App Privacy Policy
Last updated: 23 June 2026
This policy explains how the HyperFlow iOS app ("HyperFlow", "we", "us", "our") collects, uses, stores and protects your personal data, in compliance with the EU General Data Protection Regulation (GDPR) and Apple's App Store requirements. HyperFlow is operated from Belgium, European Union.
This policy covers the mobile app. Our marketing website (hyperflow-fit.app) has a separate website privacy policy for its waitlist and contact form. The two products are independent.
By using HyperFlow, you agree to the collection and use of information in accordance with this policy. We process your data only when we have a lawful basis to do so.
1. Data controller
HyperFlow is the data controller for personal data processed by the app. For any data-protection inquiry or request, contact [email protected].
2. Data we collect
Account information
- Email address (required for authentication)
- Password (securely hashed by our authentication provider, never stored in plain text)
Profile data (optional)
- Username, training experience level, and app settings
- Your exact weight, height, age and sex are stored only on your device and are never saved to our servers
- Only a general weight class and age group (derived from your weight and age) sync to our servers and may be used for AI personalization
Workout data
- Exercises performed, sets, reps and weights
- Workout duration and timestamps
- Custom exercises you create; workout templates and favorites
- Post-session feedback (how a session felt, soreness, sleep, nutrition, notes) and per-exercise feel ratings
Subscription information
- Subscription status, product, and renewal/expiry dates
- Purchases are processed by Apple via In-App Purchase — we never receive or store your payment card details
Technical data (automatically collected)
- IP address and approximate region (server-side logs)
- Device platform, app version, and device language
- A random per-install identifier used to sync your data across devices and detect conflicts (not a hardware ID, never used for advertising)
- Security and audit events, and rate-limit records
Diagnostics & crash reports
- In production builds, crashes and errors are reported to Sentry: error messages, stack traces, recent in-app events, your user ID, app version and platform
- Crash reports do not include your workout content or profile measurements
Push notifications (optional)
- If you enable notifications, we store a push token and your device platform to deliver them via Expo and the Apple Push Notification service (APNs)
- Your token is removed when you sign out and deleted with your account
Biometric unlock (optional)
- Face ID, Touch ID, or your passcode can protect sensitive actions (data export, account deletion)
- Only an on/off preference is stored, in the iOS Keychain. Your biometric data never leaves the device's Secure Enclave and is never accessed by the app
3. Legal basis for processing
- Contract performance — processing necessary to provide the HyperFlow service you signed up for.
- Legitimate interest — improving our service, security, and preventing fraud.
- Consent — for optional features you turn on, such as push notifications (via the iOS permission) and AI personalization.
- Legal obligation — compliance with financial regulations for subscription billing.
4. Third-party data processors
We use trusted third-party services to operate HyperFlow. Each is bound by a data processing agreement.
| Provider | Purpose | Data | Location / Note |
| --- | --- | --- | --- |
| Supabase Policy | Authentication, database and sync | Account/auth identifiers, a random per-install device identifier (cross-device sync & conflict detection), email, profile (username, experience, settings, weight class & age group), workouts, exercises, sets, templates, favorites, feedback, push tokens, subscription mapping, security logs | EU (Frankfurt, Germany) |
| Apple Policy | In-App Purchase processing, Sign in with Apple, push delivery (APNs) | Payment processing (Apple handles card details), subscription receipts & status, authentication tokens, notification delivery | Payments processed by Apple. We never receive or store your card details. |
| RevenueCat Policy | Validates Apple purchase receipts and relays subscription events | User ID, App Store receipt, product ID, subscription status, renewal/expiry dates | — |
| Google AI (Gemini) Policy | Optional AI features (suggestions, weight recommendations, optimization, narration) | Exercise names & categories, derived weight class & age group, sex, experience, recent exercise history, session context, language | Your exact weight, height and age are never sent. We do not use your data to train third-party models. |
| Sentry Policy | Crash and error reporting (production builds only) | Error messages, stack traces, breadcrumbs, user ID, app version, platform | Crash reports do not include your workout content or profile measurements. |
| Expo (EAS) Policy | Push-notification relay and over-the-air app updates | Push token & platform (notifications); app/runtime version & platform (update checks) | — |
5. Data retention
- Account data — retained until you delete your account.
- Workout history — retained until you delete your account or specific workouts.
- Subscription records — kept while active and as needed afterwards to meet accounting and legal requirements.
- On-device data — remains on your device until you sign out, delete your account, or uninstall the app.
- Security & audit logs — retained about 30 days; rate-limit records about 1 hour.
6. Your rights under the GDPR
- Access — request a copy of all personal data we hold about you.
- Rectification — correct inaccurate personal data via your Settings page.
- Erasure ("right to be forgotten") — delete your account and all associated data from Settings.
- Data portability — request your data in a machine-readable format (JSON).
- Object — object to processing based on legitimate interests.
- Withdraw consent — disable AI personalization at any time in Settings.
To exercise any of these rights, contact [email protected]. We respond within 30 days. You may also lodge a complaint with your local Data Protection Authority — in Belgium, the Autorité de protection des données / Gegevensbeschermingsautoriteit.
7. Security measures
- All data encrypted in transit (TLS)
- Passwords are handled and hashed by our authentication provider; we never store them
- Database access restricted per user via Row-Level Security (RLS)
- Session tokens and encryption keys stored in the iOS Keychain
- On-device app data encrypted with a 256-bit key
- Your exact weight, height, age and sex kept on your device only
- Temporary lockout after repeated failed sign-in attempts
8. International data transfers
Your data may be transferred to servers outside the EU/EEA. We ensure adequate protection through Standard Contractual Clauses (SCCs) with all processors, EU-US Data Privacy Framework certifications where applicable, and data processing agreements with all third-party services.
9. On-device storage
As a native iOS app, HyperFlow does not use browser cookies, localStorage or service workers. It stores data on your device using:
- Local database (SQLite) — your offline copy of workouts, exercises and your profile, including the exact weight, height, age and sex that never leave your device.
- Encrypted key–value store (MMKV) — app settings, preferences and cached subscription status, encrypted with a 256-bit key.
- iOS Keychain — session tokens, the encryption key, and your biometric-unlock preference.
- No tracking — we do not use advertising or analytics trackers, the Advertising Identifier (IDFA), or cross-app tracking.
10. Children
HyperFlow is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through a prominent notice in the app. The "last updated" date above reflects the current version.
12. Contact
For any question about this policy or to exercise your data rights: [email protected] · Response time: within 30 days · Brussels, Belgium.