# Privacy Policy
**Last updated: April 24, 2026**
YallaGym ("we", "our", "the app") is a social gym accountability app for small friend groups. This policy explains what personal data we collect, why, how we protect it, and your rights.
If you have any questions, contact us at **[email protected]**.
---
## 1. Who we are
YallaGym is operated by Shachar (Individual Apple Developer, Team ID `3UZ5NB7ZYC`), acting as the data controller for the purposes of GDPR and comparable privacy laws.
## 2. What we collect
We collect only the data necessary to run the service.
| Data | Source | Purpose | Required? |
|---|---|---|---|
| **Phone number** | You, at sign-in | Account identity + OTP login | Yes |
| **Display name** | You, during onboarding | Show who posted in your group | Yes |
| **Profile photo (optional)** | You | Avatar in feed and leaderboard | No |
| **Check-in photos** | You, via camera or gallery | The core "I went to the gym" post shared with your group | Per post |
| **Group membership & activity** | Derived from app use | Feed, leaderboard, streaks, points | Yes |
| **Push notification token** | Generated by your device | Deliver group activity alerts | Optional (you can disable push) |
| **Device metadata** | Generated automatically | Crash diagnostics, notification delivery — does **not** include contact list, precise location, or advertising identifiers | Automatic |
We do **not** collect: your contacts, precise location, advertising IDs, browsing history, health/fitness sensors, or any data used for third-party advertising.
## 3. How we use your data
- **Provide the service**: authenticate you, show your group's feed and leaderboard, deliver notifications.
- **Generate group-tone messages**: big-moment copy (e.g. weekly recap) is generated by our server using Anthropic's Claude API based on group activity counters. Personal identifiers (phone, photos, names) are **not** sent to Anthropic — only anonymized group event data.
- **Protect the service**: detect abuse, prevent spam, debug crashes.
We do **not** sell your data, do **not** share it with advertisers, and do **not** use it to build cross-app profiles.
## 4. Who processes your data on our behalf
We use the following sub-processors, each bound by their own terms and data-protection agreements:
- **Supabase, Inc.** — hosts our database, authentication, storage (photos), and realtime services. Data is stored in Supabase's production region.
- **Apple Push Notification service (APNs)** and **Firebase Cloud Messaging (FCM)** — deliver push notifications to your device.
- **Anthropic, PBC** — processes anonymized group event metadata to generate flavor-text copy via the Claude API. No personally identifiable data is sent.
- **Expo / EAS** — build and delivery infrastructure; receives crash reports if you opt in.
## 5. Legal basis (GDPR)
We process your data based on: (a) **contract** — we need this data to provide the service you signed up for; (b) **consent** — for optional features like push notifications and photo uploads; (c) **legitimate interests** — preventing abuse and debugging crashes.
## 6. Retention
- **Account data** (phone, profile, group membership): retained while your account is active. Deleted within 30 days of account deletion.
- **Check-in photos**: retained until you delete the post or delete your account.
- **Push tokens**: deleted when you disable notifications or uninstall the app.
- **Crash logs**: retained for up to 90 days.
## 7. Your rights
Under GDPR, the CCPA, Israel's Privacy Protection Law, and similar frameworks, you have the right to:
- **Access** the data we hold about you.
- **Correct** inaccurate data.
- **Delete** your account and associated data.
- **Export** your data in a machine-readable format.
- **Object** to processing or withdraw consent.
To exercise any of these rights, email **[email protected]** from the phone number associated with your account. We respond within 30 days.
In-app, you can delete your account at any time from the Profile screen. Account deletion is permanent and cannot be undone.
## 8. Children
YallaGym is not intended for children under 13 (under 16 in the EU). We do not knowingly collect data from children. If we learn that a child has created an account, we will delete it.
## 9. Security
Data is encrypted in transit (HTTPS/TLS 1.2+) and at rest on Supabase's managed infrastructure. Access is restricted to the minimum necessary for operating the service. You are responsible for keeping your phone and OTP codes secure.
No system is perfectly secure. If a breach occurs, we will notify affected users and the relevant authorities within the timeframes required by law.
## 10. International transfers
Your data may be processed in countries outside your own (for example, Supabase regions in the US or EU). We rely on standard contractual clauses and the sub-processors' privacy frameworks to ensure equivalent protection.
## 11. Changes to this policy
We may update this policy as the service evolves. Material changes will be announced in-app or via push notification at least 14 days before taking effect. The "Last updated" date at the top always reflects the current version.
## 12. Contact
Questions, complaints, or data requests: **[email protected]**
You also have the right to lodge a complaint with your local data-protection authority (in Israel: the Privacy Protection Authority; in the EU: your national DPA).