Privacy Policy
Effective: March 26, 2026 · Last updated: March 26, 2026
TL;DR: EchoFit is local-first. Your workout data lives on your device.
Voice recordings are never stored - only the text transcript is processed.
We don't sell your data. Ever.
1. Who We Are
EchoFit ("we", "us", "our") is a fitness tracking application available at
echofit.app and on the iOS App Store and Google Play Store.
We are committed to protecting your privacy and handling your data responsibly.
2. Data We Collect
What you provide:
- Account information (if you sign up): email address, display name
- Workout data: exercises, sets, reps, weights, dates - stored locally on your device and optionally synced to your account
- Profile settings: body weight, height, age, fitness goals - used solely to personalize your experience
What we process but do NOT store:
- Voice recordings: Your microphone input is processed by the device's Speech Recognition engine (iOS: Apple's on-device AVSpeechRecognizer; Web: browser's built-in API). The audio is never sent to our servers. Only the resulting text transcript is sent for AI extraction.
What we collect automatically:
- Crash reports and error logs (anonymized)
- App usage analytics (anonymized - tab switches, feature usage counts, no personal identifiers)
3. How We Use Your Data
- To provide the core workout tracking and AI coaching features
- To sync your data across your devices (when signed in)
- To compute your Digital Twin score, recovery insights, and personalized recommendations
- To send you streak reminders and training notifications (only if you opt in)
- To process subscription payments (via Apple IAP, Google Play, or Stripe)
We never sell, rent, or share your personal data with third parties for advertising purposes.
4. Data Storage & Security
- Local storage: All workout data is stored locally on your device first
- Cloud sync: When signed in, data syncs to Supabase (hosted on AWS in the US) with end-to-end row-level security
- Encryption: All data in transit uses TLS 1.3. Data at rest is encrypted by the hosting provider.
- Access control: Only you can access your data. Our engineers cannot access individual user workout records.
5. Third-Party Services
- Supabase (auth + database) - Privacy Policy
- Apple StoreKit / Google Play Billing - for in-app subscriptions on native platforms
- Stripe - for web subscriptions - Privacy Policy
- RevenueCat - purchase management - Privacy Policy
- OpenAI Whisper API - for Arabic voice transcription only. Audio is processed and immediately discarded per OpenAI's API terms. No training on your data.
6. Your Rights
You have the right to:
- Access all workout data you've logged (export as CSV from Settings)
- Delete your account and all associated data (Settings → Account → Delete Account)
- Opt out of push notifications at any time
- Request a copy of your personal data: privacy@echofit.app
If you are in the EU/EEA, you have additional rights under GDPR including data portability and the right to restrict processing. Contact us at privacy@echofit.app.
7. Children's Privacy
EchoFit is not directed to users under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.
8. Push Notifications
If you grant notification permission, we may send you:
- Daily streak reminders (configurable timing in Settings)
- Training window alerts
- Milestone celebrations (PRs, streak records)
You can revoke notification permission at any time in your device Settings.
9. Changes to This Policy
We may update this policy as our features evolve. We will notify you of significant changes via in-app notification. Continued use of EchoFit after changes means you accept the updated policy.