§ Legal·Document 01·Rev. 2026-04

Privacy,
in plain
english.

Effective
April 19, 2026
Jurisdiction
Global · GDPR · CCPA
Reading time
~5 minutes
Contact
support@liftmaxapp.com
§ 01

The short version

TL;DR

We collect what we need to run the app — your lifts, your macros, your rank. We do not sell your data. We do not run ads. We never train AI models on your personal data. You can export or delete everything, any time.

This document explains exactly what LiftMax collects, why, who we share it with, and how to make it disappear. If something here is unclear, email us — we will rewrite it.

§ 02

What we collect

Account

  • Email address — for login and account recovery
  • Username — displayed on leaderboards and to friends
  • Profile photo — optional, stored securely
  • Custom profile colors and biography — optional

Training & Health Data

  • Workout logs: exercise, sets, reps, weight, RPE
  • Personal records and strength rank history
  • Body stats: height, weight, age, gender — used for calorie and BMR estimates only
  • Calorie and macro entries from manual input or AI analysis
  • Step count — only if you explicitly grant permission

Social

  • Friend connections, follows, likes, and comments
  • Shared workouts and posts

Technical

  • Device model and OS version
  • Anonymous usage statistics and crash reports — no personal data attached

Health data note: Workout logs, calorie data, and body measurements are treated as sensitive personal data. This data is never shared with third parties for advertising or profiling, and is used solely to provide app functionality.

§ 03

How we use it

  • To run your account and keep you logged in
  • To compute XP, promote ranks, and render your profile
  • To calculate personalized metrics: BMR, TDEE, calorie targets, strength ranks
  • To power friend feeds, leaderboards, and social features
  • To run AI calorie estimates on meal descriptions and photos
  • To process premium subscriptions and manage entitlements
  • To detect and prevent fraud, abuse, and unauthorized access
  • To diagnose crashes and ship fixes
  • To comply with applicable legal obligations

We do not sell your data. We do not share it with advertisers. We do not use it to train third-party AI models.

§ 04

Legal basis
for processing

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases under GDPR:

  • Contract performance — To deliver the core features of the Service you signed up for
  • Legitimate interests — App security, fraud prevention, crash diagnostics, and service improvement
  • Consent — Analytics tracking and marketing communications. You may withdraw consent at any time with no effect on prior processing
  • Legal obligation — To comply with applicable laws and regulations
§ 05

Third parties

We do not sell your data. We share information only with the following processors, solely to operate the Service:

Firebase (Google)
Authentication, cloud database (Firestore), file storage, and push notifications. Google is certified under the EU–U.S. Data Privacy Framework.
Encrypted
RevenueCat
Premium subscription billing and entitlement management. Receives anonymized purchase event data only — no personal profile data.
Anonymized
Anthropic (Claude)
AI-powered food photo and text analysis. Submissions are anonymous, not linked to your account, and deleted immediately after the response is returned. Never used for model training.
Anonymous · Deleted
Apple / Google
Install and purchase metrics per their own platform privacy policies. We receive only aggregated, anonymous numbers.
Aggregated only
Legal authorities
We may disclose data if required by law, court order, or governmental authority. We will notify you where permitted by law.
If required
§ 06

International transfers

Your data may be transferred to and processed in the United States, where our service providers (Firebase, RevenueCat, Anthropic) operate their infrastructure.

We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission, consistent with GDPR Chapter V. Firebase (Google) is additionally certified under the EU–U.S. Data Privacy Framework.

§ 07

Data retention

  • Your data is retained for as long as your account is active
  • If you delete your account, all personal data is permanently deleted within 30 days
  • Anonymized, aggregated analytics data may be retained indefinitely as it cannot identify you
  • Certain records may be retained longer where required by applicable law or for fraud prevention
  • Food photos submitted for AI analysis are deleted immediately after the response is returned — they are never stored

You can export all your data before deletion: Profile → Settings → Data → Export.

§ 08

Security

  • All traffic is encrypted in transit using TLS 1.3
  • Data at rest is stored within Google Firebase with infrastructure-level encryption
  • Passwords are hashed by Firebase Authentication — never stored in plain text
  • Access to your data is controlled by Firestore security rules and role-based authorization
  • Profile photos and media are stored in Firebase Storage with strict access controls

If you discover a security vulnerability, please report it to support@liftmaxapp.com. We respond within 24 hours.

§ 09

Children's privacy

LiftMax is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a user is under 13, we will immediately delete their account and all associated data.

If you believe we have inadvertently collected information from a child under 13, contact us immediately at support@liftmaxapp.com.

For users between 13 and 17, parental or guardian consent may be required depending on your jurisdiction.

Compliant with COPPA (U.S.) and applicable child protection laws.

§ 10

Your rights

All users

Right to
Access
Request a copy of all personal data we hold about you.
Right to
Correct
Fix any inaccurate or incomplete data in your profile.
Right to
Delete
Wipe your account and all personal data within 30 days.
Right to
Export
Download your training history as JSON or CSV — one tap.

EEA / UK users — GDPR

  • Restriction — Request that we restrict processing of your data in certain circumstances
  • Objection — Object to processing based on legitimate interests
  • Withdraw consent — Withdraw consent at any time without affecting prior lawfulness
  • Lodge a complaint — Complain to your local data protection authority. EU residents: edpb.europa.eu

California users — CCPA

  • Know — The right to know what personal data we collect and why
  • Delete — The right to request deletion of your personal data
  • Opt-out of sale — We do not sell your personal data to any third party
  • Non-discrimination — We will never treat you differently for exercising your rights

Most controls live inside the app under Profile → Settings → Data. For anything else, email support@liftmaxapp.com. We respond within 30 days at no charge.

§ 11

Our pledge

01
No sale
We will never sell, rent, or broker your personal data to third parties — not to advertisers, data brokers, or anyone else.
02
No ads
LiftMax will never display advertisements inside the app. Your data will never be used for ad targeting.
03
Your exit
Delete your account and everything goes within 30 days. Export first if you want a backup — it is one tap.
§ 12

Contact

Questions, complaints, data requests — one inbox, real humans. We respond to all privacy requests within 30 days at no charge.

Privacy inquiries
Write to us →
General support
Write to us →

This policy may be updated periodically. Material changes will be communicated via in-app notification before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.