Privacy Policy
Last updated: April 23, 2026
Summary
Momentum Fitness is a training, nutrition, and recovery app. We collect only what the app needs to function, store it in your own account, and don't sell, rent, or share it with advertisers. There are no third-party analytics or ad SDKs in the app.
What we collect
- Account — email address, username, and a securely hashed password managed by our auth provider (Supabase).
- Profile — optional fields you provide: height, age, gender, date of birth, starting weight, goal weight, profile settings.
- Training data — workouts, exercises, sets, reps, weights, and durations you log.
- Nutrition data — food entries, macros and micronutrients, meal times, and custom foods you create.
- Body metrics — weight, body fat, and body measurements you log.
- Supplement logs — water, creatine, and other supplement entries.
- Social — friend connections you initiate, activity feed items, reactions, and nudges.
- AI Coach chats — messages you send to the AI Coach and the AI's replies are saved to your account so history persists across devices.
- Push token — if you enable notifications, an Expo push token is stored so we can deliver reminders and social notifications.
Device permissions
- Camera — used only when you open the barcode scanner to look up a food. No images are saved or sent to our servers.
- Apple Health — if you grant access, the app reads steps, active energy, and heart rate to display your daily activity. This data stays on your device unless you explicitly log something derived from it.
- Notifications — optional; used for rest-timer reminders, friend activity, and AI Coach responses.
How your data is used
- To display your own data back to you — workouts, stats, charts, progress over time.
- To power the AI Coach: when you send a chat message, we send your message along with a summary of your recent workouts and profile to Google Gemini via our own server. We don't send your email, name, or friends' data.
- To look up barcoded foods via public nutrition APIs (Open Food Facts, USDA FoodData Central). These APIs see only the barcode you scanned, not who you are.
- To show friend activity to you (and your activity to the friends you've added).
Who we share data with
We use a small number of service providers to operate the app. None of them receive your data for their own advertising purposes.
- Supabase — hosts the database and handles authentication. All of your data is stored there under your user account.
- Google Gemini API — processes AI Coach requests. Queries include your workout context and the message you typed. Google's data-use terms apply to API traffic.
- Open Food Facts & USDA — public nutrition databases used for barcode lookups. They see only the barcode.
- Expo Push Service — delivers push notifications to your device token.
- Apple — App Store Connect for distribution; Apple Health for on-device health data. Apple does not receive your training or nutrition data from us.
What we don't do
- No third-party analytics (Firebase Analytics, Mixpanel, etc.).
- No advertising SDKs or ad tracking.
- No selling, renting, or trading of user data.
- No data sharing for cross-app tracking.
Security
- All network traffic uses HTTPS/TLS.
- Passwords are hashed by Supabase Auth — we never see them in plaintext.
- Database access is gated by Row-Level Security policies: each user can only read and write their own rows.
- Your session token is stored in the device's secure keychain (iOS) / Keystore (Android) via expo-secure-store.
Your rights
- Access — the app shows you everything we store about your account. For an export, email us.
- Deletion — you can delete your account from the app's profile settings. This removes your profile, workouts, nutrition, body metrics, AI chats, and social connections.
- Revoke Health access — iOS Settings → Privacy → Health → Momentum.
- Turn off notifications — iOS/Android system settings or inside the app's profile.
Children
Momentum Fitness is not intended for users under 13 years old. We don't knowingly collect personal information from children. If you believe we've received data from a child, contact us and we will delete it.
International users
Data is stored on Supabase servers. By using the app you consent to your data being processed in the region where those servers are hosted. We honour deletion and access requests regardless of region.
Changes to this policy
We'll update this page and change the "Last updated" date above when anything material changes. For significant changes that affect how your data is used, we'll notify you in-app before the change takes effect.
Contact
Questions, requests, or concerns: bevan.shajan@flinders.edu.au