LiftTrack ("the app") is a personal fitness + nutrition tracker developed and operated by Yash Gupta ("we", "us"). This policy explains what data the app collects, how it is stored, who it is shared with, and how to delete it.
Contact: yash.gupta.developer@gmail.com.
1. Data we collect
When you create a LiftTrack account we collect:
- Email address (required) — login identifier + account recovery.
- Display name (optional) — shown in the app UI; leave blank if you prefer.
- Body metrics you choose to log — weight, body-fat %, waist, chest, arm, thigh, calf, neck — each timestamped. All optional. You decide which to track.
- Onboarding profile — height, age range, biological sex (for macro defaults only), training goal (bulk / cut / maintain), preferred unit (kg / lb).
- Workout data — routines you build, weeks, days, exercises selected, sets logged (weight, reps, drop-set flags, warm-up flags), rest timer intervals, PR markers, free-text workout notes.
- Nutrition data — meals you log (calories, protein, carbs, fat, meal slot, timestamp, optional attached photo), macro overrides you make.
- Meal photos — only when you tap the meal camera. Downscaled to 640px on-device before upload.
LiftTrack does not collect:
- Your location.
- Your contacts.
- Your device advertising ID.
- Your browsing history.
- Any third-party app data.
- Biometric data (fingerprints, face data, etc.).
- Health data from Apple Health / Google Fit / Health Connect (not integrated).
2. How AI meal photos work
- On-device prep: when you tap the meal camera, the image is captured at native resolution, then immediately downscaled to a 640px-wide JPEG at quality 0.45 (typical size: 50-120 KB) before any upload happens.
- Upload: the downscaled image is sent over HTTPS to our server, which proxies it to an AI parsing service. The AI returns calorie + macro estimates.
- Retention: the photo is retained on our server only to render the meal detail screen. When you delete the meal or your account, the photo is permanently erased.
- Camera permission is requested only at the point of use and can be revoked at any time in your device's OS settings.
3. Where data is stored
- Provider: Oracle Cloud Infrastructure VM, region
Mumbai (ap-mumbai-1). - Database: PostgreSQL, scoped to a per-tenant
liftfuelschema. - Transport: HTTPS (TLS 1.2+) for every client ↔ server call.
- At rest: database disk volumes are encrypted by the cloud provider.
- Image storage: meal photos are stored on Cloudflare R2 with private access — only the server can sign URLs.
We do not use any third-party analytics, advertising, or marketing SDKs.
4. Third parties
| Sub-processor | Purpose | Data shared |
|---|---|---|
| AI parsing service (server-side) | Meal photo macro extraction + Ask-AI query answering | The downscaled meal image OR the text of your question + a redacted snapshot of your own logs. The provider does not retain or train on this data per its terms. |
| Cloudflare R2 | Meal photo blob storage | The downscaled meal JPEG only. Private bucket; no public URLs. |
We do not sell or rent your data. We do not share it with advertisers.
5. Your rights
- Export your data: in-app, Settings → Privacy & data → Export data. Produces a JSON file with every workout, set, meal, body metric, and routine you've logged.
- Delete your account: in-app, Settings → Privacy & data → Delete account — or via the public deletion page. Server data is wiped within 7 days; backups within 30.
- Request a copy of any data we hold on you: email yash.gupta.developer@gmail.com.
- Correct inaccurate data: edit it directly in the app, or email us.
6. Retention
- Active account data: retained as long as the account exists.
- Deleted account data: erased from primary database within 7 days; erased from backups within 30 days.
- Server access logs (nginx): 14-day rolling retention. Used only for abuse / DDoS detection. Not tied to your account identity.
7. Children's privacy
LiftTrack is not directed to children under 18 and we do not knowingly collect data from them. If you believe a child has provided us data, contact yash.gupta.developer@gmail.com and we will delete it.
8. Security
- TLS in transit, encryption at rest.
- Passwords are stored hashed (bcrypt).
- Auth tokens (JWT, short-lived) are kept in the device secure enclave (
expo-secure-store), never in plainAsyncStorage. - Server access is restricted to the developer; no third-party operator has shell access to the database.
We cannot guarantee absolute security; no online service can. We commit to disclosing any confirmed breach affecting your data within 72 hours of confirmation.
9. International transfers
Our server is hosted in India (Mumbai). If you use the app from outside India, your data will be transferred to and stored in India. We do not transfer data to any other jurisdiction.
10. Changes to this policy
We will update the "Last updated" date above when we change this policy. Material changes will be surfaced in-app via a notice on next launch.
11. Contact
Questions, requests, or complaints: yash.gupta.developer@gmail.com.
Postal address available on request.