TheTrackerApp

Privacy

Privacy Policy

Last Updated: June 1, 2026 Effective Date: June 1, 2026

This policy explains in plain language what TheTrackerApp ("we," "us") collects, how we use it, and the choices you have. Questions? Email support@thetrackerapp.io.

1. Information we collect

We collect only what's needed to run the service:

  • Account identifiers — phone number (for SMS / iMessage / WhatsApp users), email address (optional, captured during text onboarding), username, age (when provided), and account creation timestamps.
  • Workout, nutrition, hydration, and body-measurement logs — anything you text, type, or send via image to the bot, plus values from connected wearables (Pebble, Fitbit, Whoop, Oura, Apple Watch) when you authorize the integration.
  • Subscription & billing metadata — Stripe customer ID, subscription status, plan key, last payment date, next billing date. We never see or store full card numbers — Stripe handles that.
  • Affiliate & community data — referral codes, group memberships, leaderboard opt-in state, and PT/coach relationships.
  • Support & operational logs — message timestamps, parse outcomes, AI invocation traces, and error reports. Used to debug issues and improve reliability.

2. How we use data

We use the data above to:

  • Authenticate you and route messages back to the right account.
  • Parse your logs and render them in the dashboard and weekly snapshots.
  • Process payments (via Stripe) and handle subscription changes.
  • Provide AI-assisted parsing and coaching when you opt in (see Section 4).
  • Surface leaderboards, brackets, and community features when you opt in.
  • Respond to support requests and detect abuse.

3. Sharing & service providers

We share necessary data with the third-party services that power the product. We do not sell personal information. Subprocessors we currently use:

  • Stripe — billing, subscription management, payment processing.
  • Twilio — SMS and WhatsApp delivery (where you've chosen those channels).
  • Apple iMessage / Telegram — message delivery on those networks.
  • Google Gemini — AI parsing of your messages when you opt in (Section 4).
  • Vercel — hosting for the marketing site and dashboard frontend.
  • Cloudflare — DDoS protection and CDN.

We disclose data when legally required (subpoena, court order) and will notify you when permitted to do so.

4. AI processing of your messages

TheTrackerApp uses Google Gemini to parse natural-language messages ("I had a chicken bowl", "deadlifted 315x5", "took 5g creatine") into structured logs. By default this happens automatically. Two important details:

  • Opt-out (EEA / UK): if you're in the EEA, UK, or Switzerland, AI processing is opt-in. You'll see a separate consent checkbox at signup. If you decline, you can still log entries using slash commands (/water 20, /log Bench 3x10 at 185) — those work without AI.
  • What gets sent to Gemini: only the inbound message text. We do not include your full history, identity, or other users' data in the prompt. Gemini responses are not used to train Google's models when called via the paid API tier we use.
  • Image processing (Premium): when you snap a photo of a meal/scale/workout, the image is sent to Gemini Vision for parsing and then deleted from our servers within 24 hours.

5. Data retention

We retain account and product data for as long as your account is active and as long as reasonably necessary to:

  • Operate the service and provide your historical logs.
  • Comply with tax, accounting, and other legal obligations.
  • Resolve disputes and enforce agreements.

On account deletion (Section 7), we delete or anonymize personal data within 30 days, except where retention is legally required (e.g. financial records for 7 years).

6. Security

We use industry-standard safeguards: TLS in transit, encrypted at rest, hashed credentials, least-privilege access, audit logging, and regular dependency updates. No system is perfectly secure, and we don't claim ours is. If you suspect your account was compromised, email support@thetrackerapp.io immediately.

7. Your rights & choices

You can, at any time:

  • Access — request a copy of the data we hold on you.
  • Correct — fix anything inaccurate via the dashboard or by emailing support.
  • Delete — delete your account in-app (Account tab → "Delete account" on iOS / Android, or /delete-account on the web). Deletion is permanent: we revoke all sessions, scrub identifiers, detach Stripe, and disconnect your Google Sheet. We do not unlock or transfer an account where the phone number / confirmed email is no longer accessible — keep these current.
  • Export — download your data via the Export tab in the dashboard.
  • Opt out — pause outbound messages with /stop, resume with /resume.

8. Cookies & analytics

The marketing site uses essential cookies only (e.g. auth session, feature-flag cache). The dashboard uses localStorage for performance reasons (caching prices, supplement lists, etc). We do not use third-party tracking or advertising cookies.

9. Children's data

TheTrackerApp is not directed at children under 13 and we do not knowingly collect data from them. If you believe a child has signed up, contact us and we'll delete their data.

10. International transfers

Our infrastructure is hosted in the United States. If you use the service from outside the US, your data will be transferred to and processed in the US. Where required, we use standard contractual clauses with our subprocessors to safeguard cross-border transfers.

11. California & state-specific rights

California residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, opt-out of sale (we do not sell), and non-discrimination. Other US states with comparable laws (Virginia, Colorado, Connecticut, Utah) extend similar rights. To exercise any of these, email support@thetrackerapp.io with the subject "Privacy Request".

12. Changes to this policy

We'll update the "Last Updated" date at the top whenever we change this policy. For material changes we'll also notify you by message on your primary channel. Continued use of the service after a change means you accept the updated policy.

13. Not medical advice

TheTrackerApp is a fitness and lifestyle tracking product. It is not a medical device, nor a substitute for professional medical, nutritional, or psychological advice, diagnosis, or treatment. Always seek the advice of a qualified physician or other licensed healthcare provider with any questions about a medical condition, dietary needs, supplement use, or fitness program. If you think you are having a medical emergency, call your local emergency number immediately (in the US: 911 or 988 for mental-health crises). Do not rely on TheTrackerApp for emergency communication.

14. Mobile applications (iOS and Android)

Our iOS and Android apps (bundle id io.thetrackerapp.app) are read-only companions to the web dashboard. The following disclosures apply specifically to the mobile apps and supplement everything above.

  • What the apps collect: exactly the same data the web dashboard reads — your phone number / email / username (whichever you signed in with), your workout, calorie, water, weight, and body-fat logs, your subscription status, and your linked Google Sheet URL. The apps do not ask for additional permissions (no location, no contacts, no camera, no microphone, no health-kit integration in v1).
  • On-device storage: after you sign in, the apps store one item locally: your bearer session token, plus a small snapshot of your account profile so screens render before the network responds. On iOS this is stored in the iOS Keychain; on Android in the Android Keystore. Both are encrypted by the operating system and tied to your device unlock. Signing out wipes both immediately.
  • No tracking: the apps do not include third-party analytics SDKs, advertising SDKs, or attribution SDKs. Apple's App Tracking Transparency (ATT) prompt is not shown because we do not track. No data is shared with data brokers or used for advertising on other apps/sites.
  • External browser links: tapping "Manage subscription" opens the Stripe customer-portal URL in an in-app Safari View Controller (iOS) or Custom Tab (Android). Tapping "Open Sheet" opens your Google Sheet URL the same way. These are short-lived URLs scoped to your account; we do not pass any other identifying data to Stripe or Google through these links beyond what the URL contains.
  • Network endpoints: all mobile traffic goes to https://api.thetrackerapp.io over TLS 1.2+, authenticated with a bearer token in the Authorization header. No cookies are used by the apps.
  • Deletion from mobile: the Account tab includes a "Delete account" button that calls DELETE /api/account and permanently deletes your data as described in Section 7. Uninstalling the app alone does not delete your data — you must use the in-app button or /delete-account on the web.
  • Crash reports: v1 ships with no third-party crash reporting. Apple's App Store Connect and Google Play Console show us anonymized crash statistics (device type, OS version, stack trace) that we use to fix bugs; we cannot tie these to individual users.

15. Contact

Privacy questions, data requests, or anything else: support@thetrackerapp.io.

Last Updated: June 1, 2026 · Terms of Service · System Status · Contact support