Privacy Policy
Last Updated: May 30, 2026
1. Data Controller
The Data Controller for account management and app infrastructure is: Elevate Development Team (elevate.gym.app@gmail.com), an independent developer based in Italy.
2. Legal Basis for Processing
We process your personal data under the following legal bases as defined by GDPR (Regulation EU 2016/679):
- Contract Performance (Art. 6.1.b): Account creation, authentication, service delivery, and backup functionality.
- Consent (Art. 6.1.a): Personalized advertising, optional analytics, and location-based features.
- Legitimate Interest (Art. 6.1.f): Crash reporting, security monitoring, and fraud prevention.
3. Data Collected & Device Permissions
To provide our fitness tracking services, the App requires access to certain device features. Usage is strictly limited to the purposes described below:
A. Device Permissions
- INTERNET: Required for all network communications including authentication, cloud synchronization, AI food analysis, product database queries, and advertising.
- ACTIVITY_RECOGNITION: Required for step counting and daily activity monitoring. Data remains on your device.
- ACCESS_COARSE_LOCATION: Optional and requested only when using the Food AI scanner. It improves AI recognition accuracy by identifying local and regional products based on your general area. This data is processed transiently and not saved. Also used by advertising providers (Google AdMob) for relevant ads, subject to your consent.
- ACCESS_FINE_LOCATION: Optional and requested only when using the GPS Running Tracker feature. Provides precise location data for real-time route tracking, distance calculation, pace monitoring, and route visualization on OpenStreetMap maps. GPS data is stored locally on your device and in your personal cloud backup. It is never transmitted to Developer servers or shared with third parties. This permission can be revoked at any time from device Settings.
- CAMERA: Required for:
- Barcode scanning to identify food products and retrieve nutritional information
- AI-powered food recognition and calorie estimation (Gemini)
- READ/WRITE_EXTERNAL_STORAGE: Required for:
- Temporary image storage before AI food analysis
- Workout data export (PDF, backup files)
- Local app cache for performance optimization
- VIBRATE: Provides haptic feedback for workout timers, rest period alerts, rep counters, and notification alerts to enhance user experience during training.
- WAKE_LOCK: Prevents the device from sleeping during active workout sessions, recovery timers, and cardio activities to ensure continuous tracking.
- FOREGROUND_SERVICE: Enables Recovery Timer and Step Counter to function when the app is in the background.
- POST_NOTIFICATIONS: Displays notifications for timer alerts, scheduled workout reminders, water intake reminders, and weight check notifications.
- RECEIVE_BOOT_COMPLETED: Automatically restores scheduled notifications (workout reminders, water intake alerts, weight check reminders) after device restart, ensuring you don't miss important fitness goals.
- health.READ_STEPS (Health Connect / Apple HealthKit â Optional): Optional permission to read the official daily step count from Google Health Connect (Android) or Apple HealthKit (iOS). When granted, the app reads only the total step count from midnight to the current time, providing a perfectly accurate count that matches the system trackers. No other health data is accessed. This permission can be revoked at any time from device Settings, or directly from within the app (Settings â Permissions â Health Connect / Apple Health).
- health.READ_SLEEP (Health Connect / Apple HealthKit â Optional): Optional permission to read sleep data from Google Health Connect (Android) or Apple HealthKit (iOS). When granted, the app reads only sleep duration and stages to populate your sleep history and target goals. This data is used strictly for tracking purposes and remains on your device or in your personal backups. It is not transmitted to our servers or used for any other purpose.
B. Data Processed by Developer (Cloud)
- Account Identifiers: Email address, Firebase User ID, username (via Firebase Authentication).
- Advertising Data: Google Advertising ID (GAID/IDFA), ad interaction data, consent preferences (via Google AdMob).
- Purchase Data: Transaction identifiers, subscription status, entitlements (via RevenueCat). We do not have access to your payment method details.
C. Data Controlled EXCLUSIVELY by User
The following fitness and health data is stored locally on your device (using Hive encrypted database) and/or on your personal Google Drive. The Developer has no access, read, copy, or processing rights to this data:
- Workout plans, exercise history, and personal records
- Body weight, measurements (17 body parts: chest, waist, hips, neck, shoulders, biceps, forearms, wrists, thighs, calves, ankles), and biometric calculations (BF%, LBM, FFMI, WHtR, RFM, Wilks Score)
- Somatotype classification and natural muscle potential estimates (Casey Butt, Creff formulas)
- Daily step counts and activity data
- Nutrition diary, food logs, and calorie tracking
- Water intake records
- Cardio sessions and exercise logs
- Badges, achievements, and gamification progress
- Strength milestones and personal bests for key lifts (bench press, squat, deadlift)
- App preferences and custom settings (theme, language, notification schedules)
â ď¸ Important: While automatic Google Drive backup is enabled by default with weekly frequency (configurable in app settings), it may fail due to network issues, insufficient storage, or authentication problems. We strongly recommend performing manual backups periodically (Settings â Cloud Sync â Backup Now) to ensure your data is safely preserved.
D. AI Processing (Google Gemini)
When you use AI-powered features (Food Recognition, Recipe Generator), images and text prompts are sent to Google's Gemini API servers for processing. This data is processed transiently to generate nutritional estimates and recipe suggestions. According to Google's API Terms, data sent via the API is not used to train their AI models. Images are not stored permanently and are not used for biometric identification purposes.
E. User-Contributed Content (Optional)
When you manually create new food items or exercises not present in the global database, you have the option to share this data with the Developer to help improve the application. If the "Send to Developer" option is enabled, the name, category, and nutritional/technical details of the entry are sent via Formspree. No personal identifiers are attached to these submissions. This data is used solely to enrich the official app database for future updates. This feature is active by default but can be disabled for each entry at your discretion.
4. Cookies and Local Storage
Our website uses localStorage to store your language preference (English or Italian). This is a technical requirement to ensure a consistent browsing experience across sessions. We do not use tracking cookies or third-party marketing cookies on this static website.
5. Purpose of Processing
- Service Delivery: Enabling workout tracking, timers, step counting, food diary, nutrition analysis, and cloud backup functionality.
- Account Security: User authentication, password reset, and account management.
- AI Analysis: Calorie estimation from food images and personalized recipe generation based on available ingredients.
- App Stability: Identifying and fixing bugs to maintain service quality. Error logs are processed locally during development builds only.
- Advertising: Displaying banner and rewarded video ads (AdMob) to keep the app free, subject to user consent in applicable regions.
- Purchase Management: Processing in-app purchases and subscription management via RevenueCat.
6. Third Party Services
We integrate the following third-party services to provide app functionality. Each service processes data according to its own privacy policy:
-
Google Drive API
Used exclusively for the Backup & Restore feature, initiated only by user action. Elevate transfers data directly from your device to your personal Google Drive storage. The developer has no access to your backup files.
The use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. -
Google Firebase (Authentication, Crashlytics, Analytics, Firestore)
Used for secure authentication, crash reporting, anonymous usage analytics, and user profile storage. Data collected includes: Device ID, crash logs, installation UUID, authentication tokens, email address, and anonymous usage patterns.
Firebase Privacy Policy -
Google AdMob
Used to display advertisements. AdMob may use the Advertising ID (AAID/IDFA) and cookies to serve ads. Personalized advertising is subject to your consent via the GDPR consent dialog (UMP). You can modify your ad preferences at any time from the app settings.
Google Ads Policy -
RevenueCat
Used for in-app purchase management and subscription handling. RevenueCat processes transaction identifiers and subscription status. We do not have access to your payment details (credit card, billing address).
RevenueCat Privacy Policy -
Open Food Facts
Open and collaborative database used to retrieve nutritional information via barcode scanning. Queries are made anonymously using only the product barcode. No personal data is transmitted to Open Food Facts servers.
Open Food Facts Terms -
OpenStreetMap
Used to display interactive maps and running route visualization. Map tiles are downloaded from OpenStreetMap tile servers and cached locally on your device for offline use. No personal data, GPS coordinates, or location information is transmitted to OpenStreetMap servers beyond standard tile requests (which contain only map coordinates of the visible area).
OpenStreetMap Privacy Policy -
Google ML Kit (On-Device)
Used for on-device image labeling (content safety) and text recognition (OCR for product labels). All processing happens entirely on your device. No images or recognition data are sent to external servers through this service.
-
FreeRASP (Talsec)
Used for Runtime Application Self-Protection (RASP) to ensure the integrity and security of the App. Detects rooted/jailbroken devices, emulators, debugging tools, and app tampering. Security status checks are processed locally on your device. No personal data is collected or transmitted by this service.
-
USDA FoodData Central
Used to retrieve nutritional values for generic foods and raw ingredients. The data is provided by the U.S. Department of Agriculture and is in the public domain. Queries are anonymous.
USDA FoodData Central -
Google Gemini API
Used for AI-powered features including food recognition, calorie estimation, and recipe generation. Images and text prompts are sent to Google servers for processing. Google does not use API data to train their models. Data is processed transiently and not stored permanently.
Gemini API Terms -
Formspree
Used to collect user-submitted food and exercise data for application improvement. Submissions are processed as form data and sent to the Developer.
Formspree Privacy Policy -
Elevate Open Database (GitHub)
The application utilizes an "offline-first" architecture powered by the Elevate Open Database. This database (containing offline food data, created and compiled by the Developer) is created, maintained, and authored by the Developer. All foods present offline are sourced directly from this custom database created by the Developer. It is hosted on a public GitHub repository and made available to the public under the Open Database License (ODbL). The app downloads this data to ensure core tracking functionality works without an active internet connection.
7. Data Retention
Account Data: Retained until you delete your account. Upon account deletion, your Firebase authentication data and Firestore profile are permanently erased.
Advertising Data: Google Advertising ID and ad interaction data are managed by Google AdMob according to their retention policies. You can reset your Advertising ID in your device settings.
Local Fitness Data: Retained on your device until you uninstall the app or manually clear app data.
Google Drive Backups: Retained in your personal Drive storage until you manually delete them. We have no control over backup retention in your Drive.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All network communications use TLS/HTTPS encryption
- Firebase Authentication with secure token management
- Local data stored using Hive encrypted database
- Google Drive backups protected by your Google account security
- Automatic Google Drive backup enabled by default with weekly frequency, configurable in app settings
- No plain-text password storage
9. International Data Transfers
By using services like Google (Firebase, AdMob, Gemini) and RevenueCat, some technical data may be processed on servers located outside the European Union, primarily in the United States. These transfers are conducted in compliance with the EU-US Data Privacy Framework and/or Standard Contractual Clauses approved by the European Commission.
10. Your Rights Under GDPR
As a user in the European Union, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of your personal data we process.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Art. 18): Request limitation of processing in certain circumstances.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interest.
- Right to Withdraw Consent: Withdraw consent for personalized advertising at any time via app settings.
To exercise these rights, contact us at elevate.gym.app@gmail.com. We will respond within 30 days.
11. Account & Data Deletion
A. In-App Account Deletion (Recommended)
If you have access to your account, you can permanently delete it directly from the app: Settings â Account â Delete Account. This process will:
- Delete your Firebase Authentication credentials
- Erase your profile data from Cloud Firestore
- Optionally delete your Google Drive backup folder
â ď¸ This action is irreversible.
B. Email-Based Deletion (No Account Access Required)
If you are unable to access your account (e.g., forgotten password with no recovery option, lost access to email), you may request deletion via email:
Send an email to:
Required information:
- Email address associated with the account
- Firebase UID (if known - can be found in Settings â Account)
- Subject line: "Account Deletion Request"
Upon verification, we will delete all data accessible to us within 30 days, including:
- Firebase Authentication record
- Cloud Firestore profile data
â ď¸ Data That Remains Your Responsibility
The following data is stored outside of our control and must be deleted manually by you:
- Local Device Data: Uninstall the app or clear app data from device settings
- Google Drive Backups: Access your Drive and delete the "Elevate" folder manually
12. Advertising & Consent Management
Elevate displays advertisements via Google AdMob to keep the app free for users. In the European Economic Area (EEA/UK), you will be presented with a consent dialog (Google UMP) before personalized ads are shown.
Your Choices:
- Accept personalized ads based on your interests and activity
- Reject personalized ads and receive generic, non-targeted ads
- Upgrade to Premium to remove all advertisements
You can modify your advertising preferences at any time from Settings â Privacy â Ad Preferences.
13. Children's Privacy
Elevate is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at elevate.gym.app@gmail.com and we will take steps to delete such information.
14. Automated Decision Making
Elevate uses algorithms for fitness calculations (TDEE, body composition, strength estimates) and AI for food recognition. These are informational tools only and do not make legally binding decisions about you. All AI-generated content (recipes, nutritional estimates) should be verified by the user and are not intended to replace professional advice.
15. Changes to This Policy
We may update this Privacy Policy periodically. Significant changes will be communicated via in-app notification or email. The "Last Updated" date at the top indicates when the policy was last revised. Continued use of the app after changes constitutes acceptance of the updated policy.
16. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority. For users in Italy, this is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
Contact
For privacy inquiries or to exercise your rights:
Email: elevate.gym.app@gmail.com