§ Legal · 01

Privacy Policy

On-device by default. Opt-in everything else. Plain-English by intent.

Effective · Version 1.0

The short version

PassFit counts your reps using on-device pose AI. Your camera feed is processed inside the app and discarded — it never reaches our servers, because we don't have any. The only data that leaves your phone is what a working social and backup feature actually requires, and you control every piece of it.

  • Camera frames — processed in memory, never written to disk, never uploaded.
  • Workout summaries (date, reps, duration, exercise) — sync to your private iCloud account by default. You can turn this off.
  • Profile, friendships, gifts, challenges — stored in our public CloudKit container so the social layer can work. You can delete all of it from inside the app at any time.
  • Pose recordings — kept on-device for thirty days, then auto-deleted. Never uploaded unless you explicitly opt in to the research donation feature (default off).
  • No advertising. No third-party analytics. No data sales. No tracking SDKs.

Who we are

PassFit ("we", "us") is the iOS app that publishes this privacy policy. You can reach us about anything in this document at privacy@passfit.win.

What we collect, and why

1. Stays on your device

  • Camera frames. Pose detection runs inside the app using Apple Vision and MediaPipe. Frames are read from the camera, processed in memory, and discarded. They are not written to disk and are not uploaded.
  • Pose recordings. When you record a set, the per-frame skeleton (33 landmark coordinates) is saved as a JSON file in the app's sandboxed Documents folder. These files are auto-pruned after thirty days regardless of any other setting.
  • App settings. Theme, daily goal, framing-coach state, onboarding progress. Stored in iOS UserDefaults and never leave the device.

2. Syncs to your iCloud (default on, you can turn it off)

Workout summaries — the date, exercise, duration, and rep count of each completed set — are mirrored to your private iCloud database so your history follows you across devices. We can't read your private CloudKit database; only you can. You can disable this sync from Profile → Privacy & data → Sync workout history to iCloud.

The per-set landmark recordings described above never travel through this path. Workout-history sync is summary metadata only.

3. Stored in our shared CloudKit container (the social layer)

So that you can add friends, send rep gifts, and run challenges, the following lives in our public CloudKit container:

  • Your display name and 4-character share code (e.g. PASSFIT-K3X9).
  • Your CloudKit user identifier.
  • Friendship records linking you to the friends you accept.
  • Rep gifts you send or receive (rep count, optional short note, sender, recipient).
  • Challenges you create or participate in (target reps, duration, current counts).
  • Block and report records you create.

We treat these categories as: Name, User ID, Fitness, and Other User Content in our App Store privacy questionnaire — exactly what's declared in the app's PrivacyInfo.xcprivacy manifest.

4. Pose-data donation (default off, explicit consent)

PassFit improves over time when its rep signatures are tested against real bodies doing real exercises. You can choose to donate your anonymized landmark recordings for research. This is opt-in only: we ask once, in a dedicated consent sheet, and nothing is uploaded unless you accept.

If you opt in, each donated recording carries:

  • The 33-point skeleton time-series for that set.
  • The exercise label you assigned.
  • App, engine, and model version stamps.
  • A salted, install-scoped bucket token used to deduplicate uploads. It is not derived from your device UUID, advertising ID, or iCloud user ID, and cannot be reversed back to identify you.
  • The consent version and the date you accepted it.

What is not attached to a donation:

  • Your name, email, profile, friends, share code, or any social record.
  • Your camera image. Pixels are still discarded — the donation contains only the geometry.
  • Your device UUID, IDFA, or any persistent advertising identifier.

You can stop future donations at any time from Profile → Privacy & data. Already-donated recordings remain in the research dataset; if you'd like a specific donation removed, email privacy@passfit.win and we will remove it.

Pose data is biometric data even though it does not include your face. We treat it that way, both in how we ask for consent and in how we store it. If the disclosure ever materially changes, we will re-prompt before uploading any further recordings.

What we never do

  • We do not run third-party analytics SDKs, attribution SDKs, or advertising SDKs.
  • We do not sell, rent, or trade your data.
  • We do not upload your camera frames.
  • We do not scrape your contacts, photo library, calendar, or location.
  • We do not collect or share an advertising identifier (IDFA).

Your control

  • Delete your account. Profile → Delete account cascades across your profile, friendships, sent and received gifts, challenges, and block/report records in a single sweep, and signs you out.
  • Block and report. Any user-visible profile has a context menu with Block and Report. Blocked users disappear from your friend graph immediately.
  • Toggle iCloud sync. Profile → Privacy & data → Sync workout history to iCloud.
  • Toggle pose-data donation. Profile → Privacy & data → Donate pose data for research. Default is off.
  • Withdraw consent. Email privacy@passfit.win to revoke a prior donation consent or to request specific records be removed from the research dataset.

Where data is stored

On-device data lives in the app's iOS sandbox. iCloud-synced data lives in your Apple iCloud account, in the United States or in the region Apple has provisioned for your iCloud. Public CloudKit data lives in our PassFit iCloud container, hosted by Apple.

How long we keep data

  • Pose recordings on your device: 30 days, then auto-deleted.
  • Your private iCloud workout history: as long as you keep it. You can disable sync or delete entries from inside the app.
  • Your social graph (profile, friends, gifts, challenges): until you delete your account.
  • Donated pose recordings (if you opted in): retained for research as long as the dataset is in use, unless you ask us to remove specific records.

Children

PassFit is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, email privacy@passfit.win and we will delete it.

Your legal rights

Depending on where you live, you may have rights under laws like the GDPR (EU/UK), CPRA (California), or BIPA (Illinois): to access the data we hold about you, to correct or delete it, to object to certain processing, and to withdraw consent. To exercise any of these, email privacy@passfit.win. We aim to respond within 30 days.

Changes to this policy

If we change this policy in a way that materially expands what we collect or how we use it, we will update the version and effective date above and notify you in-app. For the pose-data donation specifically, we will re-prompt for consent before uploading any further recordings.

Contact

Privacy questions, requests, or removals: privacy@passfit.win.
General support: hello@passfit.win.