1. Introduction
Repple ("we," "our," or "us") is a fitness tracking and gamification application. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your personal data.
By using Repple, you agree to the collection and use of information as described in this policy.
2. Information We Collect
2.1 Account & Authentication Information
When you register, we collect and store:
| Data | Description |
|---|---|
| Email address | Your primary account identifier, required at registration |
| Username | Chosen during onboarding; may be null until set |
| Password hash | Stored via Supabase Auth; we never see your raw password |
| Supabase User ID | Internal UUID assigned by our authentication provider |
| Account timestamps | When your account was created and last updated |
Authentication is handled by Supabase Auth, which issues JWT tokens (ES256/RS256 asymmetric keys) that we validate on every request.
2.2 Profile & Personal Characteristics
After onboarding, you may provide the following optional profile data:
| Data | Purpose |
|---|---|
| Body weight (lbs) | Used to look up strength standards and calibrate performance benchmarks |
| Gender | Used to look up gender-specific strength standards |
| Age | Optional; used for exercise standard comparisons |
| Experience level | One of: beginner, novice, intermediate, advanced, elite |
| Timezone | Used to schedule push notifications and workout reminders |
| Profile settings | JSON object including avatar/icon selection |
| Push notification preferences | Global toggle, per-category preferences, and quiet hours (start/end hour) |
2.3 Workout & Exercise Data
The core fitness data we collect includes:
Workout Splits & Structure:
- Split name, description, plan mode (regimented or free-for-all), and days-per-week target
- Workout day names, focus type (push/pull/legs/chest/back/shoulders/arms/core/full body/rest), and order within the split
- Exercise selections from our reference catalog
- Per-exercise notes (e.g., form cues you write)
- Cardio blocks associated with workout days
Exercise Logs (per workout session):
- Date the workout was performed
- Sets, reps, and weight for each exercise
- Per-set granular data: set number, reps, weight, and RPE (Rate of Perceived Exertion, 1–10 scale)
- Weight unit (lbs or kg)
Workout Completion Tracking:
- Which workout days you completed, and on which calendar dates
- Your position in your split cycle over time
- Weekly and daily streak counts
- Last workout date
2.4 Points & Performance History
We maintain a detailed record of your performance scoring:
- Weekly points records: total points, exercise points, missed-workout-day penalties, perfect week bonuses, streak bonuses, and whether a week was "perfect"
- Daily point snapshots: a nightly snapshot (created automatically at 23:59 UTC) of your points, exercises completed, workout days completed, streak status, and a full exercise-level breakdown
- Split snapshots: a frozen copy of your workout structure taken each Monday at 00:00 UTC to ensure consistent weekly calculations
- Pending changes: if you modify your split mid-week, the change is queued and applied the following Monday
2.5 Gamification Data
Power-ups:Type, rarity, status (available/active/used), how earned, when activated, bonus points provided, which exercise or workout type applies
Spin balance:Available spins, maximum spins, lifetime spins earned/used, last spin timestamps; new users receive 3 welcome spins
Streak milestones:Per-day records of streak achievements, reward type (points/power-up/icon/spin), whether claimed, and when claimed
Icon unlocks:Which avatar icons you have unlocked and how they were earned
Cumulative stats:Total lifetime points, current weekly/daily streak counts
2.6 Teams & Social Data
Teams:
- Team name, description, and icon
- Whether the team is public or private
- Team invite code (8-character code generated for sharing)
- Maximum team size and challenge mode setting
- Team creation and modification timestamps
Team Membership:
- Which teams you belong to, your role (owner or member), and when you joined
Team Join Requests:
- Your request status (pending/approved/declined/expired)
- An optional message you write explaining why you want to join
- Request expiration (7 days from creation)
- Who approved or declined your request and when
Friend Relationships:
- Accepted friendships (stored as a pair of user IDs)
- Pending and historical friend requests (sender, receiver, status, timestamps)
2.7 Challenges & Competition Data
- Which challenges your team participated in, week, status, and results
- Team scores, average member scores, member contribution breakdown, and which user IDs were on the team at challenge time
- ELO rating before and after each challenge, ELO change, and final rank
- Peak ELO achieved and the date it was reached
- Win/loss/draw records
- Challenge invites: which team sent/received the invite, week targeted, invite status, and response timestamps
2.8 Callouts (Workout Verification)
Callouts are challenges issued when a team member disputes another member's logged workout. We collect:
Who challenged whom:Challenger user ID and target user ID
Disputed log details:Exercise name, claimed weight, sets, reps, when it was logged
Points at stake:Penalty and reward points
Callout status:Pending → video submitted → under review → approved/rejected/disputed
Submitted video URL:URL to the proof video uploaded to Supabase Storage
Video submission timestamp:When the video was uploaded
Dispute metadata:Whether disputed, who requested the dispute, and when
AI review results:Whether AI reviewed the video, AI confidence score (0–100), AI decision (approve/reject), and the full AI analysis JSON
Votes:Each team member's vote (approve or reject) and any written comment justifying their vote
Video evidence is stored in Supabase Storage (bucket: callout-videos) and is also sent to OpenAI for automated review.
2.9 Chat & Messaging
| Data | Description |
|---|---|
| Message content | The text you write in team chats or challenge matchup chats |
| Message type | Text, system message, or callout event |
| Sender identity | Your user ID |
| Chat context | Which team or challenge the message belongs to |
| @Mentions | Records of which users were @mentioned in a message |
| Timestamps | When each message was sent |
2.10 Activity Feed
For each team, we generate an activity feed that records:
- Who completed a workout
- Who set a personal record
- Who created or resolved a callout
- Who joined the team
- Points associated with each activity
- Which exercise or workout day the activity relates to
2.11 Notifications
| Data | Description |
|---|---|
| Notification content | Title and body text |
| Category | One of: callout, challenge, motivation, achievement, reminder, social, system |
| Read status | Whether you have read the notification |
| Priority | Low, medium, high, or urgent |
| Deep link | URL for in-app navigation (e.g., repple://challenge/123) |
| Related entity | Which callout or challenge triggered the notification |
| Push delivery status | Whether a push notification was sent and when |
2.12 Device Information
| Data | Description |
|---|---|
| Device token | Unique push notification token from your iOS or Android device |
| Platform | iOS or Android |
| Device name | Human-readable name you provide (e.g., "iPhone 14 Pro") |
| App version | Version of Repple installed on the device |
| Last active timestamp | When this device last made an API call |
2.13 AI-Generated Content & Image Analysis
| Data | Description |
|---|---|
| Uploaded images | Workout plan photos or screenshots you submit |
| Requested workout parameters | Target days per week you request |
| Generated results | The AI-produced workout plan stored in our database |
| Processing status | Task status (pending/completed/error) and any error messages |
Images and workout descriptions are sent to OpenAI for processing.
2.14 Invite Links
| Data | Description |
|---|---|
| Invite code | 12-character unique code |
| Link type | Friend invite, team invite, or team join link |
| Creator | Your user ID |
| Target | Team ID (for team invites) |
| Expiration | 7 days from creation |
| Redemption | Who used the link and when |
3. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Providing the service | All workout, exercise log, and split data to display your training history |
| Calculating points and rankings | Exercise logs, weights, completion status, streaks |
| Strength standard comparisons | Body weight, gender, age, experience level |
| Team challenges and ELO | Weekly points, team membership, challenge history |
| Automated scoring | Nightly cron jobs create daily snapshots and weekly split snapshots |
| AI workout plan generation | Uploaded images, requested parameters |
| AI callout review | Submitted proof videos |
| Push notifications | Device tokens, notification preferences, timezone, quiet hours |
| Activity feeds | Workout completions, callout events, team joins |
| Gamification | Streak milestones, power-ups, spin balance, icon unlocks |
| Account security | Email, password hash, JWT tokens |
4. Third-Party Services
We share data with the following third-party services to operate the app:
4.1 Supabase (Authentication & Storage)
- Data shared: Email address, password (hashed by Supabase), JWT session data, callout video files
- Purpose: Authentication (login/signup/session management) and storage of proof videos
- Storage location: Supabase-managed infrastructure
- Privacy policy: supabase.com/privacy
4.2 OpenAI
- Data shared: Workout plan images you upload, natural language workout descriptions, callout proof videos
- Purpose: AI-powered workout plan parsing and callout video review ("Repple Monkey" AI reviewer)
- Note: Once data is sent to OpenAI, it is subject to OpenAI's data usage policies
- Privacy policy: openai.com/policies/privacy-policy
4.3 Apple Push Notification Service (APNS)
- Data shared: Your iOS device token, notification title and body text
- Purpose: Delivering push notifications to iOS devices
- Privacy policy: apple.com/legal/privacy
4.4 Firebase Cloud Messaging (Google FCM)
- Data shared: Your Android device token, notification title and body text
- Purpose: Delivering push notifications to Android devices
- Privacy policy: policies.google.com/privacy
5. Data Retention
5.1 Account Deletion
When you delete your account, the following data is permanently deleted:
- All workout splits, workout days, exercises, and exercise logs
- All exercise log set records
- All weekly points, daily snapshots, and split snapshots
- All team memberships and join requests
- All challenge participation records
- All chat messages and @mentions
- All notifications and activity feed entries
- All device tokens
- All power-ups, spins, streak milestones, and icon unlocks
- All callouts, callout votes, and submitted proof videos
- All friend relationships and friend requests
- All invite links you created
- All AI plan generation tasks and results
- Your user profile record
Some records that reference your account may have the user ID set to NULL rather than deleted (e.g., if you approved a team join request on behalf of a team you no longer own).
5.2 Automatic Expiration
| Data | Expiration |
|---|---|
| Team join requests | 7 days from creation |
| Friend invite links | 7 days from creation |
| Team invite links | 7 days from creation |
| Challenge invites | End of the targeted challenge week |
| Callout response deadlines | Sunday 10:00 PM EST of the challenge week |
5.3 Automated Data Generation
| Data | Schedule |
|---|---|
| Daily points snapshots | Every night at 23:59 UTC |
| Split snapshots | Every Monday at 00:00 UTC |
| Weekly challenge setup | Every Monday at 00:05 UTC |
| Challenge completion | Every Sunday at 22:05 UTC |
6. Data Security
- Authentication: Your password is never stored in plaintext. Supabase handles all password hashing. We validate your identity using cryptographically signed JWT tokens.
- Secrets: API keys and credentials are stored in server-side environment variables and never committed to source code.
- Transport: All API communication occurs over HTTPS.
- Cron endpoints: Administrative cron endpoints are protected by a secret key (X-Cron-Secret header) and are not accessible to regular users.
- Database: All data is stored in a PostgreSQL database hosted on Render. User ownership is enforced on every data access query.
7. Children's Privacy
Repple is not intended for users under the age of 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.
8. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and all associated data
- Object to certain types of data processing
- Data portability — request a copy of your data in a machine-readable format
- Withdraw consent for optional data (e.g., disable push notifications, remove device tokens)
To exercise any of these rights, contact us at the address below.
9. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top. If changes are significant, we will notify you via push notification or in-app message.
10. Contact
If you have questions, concerns, or requests regarding this Privacy Policy, please contact us at:
Repple
apprepple@gmail.com