Privacy Policy

LiftStuff ("the App") is a personal fitness app that lets you plan workouts, track meals and macros, log cardio and check-ins, and review statistics across days. The App is developed and operated by LiftStuff. For privacy questions or requests, contact privacy@liftstuff.app.

Your logs (workouts, exercises, sets/reps, meals and macros, goals, streaks and other day entries) are stored locally on your device using IndexedDB so the app works offline. If you sign in with your email, the App can back up and restore your data to our cloud database.

• Account information: email address used for sign‑in via one‑time passcode (OTP).
• App content you create: workout templates, day logs (workouts, meals/macros, cardio, check-ins), and related notes or settings. This is your data.
• Authentication and security data: hashed OTP codes (temporary), JSON Web Tokens (JWT) for session management, and backup timestamps.
• Location data: When you use cardio workout tracking features, we collect GPS coordinates, speed, accuracy, and timestamp information to track your workout route, distance, and pace. This data is collected only when you actively start a cardio workout tracking session.

We do not collect address books, photos, or precise device identifiers. We do not include advertising SDKs and do not serve ads.

• Authenticate you using email OTP and maintain your session with a JWT.
• Store your content on‑device and, if you choose to sign in, back it up to the cloud.
• Provide subscription features and access control for premium functionality.
• Send required transactional emails (your OTP code) when you request it.
• Track cardio workouts: use location data to calculate distance, speed, pace, and generate route maps during workout tracking sessions.

• On your device: IndexedDB stores your day logs, templates, and cardio workout data including location coordinates from tracking sessions. On web, the JWT may be kept in a secure cookie or local storage; on mobile (Capacitor), tokens are stored in the device's secure storage.
• In the cloud (optional): When signed in, backups including cardio workout location data are sent over HTTPS to our infrastructure on Microsoft Azure (Cosmos DB for data storage and Azure Communication Services for sending OTP emails). Azure provides encryption at rest by default.

Location data collected during cardio workouts is not shared with third parties. It is used solely within the app for your workout tracking and analysis.

• Microsoft Azure Cosmos DB – stores user accounts and your optional backups.
• Microsoft Azure Communication Services – sends OTP emails to your address.
• RevenueCat (purchases‑capacitor) – manages in‑app purchases and subscriptions via the Apple App Store and Google Play. We do not receive your full payment details.

Purchases are processed by the Apple App Store or Google Play. RevenueCat helps manage entitlements. We do not store your card numbers. The stores may provide us with non‑financial information such as subscription status to enable premium features.

The app requests location permission when you use cardio workout tracking features. This includes:

• Fine location access: Required to track your precise GPS coordinates during workouts for accurate distance and speed calculations.
• Background location access: Allows continued workout tracking when the app is not in the foreground, so your workout data remains accurate even if you switch to other apps or your screen locks.

You can deny these permissions, but cardio workout tracking features will not function. Location data is only collected when you actively start a cardio workout tracking session.

OTP codes are hashed and expire within minutes. Account records and cloud backups are retained while your account is active. Location data from cardio workouts is retained as part of your workout history until you delete the specific workout entries or your account. You can delete your local data from the app at any time. If you want your cloud‑stored data deleted, contact privacy@liftstuff.app and we will remove it.

Data is transmitted over HTTPS. Tokens are stored in secure storage on mobile and may be stored in http‑only cookies in the web app. Azure provides encryption at rest. No system is 100% secure, but we take reasonable steps to protect your information.

The App is not directed to children under 13, and we do not knowingly collect personal information from children. If you believe a child provided us information, contact us to request deletion.

Depending on your location, you may have rights to access, correct, export, or delete your data. Contact privacy@liftstuff.app to make a request. We may ask you to verify your identity.

We may update this policy as our app evolves. We will post updates here and revise the date above. Your continued use of the App after changes take effect constitutes acceptance.