Privacy Policy
Last updated .
Ascend Fitness (“we”, “us”, or “Ascend”) is operated by Sam Wilson, based in Auckland, New Zealand. This Privacy Policy explains what personal information we collect when you use Ascend, how we use it, who we share it with, how long we keep it, and the rights you have under New Zealand’s Privacy Act 2020, the EU/UK General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA).
We collect the minimum data needed to run the app. We never sell, rent, license, or share your personal data with advertisers, insurers, data brokers, or third-party marketers.
What we collect
- Account data: email address, hashed password (Argon2id), display name, optional avatar.
- App data: workouts, exercises, sets, reps, weights, meals, water intake, sleep entries, goals, streaks, progress photos you upload.
- Health platform data (only with your explicit permission): steps, workouts, heart rate, active calories, sleep, and body measurements from Apple Health on iOS or Health Connect on Android.
- Device + diagnostics: anonymised crash reports, app version, OS version, device model. No advertising identifier is collected.
- Subscription data: in-app-purchase receipts from Apple App Store, Google Play, or Stripe — used to verify entitlement only.
- Server logs: IP address and basic request metadata, retained for 30 days for security and abuse prevention.
Why we collect it
- To provide the core service: tracking, visualising, and saving your training and nutrition data.
- To authenticate you and keep your account secure.
- To deliver premium features when you have an active subscription.
- To detect and prevent abuse (rate limiting, bot detection).
- To improve the product via aggregated, anonymised usage statistics — never linked to your identity.
Our legal bases under GDPR are: contract (running the app for you), consent (health data, optional analytics), and legitimate interests (security, fraud prevention).
Who we share it with
We use a small number of vetted third-party processors. Each has signed a data-processing agreement with us:
- Railway / hosting: infrastructure and database hosting (United States & EU regions).
- Sentry: anonymised crash reporting (EU region).
- Resend / email: transactional email (account, billing, password resets).
- Stripe, Apple App Store, Google Play: subscription billing; we never see your card details.
- Upstash: rate-limiting and ephemeral cache.
We do not use Google Analytics, Facebook Pixel, or any advertising SDK.
How long we keep it
- Account + app data: for as long as your account is active.
- After account deletion: purged from production within 30 days; from encrypted backups within 90 days.
- Server logs: 30 days.
- Anonymised aggregate analytics: retained indefinitely (no link back to you).
International transfers
Your data is stored on servers in the United States and/or European Union. Where applicable we rely on the EU Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum.
Your rights
You have the right to:
- Access a copy of all data we hold about you (in-app: Settings → Export data).
- Correct inaccurate data.
- Delete your account and all associated data (in-app: Settings → Delete account).
- Object to or restrict certain processing.
- Port your data to another service (JSON export).
- Lodge a complaint with the Office of the Privacy Commissioner (NZ), your local EU data-protection authority, the UK ICO, or the California Attorney General.
We respond to verified rights requests within 30 days. To exercise any of these, email hello@getascend.club.
Cookies & local storage
On the website we use only first-party local storage to remember your theme preference (light/dark) and authentication state. We do not set tracking cookies or third-party advertising cookies.
Children
Ascend is not directed to children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has provided us data, email hello@getascend.club and we will delete it immediately.
Security
Passwords are stored hashed with Argon2id. All traffic is encrypted with TLS 1.3. Data at rest is encrypted by our hosting provider. We follow the principle of least privilege — only the founder has production database access.
Data breach notification
If we discover a data breach affecting your personal information, we will notify the Office of the Privacy Commissioner (NZ) within 72 hours where required, and you directly if there is a likely risk of serious harm.
Changes to this policy
We will notify you of material changes by email and/or an in-app notice at least 14 days before they take effect. The “Last updated” date above always reflects the current version.
Contact
Sam Wilson, Auckland, New Zealand — hello@getascend.club.