§ Legal·Document 01·Rev. 2026-04

Privacy,
in plain
english.

Effective
April 19, 2026
Jurisdiction
Global · GDPR · CCPA
Reading time
~5 minutes
Contact
support@getliftmax.app
§ 01

The short version

TL;DR

We collect what we need to run the app — your lifts, your macros, your rank. We do not sell your data. We never train AI models on your personal data. Free users see ads via Google AdMob; premium subscribers do not. You can export or delete everything, any time.

This document explains exactly what LiftMax collects, why, who we share it with, and how to make it disappear. If something here is unclear, email us — we will rewrite it.

§ 02

What we collect

Account

  • Email address — for login and account recovery
  • Username — displayed on leaderboards and to friends
  • Profile photo — optional, stored securely
  • Custom profile colors and biography — optional

Training & Health Data

  • Workout logs: exercise, sets, reps, weight, RPE
  • Personal records and strength rank history
  • Body stats: height, weight, age, gender — used for calorie and BMR estimates only
  • Calorie and macro entries from manual input or AI analysis
  • Step count — only if you explicitly grant permission

Social

  • Friend connections, follows, likes, and comments
  • Shared workouts and posts

Technical

  • Device model and OS version
  • Anonymous usage statistics and crash reports — no personal data attached

Health data note: Workout logs, calorie data, and body measurements are treated as sensitive personal data. This data is never shared with third parties for advertising or profiling, and is used solely to provide app functionality.

§ 03

How we use it

  • To run your account and keep you logged in
  • To compute XP, promote ranks, and render your profile
  • To calculate personalized metrics: BMR, TDEE, calorie targets, strength ranks
  • To power friend feeds, leaderboards, and social features
  • To run AI calorie estimates on meal descriptions and photos
  • To process premium subscriptions and manage entitlements
  • To detect and prevent fraud, abuse, and unauthorized access
  • To diagnose crashes and ship fixes
  • To comply with applicable legal obligations

We do not sell your data. We do not use your personal health or training data for ad targeting. We do not use it to train third-party AI models. Free users see ads served by Google AdMob — see §5b for details.

§ 04

Legal basis
for processing

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases under GDPR:

  • Contract performance — To deliver the core features of the Service you signed up for
  • Legitimate interests — App security, fraud prevention, crash diagnostics, and service improvement
  • Consent — Analytics tracking and marketing communications. You may withdraw consent at any time with no effect on prior processing
  • Legal obligation — To comply with applicable laws and regulations
§ 05

Third parties

We do not sell your data. We share information only with the following processors, solely to operate the Service:

Firebase (Google)
Authentication, cloud database (Firestore), file storage, and push notifications. Google is certified under the EU–U.S. Data Privacy Framework.
Encrypted
Google AdMob
Advertising for free-tier users. May collect Advertising Identifier (IDFA/AAID), approximate IP-derived location, device info, and ad interaction data. Premium subscribers are not shown ads. See §5b for full details and opt-out instructions.
Free tier only
RevenueCat
Premium subscription billing and entitlement management. Receives anonymized purchase event data only — no personal profile data.
Anonymized
Anthropic (Claude)
AI-powered food photo and text analysis. Submissions are anonymous, not linked to your account, and deleted immediately after the response is returned. Never used for model training.
Anonymous · Deleted
Apple / Google
Install and purchase metrics per their own platform privacy policies. We receive only aggregated, anonymous numbers.
Aggregated only
Legal authorities
We may disclose data if required by law, court order, or governmental authority. We will notify you where permitted by law.
If required
§ 5b

Advertising
AdMob

ATT

On iOS, Apple's App Tracking Transparency framework will ask whether to allow tracking before any personalized ad is shown. If you decline, you will still see ads — they just won't be personalized. Premium subscribers do not see any advertisements.

LiftMax displays advertisements to free-tier users through Google AdMob. To deliver and measure ads, AdMob and its partners may collect and process the following data:

  • Advertising Identifier — IDFA on iOS, AAID on Android — used to serve and measure personalized ads
  • Approximate location — derived from IP address only, not precise GPS
  • Device information — model, OS version, language settings
  • Ad interaction data — views, clicks, and conversion events

Opt-out of personalized advertising

  • iOS — Settings → Privacy & Security → Tracking → disable "Allow Apps to Request to Track"
  • Android — Settings → Google → Ads → "Opt out of Ads Personalization"
  • Premium upgrade — subscribing to LiftMax Premium removes all advertisements entirely

Tracking technologies

AdMob uses device identifiers (IDFA/AAID) functionally similar to cookies to deliver and measure ads. These can be managed or reset through your device's operating system settings at any time.

For information on how Google processes this data, see Google's Privacy Policy.

§ 06

International transfers

Your data may be transferred to and processed in the United States, where our service providers (Firebase, RevenueCat, Anthropic) operate their infrastructure.

We ensure appropriate safeguards through Standard Contractual Clauses (SCCs) approved by the European Commission, consistent with GDPR Chapter V. Firebase (Google) is additionally certified under the EU–U.S. Data Privacy Framework.

§ 07

Data retention

  • Your data is retained for as long as your account is active
  • Your account, profile, posts, comments, photos, and personal data are deleted immediately upon request. Firebase infrastructure backups are purged within 30 days as part of standard data lifecycle
  • Anonymized, aggregated analytics data may be retained indefinitely as it cannot identify you
  • Certain records may be retained longer where required by applicable law or for fraud prevention
  • Food photos submitted for AI analysis are deleted immediately after the response is returned — they are never stored

You can export all your data before deletion: Profile → Settings → Privacy & Legal → Export.

§ 08

Security

  • All traffic is encrypted in transit using TLS 1.3
  • Data at rest is stored within Google Firebase with infrastructure-level encryption
  • Passwords are hashed by Firebase Authentication — never stored in plain text
  • Access to your data is controlled by Firestore security rules and role-based authorization
  • Profile photos and media are stored in Firebase Storage with strict access controls

If you discover a security vulnerability, please report it to support@getliftmax.app. We respond within 24 hours.

§ 09

Children's privacy

LiftMax is not directed to children under the age of 13 (or 16 in the European Union). We do not knowingly collect personal information from children under 13. If we become aware that a user is under 13, we will immediately delete their account and all associated data.

If you believe we have inadvertently collected information from a child under 13, contact us immediately at support@getliftmax.app.

For users between 13 and 17, parental or guardian consent may be required depending on your jurisdiction.

AdMob advertisements served within the app are configured as non-child-directed and are filtered accordingly.

Compliant with COPPA (U.S.), GDPR-K (EU), and applicable child protection laws.

§ 10

Your rights

All users

Right to
Access
Request a copy of all personal data we hold about you.
Right to
Correct
Fix any inaccurate or incomplete data in your profile.
Right to
Delete
Wipe your account and all personal data within 30 days.
Right to
Export
Download your training history as JSON or CSV — one tap.

EEA / UK users — GDPR

  • Restriction — Request that we restrict processing of your data in certain circumstances
  • Objection — Object to processing based on legitimate interests
  • Withdraw consent — Withdraw consent at any time without affecting prior lawfulness, including consent for personalized advertising
  • Lodge a complaint — Complain to your local data protection authority. EU residents: edpb.europa.eu

California users — CCPA

  • Know — The right to know what personal data we collect and why
  • Delete — The right to request deletion of your personal data
  • Opt-out of sale — We do not sell your personal data to any third party
  • Non-discrimination — We will never treat you differently for exercising your rights

Most controls live inside the app under Profile → Settings → Privacy & Legal. For anything else, email support@getliftmax.app. We respond within 30 days at no charge.

§ 11

Our pledge

01
No sale
We will never sell, rent, or broker your personal data to third parties — not to advertisers, data brokers, or anyone else.
02
No profiling
Your health and training data is never used for ad profiling or targeting. Free users see non-intrusive ads via AdMob. Premium subscribers get a fully ad-free experience.
03
Your exit
Delete your account and everything goes within 30 days. Export first if you want a backup — it is one tap.
§ 12

Contact

Questions, complaints, data requests — one inbox, real humans. We respond to all privacy requests within 30 days at no charge.

Privacy inquiries
Write to us →
General support
Write to us →

This policy may be updated periodically. Material changes will be communicated via in-app notification before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.