BigZ — Savickas Strength System
Privacy Policy
We collect what we need to coach you. Nothing more.
Effective Date: May 19, 2026 — Last Updated: May 5, 2026
1. Who We Are
BigZ ("BigZ," "we," "us," or "our") is a strength training application designed for serious powerlifting and strongman athletes. BigZ is operated by Metalab, a company incorporated in Estonia, and the entity responsible for your data under this Privacy Policy.
For privacy-related inquiries: support@bigz.training
Website: https://bigz.training
2. Scope
This Privacy Policy applies to:
- The BigZ mobile application (iOS and Android)
- The BigZ website at https://bigz.training
- Any related services, features, or communications
By creating an account or using BigZ, you acknowledge that you have read and understood this Privacy Policy.
3. Data We Collect
3.1 Account & Identity Data
- Email address
- Name or display name
- Profile photo (optional)
- Account creation date
Purpose: To create and manage your account, authenticate your identity, and enable personalized features.
3.2 Physical & Demographic Data
- Age and date of birth
- Biological sex / gender
- Bodyweight and height
- Weight class (if applicable)
Purpose: To calculate training loads, percentages, and recommendations accurately relative to your body and competitive category.
3.3 Training & Performance Data
- Exercise selection, sets, reps, weights, and RPE
- Personal records (PRs) and estimated one-rep maxes
- Training history, session logs, and program adherence
- Competition results and attempt strategies
Purpose: To power the rule-based coaching engine, generate personalized programs, track progress, and deliver accurate performance analytics.
3.4 Health-Adjacent & Recovery Data
- Self-reported fatigue levels
- Self-reported sleep quality and duration
- Self-reported pain levels and injury status
- Readiness scores
Purpose: To adjust training load and exercise selection based on your current recovery status. This data is used exclusively within the app to provide safer, more appropriate training recommendations. It is not shared with healthcare providers and is not treated as clinical health data.
3.5 Health Data (Apple Health / Health Connect)
When you grant BigZ permission to access health data, the app reads the following from Apple Health (iOS) or Health Connect (Android):
- Heart Rate Variability (HRV) - RMSSD measurement, last 24 hours and 30-day rolling baseline
- Sleep duration - total hours of sleep recorded for the previous night (typically from 6 PM the previous evening to 12 PM the day of the session)
- Resting heart rate - when available, used to detect deviation from your personal baseline
Purpose: BigZ uses these signals to compute your readiness for today's training session, recommend volume or intensity reductions when recovery is compromised, and surface coaching nudges (e.g. "Your HRV is down 15% - we're cutting volume to protect recovery").
All processing happens on your device. Health data is never uploaded to our servers, never shared with third parties, and never used for advertising. Only derived flags (e.g. "recovery low") are persisted locally for engine continuity. We do not store raw HRV, sleep, or heart rate values in our cloud database.
Health data is read fresh on each session. If you revoke permission, all in-memory cached values are discarded immediately.
You can revoke access anytime via: iOS: Settings → Privacy & Security → Health → BigZ | Android: Settings → Apps → Health Connect → BigZ
3.6 Notification Preferences
- Push notification opt-in status
- Notification type preferences
Purpose: To deliver training reminders, session prompts, and coaching updates you have consented to receive.
3.7 Subscription & Billing Data
- Subscription status (active, trial, expired)
- Subscription tier
- Transaction identifiers provided by Apple or Google
Purpose: To grant or restrict access to premium features. We do not collect, store, or process your payment card information. All billing is handled directly by Apple (App Store) or Google (Google Play).
3.8 Device & Technical Data
- Device type, model, and operating system version
- App version
- Crash logs and error reports
- Session duration and feature usage (anonymized or pseudonymized)
- IP address (used for rate limiting and security, not advertising targeting)
Purpose: To diagnose bugs, improve performance, and understand how features are used.
3.9 Community & User-Generated Content
- Leaderboard entries and performance stats you choose to make visible
- Any content you voluntarily submit in community features
Purpose: To enable competitive features and community engagement within the app.
4. How We Use Your Data
| Data Category | Primary Use | Secondary Use |
|---|---|---|
| Account data | Authentication, account management | Customer support |
| Physical data | Training load calculation | Program personalization |
| Training data | Program generation, progress tracking | Coaching engine inputs |
| Health-adjacent data (self-reported) | Session adaptation, injury substitution | Recovery scoring |
| Health data (Apple Health / Health Connect) | Readiness computation, volume/intensity adaptation | On-device only - never uploaded |
| Device data | Bug fixing, performance | Feature usage analytics |
| Subscription data | Feature gating | Billing reconciliation |
We do not use your data for advertising. We do not build advertising profiles. We do not sell your personal data.
5. Third-Party Services
We use a limited set of carefully selected third-party processors. Each operates under its own data protection terms and is contractually bound to handle your data appropriately.
Supabase (supabase.com)
Role: Database storage and user authentication.
Data shared: Account data, training data, health-adjacent inputs, all app-generated content.
Privacy: supabase.com/privacy
RevenueCat (revenuecat.com)
Role: Subscription management and entitlement verification.
Data shared: Anonymous user ID, subscription status, transaction identifiers from Apple/Google. RevenueCat does not receive your payment card information.
Privacy: revenuecat.com/privacy
PostHog (posthog.com)
Role: Product analytics - understanding how features are used in aggregate.
Data shared: Pseudonymized event data, feature usage patterns, session metadata. PostHog is configured to minimize collection of personally identifiable information.
Privacy: posthog.com/privacy
Sentry (sentry.io)
Role: Crash reporting and error monitoring.
Data shared: Device type, OS version, app version, error stack traces. Personal data is minimized before transmission.
Privacy: sentry.io/privacy
OpenAI (openai.com)
Role: AI language model powering the in-app coaching assistant.
Data shared: Your coaching messages and a structured context summary (training level, PR data, fatigue status, training history). Messages are transmitted server-side via a Supabase Edge Function; they are never sent to OpenAI directly from your device. Raw injury descriptions, surgery history, or pain-level scores are not included in AI prompts.
Data retention: OpenAI does not use API data to train models by default. Conversation content is not retained by OpenAI beyond the immediate API request.
Privacy: openai.com/policies/privacy-policy
Langfuse (langfuse.com)
Role: AI observability - monitoring quality and performance of coaching AI responses.
Data shared: Anonymized metadata about AI interactions: message length, response latency, presence/absence of injury context (boolean), number of PRs on record. Raw message content, injury descriptions, and health values are never sent to Langfuse.
Privacy: langfuse.com/docs/data-security-privacy
Apple / Google
Role: In-app purchase processing, push notification delivery.
Data shared: As required by the platform for subscription and notification services.
6. Data We Do Not Collect
- We do not collect precise GPS location
- We do not access your contacts, camera roll, or microphone unless you explicitly upload a photo
- We do not collect biometric data from wearables
- We do not perform cross-app or cross-site behavioral tracking for advertising
- We do not sell personal data to any third party
- We do not collect heart rate during workouts (your wearable already tracks that independently)
- We do not collect ECG / EKG raw waveforms
- We do not write any data back to Apple Health or Health Connect (read-only access)
- We do not upload raw HRV, sleep, or heart rate values to our cloud servers
7. Legal Basis for Processing (GDPR)
Metalab is incorporated in Estonia, within the European Union. The General Data Protection Regulation (GDPR) applies to all users.
| Processing Activity | Legal Basis |
|---|---|
| Account creation and management | Contractual necessity |
| Training program delivery | Contractual necessity |
| Push notifications | Consent |
| Analytics and crash reporting | Legitimate interest |
| Improving and training our models | Consent (opt-in, off by default) |
| Subscription management | Contractual necessity |
| Legal compliance | Legal obligation |
Improving and training our models
If you turn on "Improve our AI" (Settings → Privacy, which is off by default), we may use your training data (sessions, RPE, personal records, readiness, and coaching interactions) in pseudonymized form to improve and train the models that power BigZ's coaching and recommendations. This covers our own models only; our AI providers do not train on your data. You can withdraw this consent at any time in Settings → Privacy, and the data is removed from our training set when you withdraw or delete your account.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days |
| Training and session data | Until account deletion + 30 days |
| Crash logs (Sentry) | 90 days |
| Analytics events (PostHog) | 12 months rolling |
| Data used for model improvement (with consent) | Until you withdraw consent or delete your account |
| Subscription records | As required by applicable tax law (typically 7 years) |
When you delete your account, your personal data and training history are permanently deleted from our primary systems within 30 days. Anonymized, non-identifiable aggregate data may be retained indefinitely as it cannot be linked back to you.
9. Your Rights
Under GDPR, you have the right to:
- Access a copy of the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your account and associated personal data (in-app: Settings → Account → Delete Account)
- Export a copy of your data in a portable JSON format anytime via Settings → Privacy → Export my data, or by email
- Withdraw consent for analytics, crash reporting, model improvement, or push notifications (Settings → Privacy, or device Settings)
- Object to processing based on legitimate interest
- Lodge a complaint with the Estonian Data Protection Inspectorate (AKI) or your local supervisory authority
To exercise any right, email support@bigz.training. We will respond to verified requests within 30 days.
10. Account Deletion
You can delete your BigZ account directly inside the app: Settings → Account → Delete Account
Upon deletion, your account is immediately deactivated and all personal data is permanently deleted within 30 days. See the full Account Deletion Policy for details.
11. Children
BigZ is not directed at users under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has created an account, contact us at support@bigz.training and we will delete it promptly.
12. Security
We implement industry-standard security measures including TLS encryption in transit, encrypted storage via Supabase with row-level security, and access controls limiting who can access production data. In the event of a data breach affecting your rights, we will notify you as required by GDPR (within 72 hours to the supervisory authority, and without undue delay to affected users).
13. Changes to This Policy
We may update this Privacy Policy. When we do, we will update the "Last Updated" date and, for material changes, notify you via email or an in-app notice. Continued use of BigZ after changes constitutes acceptance.
14. Contact
Metalab
Email: support@bigz.training
Website: https://bigz.training
Country of incorporation: Estonia