Privacy Policy for ELVT – Hypertrophy by Design

Last updated: June 1, 2025

ELVT – Hypertrophy by Design (“we”, “us”, or “our”), operated by Oneaxis Engineering, respects your privacy and is committed to protecting it. This Privacy Policy explains how we collect, use, and handle your data when you use the ELVT – Hypertrophy by Design mobile app (“the app”).

The app is designed to store your training data locally on your device. We do not operate servers to store your workout content. Some third-party services are used to enable crash reporting, advertising (based on consent), and optional data backup.

1. What Data We Collect

We only collect and process minimal information needed to run the app and improve its stability, adhering to principles of data minimization and purpose limitation.

Workout Data (Stored Locally)

  • All workouts, exercises, logs, and similar fitness data are stored only on your device.
  • This includes sensitive health data such as weight, height, body fat, heart rate, detailed activity logs (e.g., steps, distance, calories burned), and sleep patterns, which are classified as sensitive personal information under various global privacy laws.
  • We do not access, transfer, or store this data on our servers.
  • You fully control this data and can delete or export it at any time within the app.

Optional Google Drive Backup

  • You may choose to back up your data to your personal Google Drive account.
  • The app uses Google’s secure OAuth process for authentication.
  • Backups are created only when initiated by you and are saved in your Google Drive. We never access your data on Google Drive except for the backup/restore you trigger.
  • We adhere to Google API Services User Data Policy and Limited Use requirements, which prohibit selling user data or using it for advertising purposes.

Crash Reporting via Sentry

  • We use Sentry to collect anonymized crash and error logs to help us fix bugs and improve app performance.
  • Information collected by default includes device type, OS version, app version, and general device information.
  • Sentry’s default settings prioritize data safety; it does not send cookies, information about logged-in users (like email or user ID), or users’ IP addresses by default unless explicitly configured by the developer.
  • No workout or user-entered content is included in crash reports.

Advertising and Consent (via Google AdMob)

  • We use Google AdMob to display ads only if you give consent via Google’s User Messaging Platform (UMP).
  • If you consent to ads, the full set of app features will be available, and you may see personalized or non-personalized ads based on your selection.
  • Personalized ads are based on previously collected or historical data (e.g., app usage, location, demographics) to influence ad selection. Non-personalized ads use contextual information (e.g., coarse geo-targeting, content on the current app). Even non-personalized ads may use cookies or mobile ad identifiers for frequency capping and aggregated ad reporting, requiring consent where legally required.
  • AdMob automatically collects the device’s IP address (for general location), user product interactions (app launches, taps, video views), diagnostic information (crash logs, app launch time, energy usage), and device/account identifiers (Android advertising ID, app set ID) for advertising, analytics, and fraud prevention.
  • AdMob also automatically collects user properties such as age (in six categories), app store, app version, country, device brand, device category, device model, first open time, gender, interests, and OS version. For iOS apps, IDFA collection is necessary to derive the Age, Gender, and Interests properties.
  • If you do not give any form of consent, no ads will be shown. You can still use the app, but only in a basic, limited-feature mode.
  • We comply with Google’s EU User Consent Policy, which requires disclosures and consent for cookie usage and personal data for ads personalization in the EEA and UK. We use a Google-certified Consent Management Platform (CMP) that integrates with the Transparency and Consent Framework (TCF) to manage consent based on your location.

User Contact (Optional)

  • If you contact us via in-app feedback or the website, we will receive the details you provide (e.g., email address, message content).
  • We use this information only to respond to your request or issue.
  • We do not use this data for advertising or share it with third parties.

2. How We Use Your Data

We process your data only for the following purposes, each supported by a clear legal basis:

  • To provide core app functionality: This includes displaying your workouts, planning your training, and enabling optional data backup/restore via Google Drive. This processing is based on contractual necessity.
  • To analyze crashes and fix bugs: Using anonymized technical data from Sentry to improve app performance and stability. This is based on our legitimate interest in maintaining a functional and secure app.
  • To serve ads and unlock full functionality: If you provide consent, we use data collected by AdMob for personalized or non-personalized advertising. This is based on your explicit consent.
  • To respond to user-initiated communication: Via email or feedback form. This is based on our legitimate interest in providing customer support.
  • To comply with legal obligations: When required by law (e.g., data access requests, fraud prevention). This is based on legal obligation.

We do not use your data for profiling, resell it, or combine it with other third-party sources for purposes other than those disclosed.

3. Third-Party Services

We engage with third-party service providers to facilitate our services. These providers process data on our behalf and are contractually bound to protect your data.

Sentry

  • Purpose: Crash and error tracking
  • Categories of Data Shared: Device information (OS, version, build), thread stack information (at crash time), HTTP headers (sensitive headers redacted), request URL, request query string, general device information (CPU, GPU details). Sentry does not send cookies, logged-in user info, or IP addresses by default unless explicitly configured.

Google AdMob

  • Purpose: Ads display (with consent)
  • Categories of Data Shared: IP address (for general location), user product interactions (app launches, taps, video views), diagnostic information (crash logs, app launch time, energy usage), device and account identifiers (Android advertising ID, app set ID), user properties (age, app store, app version, country, device brand, device category, device model, first open time, gender, interests, language, new/established user status, OS version).

Google Drive API

  • Purpose: Backup/restore (user-initiated)
  • Categories of Data Shared: Workout data you choose to back up. Google explicitly states it does not sell customer data or use it for advertising.

We have agreements with all providers to ensure data protection and GDPR/CCPA compliance. No data is sold or shared for marketing beyond the purposes for which you provide consent.

4. International Data Transfers

Given our global user base, your data may be transferred to, and processed in, countries other than your own. We ensure such transfers comply with applicable data protection laws.

  • Sentry: Sentry’s product infrastructure is hosted in the United States (Iowa) and Germany (Frankfurt). Sentry has self-certified to the EU-U.S. Data Privacy Framework (DPF), the UK Extension, and the Swiss-U.S. Data Privacy Framework, relying on DPF Principles. Where DPF is not applicable or as an alternative, Sentry utilizes the European Commission’s Standard Contractual Clauses (SCCs).
  • Google (AdMob, Drive API): Google maintains servers around the world, and your information may be processed on servers located outside of the country where you live. Google Workspace allows administrators to select a geographic location for covered data, with options including the United States or European Union. Google complies with legal frameworks for data transfer, including European Commission, UK, and Swiss adequacy decisions, and the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF). In instances not covered by an adequacy decision, Google relies on Standard Contractual Clauses (SCCs) as a legally valid transfer mechanism.
  • General Mechanisms: We rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other approved mechanisms to ensure an equivalent level of data protection during international transfers.
  • Specific Jurisdictional Requirements:
      • PIPL (China): For users in China, explicit consent is mandatory before transferring data outside China, with clear notice of the recipient, purpose, and how to exercise rights. Depending on data volume and sensitivity, transfers may require a security assessment approved by the Cyberspace Administration of China (CAC), certification by a specialized body, or the use of approved standardized contracts.
      • US DOJ Rule: We also consider the U.S. Department of Justice (DOJ) rules that restrict U.S. businesses from transferring certain bulk sensitive personal data (e.g., biometric, financial, healthcare, location, genetic) to entities owned, controlled, or subject to the jurisdictions of “countries of concern” like China.

5. Your Privacy Rights

Depending on your location and applicable data protection laws, you may have the following rights regarding your personal data. We are committed to facilitating the exercise of these rights.

  • Right to Access: To obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data.
  • Right to Rectification: To request the correction of inaccurate or incomplete personal data without undue delay.
  • Right to Deletion/Erasure (Right to be Forgotten): To request the deletion of your personal data under certain circumstances.
  • Right to Data Portability: To receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
  • Right to Object to Processing: To object to the processing of your personal data under certain conditions, particularly for direct marketing purposes.
  • Right to Restriction of Processing: To request the restriction of processing of your personal data under certain conditions.
  • Right to Opt-Out of Sale/Sharing (CCPA/CPRA): For California residents, the right to opt-out of the “sale” or “sharing” of personal information. We provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on our website’s homepage and within the mobile application.
  • Right to Limit Use of Sensitive Personal Information (CCPA/CPRA): For California residents, the right to limit the use and disclosure of sensitive personal information.
  • Rights related to Automated Decision-Making (GDPR/PIPL/CCPA/CPRA): To object to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you. For PIPL, you have the right to request an explanation of the logic involved and to disallow such decisions.
  • Right to Confirm Processing (LGPD): To confirm the existence of personal data processing.
  • Right to Information on Sharing (LGPD): To be informed about how your personal data has been shared with third parties.
  • Right to Information on Consent Refusal (LGPD): To be informed about your right to refuse consent to process your personal data and the consequences of such refusal.
  • Right to Explanation (PIPL): To request an explanation of data processing rules and regulations.
  • Right of the Deceased (PIPL): Close relatives of a deceased person can exercise the rights the person held over their data.

Exercising Your Rights & Identity Verification:

To exercise these rights, please contact us at the email provided below. Deleting the app removes all locally stored data. For your protection and the protection of other users, when you submit a privacy request, we must authenticate the request by verifying your identity. The degree of proof required, and the type of information necessary to prove your identity, will vary depending upon the nature of the request and the sensitivity of the information. For example, requests for access to specific pieces of personal information or deletion requests may require additional identity verification beyond basic account information. We will use the additional personal information you provide only for the purpose of verification.

We will respond to verified requests within specific timelines: typically within 45 days for CCPA/CPRA deletion, correction, or information requests (with a possible 45-day extension if communicated), within one month for GDPR requests (with allowances for more complex requests), and promptly for LGPD requests (e.g., 15 days for access requests). PIPL requires timely responses to requests, and if denied, an explanation must be provided.

You also have the right to lodge a complaint with a supervisory authority if you believe your privacy rights have been infringed.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. This aligns with the principle of “storage limitation”.

  • Workout Data (Stored Locally): Retained on your device until you choose to delete or export it.
  • Account Information (e.g., email for contact): Retained for the duration of your active use of the app and for a limited period thereafter to facilitate account recovery or respond to inquiries, typically up to 2 years from last interaction, unless a longer period is legally required.
  • Crash Logs (via Sentry): Retained for a period necessary for debugging and performance improvement, typically up to 90 days, unless specific operational or legal requirements necessitate longer retention.
  • Advertising Data (via AdMob): Retention periods for advertising data vary based on purpose and user consent. Some data may be automatically deleted after a set period (e.g., 9 months for certain browsing information by Google), while other data may be retained longer for regulatory, security, and business reasons. Marketing data may be retained for up to 2 years from the last contact, subject to user preferences.
  • User Contact/Feedback Data: Retained only as long as necessary to address your inquiry and for a reasonable period thereafter for record-keeping, typically up to 1 year.

Once data is no longer needed for its original purpose or exceeds legal/business retention requirements, it is securely deleted or anonymized.

7. Data Security Measures

We are committed to protecting the security of your personal data. We implement appropriate technical and organizational measures to safeguard your information against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Data Encryption: Sensitive data is encrypted both at rest (when stored) and in transit (during transmission over networks) using robust protocols such as Advanced Encryption Standard (AES) with a 256-bit key. We employ encryption key management protocols to safeguard and regularly rotate encryption keys.
  • Access Controls: Strict access control mechanisms are implemented to restrict access to sensitive data, ensuring that only authorized personnel can view or modify specific data based on their role. This includes multi-factor authentication (MFA) and Role-Based Access Control (RBAC). The principle of least privilege is applied.
  • Regular Security Audits and Monitoring: We conduct systematic evaluations of our information systems regularly to identify vulnerabilities, outdated software, or improper access control settings. Continuous monitoring, utilizing tools like Intrusion Detection Systems (IDS), provides real-time surveillance of network activity to detect unauthorized access attempts and suspicious behavior.
  • Secure Development Practices: Security is integrated throughout the mobile app development lifecycle, including secure coding practices (input validation, output encoding, exception handling), regular code inspections, and app hardening techniques to prevent reverse engineering.
  • Secure Third-Party Integrations: We perform due diligence to ensure that any third-party service providers or vendors adhere to the same stringent data protection standards, including contractual agreements that define their security obligations.

In the event of a data breach, we will take swift action, including detection, containment, and notification to relevant authorities and affected individuals within mandated timelines. For GDPR, this means notifying the supervisory authority within 72 hours of becoming aware of the breach, and affected individuals if there is a high risk to their rights. For LGPD, notification to the ANPD and data subjects is required within a reasonable time period. For PIPL, notification to affected subjects and authorities is required.

8. Children’s Privacy

This app is not intended for individuals under the age of 16 (or the age defined by your local regulations). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16 without verifiable parental consent, we will take steps to delete that information as quickly as possible. If you believe we may have collected information from a child under 16, please contact us.

9. Data Protection Officer (DPO) / Representative

Given the global nature of the app and the processing of sensitive health data, certain data protection regulations may require the appointment of a Data Protection Officer (DPO) or a designated representative.

  • GDPR: A DPO is typically required if an organization processes large volumes of sensitive data or systematically monitors individuals on a large scale. Non-EU businesses offering goods or services to EU/EEA residents or monitoring their behavior must also appoint an EU-based representative.
  • LGPD: While generally not required for single entrepreneurs unless performing high-risk data processing activities, the appointment of a DPO is considered good practice.
  • PIPL: Foreign entities processing personal information of Mainland China residents outside of China (e.g., for providing services or analyzing behavior) must establish a dedicated institution or designate a representative within China, and their contact information must be registered with authorities.

As a single entrepreneur operating a global app that handles sensitive health data, we recommend consulting with a legal professional to determine the specific requirements for appointing a DPO or representative in relevant jurisdictions.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected on this page with a new effective date. We encourage you to review this policy periodically. For CCPA/CPRA, policies are updated at least once every 12 months.

11. Contact Information

If you have questions about this Privacy Policy or your data rights, contact us at:

Timo Weber

Hauptstraße 233f

28816 Stuhr

Germany

📧 support@elvthypertrophy.com