Legal
Privacy Policy
The short version
- If you don't sign in, your data never leaves your phone. The app is fully usable offline.
- If you sign in with Apple or Google, we store your account identity and the training data you back up — only to sync it to your own devices.
- No analytics, no advertising, no trackers, no data sales. We use no third-party SDKs.
- You're in control. Delete your account and all of its data from inside the app, any time.
01 Who we are
IronLifts (“we”, “us”) is a strength-training app for iPhone, operated by [operator's legal name — confirm before publishing], based in New Zealand. This policy explains what we collect, why, and the choices you have. It covers the IronLifts app and this website.
02 The app is local-first
IronLifts is designed to work entirely on your device. Your workouts, bodyweight log, and settings are stored locally on your iPhone. If you never sign in, we collect nothing about you — there is no account, and your training data is never transmitted to us.
Signing in is entirely optional and exists for one purpose: to back up your data and restore it on a new phone or after reinstalling.
03 What we collect when you sign in
Account identity
When you use Sign in with Apple or Sign in with Google, we receive and store:
- your email address;
- your name or display name, if the provider supplies it;
- a stable identifier for your account from that provider (so we can recognise you on return).
We never see or receive your Apple or Google password. If you use Apple's Hide My Email, we only ever store the private relay address Apple gives us. We do not store a profile photo.
Training data you back up
When you're signed in, the data you choose to sync includes:
- your workout history (sessions, exercises, sets, reps, and weights);
- your bodyweight log;
- optional body metrics you may enter, such as age and height;
- your app preferences (program, units, schedule, rest-timer lengths, accent, working weights, and notes).
04 What we do not collect
- No analytics or usage tracking, and no advertising or ad identifiers.
- No third-party tracking SDKs of any kind.
- No location, contacts, photos, or health-app data.
- No payment or financial information (the app takes no payments).
- No precise device fingerprinting.
05 How we use your data
We use your account identity and backed-up data solely to operate the backup-and-sync feature: to authenticate you, to store your training data against your account, and to return it to your devices. That's it.
We do not sell your data, share it for advertising, use it to build profiles, or process it for any purpose unrelated to syncing your own training.
IronLifts' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
06 Who processes your data
We keep the list of third parties deliberately short. They act as our service providers, not independent controllers:
- Apple and Google — only when you choose their sign-in. They verify your identity; their handling of your account is governed by their own privacy policies.
- Cloudflare — our hosting and database provider. Your backed-up data is stored in Cloudflare's database (D1) and served through Cloudflare's network.
We do not use any analytics, advertising, crash-reporting, or marketing processors.
07 Where it's stored & how it's protected
- All traffic is encrypted in transit with HTTPS/TLS.
- Each account's data is strictly isolated; every request is scoped to your own user record.
- Sign-in tokens are short-lived; long-lived refresh tokens are stored only as a one-way hash and are rotated on every use, with automatic revocation if a token is ever reused.
- On your device, session tokens are held in the iOS Keychain, never in plain preferences.
- We store the minimum personal data needed — essentially your email and a provider identifier.
No method of transmission or storage is ever perfectly secure, but we design to keep the stored footprint small and access tightly scoped.
08 Keeping and deleting your data
We keep your backed-up data for as long as your account exists. You have direct control:
- Sign out stops syncing and keeps your data safely on your device.
- Delete account, from inside the app, permanently removes your account and all associated data from our database.
You can also request deletion by emailing us (see below), and we will action it.
09 Your rights
Under the New Zealand Privacy Act 2020 — and equivalent laws such as the GDPR if you're in their scope — you have the right to access, correct, and delete the personal information we hold about you, and to complain to a regulator. Most of this is built into the app: your data is visible to you in IronLifts, and you can delete all of it yourself. For anything else, contact us.
10 Children
IronLifts is not directed at children under 13, and we do not knowingly collect personal information from them. If you believe a child has signed in, contact us and we'll delete the account.
11 International users
We're based in New Zealand and our infrastructure provider operates a global network, so your data may be processed on servers outside your country. Wherever it's processed, this policy applies.
12 Changes to this policy
If we make material changes, we'll update the “Last updated” date above and, where appropriate, notify you in the app. Continued use after an update means you accept the revised policy.
13 Contact us
Questions, requests, or privacy concerns: privacy@ironlifts.putake.nz [confirm this mailbox exists / routes before publishing].