Privacy policy.
The short version.
Repify is a workout and nutrition tracking tool for iOS. This Privacy Policy explains what personal data we collect, why we collect it, how we protect it, and the rights you have over it. It applies to the Repify iOS application and the repify-app.com website.
The data controller is Repify, based in the United Kingdom. You can reach us at support@repify-app.com for any privacy question, subject access request, or complaint.
We operate globally. The law that applies to you depends on where you are. If you are in the UK we apply the UK GDPR and the Data Protection Act 2018. If you are in the EEA we apply the EU GDPR. If you are elsewhere, we still follow UK-GDPR-grade standards as a baseline.
What we collect.
We only collect what is necessary to run the app and improve it:
- Account info. Name, email address, profile picture.
- Health & fitness data. Workout logs, sets, reps, weights, nutrition data, body measurements. Under UK/EU GDPR this is a special category of personal data and receives extra protection.
- Uploaded media. Progress photos and meal photos you choose to upload.
- Subscription & purchase data. Subscription status, entitlements, purchase history (received from Apple / RevenueCat). We do not see your payment card details.
- Device data. Device type, iOS version, app version, push notification token, crash logs.
- Usage data. Basic in-app events that help us fix bugs and improve features. No third-party advertising or cross-app tracking.
How we use it, and why we're allowed to.
Under Articles 6 and 9 of the UK GDPR every use of your data has a specific legal basis. Ours are:
- Running the app. Logging workouts, syncing across devices, processing subscriptions, providing customer support. Basis: performance of our contract with you (Art. 6(1)(b)).
- Processing your health & fitness data. Basis: your explicit consent, given when you create an account and enter health data (Art. 9(2)(a)). You can withdraw consent at any time by deleting your account.
- Security, fraud prevention, and abuse detection. Spotting suspicious activity and keeping the service reliable. Basis: our legitimate interests in running a secure service (Art. 6(1)(f)).
- Improving the product. Understanding which features are used, fixing bugs, making the app better. Basis: our legitimate interests; balanced against your right to privacy.
- Legal obligations. Retaining tax and accounting records, responding to lawful law enforcement requests. Basis: compliance with legal obligations (Art. 6(1)(c)).
Who helps us run it.
We use a small, carefully chosen set of service providers ("sub-processors") to run Repify. They only process your data on our instructions and under written contracts that meet UK GDPR requirements.
- Supabase Inc. — Database, authentication, and secure backend infrastructure. Hosted in the United States.
- RevenueCat, Inc. — Subscription management and receipt validation. Receives your App Store user ID and subscription status. United States.
- Replicate, Inc. — AI image analysis for the photo-based food logging feature. When you snap a meal, the image is sent to Replicate to estimate macros, then discarded by them. United States.
- DigitalOcean LLC (Spaces) — Encrypted object storage for your uploaded progress and meal photos. United States.
- Apple Inc. — App Store distribution, In-App Purchase, Apple Push Notification service (APNs), and, if you opt in, Sign in with Apple. Global.
- Vercel Inc. — Hosting for the repify-app.com website. Serves static pages; does not see in-app user data.
We may also share data where required by law (for example, a valid court order), to enforce our Terms of Service, or to protect the rights and safety of users and the public.
International transfers. Several of our sub-processors are based in the United States. Transfers outside the UK / EEA are made under the UK International Data Transfer Addendum (IDTA) or the EU Standard Contractual Clauses (SCCs), with supplementary technical safeguards (encryption in transit and at rest).
How long we keep it.
We don't keep data longer than we need to:
- While your account is active. We keep your data for as long as you use Repify.
- After account deletion. Personal data is deleted from our live systems within 30 days. Encrypted backups rotate out within a further 90 days.
- Legal & financial records. Subscription and tax records are kept for up to 7 years where required by UK law, even after account deletion.
- Aggregated, anonymised statistics. May be kept indefinitely; these cannot be used to re-identify you.
How we protect it.
Your data is encrypted in transit (TLS 1.2+) and at rest using industry-standard AES-256 encryption. Access to production systems is restricted, authenticated, and logged. Our core backend is powered by Supabase, a secure open-source Firebase alternative.
No system is perfect. If a personal data breach affects your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours of becoming aware, and notify you directly where the risk is high, as required by Articles 33 and 34 of the UK GDPR.
Progress & meal photos.
Repify lets you upload photos to track your fitness journey and log meals. Here is how we handle them:
- Private by default. Progress photos are stored securely and are only accessible to your account. They are never visible to other users, shared with third parties for marketing, or used for any purpose beyond providing the app's functionality to you.
- Encrypted storage. Uploaded photos are held on encrypted cloud infrastructure (DigitalOcean Spaces) and encrypted both in transit and at rest.
- No human review. Repify staff do not access or review your uploaded photos unless required by law, to investigate a reported violation of our Terms, or with your explicit permission when you request support.
- Meal photos and AI. When you use photo-based food logging, the image is briefly sent to Replicate for analysis and immediately discarded by them. See "Automated processing" below.
- Deletion. When you delete a photo, or delete your account, the associated media is permanently removed from our servers within 30 days.
You should not upload sensitive, explicit, or illegal content, or images of other people without their consent. See our Terms of Service for full rules on acceptable content.
AI and photo analysis.
The photo-based food logging feature uses an AI model hosted by Replicate to estimate the macros on your plate from a photo. The result is an estimate, not a diagnosis or medical assessment, and you can always edit or reject it before saving.
This processing does not produce legal or similarly significant effects for you, so Article 22 of the UK GDPR (automated individual decision-making) is not engaged. If you would prefer not to use this feature, you can log meals manually instead.
Website cookies.
The Repify website uses a minimal amount of local browser storage to remember your theme preference (light/dark). It does not set third-party advertising or analytics cookies. The iOS app does not use web cookies.
Your rights under UK / EU GDPR.
You have the following rights in relation to your personal data. We will respond to any request within one month (Article 12(3)).
- Right of access. Ask for a copy of the personal data we hold about you.
- Right to rectification. Ask us to correct data that is inaccurate or incomplete.
- Right to erasure ("right to be forgotten"). Ask us to delete your data. You can also do this yourself from Profile → Settings → Delete Account.
- Right to data portability. Receive your data in a structured, machine-readable format.
- Right to restrict processing. Ask us to pause certain uses of your data.
- Right to object. Object to processing based on our legitimate interests.
- Right to withdraw consent. Where we rely on your consent (including for health data), you can withdraw it at any time.
- Right not to be subject to solely automated decisions. We do not make decisions that have legal or similarly significant effects on you using only automated processing.
To exercise any of these, email support@repify-app.com. We may need to verify your identity before we act.
Not for under-16s.
Repify is not directed at children under the age of 16 and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, email support@repify-app.com and we will delete it promptly.
Updates to this policy.
We may update this Privacy Policy from time to time to reflect legal changes or new features. When we do, we will update the "Last updated" date at the top. If the changes are material we will notify you in-app or by email before they take effect. Continued use of Repify after an update means you accept the updated policy.
Get in touch.
Data controller: Repify, United Kingdom.
Privacy contact: support@repify-app.com
We have not appointed a Data Protection Officer as we are not required to do so under Article 37 of the UK GDPR, but all privacy enquiries are handled personally and taken seriously.
