK_REP_ADDRESS}}, {{UK_REP_EMAIL}}.
- India (DPDPA 2023). Our grievance officer is {{IN_GRIEVANCE_OFFICER}}, reachable at contact@kettlemuscle.com. We will respond to verified requests within thirty (30) days.
- Brazil (LGPD). Our data protection contact (Encarregado) is {{BR_DPO}}, reachable at contact@kettlemuscle.com.
- Quebec (Law 25). Our Person in Charge of the Protection of Personal Information is Pulkit Kakkar, reachable at contact@kettlemuscle.com. A French-language translation of this policy is available on request while permanent translation is prepared.
Until the named representatives are appointed, contact@kettlemuscle.com will acknowledge and route all requests within thirty (30) days, which is the default response window under every applicable regime.
2. What we collect and why
We group everything we collect into four buckets. You can see the legal basis for each one in §4.
2.1 Account data (only if you sign in)
- Your email address, display name, and provider identifier when you choose Sign in with Apple, Sign in with Google, or email + password.
- Apple's private email relay is accepted and treated the same as a real email.
- A unique account identifier generated by Firebase Authentication.
Why. To give you an account that works across devices and lets you delete or export your data.
2.2 Fitness and body data (the core of the app)
- Workouts you log: exercises, sets, reps, weight, rest, tempo, RPE, and notes.
- Body stats you enter: height, weight, sex (used for calorie and fatigue calculations), and date of birth (used only for the children's-privacy age gate — see §11).
- Personal records, streaks, and progress computed on-device from the above.
- If you later connect Apple Health (not enabled in the current release): heart rate, weight, and similar metrics you authorise.
Why. To run the fatigue engine, plan sessions, show progress, and let you review your own training. This is sensitive / special-category data under GDPR Article 9, Washington MHMDA, Quebec Law 25, DPDPA, and LGPD. It is collected only with your specific, unbundled consent at the onboarding screen titled "Built around your workouts," and only after the age gate (see §11).
2.3 Stability telemetry (kept as anonymous as possible)
- Crash reports with stack traces, the iOS / Android version, and the build number.
- Non-fatal error events (a function threw that we want to fix).
- Anonymous technical identifiers that let us correlate a crash to a session — not your name, email, or Apple ID.
Why. We need this to know the app isn't crashing for you. It is the equivalent of a server log file and is essential to keeping the service running. We process this on the basis of our legitimate interest (GDPR Art. 6(1)(f)) in operating and securing the service, and the corresponding bases under PIPEDA, LGPD, and DPDPA. You can still opt out under Profile → Privacy → Diagnostics; doing so limits our ability to fix bugs that affect you.
2.4 Product analytics (only if you turn it on)
- Which screens you open, which features you tap, how long a session lasts.
- A device-level identifier used only for aggregated analytics; stripped of anything that could identify you personally.
Why. To learn which features are worth investing in. This is off by default and only enabled after a separate, plainly-worded in-app prompt that names this purpose. You can turn it off again at any time under Profile → Privacy → Analytics.
2.5 Research aggregation (only if you turn it on)
- Aggregated, de-identified statistics derived from your workouts (for example: average rest times across users who pursued a hypertrophy goal) — never your individual records.
Why. To make the fatigue engine and recommendation logic better for everyone. This is off by default, requires your separate opt-in on the consent screen, and can be toggled off at any time under Profile → Privacy → Research aggregation. We never combine research data with your account.
2.6 What we specifically do not collect today
- Contacts, calendar, photos library outside the image you explicitly attach to a note, microphone audio, location, browsing history, or any advertising identifiers for advertising purposes.
- We do not run an advertising SDK. We do not sell any data.
3. AI features and your data
As of this policy's last-updated date, the Kettle Muscle application does not transmit your fitness or account data to any third-party AI service by default. The app includes no paid server-side AI feature.
If you choose to enable an optional AI feature in the future by entering your own API key (bring-your-own-key, or "BYOK") — for providers such as OpenAI, Anthropic, or Google Gemini — then:
- Before your first request to any such provider, we will show you the exact prompt and context that will be transmitted and require your affirmative, in-app consent. You can cancel at that point without any transmission taking place. This satisfies Apple App Review Guideline 5.1.2(i) (November 2025) and is applied uniformly to every cloud AI provider.
- Your prompts and the context they need (for example, your recent workout summary) will be sent directly from your device to the provider you chose, under the provider's own terms and privacy policy. We do not see or store those prompts.
- Your API key is stored on your device in the iOS Keychain (protected by the Secure Enclave where the device supports it) via expo-secure-store, or the equivalent Android Keystore. It is never transmitted to us.
- You can remove your key and disable the feature at any time in Settings.
If Kettle Muscle ever introduces a server-side AI feature (one that we host), we will:
- Update this Privacy Policy before the feature goes live.
- Gate it behind a separate, opt-in consent screen that names the AI provider, the data sent, and the retention period.
- Never use your individual workouts or body data to train general-purpose AI models without your explicit, separate consent.
- Route the feature through a provider whose terms permit commercial use and prohibit training on customer data.
- Comply with the EU AI Act Article 50 transparency requirement (applicable 2026-08-02) by clearly marking AI-generated output in the interface.
We are intentionally conservative here. If you would prefer that we commit to not shipping server-side AI at all, we cannot — products change. What we commit to is: no data goes to any AI provider we have not named to you, ever.
4. Legal bases on which we rely (EU, UK, Brazil, Canada, India)
| Purpose | Data used | Primary legal basis (GDPR / UK GDPR) | Equivalent basis (LGPD / DPDPA / PIPEDA) |
|---|---|---|---|
| Run the core app (fatigue engine, workout history, progress) | Fitness + body data (§2.2) | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | Consent (LGPD Art. 7(I), Art. 11(I)); consent (DPDPA §6); consent (PIPEDA Principle 3) |
| Maintain your account | Account data (§2.1) | Performance of a contract (Art. 6(1)(b)) | Execution of contract (LGPD Art. 7(V)); consent (DPDPA §6); consent (PIPEDA) |
| Keep the app stable and secure | Stability telemetry (§2.3) | Legitimate interest (Art. 6(1)(f)) — "ensuring security and continuity" | Legitimate interest (LGPD Art. 7(IX)); legitimate use (DPDPA §7); implied consent for safeguarding (PIPEDA) |
| Improve the product through usage data | Product analytics (§2.4) | Consent (Art. 6(1)(a)) | Consent (LGPD / DPDPA / PIPEDA) |
| Aggregated / de-identified research | Derived research aggregates (§2.5) | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | Consent (LGPD / DPDPA / PIPEDA) |
| Comply with law or defend legal claims | Any of the above, as strictly necessary | Legal obligation / legitimate interest (Art. 6(1)(c) / (f)) | Compliance with legal obligation (LGPD Art. 7(II)); legal obligation (DPDPA §7) |
You may withdraw any consent-based processing at any time. Withdrawing consent for a purpose we rely on to operate the core app means we can no longer operate the core app for you — in that case we will help you export your data before your account is closed.
5. How long we keep your data (retention)
We keep personal information only as long as we need it for the purpose for which we collected it, or for a related legal purpose, then we delete it. A fuller policy is set out in our Data Retention Policy, maintained as required under 16 C.F.R. §312.10 (COPPA 2.0) and the parallel retention provisions of GDPR Art. 5(1)(e), UK GDPR, CPRA §1798.100(a)(3), PIPEDA Principle 4.5, Quebec Law 25 s.23, LGPD Art. 16, and DPDPA §8(7). In summary:
| Category of data | Retention period | Trigger to delete |
|---|---|---|
| Account identity (email, name, provider ID, Firebase UID) | Life of the account | Account deletion |
| Authentication tokens (Apple authorisation code, refresh tokens) | Life of the account; Apple authorisation code up to 6 months to support Sign-in-with-Apple revocation | Account deletion |
| Fitness and body data (workouts, sets, body stats, sex, personal records) | Until you delete each record, or until account deletion | Record deletion / account deletion |
| Cloud-synced mirror of fitness data | Life of the account | Account deletion |
| Date of birth | Until you pass the age gate; we then retain the accepted birth year and the fact the gate was passed, not the exact day / month | Account deletion |
| Under-age block state | Retained only as a "blocked" signal with no personal identifier, for as long as the operating system retains app-installation state | Device wipe or re-install |
| Consent records (version, timestamps, opt-in toggles, Terms / Privacy version hash) | Life of the account + 24 months after account deletion, to evidence lawful processing on later inquiry | Scheduled purge, 24 months after deletion |
| Stability telemetry (crash reports, non-fatal errors) | 90 days | Automatic purge |
| Product analytics events (only if you opted in) | 14 months, aggregated | Automatic purge |
| Research aggregates (only if you opted in) | Indefinite only if irreversibly aggregated and not re-identifiable | Purge if re-identification becomes feasible |
| BYO-AI API key (if you entered one) | Until you remove it; stored only on-device | Key removal / account deletion / app uninstall |
| Data-subject-request records (access, deletion, correction, export requests) | 3 years from the date of the request | Automatic purge |
| Legal, tax, dispute, or audit records | As long as the applicable legal obligation requires | Expiry of the obligation |
If you delete your account, a "deleting" marker is placed on your account record first so that a mid-delete crash can resume the cascade. Within ninety (90) days of account deletion, no data tied to your personal identity remains in our backend other than the consent records and data-subject-request log entries listed above, which are retained for the stated periods so we can evidence compliance on later inquiry.
6. Who else sees your data
We use a small set of third parties strictly to deliver the service. Each one is bound by the service's own privacy terms, and by a data-processing agreement where available.
| Processor | What it does | What it sees | Location |
|---|---|---|---|
| Google LLC (Firebase and Google Cloud services — Authentication, Firestore, Cloud Functions, App Check, Analytics) | Sign-in, cloud sync, abuse prevention, telemetry | Account ID, cloud-synced workout records, diagnostic events | United States (default region) |
| Apple — Sign in with Apple | Auth federation if you choose it | Your choice to sign in | Apple's infrastructure |
| Google — Sign in with Google | Auth federation if you choose it | Your choice to sign in | Google's infrastructure |
| OpenAI / Anthropic / Google (Gemini) | Only if you enter your own API key for an AI feature | Your prompt and the context you include | Provider's infrastructure, per their terms |
| Apple Health | Only if you grant permission (feature currently disabled) | Body stats and heart-rate data you authorise | On-device only; not routed through our servers |
We do not use Meta Pixel, Google Ads, IAB TCF vendors, or any other advertising or ad-tech processor. If that ever changes, we will update this table and require a separate opt-in.
We also do not share your data with data brokers and we do not "sell" personal information as that term is defined in the California CCPA/CPRA, Colorado CPA, Virginia VCDPA, or equivalent state laws.
7. Where your data is stored and moved across borders
Cloud-synced data is stored in the United States on Google Cloud infrastructure operated by Firebase. When you use the app from the European Economic Area, the United Kingdom, Switzerland, Canada, Brazil, India, or elsewhere, your data will be transferred to the United States for storage and processing.
We rely on the following transfer mechanisms:
- European Economic Area → United States: the European Commission's Standard Contractual Clauses (2021/914), supplemented where required.
- United Kingdom → United States: the UK International Data Transfer Addendum to the EU SCCs.
- Switzerland → United States: the Swiss-version SCCs approved by the FDPIC.
- Canada → United States: contractual protections equivalent to PIPEDA; in Quebec, we maintain a Privacy Impact Assessment (PIA) documenting the transfer per Law 25.
- Brazil → United States: contractual safeguards equivalent to Article 33 of the LGPD.
- India → United States: standard contractual measures, pending classification under DPDPA cross-border transfer rules.
You can request a copy of the relevant transfer safeguards by emailing contact@kettlemuscle.com.
8. Your rights
8.1 Rights that every user has, everywhere
- Access the data we hold about you.
- Correct data that is inaccurate.
- Export your data in a portable format (JSON) under Profile → Privacy → Download my data. Rate-limited to one export every 24 hours.
- Delete your account and the data it holds under Profile → Privacy → Delete account. Deletion cascades across our backend. If you signed in with Apple, we also revoke your Apple ID token via Apple's REST endpoint in accordance with Apple App Review Guideline 5.1.1(v), so that Kettle Muscle no longer appears in iOS Settings → Apple ID → Sign in with Apple. If you have already uninstalled the app, you can still request deletion from the public web page at https://kettlemuscle.com/delete-account.
- Opt out of product analytics, research aggregation, and any future advertising feature at any time under Profile → Privacy.
- Withdraw consent you previously gave. Withdrawal is effective for future processing; it does not undo processing that already happened lawfully.
- Complain to us first at contact@kettlemuscle.com, and to a regulator if you remain dissatisfied (see §14 for regulator contacts).
8.2 If you are in the European Union, EEA, United Kingdom, or Switzerland
You have the full set of rights under the GDPR and the UK GDPR, including:
- Access (Art. 15), rectification (Art. 16), erasure ("right to be forgotten") (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and not to be subject to solely automated decision-making (Art. 22).
- Withdraw consent at any time for consent-based processing (Art. 7(3)).
- Lodge a complaint with your local Data Protection Authority. A list is available at edpb.europa.eu/about-edpb/about-edpb/members_en; UK residents may contact the Information Commissioner's Office at ico.org.uk.
- Our EU representative under Article 27 is named in §1.1 of this policy.
Kettle Muscle does not carry out automated decision-making of the kind that produces legal or similarly significant effects on you.
8.3 If you are in California
You have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), including: the right to know, access, delete, correct, portability, opt out of sale/sharing (we do not sell or share), opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (we do not do this), and to limit the use of sensitive personal information ("Limit SPI"). The Limit SPI toggle is available under Profile → Privacy.
On a verified consumer request, we will disclose the specific pieces of personal information we collected about you, and the sources, purposes, and recipients of that collection, in the twelve (12) months preceding your request, in accordance with Cal. Civ. Code §1798.130(a)(5).
You may also designate an authorised agent to make requests on your behalf. We will verify your identity before acting on a request.
We do not knowingly sell or share the personal information of minors under 16. We do not need to, because the app is gated at 13+ and no data collected is used for advertising.
We honour browser-level Global Privacy Control signals where technically applicable.
8.4 If you are in Washington State (or another US state with consumer-health-data laws)
In addition to any rights under your state's general privacy law (if any), you have rights under the Washington My Health My Data Act (Wash. Rev. Code 19.373), which treats fitness-tracker data as "consumer health data". Because WMHMDA requires a separately-accessible disclosure, we maintain a stand-alone Consumer Health Data Privacy Policy that sets out the categories of consumer health data we collect, the specific third parties that receive it, the purposes for which we process it, and the six WMHMDA rights you have and how to exercise them. Equivalent rights apply to residents of Nevada (under SB 370) and Connecticut (under the Data Privacy Act's consumer-health-data provisions); contact us the same way.
In short: we do not sell consumer health data, and general acceptance of these Terms or this Policy is not authorisation to do so. You may contact contact@kettlemuscle.com with the subject line "Consumer Health Data Request" to exercise any of your rights, and we will respond within forty-five (45) days (extendable by a further forty-five days where reasonably necessary). You may also contact the Washington Attorney General's Office at atg.wa.gov, which has a private right of action under the Washington Consumer Protection Act.
8.5 If you are in Canada
You have rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), including access, correction, and withdrawal of consent.
- If you are a Quebec resident, you additionally have the rights in the Act respecting the protection of personal information in the private sector ("Law 25"), including the right to de-indexing (Art. 28.1) and the right to portability (Art. 27). We do not make decisions about you based exclusively on automated processing that have legal or similarly significant effects on you; if that ever changes we will inform you in advance and provide a human-review right in accordance with Law 25 Art. 12.1. A summary of our Law 25 Privacy Impact Assessment for cross-border transfers is available on request. A French-language version of this Privacy Policy is provided before Quebec residents are permitted to create an account; English governs only where Quebec law permits. You may file a complaint with the Commission d'accès à l'information du Québec (CAI) at cai.gouv.qc.ca.
- Residents of Alberta and British Columbia may contact their respective provincial Offices of the Information and Privacy Commissioner.
- Federally, you may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
8.6 If you are in Brazil
Under the Lei Geral de Proteção de Dados (LGPD) (Law 13.709/2018), Article 18, you have the following rights:
- Confirmation of the existence of processing of your personal data;
- Access to your personal data;
- Correction of incomplete, inaccurate, or out-of-date data;
- Anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD;
- Portability of your data to another service or product provider;
- Deletion of personal data processed with your consent, subject to the exceptions in Article 16;
- Information about the public and private entities with which we have shared your data;
- Information about the possibility of refusing consent and the consequences of doing so; and
- Revocation of consent.
The consent required to process your sensitive personal data under LGPD Article 11 is obtained in a highlighted and specific manner, separately from any other contractual clause.
- Our LGPD contact ("Encarregado") is named in §1.1.
- You may also contact the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
8.7 If you are in India
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules 2025, you have the right to: access a summary of your data, correct and erase data, nominate another person to exercise rights on your behalf in the event of your death or incapacity, and seek redress through our grievance officer (named in §1.1).
- The app is not intended for and is not available to users under 18 in India, because Rule 10 requires verifiable parental consent under 18 and we do not currently provide a verifiable-parental-consent flow. Age is enforced at onboarding.
- You may also escalate to the Data Protection Board of India once it is operational under the staged rollout.
8.8 How to make a request
Email contact@kettlemuscle.com with the subject line "Privacy Request" and tell us what you want. You do not need to write it in any particular form. To protect your account, we may ask you to verify you are the account holder before we act on a request that concerns an account.
We will respond within the time frame required by your local law — at most, within thirty (30) days of verifying your request, extendable by a further thirty (30) days (or forty-five (45) days under WMHMDA) where reasonably necessary, with notice to you.
9. Security
We take security as seriously as a solo developer reasonably can. Our full practice is documented in the Information Security Program (maintained as required under COPPA 2.0). In summary:
- Transport encryption (TLS 1.2+) for every request between the app and our backend.
- Encryption at rest for Firebase-stored data.
- Your BYO-AI API keys are stored in the iOS Keychain (protected by the Secure Enclave where the device supports it) via expo-secure-store, or the equivalent Android Keystore, and are never sent to our servers.
- Per-user isolation on the server: Firestore rules reject any read or write that crosses account boundaries, and Firebase App Check rejects any request not originating from a genuine app install.
- Password requirements follow NIST SP 800-63B Rev 4 — a minimum of fifteen characters with no arbitrary composition rules, checked against the Have I Been Pwned breach database before being accepted.
- A written incident-response and breach-notification procedure, including timely notification to affected users and regulators (within seventy-two (72) hours under GDPR, and in accordance with PIPEDA, LGPD, DPDPA, and applicable US state laws).
No system is perfectly secure. If we experience a breach affecting your data, we will notify you and the applicable regulators within the time frames required by law.
10. Cookies, tracking, and device permissions
Kettle Muscle is a native mobile app. It does not set browser cookies.
- On iOS, the app will display the App Tracking Transparency (ATT) prompt before any feature that could track you across apps and websites is enabled. Currently, no such feature is enabled; if product analytics are ever tied to an advertising identifier, we will request ATT permission first.
- Permissions we ask for are each tied to a specific feature: Apple Health (disabled in the current release), camera (for attaching a photo to a workout note), microphone and speech recognition (for optional voice-log), and push notifications (not yet enabled). Each purpose string describes precisely why we are asking.
11. Children's privacy
Kettle Muscle is not directed to, and we do not knowingly collect personal information from:
- Children under 13 anywhere in the world.
- Children under 16 in the European Economic Area or the United Kingdom without the consent of a person holding parental responsibility.
- Children under 18 in India (as described in §8.7).
We enforce this through an age gate presented before any personal data is collected. If a user indicates an age below the threshold for their region, the app blocks onboarding and does not retain the date of birth beyond what is needed to show the block screen.
If you believe a child has nonetheless provided us with data, email contact@kettlemuscle.com and we will delete it promptly.
This policy and our age gate are designed to comply with the Children's Online Privacy Protection Rule, as amended 2025 (COPPA 2.0) (compliance deadline 22 April 2026), the UK Age Appropriate Design Code, the California Age-Appropriate Design Code Act, DPDPA Rule 10, and the children's-data provisions of LGPD.
12. HIPAA does not apply
Kettle Muscle is a consumer wellness service that collects data directly from you, the user. We are not a HIPAA-covered entity (a healthcare provider, health plan, or healthcare clearinghouse), and we are not a business associate of any such entity. The information you enter into Kettle Muscle is not Protected Health Information under HIPAA, and HIPAA's Privacy, Security, and Breach Notification Rules do not govern our handling of it.
What governs our handling of that information is this Privacy Policy, the consumer privacy laws listed in §8, and the security practices in §9.
If you use Kettle Muscle in a professional capacity (for example, as a coach or trainer logging a client's workouts), you remain responsible for any obligations you have to that client under the laws that apply to you.
13. Changes to this policy
If we make material changes — for example, a new category of data, a new processor, a new AI feature, or a new advertising feature — we will:
- Update the "Last updated" date and bump the version number at the top of this policy.
- Surface an in-app notice before the change takes effect.
- Where a change requires fresh consent (for example, a new processing purpose for special-category data), re-present the consent screen and require your affirmative action before the change applies to you.
For non-material changes (such as improving the wording of a section without changing what we do), we will update the "Last updated" date without a separate notice.
14. Contact, complaints, and regulators
The best first step for any question or request is to email us at contact@kettlemuscle.com.
If you are not satisfied with our response, you may contact the supervisory authority or regulator in your region:
- EU / EEA: your national Data Protection Authority (list at edpb.europa.eu).
- United Kingdom: the Information Commissioner's Office — ico.org.uk.
- Canada (federal): the Office of the Privacy Commissioner of Canada — priv.gc.ca.
- Quebec: Commission d'accès à l'information — cai.gouv.qc.ca.
- California: California Privacy Protection Agency — cppa.ca.gov, or the Office of the Attorney General — oag.ca.gov.
- Washington State: Office of the Attorney General — atg.wa.gov.
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.
- India: Data Protection Board of India (once operational under DPDPA).
End of Privacy Policy.