Privacy Policy

At Krush Fitness Labs LLC (doing business as Krush Fitlabs), your privacy is our priority. This Privacy Policy outlines how we collect, use, and protect your personal information when you use our iOS app, KRUSH, or interact with our related services (collectively, "Services"), including our website at www.krushfitapp.com. KRUSH is an iOS fitness app designed to help users stay focused during workouts. By accessing or using our Services, you consent to the practices described below. If you do not agree, please do not use our Services. If you have questions or concerns, contact us at privacy@krushfitapp.com.

We are responsible for decisions about how your personal information is processed. This policy applies to users in the United States (including California), Canada, and the United Kingdom, and complies with applicable laws such as the California Consumer Privacy Act (CCPA/CPRA), Personal Information Protection and Electronic Documents Act (PIPEDA), and UK General Data Protection Regulation (UK GDPR).

1. Information We Collect
We collect the following types of information to provide, improve, and secure our Services:

1.1 Personal Information:
- Account details such as name, email address, and username (provided during account creation and login).
- Payment processing data (e.g., transaction history, subscription details) stored in our database, but actual payment handling (e.g., credit card details, billing addresses) is managed securely by Apple via In-App Purchases (IAP). We do not store sensitive payment instrument information.

1.2 Usage and Device Data:
- App activity, such as session notes you edit and save (user-generated content related to your workouts and progress).
- Device information, including mobile device ID (automatically collected for security, troubleshooting, authentication, and analytics purposes).
- We integrate third-party tools like Google Analytics (for usage trends and ad performance) and Supabase (for database and backend services), which may automatically collect additional data such as usage patterns or device interactions. For details on their collection practices, review Google's Privacy Policy and Supabase's Privacy Policy. If we run ads on platforms like Facebook/Instagram (Meta), we may use Meta's tools (e.g., Pixel or SDK) on our website or app to track ad conversions and user interactions, collecting data like identifiers and browsing behavior. See Meta's Privacy Policy for more information.

1.3 Sensitive Information:
- Session notes or progress tracking may include health-related details (e.g., workout data), which could be considered sensitive under laws like CCPA, PIPEDA, or UK GDPR. We process this only with your consent (e.g., by using the app features) or as necessary to provide the Services. We do not collect racial/ethnic origins, sexual orientation, religious beliefs, or other special categories unless incidentally provided in user-generated content.

1.4 Information from Other Sources:
- We may obtain limited data from public sources or marketing partners (e.g., for targeted ads via Google or Meta), such as email addresses or user behavior data, to enhance our marketing and update records.

We do not knowingly collect data from minors under 18 years of age without parental consent. If we learn of such collection, we will delete it promptly. We encourage you to review Apple's privacy policy for their handling of payments, device features, and any data they process independently.

All personal information you provide must be true, complete, and accurate. Notify us of changes via privacy@krushfitapp.com.

2. How We Use Your Information
We process your information for the following purposes, only when we have a valid legal basis (e.g., consent, contract performance, legitimate interests, or legal obligations):
- To facilitate account creation, authentication, and management.
- To deliver and personalize Services (e.g., blocking distracting apps, tracking workout progress, saving session notes).
- To communicate with you about updates, features, support, subscriptions, and marketing (with opt-out options).
- To analyze usage trends and improve the app via tools like Google Analytics and Supabase.
- To run and optimize ads, including targeted advertising on platforms like Google, Facebook, and Instagram (Meta), based on your interactions and preferences.
- To process payments and manage subscriptions via Apple IAP.
- For security, fraud prevention, and compliance with our Terms and Conditions.
- To request feedback or identify trends for better user experience.
- To comply with legal obligations or protect vital interests (e.g., safety).

Under UK GDPR and PIPEDA, our legal bases include:
- Consent (e.g., for marketing or sensitive data).
- Performance of a contract (e.g., providing Services).
- Legitimate interests (e.g., analytics, ads—balanced against your rights).
- Legal obligations (e.g., record-keeping).

You can withdraw consent at any time (see Section 5), but this won't affect prior lawful processing.

3. Data Sharing
We do not sell or rent your personal information to third parties for their independent use. However, we may share information in specific situations to operate our Services. We require all recipients to protect your data and use it only as instructed, with contracts ensuring compliance (e.g., data processing agreements with safeguards like standard contractual clauses for international transfers).

3.1 Service Providers:
We share data with trusted third-party vendors, contractors, or agents who perform services for us, such as:
- Invoice and Billing: Apple (for In-App Purchases).
- Website Testing: TestFlight (for beta testing and app distribution).
- Cloud Hosting, Database, and Backend Infrastructure: Supabase (for storing and managing app data).
- User Account Registration & Authentication: Apple (for secure login and device integration).
- App Performance and Crash Reporting: Apple (via built-in tools).
- Analytics: Google Analytics (to track usage and ad performance).
- Advertising and Marketing: Meta (Facebook/Instagram) – If we run ads on Facebook or Instagram, we may share data like device identifiers, usage info, or interactions via Meta Pixel or SDK to measure ad effectiveness, retarget users, and deliver personalized ads. This may involve cross-device tracking. For Meta's practices, see their Data Policy. We treat such sharing as "sharing" under CCPA (for targeted ads) and obtain consent where required under UK GDPR/PIPEDA.

These third parties are prohibited from using your data for other purposes or sharing it further without our direction.

3.2 Legal Compliance:
- When required by law, subpoena, or court order in the US, Canada, or UK.
- To protect the rights, safety, or property of our company, users, or others (e.g., fraud prevention).
- To cooperate with regulators or law enforcement.

3.3 Business Transfers:
- In connection with a merger, acquisition, sale of assets, financing, or similar transaction, your information may be transferred to the new entity, subject to equivalent protections. We will notify you of such changes.

3.4 Other Disclosures:
- Aggregated or anonymized data (not identifiable to you) may be shared for research or marketing.
- Under CCPA, sharing for targeted ads (e.g., with Google or Meta) may qualify as "sharing" personal information; see opt-out rights in Section 5. We have not "sold" data in the past 12 months but have shared categories like identifiers and usage data with service providers for business purposes.

4. Data Security
We implement industry-standard technical and organizational measures (e.g., encryption, access controls) to protect your personal information through our integrations with Supabase, Apple, Google, and Meta. However, no electronic transmission or storage is 100% secure. We cannot guarantee absolute security against unauthorized access, but we strive to safeguard your data and will notify you of breaches as required by law.

5. Your Rights
Depending on your location, you have rights regarding your personal data:
- Access and Portability: Request a copy of your data.
- Correction: Update inaccurate information.
- Deletion: Request account and data deletion (subject to legal retention needs).
- Restriction/Limitation: Limit processing in certain cases.
- Withdrawal of Consent: Revoke consent (e.g., for marketing or tracking). Withdrawing consent will not affect the lawfulness of processing done prior to the withdrawal.
- Opt-Out of Sharing/Sale: For CCPA-eligible users, opt out of "sharing" for targeted ads (e.g., via Google Analytics or Meta tools). Visit https://tools.google.com/dlpage/gaoptout for Google; for Meta, adjust settings in your Facebook/Instagram account or contact us. We do not offer financial incentives for data collection.
- Objection: Object to processing based on legitimate interests.
- Non-Discrimination: We won't discriminate against you for exercising rights.

For California residents (under CCPA/CPRA) and similar US state laws: We collect categories of personal information such as:
- Identifiers (e.g., name, email, device ID)—Yes.
- Personal information under California Customer Records statute (e.g., contact info)—Yes.
- Protected classifications (e.g., age, gender)—No.
- Commercial information (e.g., purchase history)—Yes.
- Biometric information—No.
- Internet/network activity (e.g., usage data)—Yes.
- Geolocation data—No.
- Sensory data (e.g., audio/video)—No.
- Professional/employment info—No.
- Education info—No.
- Inferences (e.g., usage trends)—Yes.
- Sensitive personal information (e.g., health data from workouts)—Yes, but only with consent and not for inferring characteristics.

We collect from you, your device, and third parties (see Section 1); use for Services, analytics, ads (see Section 2); and share with providers like Apple, Supabase, Google, Meta (see Section 3)—disclosed in past 12 months for business purposes, but not sold. Retention: As long as your account is active or legally required. No automated profiling with legal effects.

To exercise rights, email privacy@krushfitapp.com or visit www.krushfitapp.com/support. We'll verify your identity (e.g., via email confirmation) and respond within required timelines (e.g., 45 days for CCPA, 30 days for UK GDPR/PIPEDA). If denied, you can appeal by replying to our response. UK users can complain to the Information Commissioner's Office (ICO); Canadian users to the Office of the Privacy Commissioner.

6. Data Retention
We retain your personal data only as long as necessary for the purposes outlined (e.g., while your account is active) or to comply with legal obligations (e.g., tax records). Upon deletion request, we securely delete or anonymize data, unless retention is required (e.g., for 7 years under tax laws). Inactive accounts may be deleted after 2 years.

7. Cookies and Tracking Technologies
Our Services (especially the website) may use cookies, pixels, beacons, and similar technologies to collect and store information for security, functionality, analytics, and advertising. These help prevent crashes, save preferences, and tailor content.

We permit third parties to use tracking technologies:
- Google Analytics: To track and analyze usage. Opt out at https://tools.google.com/dlpage/gaoptout. See Google's Privacy & Terms.
- Meta (Facebook/Instagram): If we run ads, Meta Pixel or SDK may track interactions (e.g., views, clicks) to deliver targeted ads, retarget users, or measure conversions. This may involve cookies or device identifiers. Under CCPA, this could be "sharing" for ads; opt out via Meta's settings (e.g., "Off-Facebook Activity") or by contacting us. For UK GDPR/PIPEDA, we rely on consent—manage via device/app settings. See Meta's Cookie Policy.

You can control these via your device/browser settings (e.g., block cookies) or Do-Not-Track (DNT) signals (though we may not respond to DNT yet, as no uniform standard exists). For app-specific tracking (e.g., IDFA), adjust iOS privacy settings. Specific details are in our Cookie Notice (available on request).

8. International Data Transfers
We may transfer and process your data in other countries (e.g., the US), and rely on legal safeguards like Standard Contractual Clauses to keep your data protected under UK and Canadian laws. Our Data Processing Agreements that include Standard Contractual Clauses are available here: https://supabase.com/legal/dpa. We have implemented similar appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.

9. Third-Party Links
Our Services may link to third-party sites or services (e.g., Apple, Google, Meta). We are not responsible for their privacy practices—review their policies before interacting.

10. Updates to This Policy
We may update this policy to reflect changes in practices, Services, or laws. The "Last updated" date will change, and we'll notify you via email, app notice, or website posting for material changes. Continued use after updates constitutes acceptance. Review periodically.

If you have questions, contact us at:

Email: privacy@krushfitapp.com
Or via our contact form at www.krushfitapp.com/support

To review, update, or delete your data, use the contact details above or app settings.
