Privacy Policy
Last updated: May 3, 2026
This Privacy Policy describes how Workout Aura (“we”, “our”, “us”) handles information when you use the Workout Aura iOS application (the “App”). Workout Aura is local-first: by default, all your data lives only on your device. If you choose to sign in, the App also backs your data up to our cloud so you can restore it on a new device.
1. Anonymous Use vs. Cloud Sync
You can use Workout Aura without ever signing in. In anonymous mode, every workout, body measurement, photo, preference, and vault item is stored only on your device, in iOS local storage. None of it is transmitted anywhere.
If you sign in with Apple ID or Google, the App switches to cloud-sync mode: your data is mirrored to Supabase (our cloud provider) so you can restore it on a new device, and so we can power features like leaderboards in future releases. You can sign out at any time and return to anonymous mode; signing out clears local data, but your cloud backup remains until you delete your account.
2. What We Collect (Cloud-Sync Mode)
When you sign in, we store the following on Supabase Inc.'s servers (United States):
- Email address — provided by Apple or Google during sign-in (Apple may give us a private relay address if you choose "Hide my email").
- User ID — a Supabase-issued UUID that uniquely identifies your account.
- Training data — completed workout sessions (exercises, sets, weights, reps, RPE, notes), body weight history, and any photos attached.
- Profile photo — if you upload one. Stored in a private bucket scoped to your user ID; only you can read it.
- Campaign progress — current campaign, week, day, completed workouts, claimed milestones, paused state.
- Vault state — talismans, auras, rings, stripes, and mantras you've unlocked or equipped.
- Workout templates — any custom routines you create.
- Exercise notes & mantras — short text you've written.
- Preferences — units (lbs/kg), vibration, RPE display, etc.
- Subscription status — whether your subscription is active or expired (delivered to us by Apple via our subscription provider).
3. What We Don't Collect
- We do not collect your name, phone number, or address.
- We do not track your location.
- We do not access your contacts, your photo library beyond your chosen profile picture, or other apps.
- We do not use third-party analytics SDKs, advertising trackers, or fingerprinting.
- We do not sell, rent, or share your data with anyone.
4. How Your Data Is Used
Cloud data is used solely to power your in-app experience: showing your history, calculating PRs, advancing campaigns, awarding XP, generating progress charts, and (when leaderboards launch) ranking lifters. Subscription status is used solely to gate premium features. We do not use your data for marketing, advertising, or analytics.
5. Data Retention & Deletion
Cloud data is retained as long as your account exists. You can permanently delete your account and all associated cloud data at any time from the App: Settings → Account → Delete Account. This:
- Deletes your Supabase auth user;
- Cascade-deletes every row linked to your user ID across our cloud tables;
- Removes your profile photo from cloud storage;
- Clears local data on the device.
If you'd rather keep your account but wipe local-only data, use Settings → Reset Device.
6. Children's Privacy
You must be at least 13 years old to create an account. We do not knowingly collect data from children under 13. If you become aware that a child under 13 has signed in, contact us at support@myworkoutaura.com and we will delete the account. Anonymous local-only use of the App is permitted at any age subject to a parent's or guardian's supervision.
7. Third Parties
Workout Aura uses these third-party services:
- Apple — Sign in with Apple, App Store subscriptions, optional StoreKit.
- Google — Sign in with Google.
- Supabase Inc. — authentication backend, Postgres database, and object storage. Their privacy policy is available at supabase.com/privacy.
- RevenueCat (planned) — subscription management and entitlement state. They receive only what Apple shares with them.
We do not use analytics SDKs (Google Analytics, Mixpanel, Amplitude, etc.) or advertising SDKs.
8. Your Rights (GDPR / CCPA)
Regardless of where you live, you have the right to:
- Access — export all your data via Settings → Export (CSV or JSON file).
- Erasure — delete your account in-app, or contact support to confirm full deletion.
- Correction — edit any of your data directly in the App.
- Portability — CSV opens in Excel/Sheets; JSON is human-readable and machine-readable.
For requests beyond what the App handles, email support@myworkoutaura.com. We process such requests within 30 days.
9. International Transfers
Our cloud provider (Supabase) hosts data in the United States. By signing in from outside the US, you consent to the transfer of your data to the United States.
10. Security
Your data is protected by Supabase's row-level security: every table is gated so only the authenticated user can read or write their own rows. Communication uses TLS. Subscription state is write-protected (only our subscription provider can update it via webhook), so users cannot forge premium status.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date above will reflect any changes. Material changes will be communicated through an in-app notice.
12. Contact
If you have questions about this Privacy Policy or our data practices, contact us at support@myworkoutaura.com.