This Privacy Policy explains what data Solo WOD collects, why we collect it, who we share it with, how long we keep it, and the choices you have. If you have any questions or concerns at any point, please contact us at support@solowod.app.
1. Who We Are
Solo WOD is a mobile fitness application operated by ProfitBoost LLC, a Florida limited liability company.
- Owner / Operator: Zach Schreiber
- Mailing address: Available on written request to the contact email below
- Contact: support@solowod.app
By creating an account or using the app, you accept the practices described here.
2. Data We Collect and Why
In short: We collect the minimum data needed to provide a personalized training experience. We do NOT sell your data. We do NOT serve advertising. We do NOT use your data to train third-party AI models.
| Category | What We Collect | Why We Collect It |
|---|---|---|
| Authentication | Your email address and OAuth identifier (Google Sign-In or Sign in with Apple) | To create and secure your account |
| Athlete profile | Display name, experience level (Scaled / RX / RX+), equipment mode (Home Gym / Full Gym), goals you enter | To personalize the WODs we generate for you |
| Normalized biometrics | Readiness score (1-10) and soreness map derived from your Apple Health and/or Whoop data | To match each WOD to how recovered you are today |
| Workout content | WODs generated for you, completed sessions (duration, RPE, notes, score), lift records | To track your training history and improve future workout generation |
| Equipment scan images | Photos you submit through the "Scan Equipment" flow | Sent one-time to Anthropic for equipment identification; NOT retained on our servers after identification completes |
| Device telemetry | Anonymized crash and error reports from your app sessions | To diagnose bugs and improve stability |
What we explicitly DO NOT store
- Raw HRV, sleep duration, resting heart rate, or any other raw biometric reading from Apple Health or Whoop. These values are processed in-memory by our API to compute the normalized readiness score and are discarded immediately afterward. Only the resulting readiness score (1-10) is persisted.
- Equipment scan photos. Images you submit for equipment scanning are passed through to Anthropic for identification and are NOT saved to our database.
- Your name (beyond a display name you choose), birthday, address, phone number, or any government identifier.
- Payment information. Solo WOD is a paid-upfront app ($4.99 USD at launch). All payment processing is handled entirely by Apple through the App Store. We do not see or store any payment card or account information — only Apple's anonymized transaction confirmation. There are no in-app purchases or subscriptions.
3. Subprocessors
We rely on the following service providers ("subprocessors") to operate Solo WOD. Each has been chosen for its security posture, data protection practices, and US-based hosting. Solo WOD is not a HIPAA-covered entity (see section 7) and does not require its subprocessors to sign Business Associate Agreements.
| Subprocessor | Role | Jurisdiction | Notes |
|---|---|---|---|
| Supabase Inc. | Managed authentication and PostgreSQL database hosting | United States | Encrypted at rest. Standard Supabase Data Processing Agreement applies. |
| Railway Corp. | API compute hosting and encrypted secrets management (US-East) | United States | Standard Railway terms apply. |
| Anthropic PBC | AI workout generation and equipment identification via the Claude API (server-side only — your account identity is never sent) | United States | No biometric data is sent. Anthropic is contractually prohibited from training on API data per Anthropic Commercial Terms. |
| Functional Software, Inc. d/b/a Sentry | Error and crash reporting (keyed only by your Supabase user UUID — no email, name, or biometric values) | United States | No biometric values transmitted. |
| Whoop, Inc. | Wearable recovery, strain, and sleep data — accessed only if you explicitly connect Whoop via OAuth | United States | Your relationship with Whoop is governed by Whoop's own Privacy Policy. |
| Apple Inc. | App Store distribution, HealthKit access, Sign in with Apple, push notifications | United States | Your relationship with Apple is governed by Apple's Privacy Policy. |
| Google LLC | OAuth Sign-In only, if you sign in with Google. We receive your name and email — nothing else | United States | Your relationship with Google is governed by Google's Privacy Policy. |
We will update this list within a reasonable time of adding or replacing a subprocessor.
4. How We Store and Protect Data
- Encryption in transit: All connections between your device and our API use TLS 1.2+.
- Encryption at rest: Database storage at our infrastructure providers is encrypted with AES-256.
- Access control: Database access is restricted to the owner/operator with multi-factor authentication required.
- Row-level security: Each athlete's data is scoped to their authenticated user identifier at the database level; one user cannot read another user's data.
- Secrets: API keys and credentials are stored in Railway's encrypted secrets manager — never in source control.
5. Data Retention
| Category | Retention |
|---|---|
| Account data (email, athlete profile) | Until you delete your account |
| Workout and lift history | Until you delete your account |
| Normalized biometric snapshots | 12 months rolling, then automatically deleted |
| Raw biometric readings (HRV, sleep, etc.) | NOT retained — discarded immediately after normalization (see section 2) |
| Equipment scan photos | NOT retained — discarded immediately after equipment identification (see section 2) |
| Sentry error logs | 30 days (Sentry default), then automatically deleted |
| Authentication session tokens | 1 hour (access token) / 30 days (refresh token), then expired |
6. Your Rights
You have the right to:
- Access the data we hold about you. Email support@solowod.app and we will provide a copy within 30 days.
- Delete all your data. Open the Solo WOD app → Profile → Account → Delete Account. Deletion is immediate and permanent and includes all of your athlete profile, workout history, lifts, biometric snapshots, and connected device tokens. There is no recovery after deletion.
- Correct inaccurate data. Email support@solowod.app and we will correct it within 30 days.
- Withdraw consent by deleting your account.
- Opt out of crash telemetry — currently all crash telemetry is anonymous (keyed only by your Supabase user UUID). A dedicated opt-out toggle is on our roadmap.
7. Health Data Note
Solo WOD is not a HIPAA-covered entity. We are not a healthcare provider, health plan, or healthcare clearinghouse, and the data we collect — self-reported workout history and normalized recovery scores derived from your own consumer wearables — is not Protected Health Information ("PHI") under HIPAA.
That said, we treat biometric-derived data with care: raw HRV, sleep, and heart-rate readings are discarded immediately after we compute a single readiness score (see section 2), data is encrypted in transit and at rest, and access is restricted to the operator. We rely on standard commercial cloud infrastructure (Supabase for managed Postgres + auth, Railway for API compute) and do not claim or imply HIPAA-grade safeguards or Business Associate Agreements.
8. California Residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we have collected about you
- Request deletion of your personal information
- Opt out of the "sale" or "sharing" of your personal information (we do NOT sell or share, but you have the right anyway)
- Non-discrimination — exercising your rights will not result in a worse experience
To exercise any of these rights, email support@solowod.app or use the in-app Delete Account flow.
9. European Residents (GDPR)
If you are in the EU, EEA, UK, or Switzerland, our lawful basis for processing your data is your consent (granted when you create an account) and our legitimate interest in providing the app and improving its stability. You have all rights described in section 6 above, plus:
- Data portability — request a machine-readable export by emailing support@solowod.app
- Object to processing — withdraw consent at any time by deleting your account
- Lodge a complaint with your local Data Protection Authority
The data controller is ProfitBoost LLC (contact above). We do not currently have an EU representative; for cross-border issues, contact us directly.
10. Children
Solo WOD is not intended for use by anyone under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has created an account, email support@solowod.app and we will delete the account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app banner the next time you open Solo WOD and, where we have an email on file, by email. The "Effective" date at the top of this document indicates the most recent revision. Continued use of Solo WOD after a material update constitutes acceptance of the updated policy.
12. Contact
Privacy questions, data requests, or complaints:
We aim to respond to all privacy inquiries within 5 business days.
