Calilog Privacy Policy

Last updated: May 2026 · Version 1

This Privacy Policy explains what personal data Calilog ("we", "us", "Calilog") collects when you use the Calilog mobile application and related services (the "Service"), why we collect it, how it's stored and shared, and the rights you have over it. By using the Service you consent to the practices described below.

1. Who runs Calilog

Calilog is operated by Nordic Bytes AB (org. no. 559048-9406), a company registered in Sweden. Nordic Bytes AB is the data controller for the personal data described in this Policy. To exercise the rights described in section 9 or for any privacy-related question, email support@calilog.com.

2. Data we collect

We deliberately collect as little as we can while still running the Service. Concretely:

• ›Account data. Your email address, optional display name, optional birth year, optional gender, optional avatar image, and optional unit-system preference. This is set up the first time you sign in and is editable from Settings.
• ›Authentication identifiers. When you sign in with Apple, the Apple-relayed email or unique identifier issued by Apple. We do not receive your full Apple ID password or any biometric data.
• ›Training journal. The workouts, sets, exercises, routines, sessions, and challenge runs you record. This is the core of the Service and the reason most users sign up.
• ›Instruction and form videos. Videos you record or upload to attach to exercises. These are stored in our cloud storage so they can sync between your devices and (if you publish them) become visible to other users.
• ›Subscription state. Your current tier (Free, Pro, Coach), trial start/expiry dates, and the platform that issued the subscription (Apple or Google). Calilog never sees your card or bank details — those are handled by Apple or Google directly.
• ›Push token. If you enable notifications, the device push token issued by Apple Push Notification Service or Firebase Cloud Messaging. We use it solely to send you notifications you've opted into (rest timer, streak reminder, challenge reminder).
• ›Diagnostic crash data. If you experience a crash and have not opted out, anonymised stack traces are sent to our error-reporting tool (Sentry) so we can fix the bug. Crash reports do not include your training data.

We do not collect:

• ›Advertising identifiers (IDFA / GAID).
• ›Cross-app or cross-website tracking data.
• ›Health Kit, Google Fit, or wearable-device data.
• ›Your contacts, calendar, or location.

3. Why we collect it

• ›To operate your account and the Service (training journal, sync, sharing).
• ›To process subscriptions through Apple and Google.
• ›To send notifications you've opted into.
• ›To respond to support requests and content reports.
• ›To detect, investigate, and prevent abuse, fraud, and security incidents.
• ›To comply with legal obligations.

The legal basis for processing under EU/UK GDPR is contract performance for everything tied to running your account, and legitimate interest for fraud prevention and crash reporting. You can opt out of crash reporting in Settings.

4. Who we share it with

We use a small number of third-party processors. We share only the minimum necessary for them to do their job, under data-processing agreements that bind them to use the data only to deliver the service to us.

• ›Supabase (PostgreSQL database, authentication, storage). Hosts the Calilog backend. Region: EU.
• ›Apple Inc. and Google LLC (in-app purchase processing). They handle billing for subscriptions; we receive only the receipt and entitlement state.
• ›RevenueCat (subscription management). Receives a hashed user identifier and the subscription event payload; bridges Apple/Google receipts into our entitlement model.
• ›Resend (transactional email). Used to email you support replies and to email our internal support inbox when content reports come in.
• ›Sentry (error reporting). Receives anonymised crash stack traces from devices that have crash reporting enabled.

We do not sell or rent your personal data to anyone, ever. We do not share your data with advertisers.

5. How long we keep it

• ›Account data and training journal. Kept for as long as your account exists. When you delete your account from Settings → Delete account, this data is purged from our active database within 24 hours and from backups within 30 days.
• ›Subscription history. Apple and Google retain billing history independently of us. We retain entitlement records as long as your account exists.
• ›Content reports. Kept indefinitely on a moderation log so we can detect abuse patterns. Personally identifiable information in content reports may be redacted upon account deletion.
• ›Crash reports. Anonymised, retained for 90 days, then purged automatically.

6. Where it's stored

Calilog data is stored on Supabase infrastructure in the European Union. Some processors (Apple, Google, RevenueCat, Sentry) operate globally; data routed through them may be processed in the United States or other regions. All cross-border transfers rely on Standard Contractual Clauses or equivalent safeguards.

7. Children

Calilog is not intended for children under 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has created an account, email support@calilog.com and we will delete it.

8. Cookies and tracking

The mobile app does not use cookies. The Calilog website (calilog.com) is a static marketing site and does not set tracking cookies; it stores only a theme preference in localStorage if you toggle dark mode. We do not run cross-site analytics.

9. Your rights

Depending on your jurisdiction (notably the EU/UK under GDPR and California under CCPA), you have the following rights:

• ›Access — request a copy of the personal data we hold about you.
• ›Correction — ask us to fix data that is inaccurate.
• ›Deletion — delete your account and all associated data. You can do this yourself in-app from Settings → Delete account; alternatively email us.
• ›Portability — request an export of your training journal in a machine-readable format. Email us and we'll send a JSON archive within 30 days.
• ›Objection — object to processing for legitimate-interest reasons. We'll consider the request and either honour it or explain why we can't.
• ›Withdraw consent — for processing based on consent (notifications, crash reporting), opt out from the relevant Settings section any time.

Exercise these rights by emailing support@calilog.com.

10. Security

We follow industry-standard practices: TLS for transport, RLS-protected database access on Supabase, encryption at rest in Supabase storage, scoped service-role access for backend functions, and two-factor authentication on all administrator accounts. No system is perfectly secure; if we discover a breach affecting your data we will notify you and the relevant authorities as required by law.

11. Changes to this Policy

We will update this Policy from time to time. Material changes are surfaced inside the app via a re-acceptance prompt the next time you open it. The "Last updated" date at the top reflects the most recent revision.

12. Contact

Questions, complaints, or rights requests? Email support@calilog.com. If you are in the EU/UK and are not satisfied with our response, you have the right to lodge a complaint with your local data-protection authority.