Data Retention Policy
Last updated: April 23, 2026
Version: 2
This Data Retention Policy sets out how long Kettle Muscle keeps personal information, why, and when we delete it. It is maintained as a formal written policy as required under:
- The Children's Online Privacy Protection Rule, as amended by the 2025 Final Rule (compliance deadline 22 April 2026), 16 C.F.R. §312.10;
- GDPR Article 5(1)(e) (storage limitation principle) and Article 13(2)(a) (disclosure to the data subject of the retention period, or the criteria used to determine it);
- UK GDPR (equivalent);
- California CPRA §1798.100(a)(3) (disclosure of retention period by category);
- PIPEDA Principle 4.5 (limiting use, disclosure, and retention);
- Quebec Law 25, s. 23 (retention limited to the time necessary for the purpose);
- LGPD Article 16 (deletion after purpose fulfilment);
- DPDPA Section 8(7) (erasure after purpose fulfilment or consent withdrawal).
This document is referenced in §5 of our Privacy Policy.
1. Overall principle
We retain personal information only for as long as we need it for the purpose for which it was collected or for a related legal purpose, then we delete it — or irreversibly anonymise it if continued aggregated use is justified and consented to.
We avoid indefinite retention. No category of personal information in Kettle Muscle is retained without a documented expiration trigger.
2. Retention matrix
| Category of data | Source | Purpose | Retention period | Trigger to delete |
|---|---|---|---|---|
| Account identity (email, name, provider ID, Firebase UID) | Sign-up | Maintain your account | Life of the account | Account deletion |
| Authentication tokens (Apple authorisation code, refresh tokens) | Sign-in | Account recovery + SIWA revocation | Life of the account; authorisation code up to 6 months for SIWA revocation window | Account deletion |
| Fitness and body data (workouts, sets, body stats, sex, PRs) | User input | Run the core app | Until you delete each record, or until account deletion | Record deletion / account deletion |
| Cloud-synced mirror of fitness data | Device → Firestore | Sync across devices | Life of the account | Account deletion |
| Date of birth | Age gate at first launch | Verify age threshold for COPPA / GDPR / DPDPA | Until you successfully pass the age gate (the DOB is then retained as the accepted birth year + the fact that the gate was passed; the exact day/month is not required once the threshold is confirmed) | Account deletion |
| Under-age block state | Age gate | Prevent re-entry of a blocked user | Indefinitely, without any other personal data — only the blocked state | Device wipe or re-install |
| Consent records (version, timestamps, opt-in toggles, TOS/PP version hash) | Consent UX | Demonstrate compliance + honour your opt-ins | Life of the account + 24 months after account deletion, to evidence lawful processing in the event of a later regulatory inquiry | Scheduled purge, 24 months after deletion |
| Stability telemetry (crash reports, non-fatal errors) | Device runtime | Diagnose and fix bugs | 90 days | Automatic purge |
| Product analytics events (only if opted in) | Device runtime | Product improvement | 14 months, aggregated | Automatic purge |
| Research aggregates (only if opted in) | Derived from consented fitness data | Improve fatigue / recommendation models | Indefinite only if irreversibly aggregated such that no individual is re-identifiable | If re-identification ever becomes feasible, purge |
| BYO-AI API key (if you entered one) | User input | Call the AI provider you chose | Until you remove it from Settings; stored only on-device in the iOS Keychain, protected by the Secure Enclave where available | On removal, or on account deletion, or on app uninstall |
| Data-subject-request records (access, deletion, correction, export) | Support email | Demonstrate compliance with response obligations | 3 years from the date of the request (shortest legally defensible window for audit trail across jurisdictions) | Automatic purge |
| Legal compliance, enforcement, billing records | Various | Meet statutory record-keeping obligations | As long as required by the applicable law (for example, applicable tax or consumer-dispute limitation periods), and no longer | On expiry of the legal obligation |
| Marketing contact / mailing list | Opt-in (none today) | Send marketing messages if launched | Until you unsubscribe, or 2 years of inactivity, whichever comes first | Unsubscribe or inactivity purge |
3. Account deletion cascade
When you delete your account (via Profile → Privacy → Delete account):
- A "deleting" sentinel is written to your account record before anything is removed, so that a deletion interrupted by a crash is resumed on the next run rather than leaving a half-deleted account.
- The cascade walks every subcollection tied to your user ID and removes records in batches.
- The Firebase Auth account is deleted.
- If you signed in with Apple, the Apple refresh token is revoked via Apple's token-revocation REST endpoint. That call needs the refresh token obtained by exchanging the sign-in authorisation code (the code itself is single-use and short-lived), which the app holds on the device in the iOS Keychain, protected by Secure Enclave keys where available, as for the BYO-AI key row above. The revocation requirement comes from App Store Review Guideline 5.1.1(v).
- Consent records and data-subject-request logs are retained in line with the matrix above.
- Local SQLite data on your device is cleared the next time you sign into a different account or uninstall the app.
Within 90 days of your account-deletion request, no data tied to your personal identity remains in our backend other than the consent and request-log entries required for audit.
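The cascade above, as an added illustration that is not Kettle Muscle's code: an in-memory stand-in for the document store, the auth service and Apple's revocation endpoint (all assumptions), a simulated crash part-way through the batched walk, and the resume path that the "deleting" sentinel makes possible. Batch size, collection names and the sample user are constructed for the example.

```python
# Added illustration of a crash-safe, resumable account-deletion cascade.
# Not Kettle Muscle's code: FakeBackend stands in for Firestore, Firebase Auth
# and Apple's token-revocation endpoint; BATCH_SIZE and the seeded data are
# assumptions chosen so the crash/resume behaviour is visible.
from dataclasses import dataclass, field

BATCH_SIZE = 10  # assumption: deletes are committed in fixed-size batches


class CrashMidDelete(RuntimeError):
    """Simulates the process dying part-way through the cascade."""


@dataclass
class FakeBackend:
    accounts: dict = field(default_factory=dict)        # uid -> account document
    subcollections: dict = field(default_factory=dict)  # uid -> {name: {doc_id: data}}
    auth_users: set = field(default_factory=set)        # stand-in for Firebase Auth
    revoked_tokens: list = field(default_factory=list)  # stand-in for Apple /auth/revoke
    consent_log: dict = field(default_factory=dict)     # retained after deletion (policy s.2)

    def seed_user(self, uid, docs_per_collection):
        """Constructed sample account with three fitness subcollections."""
        self.accounts[uid] = {"email": f"{uid}@example.invalid", "status": "active",
                              "apple_refresh_token": f"rt-{uid}"}
        self.auth_users.add(uid)
        self.subcollections[uid] = {
            name: {f"{name}-{i}": {"v": i} for i in range(docs_per_collection)}
            for name in ("workouts", "bodyStats", "personalRecords")
        }
        self.consent_log[uid] = {"tos_hash": "constructed", "deleted_at": None}


def delete_account(backend, uid, crash_after_batches=None):
    """Run, or resume, the cascade for uid. Every step is idempotent, so the
    function can be re-invoked after a crash without special casing."""
    acct = backend.accounts.get(uid)
    if acct is None:
        return "already-deleted"
    # Step 1: sentinel, written before any data is removed. It lives in the
    # account document, which is the LAST thing deleted, so a crash anywhere
    # below leaves a marker for resume_pending_deletions() to find.
    acct["status"] = "deleting"
    # Step 2: walk every subcollection tied to the uid, deleting in batches.
    batches_done = 0
    for docs in backend.subcollections.get(uid, {}).values():
        while docs:
            for doc_id in list(docs)[:BATCH_SIZE]:
                del docs[doc_id]
            batches_done += 1
            if crash_after_batches is not None and batches_done >= crash_after_batches:
                raise CrashMidDelete(f"crashed after {batches_done} batches")
    # Step 3: delete the auth account (no-op if already gone).
    backend.auth_users.discard(uid)
    # Step 4: revoke the Apple refresh token (simulated). The token is kept in
    # the account document until revoked, so a crash here is also resumable.
    token = acct.pop("apple_refresh_token", None)
    if token is not None and token not in backend.revoked_tokens:
        backend.revoked_tokens.append(token)
    # Step 5: stamp the retained consent record with the deletion time, then
    # remove the account document (and with it the sentinel).
    if uid in backend.consent_log:
        backend.consent_log[uid]["deleted_at"] = "2026-04-23T00:00:00Z"  # constructed
    backend.subcollections.pop(uid, None)
    del backend.accounts[uid]
    return "deleted"


def resume_pending_deletions(backend):
    """Startup hook: finish every cascade whose sentinel is still present."""
    pending = [uid for uid, a in backend.accounts.items() if a.get("status") == "deleting"]
    return {uid: delete_account(backend, uid) for uid in pending}


def remaining_docs(backend, uid):
    return sum(len(d) for d in backend.subcollections.get(uid, {}).values())


if __name__ == "__main__":
    b = FakeBackend()
    b.seed_user("u1", 25)
    try:
        delete_account(b, "u1", crash_after_batches=4)
    except CrashMidDelete as e:
        print(e, "- docs left:", remaining_docs(b, "u1"), "- sentinel:", b.accounts["u1"]["status"])
    print("resume:", resume_pending_deletions(b), "- revoked:", b.revoked_tokens)
```

The ordering is the point: the sentinel goes in first and the document carrying it goes out last, so any crash between the two leaves a record that a startup sweep can act on, and every intermediate step tolerates being repeated.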
4. Children's data (COPPA 2.0)
Kettle Muscle is not directed to children under 13 anywhere in the world, under 16 in the EEA/UK, or under 18 in India. The age gate presented on first launch blocks collection of any further personal information from a user below the applicable threshold.
If personal information of a child below the applicable threshold is nonetheless collected in error and later identified, we delete it on discovery and investigate the root cause. The record of the incident is retained for 24 months to evidence compliance and improvement.
5. Aggregation and anonymisation
Where we retain aggregated or de-identified statistics beyond the periods above (for example, from research aggregation), we:
- Remove direct and indirect identifiers before aggregation.
- Compute over a group size large enough that an individual cannot be singled out.
- Do not re-link aggregates back to identities.
- Treat the aggregated dataset as not personal data under GDPR, LGPD, and DPDPA — but only as long as re-identification is not reasonably feasible.
If new techniques or additional data could make re-identification feasible, we treat the dataset as personal data again, apply this retention policy, and purge as necessary.
6. Review schedule
This policy is reviewed:
- At least annually, by Pulkit Kakkar in the role of data controller;
- Whenever the app materially changes what it collects, how it processes it, or who sees it;
- Whenever a new processor is added (for example, adding Sentry for crash reporting, or a new advertising SDK);
- Whenever a material regulatory or store-policy change alters the requirements (for example, DPDPA cross-border-transfer rules coming into force).
Revisions bump the version number at the top of this document.
7. Contact
Questions about retention, or a request that we delete data earlier than the periods above, go to contact@kettlemuscle.com.
End of Data Retention Policy.