1. Introduction

Welcome to Kettlebe ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and web services (collectively, the "Service").

By using the Service, you consent to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service. For information about your rights and responsibilities, see our Terms of Service.

2. Information We Collect

2.1 Information You Provide

We collect information that you voluntarily provide when using the Service:

• Account Information: Email address, username, password (securely hashed with bcrypt), profile photo
• Profile Data: Age, gender, fitness level, fitness goals, body measurements (all optional)
• Workout Data: Exercise logs, workout duration, kettlebell weights used, repetitions, sets, workout completion status, rest days
• Progress Data: Streak counts, workout history, personal records, progress photos (optional)
• Community Content: Comments, kudos, posts, shared workout data
• Payment Information: Processed exclusively through Apple App Store or Google Play Store (we do NOT store your payment details)
• Communication Data: Messages you send to customer support, feedback, survey responses

2.2 Automatically Collected Information

When you use the Service, we automatically collect certain information:

• Device Information: Device type, operating system version, device identifiers (IDFA/AAID - anonymized), mobile network information
• Usage Data: Pages/screens viewed, features used, time spent in app, button clicks, app opens/closes, crash logs
• Location Data: Approximate location based on IP address only (we do NOT collect precise GPS location)
• Log Data: IP address, browser type, access times, referring URLs, error logs
• Cookies and Tracking: Session cookies, analytics cookies, preference cookies (see Section 10)
• Advertising Data (Free Users Only): Google Ads may collect device identifiers, IP address, and general app usage information to show relevant ads. Your workout data and health information are never shared with advertising networks. See Google's Advertising Policies.

2.3 Health and Fitness Data

With your explicit consent, Kettlebe may collect health and fitness-related information, including:

• Workout activity (type, duration, intensity, frequency)
• Physical measurements (weight, body measurements - optional)
• Fitness goals and preferences
• Rest days and recovery patterns
• Perceived exertion and fatigue levels

This data is used solely to provide personalized workout recommendations, track your progress, and improve the Service. We treat health data with the highest level of security and confidentiality.

We do NOT collect heart rate data, blood pressure, glucose levels, or other medical health metrics.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide the Service: Deliver core features, track workouts, display progress, manage your account
• Personalization: Generate AI-powered workout recommendations, customize training plans, suggest appropriate exercises based on your fitness level
• Community Features: Display user profiles, show activity feeds, enable social interactions, rankings, and leaderboards
• Analytics and Improvement: Understand how users interact with the Service, identify bugs, improve features, test new functionality
• Communication: Send workout reminders, streak alerts, product updates, customer support responses, transactional emails
• Marketing: Send promotional emails about new features, premium upgrades (with your consent - you can opt out anytime)
• Security: Detect and prevent fraud, unauthorized access, spam, violations of Terms of Service
• Legal Compliance: Comply with legal obligations, respond to legal requests, enforce our policies, protect rights and safety
• Subscription Management: Process payments through Apple/Google, manage subscriptions, handle cancellations and refunds

IMPORTANT: We do NOT use your health, fitness, or workout data for advertising purposes or share it with advertising networks.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your personal data under the following legal bases:

• Contract Performance: Processing necessary to provide the Service you requested (account creation, workout tracking, subscription management)
• Legitimate Interests: Improving the Service, analytics, preventing fraud, ensuring security (where not overridden by your rights)
• Consent: Health/fitness data collection, marketing communications, optional profile data, non-essential cookies (you can withdraw consent anytime)
• Legal Obligation: Compliance with applicable laws, regulations, and legal processes

5. How We Share Your Information

We do NOT sell your personal information for monetary value.

We may share your information in the following circumstances:

5.1 Service Providers

We share data with third-party service providers who perform services on our behalf:

• RevenueCat: Subscription management and payment processing (Apple, Google) - Privacy Policy
• Hetzner Cloud: Infrastructure and database hosting (EU-based servers in Germany/Finland) - Privacy Policy
• Firebase / Expo Push: Push notifications and app analytics - Firebase Privacy, Expo Privacy
• Google Analytics / Mixpanel: Usage analytics and insights (anonymized/aggregated where possible) - Google Privacy, Mixpanel Privacy
• Sentry: Error tracking and performance monitoring - Privacy Policy
• OneSignal: To send you transactional emails (password resets) and in the future push notifications about your workouts - Privacy Policy
• Google Ads: Advertising for free users (Google may collect device identifiers and usage data to show relevant ads - see Google's Privacy Policy and Advertising Policies)

These providers are contractually obligated to protect your data, use it only for the purposes we specify, and comply with GDPR and applicable data protection laws.

5.2 Community Features

When you use community features, certain information becomes visible to other users based on your privacy settings:

• Profile information (username, profile photo, bio)
• Workout activity (if you choose to share)
• Comments and kudos
• Current streak count

Default Privacy Settings: New users' profiles are set to "Followers Only" by default. You can change this to "Everyone" or "Only Me" at any time in Settings → Privacy.

5.3 Legal Requirements

We may disclose your information if required by law or in response to:

• Legal processes (subpoenas, court orders, search warrants)
• Government or regulatory requests
• Protection of our rights, property, or safety, or that of users or the public
• Emergency situations involving health, safety, or law enforcement

5.4 Business Transfers

If Kettlebe is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the Service before your information becomes subject to a different privacy policy. See our Terms of Service for more information.

5.5 Aggregated and De-Identified Data

We may share aggregated, de-identified, or anonymized data that cannot reasonably be used to identify you, for purposes including research, analytics, and improving the Service.

6. What We DON'T Do

7. Data Storage and Security

7.1 Where We Store Data

Your data is stored on secure servers provided by Hetzner Cloud in the European Union (data centers in Germany and Finland). We use PostgreSQL databases with:

• Encryption at rest (AES-256)
• Encryption in transit (TLS 1.3)
• Automated daily backups
• Regular security updates and patches

7.2 Security Measures

We implement industry-standard security measures to protect your information:

• Password Security: Passwords hashed with bcrypt (industry-standard one-way hashing)
• Network Security: HTTPS/TLS for all data transmission, secure API endpoints
• Access Controls: Role-based access, multi-factor authentication for staff, least-privilege principle
• Monitoring: 24/7 security monitoring, intrusion detection, regular security audits
• Vulnerability Management: Regular penetration testing, security patches, dependency updates
• Data Isolation: Logical separation of user data, secure database configurations

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data using commercially acceptable means, we cannot guarantee absolute security.

7.3 Data Retention

We retain your information for as long as necessary to provide the Service and comply with legal obligations:

• Active accounts: Data retained while your account is active and for a reasonable period thereafter
• Deleted accounts: Most data deleted within 30 days; some data retained for legal/security purposes for up to 90 days
• Backup data: May be retained in backups for up to 90 days, then permanently deleted
• Legal/financial records: Retained as required by law (typically 7 years for tax/accounting purposes)
• Aggregated/de-identified data: May be retained indefinitely for analytics and research

Deletion is permanent and irreversible. Once deleted, your workout history, streaks, and community data cannot be restored.

7.4 Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

• Notify you and relevant authorities as required by law, typically within 72 hours of discovery
• Provide information about what data was affected and what steps we are taking
• Offer guidance on protecting yourself from potential harm
• Implement measures to prevent future breaches

8. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

8.1 Access and Portability

You have the right to access your personal data and receive a copy in a structured, commonly used, machine-readable format (CSV, JSON, PDF).

How to exercise: Request data export by contacting privacy@kettlebe.com or through Settings → Privacy → Export Data.

8.2 Correction

You can update your profile information and account settings at any time through the app. If you need assistance correcting inaccurate data, contact us at privacy@kettlebe.com.

8.3 Deletion

You can request deletion of your account and personal data:

• Through the app: Settings → Account → Delete Account
• By contacting us at privacy@kettlebe.com

Important: Deletion is permanent and irreversible. Some data may be retained for legal, security, or fraud prevention purposes as outlined in Section 7.3.

8.4 Withdraw Consent

Where we process data based on your consent, you can withdraw that consent at any time:

• Health data consent: Settings → Privacy → Health Data Consent
• Marketing emails: Click "unsubscribe" in any email or Settings → Notifications
• Push notifications: Device settings or Settings → Notifications
• Cookies: Browser settings or Settings → Privacy → Cookies

8.5 GDPR Rights (EEA/UK/Switzerland Users)

If you are in the European Economic Area, UK, or Switzerland, you have additional rights:

• Right to object: Object to processing based on legitimate interests
• Right to restrict: Request restriction of processing in certain circumstances
• Right to lodge a complaint: File a complaint with your local data protection authority
• Right to not be subject to automated decision-making: Request human review of automated decisions

To exercise these rights, contact us at privacy@kettlebe.com.

8.6 California Privacy Rights (CCPA/CPRA)

California residents have the right to:

• Know: Request information about personal information collected, used, and shared in the past 12 months
• Delete: Request deletion of personal information (with certain exceptions)
• Opt-out of sale: We do NOT sell personal information, so no opt-out is necessary
• Correct: Request correction of inaccurate personal information
• Limit use of sensitive information: Limit use of sensitive personal information
• Non-discrimination: Exercise rights without discrimination or retaliation

8.7 Other US State Privacy Rights

Residents of Colorado, Connecticut, Oregon, Texas, Utah, Virginia, and Montana have similar rights to California residents under their respective state privacy laws.

8.8 How to Exercise Your Rights

To exercise any privacy rights:

• Email: privacy@kettlebe.com
• In-app: Settings → Privacy → Privacy Request

We will respond to verified requests as required by applicable law. We may need to verify your identity before processing your request.

9. Children's Privacy

Kettlebe is not intended for children under the age of 13 (or the minimum age in your jurisdiction to consent to data processing). We do not knowingly collect personal information from children under 13.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at privacy@kettlebe.com. We will promptly delete such information from our systems.

Users aged 13-17: We recommend parental supervision and encourage parents to review this Privacy Policy with their children.

10. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to improve your experience and analyze usage patterns.

10.1 Types of Cookies

• Essential Cookies (Required): Necessary for the Service to function - login sessions, security, authentication
• Analytics Cookies (Optional): Help us understand usage patterns - Google Analytics, Mixpanel (anonymized where possible)
• Preference Cookies (Optional): Remember your settings and preferences - theme, language, notification preferences
• Advertising Cookies (Free Users Only): Google Ads uses cookies and device identifiers to show relevant ads to free users. Premium users do not see ads and are not subject to advertising tracking.

Note: Your health and fitness data is never used for ad targeting. Google Ads may use general app usage information and device identifiers, but not your workout details or personal fitness information. For more details, see Google's Privacy Policy and Advertising Policies.

10.2 Managing Cookies

You can control cookies through:

• Browser settings: Most browsers allow you to block or delete cookies
• App settings: Settings → Privacy → Cookie Preferences
• Opt-out tools: Google Analytics opt-out browser add-on

Note: Disabling essential cookies may affect the functionality of the Service.

11. International Data Transfers

Your data is primarily stored on servers in the European Union (Hetzner Cloud - Germany and Finland). If you access the Service from outside the EU, your data may be transferred to and processed in the EU.

We ensure appropriate safeguards are in place for international data transfers, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from EEA to third countries
• Compliance with GDPR requirements for international transfers (Article 44-50)
• Data Processing Agreements with all third-party processors
• Technical and organizational measures to ensure data security during transfer

12. Third-Party Links

The Service may contain links to third-party websites, apps, or services (e.g., exercise tutorial videos, nutrition guides). We are not responsible for the privacy practices of these third parties.

We encourage you to read the privacy policies of any third-party sites or services before providing any personal information. This Privacy Policy does not apply to third-party websites or services.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes, we will notify you by:

• Updating the "Effective Date" at the top of this document
• Sending you an email notification to your registered email address
• Displaying a prominent notice in the Service
• Requiring you to accept the updated Privacy Policy before continuing to use the Service (for material changes affecting your rights)

Changes will become effective on the date specified in the notice. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you must stop using the Service and may delete your account.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. For questions about our Terms of Service, see the contact information there.

EU Data Protection Authorities: If you are in the EEA, you have the right to lodge a complaint with your local data protection authority if you believe we have not adequately addressed your concerns.

15. Additional Information

15.1 Do Not Track Signals

We do not currently respond to "Do Not Track" (DNT) browser signals as there is no universally accepted industry standard for compliance. However, you can control cookies and tracking through browser settings and opt-out tools.

15.2 California "Shine the Light" Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do NOT share personal information with third parties for their direct marketing purposes.

15.3 Nevada Privacy Rights

Nevada residents have the right to opt out of the sale of personal information. We do NOT sell personal information as defined under Nevada law.

15.4 Your Consent

By using the Service, you consent to the collection, use, and sharing of information as described in this Privacy Policy. If you do not agree, please do not use the Service.