Privacy Policy
Last updated: May 26, 2026
Version: 7
This Privacy Policy explains how Kettle Muscle handles your information. It is written in plain language first, with the detailed legal disclosures below. If anything is unclear, email us at contact@kettlemuscle.com.
Note to reviewers. This document is a protective first draft prepared for review by licensed counsel in Canada and each target jurisdiction before public release. Some contact roles flagged as "pending appointment" below will be filled before submission to any public app store.
Quick summary (the plain-English version)
- An account is required to use Kettle Muscle. We need it to keep your workouts safe across devices, to honour data-export and deletion requests, and to enforce the children's-privacy age threshold required in your region.
- Your workouts are stored on your phone first and synced to your account in the background. The on-device copy works without a network; the cloud copy is what survives a lost phone or a re-install.
- We use crash reports and basic stability telemetry to keep the app running — that's the only data collected without asking, and it's anonymised.
- We ask for your permission, separately, for anything else: health-data processing for the fatigue engine, product analytics, research aggregation, or any AI feature.
- We do not sell your personal information. We do not share your individual workout, health, or body data with advertisers.
- You can export everything we hold about you, or delete your account, at any time, in-app under Profile → Privacy.
- Every non-essential data use is off by default and can be toggled independently.
1. Who we are
Data controller. The person responsible for your data under this policy is:
- Pulkit Kakkar, operating as an individual developer
- Based in Ontario, Canada
- Primary email: contact@kettlemuscle.com
A postal address and telephone number for COPPA-mandated parent contact will be published before public App Store submission. In the interim, contact@kettlemuscle.com is monitored and responses are issued within thirty (30) days.
The contact channels above are provided to satisfy the contact requirements of 16 C.F.R. §312.4(d)(1) (COPPA Rule, as amended 2025, compliance deadline 22 April 2026). Parents who believe we have inadvertently collected personal information from a child under 13 may contact us at any of the addresses above to review, delete, or refuse further collection of that information.
Kettle Muscle is a consumer fitness application. It is not a medical device, not a healthcare provider, and not a HIPAA-covered entity (see §12).
1.1 Representatives in the EU, UK, and elsewhere
- European Union (GDPR Art. 27). Our EU representative is currently being arranged. In the interim, EU/EEA residents may raise privacy concerns at contact@kettlemuscle.com; we will respond within thirty (30) days. The representative's name and address will be published in this section before public submission to any EU app store.
- United Kingdom (UK GDPR). Our UK representative is currently being arranged on the same timeline as the EU representative above.
- India (DPDPA 2023). Pulkit Kakkar acts as the grievance officer pending appointment of a dedicated officer, reachable at contact@kettlemuscle.com. We will respond to verified requests within thirty (30) days.
- Brazil (LGPD). Pulkit Kakkar acts as our data protection contact (Encarregado) pending appointment of a dedicated DPO, reachable at contact@kettlemuscle.com.
- Quebec (Law 25). Our Person in Charge of the Protection of Personal Information is Pulkit Kakkar, reachable at contact@kettlemuscle.com. A French-language translation of this policy is available on request while permanent translation is prepared.
Until the named representatives are appointed, contact@kettlemuscle.com will acknowledge and route all requests within thirty (30) days, which is the default response window under every applicable regime.
2. What we collect and why
We group everything we collect into four buckets. You can see the legal basis for each one in §4.
2.1 Account data (required to use the Service)
Kettle Muscle requires an account. The choices are Sign in with Apple, Sign in with Google, or email + password. The data we collect to maintain the account is:
- Your email address and (for federated sign-in) the display name and provider identifier returned by Apple or Google.
- Apple's private email relay is accepted and treated the same as a real email.
- A unique account identifier generated by Firebase Authentication.
- For email + password sign-up: an "email verified" timestamp once you click the verification link Firebase sends you, plus a salted hash of your password held by Firebase (we never see the plaintext).
- A consent record (Terms version, Privacy Policy version, timestamp) created when you tap "I agree" at sign-up — see §13.
Why. An account lets your data survive a lost or wiped device, lets you exercise the data-export and deletion rights described in §8, anchors the children's-privacy age gate to a verified identity, and lets us honour Apple's account-deletion requirement (App Store Review Guideline 5.1.1(v)).
Legal basis. Processing this category is necessary for the performance of the contract between you and us — GDPR Art. 6(1)(b), UK GDPR equivalent, LGPD Art. 7(V), DPDPA §6, PIPEDA Principle 3. It is not processed on the basis of consent, so you cannot withdraw it without closing the account (see §8.1 right to erasure).
2.2 Fitness and body data (the core of the app)
- Workouts you log: exercises, sets, reps, weight, rest, tempo, RPE, and notes.
- Body stats you enter: height, weight, sex (used for calorie and fatigue calculations), and date of birth (used only for the children's-privacy age gate — see §11).
- Personal records, streaks, and progress computed on-device from the above.
- If you grant the Apple Health permission (iOS only), data we read from Apple Health on your behalf. At onboarding or from your profile screen, with your explicit opt-in, we read your date of birth, biological sex, latest body weight and latest height to pre-fill your profile; these fields are then stored in your user profile and follow the cloud-sync path described in §2.1 and §6 — that is, they are mirrored to our backend alongside the rest of your profile. We also request permission to read heart rate, resting heart rate, heart-rate variability and active energy burned; these are reserved for a future recovery-analytics feature and are not sampled in the current release. We do not poll Apple Health in the background and we do not use observers or background delivery.
- If you grant the Apple Health write permission (iOS only), when you finish a workout we write the completed session — start and end times, the mapped activity type, an estimated calorie figure, and (for applicable activities) distance — and your updated body weight to Apple Health. This direction is on-device only and never routes through our backend. If you delete a workout in the app, we ask Apple Health to delete the matching record we previously wrote. We cannot delete data that you, or other apps, wrote into your Apple Health store — under Apple's privacy model, that data belongs to you, and you can remove it from Settings → Privacy & Security → Health → Kettle Muscle.
Why. To run the fatigue engine, plan sessions, show progress, and let you review your own training. This is sensitive / special-category data under GDPR Article 9, Washington MHMDA, Quebec Law 25, DPDPA, and LGPD. It is collected only with your specific, unbundled consent at the onboarding screen titled "Built around your workouts," and only after the age gate (see §11).
2.3 Stability telemetry (kept as anonymous as possible)
- Crash reports with stack traces, the iOS / Android version, and the build number.
- Non-fatal error events (a function threw that we want to fix).
- Anonymous technical identifiers that let us correlate a crash to a session — not your name, email, or Apple ID.
Why. We need this to know the app isn't crashing for you. It is the equivalent of a server log file and is essential to keeping the service running. We process this on the basis of our legitimate interest (GDPR Art. 6(1)(f)) in operating and securing the service, and the corresponding bases under PIPEDA, LGPD, and DPDPA. You can still opt out under Profile → Privacy → Diagnostics; doing so limits our ability to fix bugs that affect you.
2.4 Product analytics (only if you turn it on)
- Which screens you open, which features you tap, how long a session lasts.
- A device-level identifier used only for aggregated analytics; stripped of anything that could identify you personally.
Why. To learn which features are worth investing in. This is off by default and only enabled after a separate, plainly-worded in-app prompt that names this purpose. You can turn it off again at any time under Profile → Privacy → Analytics.
2.5 Research aggregation (only if you turn it on)
- Aggregated, de-identified statistics derived from your workouts (for example: average rest times across users who pursued a hypertrophy goal) — never your individual records.
Why. To make the fatigue engine and recommendation logic better for everyone. This is off by default, requires your separate opt-in on the consent screen, and can be toggled off at any time under Profile → Privacy → Research aggregation. We never combine research data with your account.
2.6 What we specifically do not collect today
- Contacts, calendar, photos library outside the image you explicitly attach to a note, microphone audio, location, browsing history, or any advertising identifiers for advertising purposes.
- We do not run an advertising SDK. We do not sell any data.
2.7 Email verification (email + password sign-ups only)
If you sign up with email + password, Firebase sends a verification email to the address you provided. Until you click the link, the account exists in an "unverified" state and you cannot reach the rest of the app. Firebase logs the verification event, the IP address of the click, and the user-agent of the browser that opened the link. That metadata is held by Google as our processor under the Firebase DPA and is purged when the account is deleted (or, for accounts never verified, on the 30-day abandonment-purge schedule described in our Data Retention Policy).
3. AI features and your data
As of this policy's last-updated date, the Kettle Muscle application does not transmit your fitness or account data to any third-party AI service by default. The app includes no paid server-side AI feature.
If you choose to enable an optional AI feature in the future by entering your own API key (bring-your-own-key, or "BYOK") — for providers such as OpenAI, Anthropic, or Google Gemini — then:
- Before your first request to any such provider, we will show you the exact prompt and context that will be transmitted and require your affirmative, in-app consent. You can cancel at that point without any transmission taking place. This satisfies Apple App Review Guideline 5.1.2(i) (November 2025) and is applied uniformly to every cloud AI provider.
- Your prompts and the context they need (for example, your recent workout summary) will be sent directly from your device to that provider you chose, under the provider's own terms and privacy policy. We do not see or store those prompts.
- Your API key is stored on your device in the iOS Keychain (protected by the Secure Enclave where the device supports it) via expo-secure-store, or the equivalent Android Keystore. It is never transmitted to us.
- You can remove your key and disable the feature at any time in Settings.
If Kettle Muscle ever introduces a server-side AI feature (one that we host), we will:
- Update this Privacy Policy before the feature goes live.
- Gate it behind a separate, opt-in consent screen that names the AI provider, the data sent, and the retention period.
- Never use your individual workouts or body data to train general-purpose AI models without your explicit, separate consent.
- Route the feature through a provider whose terms permit commercial use and prohibit training on customer data.
- Comply with the EU AI Act Article 50 transparency requirement (applicable 2026-08-02) by clearly marking AI-generated output in the interface.
We are intentionally conservative here. If you would prefer that we commit to not shipping server-side AI at all, we cannot — products change. What we commit to is: no data goes to any AI provider we have not named to you, ever.
3.5 Subscription and payment processing
When you purchase a Kettle Muscle paid subscription on iOS, two third parties handle the transaction on our behalf:
- Apple Inc. acts as the merchant of record. Your payment method, billing name, and Apple ID details are handled entirely by Apple. Kettle Muscle never sees your payment card, billing address, or App Store receipt details — we receive only an opaque transaction identifier and an entitlement state.
- RevenueCat, Inc. (1032 E Brandon Blvd #3003, Brandon, FL 33511, United States) operates the subscription-management infrastructure that translates Apple's purchase events into the entitlement state our app reads. RevenueCat acts as our service provider under the CCPA/CPRA and as a processor under the GDPR, UK GDPR, LGPD, and Quebec Law 25, processing data only on our documented instructions under an executed Data Processing Addendum.
3.5.1 What we share with RevenueCat
| Category | Specific fields | Purpose |
|---|---|---|
| Pseudonymous account ID | Your Firebase UID (a random opaque string; not your email, name, or any directly identifying value) | To attach the subscription entitlement to the correct account across your devices |
| Apple-issued purchase events | Apple transaction ID, original transaction ID, product identifier, purchase date, expiry date, country/storefront code, currency | To verify your subscription is current and to honor the entitlement |
| Platform metadata | iOS version, device model class, app version, device language | To diagnose purchase-flow issues and (if you opted in to analytics) measure cohorts |
3.5.2 What we do not share with RevenueCat
We do not share — and RevenueCat does not receive — any of the following: your name, email address, password, Apple ID, payment-card information, App Store receipt body, fitness or workout data, exercises performed, sets / reps / weights, body composition, age, sex, height, weight, AI prompts or AI output, BYO-AI provider API keys, or any free-text content you entered into the app. The pseudonymous identifier we send cannot be linked back to you by RevenueCat without information held only by Kettle Muscle.
3.5.3 Lawful basis
We process subscription-billing data on the basis of GDPR Art. 6(1)(b) — performance of the contract between you and us, which is the paid-subscription agreement set out in our Terms of Use. For the equivalent UK GDPR, LGPD Art. 7(V), DPDPA §6, and PIPEDA bases, see the table in §4. No special-category (Art. 9) data is shared for billing.
3.5.4 International transfer
RevenueCat is established in the United States and processes the data above on US infrastructure. Where your data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States via RevenueCat, the transfer is governed by:
- The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 3 (processor-to-processor) since Kettle Muscle is itself acting as a processor of your account data on RevenueCat's downstream tier;
- The UK International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office on 21 March 2022; and
- The Swiss SCC supplement approved by the FDPIC.
These instruments are incorporated by reference into our DPA with RevenueCat (effective 17 December 2025; current text at https://www.revenuecat.com/dpa/).
3.5.5 Retention
RevenueCat retains the pseudonymous transaction record described in §3.5.1 for the duration of your subscription plus seven (7) years from the date of the last billing event, to support financial recordkeeping required of an internet-payment processor under US tax and accounting rules. If you delete your Kettle Muscle account, we will instruct RevenueCat to delete the pseudonymous account identifier within thirty (30) days via RevenueCat's DELETE /v1/subscribers/{appUserID} REST endpoint. The transaction-event records that are required for tax recordkeeping are retained in pseudonymized form (no identifier linking back to you) for the seven-year statutory period and then purged.
3.5.6 Your right to erasure
Account deletion under §8 of this Policy invokes a server-side wipeRevenueCatUser call that will issue the REST DELETE described in §3.5.5. If RevenueCat is unavailable at the time of deletion, the call is queued and retried; you will not be billed during the retry window because Apple, not RevenueCat, controls billing. Deleting your Kettle Muscle account does not, by itself, cancel an active Apple subscription — see §10.9 of the Terms of Use for how to cancel through Apple.
3.5.7 Apple's role
Apple acts as the payment processor for every iOS in-app purchase. Apple's collection and use of your payment information is governed by Apple's Privacy Policy (https://www.apple.com/legal/privacy/) and the Apple Media Services Terms (https://www.apple.com/legal/internet-services/itunes/). Apple does not share your name, email, payment card, or billing address with Kettle Muscle. The receipt body that StoreKit issues for each purchase is verified server-side at Apple via RevenueCat's verification call and never reaches Kettle Muscle's own servers.
4. Legal bases on which we rely (EU, UK, Brazil, Canada, India)
| Purpose | Data used | Primary legal basis (GDPR / UK GDPR) | Equivalent basis (LGPD / DPDPA / PIPEDA) |
|---|---|---|---|
| Run the core app (fatigue engine, workout history, progress) | Fitness + body data (§2.2) | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | Consent (LGPD Art. 7(I), Art. 11(I)); consent (DPDPA §6); consent (PIPEDA Principle 3) |
| Maintain your account, sync across devices, enforce export and deletion rights, enforce age threshold | Account data (§2.1) | Performance of a contract (Art. 6(1)(b)) — an account is required to provide the Service and to fulfil our obligations under §8 (rights) | Execution of contract (LGPD Art. 7(V)); contract performance (DPDPA §7(a)); necessary for fulfilment of contract (PIPEDA Principle 3) |
| Keep the app stable and secure | Stability telemetry (§2.3) | Legitimate interest (Art. 6(1)(f)) — "ensuring security and continuity" | Legitimate interest (LGPD Art. 7(IX)); legitimate use (DPDPA §7); implied consent for safeguarding (PIPEDA) |
| Improve the product through usage data | Product analytics (§2.4) | Consent (Art. 6(1)(a)) | Consent (LGPD / DPDPA / PIPEDA) |
| Aggregated / de-identified research | Derived research aggregates (§2.5) | Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)) | Consent (LGPD / DPDPA / PIPEDA) |
| Comply with law or defend legal claims | Any of the above, as strictly necessary | Legal obligation / legitimate interest (Art. 6(1)(c) / (f)) | Compliance with legal obligation (LGPD Art. 7(II)); legal obligation (DPDPA §7) |
You may withdraw any consent-based processing at any time. Withdrawing consent for a purpose we rely on to operate the core app means we can no longer operate the core app for you — in that case we will help you export your data before your account is closed.
5. How long we keep your data (retention)
We keep personal information only as long as we need it for the purpose for which we collected it, or for a related legal purpose, then we delete it. A fuller policy is set out in our Data Retention Policy, maintained as required under 16 C.F.R. §312.10 (COPPA 2.0) and the parallel retention provisions of GDPR Art. 5(1)(e), UK GDPR, CPRA §1798.100(a)(3), PIPEDA Principle 4.5, Quebec Law 25 s.23, LGPD Art. 16, and DPDPA §8(7). In summary:
| Category of data | Retention period | Trigger to delete |
|---|---|---|
| Account identity (email, name, provider ID, Firebase UID) | Life of the account | Account deletion |
| Authentication tokens (Apple authorisation code, refresh tokens) | Life of the account; Apple authorisation code up to 6 months to support Sign-in-with-Apple revocation | Account deletion |
| Subscription transaction records held by RevenueCat (pseudonymous Firebase UID + Apple transaction IDs) | Duration of subscription + 7 years from last billing event for financial recordkeeping; pseudonymous identifier deleted within 30 days of account deletion | Account deletion (identifier); 7-year tax-record purge (transaction body) |
| Apple-side payment records (held by Apple, not by us) | Per Apple's published retention policy | Per Apple |
| Fitness and body data (workouts, sets, body stats, sex, personal records) | Until you delete each record, or until account deletion | Record deletion / account deletion |
| Cloud-synced mirror of fitness data | Life of the account | Account deletion |
| Date of birth | Until you pass the age gate; we then retain the accepted birth year and the fact the gate was passed, not the exact day / month | Account deletion |
| Under-age block state | Retained only as a "blocked" signal with no personal identifier, for as long as the operating system retains app-installation state | Device wipe or re-install |
| Consent records (version, timestamps, opt-in toggles, Terms / Privacy version hash) | Life of the account + 24 months after account deletion, to evidence lawful processing on later inquiry | Scheduled purge, 24 months after deletion |
| Stability telemetry (crash reports, non-fatal errors) | 90 days | Automatic purge |
| Product analytics events (only if you opted in) | 14 months, aggregated | Automatic purge |
| Research aggregates (only if you opted in) | Indefinite only if irreversibly aggregated and not re-identifiable | Purge if re-identification becomes feasible |
| BYO-AI API key (if you entered one) | Until you remove it; stored only on-device | Key removal / account deletion / app uninstall |
| Data-subject-request records (access, deletion, correction, export requests) | 3 years from the date of the request | Automatic purge |
| Legal, tax, dispute, or audit records | As long as the applicable legal obligation requires | Expiry of the obligation |
If you delete your account, a "deleting" marker is placed on your account record first so that a mid-delete crash can resume the cascade. Within ninety (90) days of account deletion, no data tied to your personal identity remains in our backend other than the consent records and data-subject-request log entries listed above, which are retained for the stated periods so we can evidence compliance on later inquiry.
6. Who else sees your data
We use a small set of third parties strictly to deliver the service. Each one is bound by the service's own privacy terms, and by a data-processing agreement where available.
| Processor | What it does | What it sees | Location |
|---|---|---|---|
| Google LLC (Firebase and Google Cloud services — Authentication, Firestore, Cloud Functions, App Check, Analytics) | Sign-in, cloud sync, abuse prevention, telemetry | Account ID, cloud-synced workout records, diagnostic events | United States (default region) |
| Apple — Sign in with Apple | Auth federation if you choose it | Your choice to sign in | Apple's infrastructure |
| Google — Sign in with Google | Auth federation if you choose it | Your choice to sign in | Google's infrastructure |
| OpenAI / Anthropic / Google (Gemini) | Only if you enter your own API key for an AI feature | Your prompt and the context you include | Provider's infrastructure, per their terms |
| RevenueCat, Inc. (San Francisco, CA, USA) — subscription processor | Translates Apple purchase events into entitlement state; manages subscription lifecycle | Pseudonymous Firebase UID; Apple-issued transaction IDs, product IDs, prices, country code; iOS / device / app version; language. Not name, email, health, fitness, or AI data | United States |
| Apple Inc. — App Store payment processor | Processes every iOS in-app purchase as merchant of record | Your payment method and billing details; processed by Apple, not received by us | Apple's infrastructure |
| Apple Health — inbound profile import (iOS, on-device API) | Reads your DOB, biological sex, latest body weight and latest height with your explicit permission, to pre-fill your profile | The HK fields named above. Imported values are persisted in your user profile and follow the same cloud-sync path as other profile data — see Google LLC row above | iOS device → on-device → mirrored to United States via Firestore |
| Apple Health — outbound workout + body-mass write (iOS, on-device API) | When you complete a workout we write the session (times, activity type, calories, distance where applicable) and body-weight changes to your Apple Health store; deletes in-app cascade to a matching delete in Apple Health | The workout and body-mass values we send | On-device only; never routed through our servers |
We do not use Meta Pixel, Google Ads, IAB TCF vendors, or any other advertising or ad-tech processor. If that ever changes, we will update this table and require a separate opt-in.
We also do not share your data with data brokers and we do not "sell" personal information as that term is defined in the California CCPA/CPRA, Colorado CPA, Virginia VCDPA, or equivalent state laws.
7. Where your data is stored and moved across borders
Cloud-synced data is stored in the United States on Google Cloud infrastructure operated by Firebase. When you use the app from the European Economic Area, the United Kingdom, Switzerland, Canada, Brazil, India, or elsewhere, your data will be transferred to the United States for storage and processing.
We rely on the following transfer mechanisms:
- European Economic Area → United States: the European Commission's Standard Contractual Clauses (2021/914), supplemented where required.
- United Kingdom → United States: the UK International Data Transfer Addendum to the EU SCCs.
- Switzerland → United States: the Swiss-version SCCs approved by the FDPIC.
- Canada → United States: contractual protections equivalent to PIPEDA; in Quebec, we maintain a Privacy Impact Assessment (PIA) documenting the transfer per Law 25.
- Brazil → United States: contractual safeguards equivalent to Article 33 of the LGPD.
- India → United States: standard contractual measures, pending classification under DPDPA cross-border transfer rules.
You can request a copy of the relevant transfer safeguards by emailing contact@kettlemuscle.com.
8. Your rights
8.1 Rights that every user has, everywhere
- Access the data we hold about you.
- Correct data that is inaccurate.
- Export your data in a portable format (JSON) under Profile → Privacy → Download my data. Rate-limited to one export every 24 hours.
- Delete your account and the data it holds under Profile → Privacy → Delete account. Deletion cascades across our backend. If you signed in with Apple, we also revoke your Apple ID token via Apple's REST endpoint in accordance with Apple App Review Guideline 5.1.1(v), so that Kettle Muscle no longer appears in iOS Settings → Apple ID → Sign in with Apple. If you have already uninstalled the app, you can still request deletion from the public web page at https://kettlemuscle.com/delete-account. Deleting your account does not by itself cancel an active Apple subscription. Apple is the merchant of record for every iOS in-app purchase; cancellation must be performed in iOS Settings → Apple ID → Subscriptions (or at https://apps.apple.com/account/subscriptions). If your subscription is in a paid period at the time of deletion, Kettle Muscle will continue to honor entitlement reads for that period until the period naturally expires, after which no further data is associated with you.
- Opt out of product analytics, research aggregation, and any future advertising feature at any time under Profile → Privacy.
- Withdraw consent you previously gave. Withdrawal is effective for future processing; it does not undo processing that already happened lawfully.
- Complain to us first at contact@kettlemuscle.com, and to a regulator if you remain dissatisfied (see §14 for regulator contacts).
8.2 If you are in the European Union, EEA, United Kingdom, or Switzerland
You have the full set of rights under the GDPR and the UK GDPR, including:
- Access (Art. 15), rectification (Art. 16), erasure ("right to be forgotten") (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and not to be subject to solely automated decision-making (Art. 22).
- Withdraw consent at any time for consent-based processing (Art. 7(3)).
- Lodge a complaint with your local Data Protection Authority. A list is available at edpb.europa.eu/about-edpb/about-edpb/members_en; UK residents may contact the Information Commissioner's Office at ico.org.uk.
- Our EU representative under Article 27 is named in §1.1 of this policy.
Kettle Muscle does not carry out automated decision-making of the kind that produces legal or similarly significant effects on you.
8.3 If you are in California
You have rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), including: the right to know, access, delete, correct, portability, opt out of sale/sharing (we do not sell or share), opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (we do not do this), and to limit the use of sensitive personal information ("Limit SPI"). The Limit SPI toggle is available under Profile → Privacy.
On a verified consumer request, we will disclose the specific pieces of personal information we collected about you, and the sources, purposes, and recipients of that collection, in the twelve (12) months preceding your request, in accordance with Cal. Civ. Code §1798.130(a)(5).
You may also designate an authorised agent to make requests on your behalf. We will verify your identity before acting on a request.
We do not knowingly sell or share the personal information of minors under 16. We do not need to, because the app is gated at 13+ and no data collected is used for advertising.
We honour browser-level Global Privacy Control signals where technically applicable.
8.4 If you are in Washington State (or another US state with consumer-health-data laws)
In addition to any rights under your state's general privacy law (if any), you have rights under the Washington My Health My Data Act (Wash. Rev. Code 19.373), which treats fitness-tracker data as "consumer health data". Because WMHMDA requires a separately-accessible disclosure, we maintain a stand-alone Consumer Health Data Privacy Policy that sets out the categories of consumer health data we collect, the specific third parties that receive it, the purposes for which we process it, and the six WMHMDA rights you have and how to exercise them. Equivalent rights apply to residents of Nevada (under SB 370) and Connecticut (under the Data Privacy Act's consumer-health-data provisions); contact us the same way.
In short: we do not sell consumer health data, and general acceptance of these Terms or this Policy is not authorisation to do so. You may contact contact@kettlemuscle.com with the subject line "Consumer Health Data Request" to exercise any of your rights, and we will respond within forty-five (45) days (extendable by a further forty-five days where reasonably necessary). You may also contact the Washington Attorney General's Office at atg.wa.gov, which has a private right of action under the Washington Consumer Protection Act.
8.5 If you are in Canada
You have rights under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), including access, correction, and withdrawal of consent.
- If you are a Quebec resident, you additionally have the rights in the Act respecting the protection of personal information in the private sector ("Law 25"), including the right to de-indexing (Art. 28.1) and the right to portability (Art. 27). We do not make decisions about you based exclusively on automated processing that have legal or similarly significant effects on you; if that ever changes we will inform you in advance and provide a human-review right in accordance with Law 25 Art. 12.1. A summary of our Law 25 Privacy Impact Assessment for cross-border transfers is available on request. A French-language version of this Privacy Policy is provided before Quebec residents are permitted to create an account; English governs only where Quebec law permits. You may file a complaint with the Commission d'accès à l'information du Québec (CAI) at cai.gouv.qc.ca.
- Residents of Alberta and British Columbia may contact their respective provincial Offices of the Information and Privacy Commissioner.
- Federally, you may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
8.6 If you are in Brazil
Under the Lei Geral de Proteção de Dados (LGPD) (Law 13.709/2018), Article 18, you have the following rights:
- Confirmation of the existence of processing of your personal data;
- Access to your personal data;
- Correction of incomplete, inaccurate, or out-of-date data;
- Anonymisation, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD;
- Portability of your data to another service or product provider;
- Deletion of personal data processed with your consent, subject to the exceptions in Article 16;
- Information about the public and private entities with which we have shared your data;
- Information about the possibility of refusing consent and the consequences of doing so; and
- Revocation of consent.
The consent required to process your sensitive personal data under LGPD Article 11 is obtained in a highlighted and specific manner, separately from any other contractual clause.
- Our LGPD contact ("Encarregado") is named in §1.1.
- You may also contact the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
8.7 If you are in India
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and the DPDP Rules 2025, you have the right to: access a summary of your data, correct and erase data, nominate another person to exercise rights on your behalf in the event of your death or incapacity, and seek redress through our grievance officer (named in §1.1).
- The app is not intended for and is not available to users under 18 in India, because Rule 10 requires verifiable parental consent under 18 and we do not currently provide a verifiable-parental-consent flow. Age is enforced at onboarding.
- You may also escalate to the Data Protection Board of India once it is operational under the staged rollout.
8.8 How to make a request
Email contact@kettlemuscle.com with the subject line "Privacy Request" and tell us what you want. You do not need to write it in any particular form. To protect your account, we may ask you to verify you are the account holder before we act on a request that concerns an account.
We will respond within the time frame required by your local law — at most, within thirty (30) days of verifying your request, extendable by a further thirty (30) days (or forty-five (45) days under WMHMDA) where reasonably necessary, with notice to you.
9. Security
We take security as seriously as a solo developer reasonably can. Our full practice is documented in the Information Security Program (maintained as required under COPPA 2.0). In summary:
- Transport encryption (TLS 1.2+) for every request between the app and our backend.
- Encryption at rest for Firebase-stored data.
- Your BYO-AI API keys are stored in the iOS Keychain (protected by the Secure Enclave where the device supports it) via expo-secure-store, or the equivalent Android Keystore, and are never sent to our servers.
- Per-user isolation on the server: Firestore rules reject any read or write that crosses account boundaries, and Firebase App Check rejects any request not originating from a genuine app install.
- Password requirements follow NIST SP 800-63B Rev 4 — a minimum of fifteen characters with no arbitrary composition rules, checked against the Have I Been Pwned breach database before being accepted.
- A written incident-response and breach-notification procedure, including timely notification to affected users and regulators (within seventy-two (72) hours under GDPR, and in accordance with PIPEDA, LGPD, DPDPA, and applicable US state laws).
No system is perfectly secure. If we experience a breach affecting your data, we will notify you and the applicable regulators within the time frames required by law.
10. Cookies, tracking, and device permissions
Kettle Muscle is a native mobile app. It does not set browser cookies.
- On iOS, the app will display the App Tracking Transparency (ATT) prompt before any feature that could track you across apps and websites is enabled. Currently, no such feature is enabled; if product analytics are ever tied to an advertising identifier, we will request ATT permission first.
- Permissions we ask for are each tied to a specific feature: Apple Health (iOS only — read access to pre-fill your profile and, in a future release, power recovery analytics; write access to record completed workouts and body-weight changes in your Apple Health store), camera (for attaching a photo to a workout note), microphone and speech recognition (for optional voice-log), and push notifications (not yet enabled). Each iOS purpose string describes precisely why we are asking, and you can review or revoke any permission at any time in Settings → Privacy & Security on your device.
11. Children's privacy
Kettle Muscle is not directed to, and we do not knowingly collect personal information from:
- Children under 13 anywhere in the world.
- Children under 16 in the European Economic Area or the United Kingdom without the consent of a person holding parental responsibility.
- Children under 18 in India (as described in §8.7).
We enforce this through an age gate presented before any sign-up or sign-in option is shown and before any personal data — including an email address — is collected. If a user indicates an age below the threshold for their region, the app blocks onboarding, does not present any account-creation control, and does not retain the date of birth beyond what is needed to display the block screen and prevent re-entry on the same device.
If you believe a child has nonetheless provided us with data, email contact@kettlemuscle.com and we will delete it promptly.
This policy and our age gate are designed to comply with the Children's Online Privacy Protection Rule, as amended 2025 (COPPA 2.0) (compliance deadline 22 April 2026), the UK Age Appropriate Design Code, the California Age-Appropriate Design Code Act, DPDPA Rule 10, and the children's-data provisions of LGPD.
12. HIPAA does not apply
Kettle Muscle is a consumer wellness service that collects data directly from you, the user. We are not a HIPAA-covered entity (a healthcare provider, health plan, or healthcare clearinghouse), and we are not a business associate of any such entity. The information you enter into Kettle Muscle is not Protected Health Information under HIPAA, and HIPAA's Privacy, Security, and Breach Notification Rules do not govern our handling of it.
What governs our handling of that information is this Privacy Policy, the consumer privacy laws listed in §8, and the security practices in §9.
If you use Kettle Muscle in a professional capacity (for example, as a coach or trainer logging a client's workouts), you remain responsible for any obligations you have to that client under the laws that apply to you.
13. Changes to this policy
If we make material changes — for example, a new category of data, a new processor, a new AI feature, or a new advertising feature — we will:
- Update the "Last updated" date and bump the version number at the top of this policy.
- Surface an in-app notice before the change takes effect.
- Where a change requires fresh consent (for example, a new processing purpose for special-category data), re-present the consent screen and require your affirmative action before the change applies to you.
For non-material changes (such as improving the wording of a section without changing what we do), we will update the "Last updated" date without a separate notice.
Effective date of the November 4, 2025 update. The update on November 4, 2025 reflects that an account is now required to use Kettle Muscle. Existing users who were previously using the app without an account will be guided through a one-time account-creation flow on their next launch. Local workout history on the device is preserved and will be synced to the new account on first sign-in. If you do not wish to create an account, you may export your data using the in-app export tool before signing up, and then uninstall.
14. Contact, complaints, and regulators
The best first step for any question or request is to email us at contact@kettlemuscle.com.
If you are not satisfied with our response, you may contact the supervisory authority or regulator in your region:
- EU / EEA: your national Data Protection Authority (list at edpb.europa.eu).
- United Kingdom: the Information Commissioner's Office — ico.org.uk.
- Canada (federal): the Office of the Privacy Commissioner of Canada — priv.gc.ca.
- Quebec: Commission d'accès à l'information — cai.gouv.qc.ca.
- California: California Privacy Protection Agency — cppa.ca.gov, or the Office of the Attorney General — oag.ca.gov.
- Washington State: Office of the Attorney General — atg.wa.gov.
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd.
- India: Data Protection Board of India (once operational under DPDPA).
End of Privacy Policy.