Back

Privacy Policy

Last updated: June 8, 2026 · Effective: June 8, 2026

1. Who we are

Alto Athletics ("Alto Athletics," "we," "us," or "our") provides a mobile and web fitness, nutrition, and habit-tracking application (the "Service"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use the Service, our website, or interact with us.

Data controller / business: Alto Athletics
Contact: support@altoathletics.app
Privacy inquiries: privacy@altoathletics.app

If you are an EEA/UK user and require an EU/UK representative under the GDPR, please contact us at the address above and we will provide the most current designated representative.

2. Information we collect

Information you provide

  • Account data: email address, password (hashed), optional username and display name.
  • Profile and onboarding data: age, height, weight, sex (if provided), training experience, training frequency, goals, and dietary preferences.
  • Activity data: workouts, exercises, sets, reps, weights, run/cardio sessions, recovery status, nutrition logs, habits, notes, and photos you upload.
  • Social data: friend connections, direct messages, kudos, challenge participation, and feed posts you choose to share.
  • Support data: messages you send us and chat transcripts with our in-app help assistant.

Information collected automatically

  • Device and usage data: device type, OS version, app version, IP address, language, time zone, crash logs, and basic analytics events (screen views, feature usage).
  • Cookies and similar technologies: on the web app, strictly necessary cookies for authentication and session management. We do not use advertising cookies.

Information from third parties

  • Sign-in providers: if you choose to sign in with Apple or Google, we receive the limited profile information you authorize (typically email and a unique identifier; Sign in with Apple may provide a private relay email).
  • Payment processors: if and when paid features are offered, our processor (e.g., Apple App Store, Google Play, or Stripe) sends us a transaction confirmation and limited subscription metadata. We do not receive or store your full card number.

3. How we use your information

  • Provide, operate, and personalize the Service (recommended splits, recovery timers, progress charts, AI-generated nudges).
  • Authenticate you and secure your account.
  • Enable social features you opt into (friends, messages, challenges).
  • Process payments and manage subscriptions.
  • Provide customer support and respond to your requests.
  • Detect, prevent, and address fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our Terms.
  • Send transactional communications (e.g., password resets, account notices). We do not send marketing email without your consent.

We do not sell your personal information, and we do not use your data for cross-context behavioral advertising.

4. Legal bases for processing (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, we process your personal data on these legal bases:

  • Performance of a contract — to provide the Service you signed up for.
  • Consent — for optional features such as health-related data entry, push notifications, and AI-powered features. You may withdraw consent at any time.
  • Legitimate interests — to secure the Service, prevent abuse, and improve features, balanced against your rights.
  • Legal obligation — to comply with applicable laws, tax, and accounting requirements.

5. Sharing and disclosure

We share personal information only as described below:

  • With other users, only what you choose to share: your username and display name, friend requests, challenge results posted to the feed, and direct messages you send to friends.
  • Service providers (processors) acting on our instructions — see Section 6.
  • Legal and safety — to comply with law, valid legal process, or to protect rights, safety, and the integrity of the Service.
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.
  • With your consent — for any other purpose disclosed at the time of collection.

6. Third-party service providers

We rely on the following sub-processors and platforms to operate the Service. Each is bound by contractual data-protection obligations:

  • Supabase — database, authentication, file storage, and realtime messaging infrastructure. Data may be stored in the United States and other regions where Supabase operates.
  • Cloudflare — content delivery, edge compute, and DDoS protection.
  • Apple Sign In — optional authentication (subject to Apple's privacy policy).
  • Google Sign In — optional authentication where enabled (subject to Google's privacy policy).
  • Apple App Store / Google Play — app distribution and, where applicable, in-app purchase and subscription processing.
  • Stripe — payment processing for web-based subscriptions and one-time purchases, where offered. Stripe is a PCI-DSS compliant processor; payment card data is sent directly to Stripe and is not stored on our servers. See stripe.com/privacy.
  • AI model providers — Google (Gemini) and OpenAI (GPT) models, accessed via the Lovable AI Gateway, power optional features such as help chat and AI nudges. Prompts and necessary context may be sent to these providers solely to generate a response; we do not authorize them to train on your data.
  • Email delivery — transactional email provider used for account verification, password resets, and service notices.

7. Payment processing

When you purchase a subscription or other paid feature, payment is processed by Apple (in-app purchase on iOS), Google (in-app purchase on Android), or Stripe (web). Payment card details and bank information are submitted directly to the payment processor and are never stored on our servers. We receive only confirmation of the transaction, the subscription product and status, the last four digits and brand of the card (from Stripe only, where applicable), and billing country. Refunds for App Store and Google Play purchases are handled by Apple and Google respectively.

8. International data transfers

We and our service providers operate globally. Your personal data may be transferred to, stored in, and processed in countries other than your country of residence, including the United States. Where required, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK Addendum.

9. Data retention

We retain personal data only as long as necessary for the purposes described in this Policy:

  • Account and profile data — for as long as your account is active.
  • Activity logs (workouts, nutrition, recovery) — for as long as your account is active, so you can review your history.
  • Direct messages — until deleted by you or the recipient, or until your account is deleted.
  • Support correspondence — up to 24 months after the last interaction.
  • Payment and tax records — for the period required by applicable tax and accounting law (typically 7 years).
  • Server, security, and crash logs — typically up to 90 days, unless needed longer to investigate an incident.
  • Deleted accounts — when you delete your account, your profile, activity logs, messages, friendships, challenge progress, and saved splits are erased immediately from active systems. Encrypted backups are overwritten within 30 days.

10. Security

We implement administrative, technical, and organizational measures designed to protect personal data, including encryption in transit (TLS) and at rest, hashed passwords, row-level security in our database, access controls, optional multi-factor authentication, and audit logging. No method of transmission or storage is 100% secure; you are responsible for keeping your account credentials confidential.

11. Your privacy rights

Depending on where you live, you may have the following rights:

EEA, UK, and Switzerland (GDPR / UK GDPR)

  • Access, correct, or delete your personal data.
  • Restrict or object to processing, including processing based on legitimate interests.
  • Data portability — receive a machine-readable copy of data you provided.
  • Withdraw consent at any time where processing is based on consent.
  • Lodge a complaint with your local supervisory authority.

California (CCPA / CPRA)

  • Right to know what personal information we collect, use, and disclose.
  • Right to delete personal information we hold about you.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information.
  • Right to non-discrimination for exercising your rights.
  • Right to opt out of "sale" or "sharing" — we do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we do not knowingly process personal information of consumers under 16 for such purposes.

Other US states (Virginia, Colorado, Connecticut, Utah, Texas, and others)

You have analogous rights to access, correct, delete, and obtain a portable copy of your data, and to opt out of targeted advertising and profiling. We do not engage in targeted advertising.

To exercise any of these rights, email us at privacy@altoathletics.app or use the in-app Delete account flow. We will verify your identity before responding and reply within the time required by applicable law (typically 30–45 days). You may use an authorized agent where the law permits.

12. Children's privacy

The Service is not directed to children under 13 (or under 16 in the EEA/UK), and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, please contact privacy@altoathletics.app and we will delete the information promptly. Users aged 13–17 (or the equivalent local age of digital consent) should use the Service only with the involvement of a parent or guardian. The Service is rated accordingly in the Apple App Store.

13. Health and fitness data

Alto Athletics is a general consumer fitness app. It is not a medical device, electronic health record, or HIPAA-covered service. The health-related information you enter (weight, training volume, nutrition) is used solely to power the features you opted into. Do not rely on the Service for medical advice; consult a qualified professional for medical decisions.

14. Apple App Store disclosures

Consistent with Apple's App Privacy guidelines, the data types we collect, how they are used, and whether they are linked to your identity are disclosed on the Service's App Store product page. Sign in with Apple is offered where any third-party sign-in is offered. If you use Sign in with Apple's private relay email, we will communicate with you through the relay address.

15. Push notifications and tracking

With your permission, we send push notifications for workout reminders, social updates, and challenge events. You can disable them at any time in your device settings. We do not use the iOS IDFA, do not engage in cross-app tracking, and do not request App Tracking Transparency permission.

16. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you in-app or by email. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

17. Contact us

Questions, requests, or complaints about this Policy or our data practices? Contact:

Alto Athletics
Privacy: privacy@altoathletics.app
Support: support@altoathletics.app