Legal
Privacy Policy
Effective May 20, 2026
This Privacy Policy explains what information Spotter, operated by Stefan Stoyanovich (“we”, “us”, “our”) collects when you use the Spotter mobile app and related services (the “Service”), how we use and protect that information, and the rights you have over it.
1. Information We Collect
We only collect the information needed to provide Spotter. Specifically:
- Account information: your name, email address, and a securely hashed password.
- Profile information you choose to provide: profile picture, height, and unit preference (metric or imperial).
- Fitness data you create in the app: workouts, exercises, sets, reps, weights, rest timers, completion times, push-up logs, bodyweight logs, and any notes or feedback you record.
- AI-generated workout requests and parameters: when you use the AI workout generation feature, we collect the details of your request (such as fitness goals, experience level, or preferences) and store the generated workout for your reference.
- Workout statistics and analytics: we derive and calculate metrics from your workout data (such as total volume, personal records, muscle group distribution, and streaks) to display on your dashboard.
- Social information: friend connections you initiate or accept, and friend requests you send or receive.
- Authentication data: API access tokens issued to your device so you stay signed in.
- Communications: emails you send to us for support, password resets, or email-change confirmations.
- Limited technical data: standard server logs (such as IP address, request time, and basic device/operating-system information sent automatically by your device) used for security, debugging, and abuse prevention.
We do not knowingly collect precise location data, contacts, photos (other than a profile picture you upload), microphone or camera input, biometric identifiers, advertising identifiers, health data from Apple Health or Google Fit, or any other information beyond what is listed above.
2. How We Use Your Information
We use the information we collect to:
- Create and maintain your account and authenticate your sessions.
- Save and display your workouts, logs, progress, and preferences.
- Calculate and display workout statistics and analytics on your dashboard.
- Generate personalized workout suggestions when you request them using our AI feature.
- Enable friend connections and show you content from friends you have accepted.
- Send transactional emails such as password resets and email-change confirmations.
- Diagnose problems, prevent abuse, and improve the reliability and security of the Service.
- Comply with legal obligations and enforce our Terms of Service.
We do not use your information to build advertising profiles, to perform behavioral advertising, or to train third-party machine learning models. Your AI generation requests are not used to train or improve third-party AI systems beyond what is necessary to provide the Service to you.
3. We Do Not Sell Your Personal Data
We have not sold or shared personal information in the preceding 12 months and we have no plans to do so. We do not have a financial incentive program tied to the collection of personal information.
4. How We Share Information
We only share your information in the limited circumstances described below:
- With other users you choose to connect with: when you accept a friend request, that friend can see your name, profile picture, and the workout activity that the app surfaces in friends-facing features.
- With service providers that help us operate Spotter (for example, our hosting provider, database provider, and transactional email provider). These providers process information only on our behalf, only for the purposes we instruct, and are bound by confidentiality and data protection obligations.
- With our AI provider to generate personalized workouts: when you use the AI workout generation feature, certain details about your request (such as fitness goals or preferences) are sent to Anthropic, Inc. ("Anthropic") to generate workout suggestions. Anthropic's processing of this information is governed by its privacy policy. We do not use the AI service to train models on your personal data beyond what is necessary to provide the Service to you.
- For legal reasons: if we are required to do so by law, subpoena, court order, or other valid legal process, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, the safety of others, or to investigate fraud or security incidents.
- In connection with a business transfer: if Spotter, operated by Stefan Stoyanovich, is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you (for example, by email or in-app notice) before your information is transferred and becomes subject to a different privacy policy.
- With your explicit consent: for any purpose not described in this policy, we will ask you first.
5. Data Retention
We retain your account information and the fitness data associated with it for as long as your account is active so the Service remains useful to you.
If you delete your account, we will delete or anonymize your personal information within a reasonable period (typically within 30 days), except where we are required to retain it for legitimate business or legal reasons (such as fraud prevention, dispute resolution, or compliance with tax, accounting, or legal obligations). Backups containing residual data are overwritten on a rolling schedule.
5a. Categories of Data Shared with Third Parties (CCPA/CPRA Disclosure)
Under California law and similar U.S. state privacy laws, we are required to disclose the categories of personal information we share with third parties. Here are the categories and the purposes:
- Hosting and infrastructure providers: Account information, fitness data, authentication data, and technical logs — to operate, maintain, and secure the Service.
- Email delivery provider: Account information (name and email address) and communications data — to send transactional and transaction-related emails.
- AI service provider (Anthropic): Workout generation request parameters and fitness goal information — to generate personalized workout suggestions when you use the AI feature.
- Friends you connect with: Name, profile picture, and workout activity data you make visible in friends-facing features — to enable social fitness sharing.
We do not sell, rent, or share your personal information with data brokers, marketers, or advertisers for monetary or other valuable consideration. We do not share personal information for cross-context behavioral advertising purposes. These practices apply to all users, regardless of location, though California law specifically defines these practices under the CCPA and CPRA.
5b. California Residents — Summary of Privacy Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: You may request what personal information we collect, use, share, and sell about you.
- Right to delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: You may request correction of inaccurate personal information.
- Right to opt-out of sale or sharing: You have the right to opt-out of the sale or sharing of your personal information. We do not sell or share your personal information, so this right does not currently apply.
- Right to limit use of sensitive personal information: You may limit our use of sensitive personal information to purposes necessary to provide the Service. We do not use sensitive personal information for other purposes, so this right does not currently apply.
- Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
To exercise these rights, contact us at privacy@workoutspotter.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days (or up to 90 days if necessary).
6. Data Security and Breach Notification
We use industry-standard safeguards to protect your information, including encryption of traffic in transit (HTTPS/TLS), hashing of passwords using a one-way algorithm, scoped API access tokens, server-side authorization checks, and limited employee access on a need-to-know basis.
No method of transmission or storage is 100% secure. While we work hard to protect your information, we cannot guarantee its absolute security. If we become aware of a security breach affecting your personal information, we will notify you without unreasonable delay and in a manner consistent with applicable law. For residents of California and other jurisdictions with specific breach notification laws, we will provide notice within the timeframe required by law (typically within 30 days for California residents) and will notify appropriate regulatory authorities as required.
7. Your Rights and Choices
Depending on where you live, you may have some or all of the following rights regarding your personal information:
- Access: request a copy of the personal information we hold about you.
- Correction: ask us to correct inaccurate or incomplete information. You can edit much of this directly in the app via Settings.
- Deletion: ask us to delete your account and personal information. Note: deleted accounts cannot be recovered.
- Portability: request a machine-readable export of the personal information you have provided to us.
- Opt out of sales/sharing: not applicable, because we do not sell or share your personal information for cross-context behavioral advertising, as those terms are defined under California law and similar state privacy laws.
- Limit use of sensitive personal information: not applicable, because we do not use sensitive personal information for purposes that would trigger this right.
- Object to or restrict certain processing, and withdraw any consent you previously gave (for users in the EU/EEA, UK, and similar jurisdictions).
- Lodge a complaint with your local data protection authority if you believe we have violated your rights.
Response timeframes: To exercise any of these rights, contact us at privacy@workoutspotter.com. We will verify your request (typically by confirming control of the email address on the account). For California residents and residents of other U.S. states with privacy laws, we will respond within 45 days. If we need additional time (up to 45 additional days), we will provide notice. We will not charge a fee or discriminate against you for exercising your privacy rights.
8. International Data Transfers
Spotter is operated from the State of California, USA. If you access the Service from outside that jurisdiction, your information will be transferred to, stored, and processed there. By using the Service, you understand that your information may be transferred to countries that may not have the same data protection laws as your country of residence. Where required, we rely on appropriate safeguards (such as Standard Contractual Clauses) for these transfers.
9. Children's Privacy
Spotter is not intended for and may not be used by children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us at privacy@workoutspotter.com and we will promptly delete the account and the information.
If you are between 13 and the age of majority in your jurisdiction, you may only use the Service with the involvement and consent of a parent or legal guardian.
10. Third-Party Services
Spotter runs on third-party infrastructure (hosting, database, and email delivery) that processes data on our behalf under contractual data-protection obligations.
AI Workout Generation: The optional AI workout generation feature relies on Anthropic's API. When you request an AI-generated workout, information about your request is sent to Anthropic's servers to generate suggestions. Anthropic's processing of this data is subject to its privacy policy. We recommend reviewing Anthropic's privacy practices to understand how they handle your data. Your workout generation requests are not stored by Anthropic beyond what is necessary to provide the immediate response to your request.
We do not embed third-party advertising SDKs, analytics that build user profiles across apps, or social-media tracking pixels in the app. If we ever add a service that materially changes what data is collected or how it is used, we will update this policy and notify you in the app or by email.
If you click a link in the app that takes you to a third-party website, that website's privacy policy will apply to your interaction with it — not this policy.
11. Cookies and Similar Technologies
The mobile app does not use browser cookies. To keep you signed in, we store an access token securely on your device. You can clear this token at any time by signing out from Settings.
This website uses only the cookies strictly necessary to load the page (for example, the standard Laravel session cookie). It does not use analytics, advertising, or third-party tracking cookies.
11a. Do Not Track Signals
Some browsers and devices allow you to signal a preference not to be tracked for behavioral advertising purposes (a "Do Not Track" or "DNT" signal). Spotter does not track you across websites for behavioral advertising purposes, and we do not respond to DNT signals differently from other users. However, our third-party service providers (such as hosting and email delivery providers) may track your usage in accordance with their own privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you in the app or by email before the changes take effect, and update the "Effective" date at the top of this document. Your continued use of Spotter after the effective date constitutes your acceptance of the revised policy.
13. Contact Us
If you have any questions, requests, or concerns about this Privacy Policy or our handling of your information, please contact us:
- Email (privacy): privacy@workoutspotter.com
- Email (general): contact@workoutspotter.com
- Website: https://workoutspotter.com
- Operated by: Spotter, operated by Stefan Stoyanovich