Privacy Policy

• We collect your email address, your password (stored only as a one-way hash, never in plaintext), and the workout data you log (lifts, weights, sets, reps, sessions). That is essentially all of it.
• We do not sell, rent, or share your data with anyone for advertising, marketing, profiling, or any other commercial purpose. There are no ad networks, no analytics trackers, and no behavioural cookies in this product.
• You own your data. You can export it or delete it at any time, on your own, without contacting us.
• You can delete your account and every single thing we have on you with a single button in Settings. When you do, it is gone. Permanently. Within 30 days.
• We are a one-person operation. The fewer secrets we have to keep about you, the better we sleep.

Liftcraft is a strength-training tracker available on the web (liftcraft.io), iOS, and Apple Watch. The service is operated by Nick Naczinski as a personal project (“Liftcraft,” “we,” “us”). For any privacy question, write to [email protected].

For the purposes of California, EU, and UK privacy law, Nick Naczinski is the business and the data controller for personal information collected through Liftcraft.

This is the complete list. There is nothing else.

What we do NOT collect

We want to be specific, because in 2026 most of this is unusual:

• No real name, address, phone number, or date of birth.
• No location data. We do not use GPS. We do not derive your location from your IP.
• No photos, contacts, calendar, or microphone data.
• No HealthKit data. (Liftcraft does not currently integrate with Apple Health. If we ever do, we will update this policy and ask for explicit permission first.)
• No advertising identifiers (IDFA, AAID, etc.).
• No third-party analytics. There is no Google Analytics, no Mixpanel, no Amplitude, no Sentry, no Firebase, no Meta Pixel, no TikTok Pixel — none of it.
• No behavioural or marketing cookies. The only cookies we use are the strictly-necessary session cookies that Supabase Auth sets so you stay logged in.
• No crash telemetry sent to third parties.
• No biometric data. No “neural data.” No sensitive personal information of any kind.

We use your data only to:

1. Run the app for you — show your workout plan, log your sets, calculate your next training max.
2. Authenticate you (verify your password, keep your session active, let your watch talk to your account).
3. Send you transactional email when you specifically take an action that needs it (e.g., a password reset link). We do not send marketing email.
4. Diagnose problems if you write to us at [email protected]. In that case, we use the email and any details you share with us to help you.

We do not profile you, score you, recommend things to you based on inferences about you, or use your data to train any machine-learning model.

Liftcraft itself does not share your data with anyone for their own purposes. To run the service we use the following infrastructure providers, who act as processors on our behalf and are bound by their respective data-processing agreements:

• Supabase, Inc. — runs our Postgres database, authentication, and storage. Your workout data and account live here. Supabase processes this data only on our instructions.
• Vercel, Inc. — hosts the web frontend at liftcraft.io. Vercel sees standard web request metadata (IP address, user-agent) when you load the site. Vercel does not have access to the contents of your workout data or your account credentials.
• Apple, Inc. — distributes the iOS and watchOS apps. Apple’s relationship with you is governed by Apple’s own privacy policy.

If we ever add a new sub-processor, we will update this list before they touch your data.

We will disclose your personal information to law enforcement, a court, or a regulator only if we are legally compelled to. If we receive such a request and are not legally prohibited from telling you, we will let you know.

We do not sell your personal information. We do not share it for cross-context behavioural advertising. We have no advertising business and no plans to build one.

For California residents specifically: in the past 12 months, Liftcraft has not sold personal information and has not shared personal information for cross-context behavioural advertising, as those terms are defined in the California Consumer Privacy Act (Cal. Civ. Code § 1798.140). We have never done either of these things, and we have no plans to.

We do not use sensitive personal information for any purpose other than what is strictly necessary to run the service for you (i.e., we use your email and password hash to log you in — that’s it).

We do not offer financial incentives in exchange for personal information.

We do not keep data beyond what is necessary to provide the service or to comply with the law.

You can do this yourself, without asking us. You do not need to explain why.

On the web: Go to Settings → Account → Delete Account. Confirm. The button does what it says: it deletes your account record, your workout history, your settings, and your watch tokens, immediately. Backups roll off within 30 days.

On iOS / Apple Watch: Open the app → Settings → Account → Delete Account. (Apple requires that any app with account creation also offer in-app account deletion. We comply.)

If for some reason the button is broken or you can’t reach it, email [email protected] from the address on your account and we will delete it manually within 30 days.

Deletion is permanent. We cannot un-delete an account.

Wherever you live, you have these rights with respect to the data we hold about you:

• Know what we have (you already do — section 2 above is the full list, and the app shows everything in your dashboard).
• Get a copy of your data in a portable format. Email [email protected] and we will send you a JSON export. (We will also build a one-click export in Settings shortly. If it is there when you read this, use it.)
• Correct anything that is wrong. Most of it you can edit in the app directly. For anything you cannot, email us.
• Delete your data. See section 7.
• Opt out of sale or sharing. There is nothing to opt out of, because we do not do these things. If that ever changes, we will give you a real opt-out before it does.
• Limit the use of sensitive personal information. We do not collect or use sensitive personal information beyond what is necessary to provide the service, so there is nothing to limit.
• Not be discriminated against for exercising any of these rights. We will not charge you a different price, give you a worse product, or refuse service because you asked us to delete your data.

For California residents (CCPA / CPRA)

The categories of personal information we collected about you in the past 12 months, in CCPA terminology (Cal. Civ. Code § 1798.140(v)):

• Identifiers — your email address, an internal account ID. In plain English: the email you signed up with.
• Customer records — none beyond the identifiers above.
• Commercial information — none. We do not sell anything.
• Internet or other electronic network activity — none. We do not log your browsing, do not track clicks, and do not run analytics.
• Geolocation data — none.
• Sensory data — none.
• Professional or employment information — none.
• Inferences — none. We do not profile you.
• Sensitive personal information — your account password (stored only as a hash). We use it solely to log you in. We do not use it for any secondary purpose, and you have the right to limit its use to that purpose (which is already the only use).

Sources of this information: you. We collect it directly from you when you sign up and use the app.

Purposes: providing the service to you, as described in section 3.

Recipients: only the sub-processors listed in section 4. We do not disclose, sell, or share personal information for advertising or any commercial third-party purpose.

To exercise any CCPA right, email [email protected] with the subject line “CCPA Request” and tell us what you want. We will verify it is really you (typically by sending a confirmation to the email on the account), and we will respond within 45 days as required by law. You can also designate an authorized agent in writing to act on your behalf.

We do not currently process the Global Privacy Control signal because we do not engage in any sale or sharing of personal information. If that changes, we will honour GPC.

For users in the EU, UK, or Switzerland (GDPR / UK GDPR)

Liftcraft is operated from the United States. We do not specifically target users in the EU, UK, or Switzerland with marketing, EU-language localisation, or EU pricing. However, if you are in those regions and you choose to use Liftcraft, the following applies:

• Controller: Nick Naczinski (contact: [email protected]). We have not appointed an EU representative or DPO; as a personal-scale project that does not target EU users, we are not required to.
• Legal bases for processing (GDPR Art. 6):
  • Performance of a contract (Art. 6(1)(b)) — for processing your email, password, and workout data to deliver the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to keep the service secure (e.g., issuing watch pairing tokens, rate-limiting auth). Our legitimate interests are minimal because we collect and process so little.
• International transfer: if you choose a US Supabase region, your data is stored in the United States. Supabase’s standard contractual clauses cover this transfer.
• Your rights (GDPR Arts. 15–22): access, rectification, erasure, restriction, portability, objection. Email [email protected]; same process as above.
• Right to lodge a complaint: with your local supervisory authority.

Passwords are stored only as salted one-way hashes by Supabase Auth — we cannot see them, and neither can Supabase staff. Connections to liftcraft.io and our APIs are encrypted in transit with TLS. The Supabase database is encrypted at rest. Row-level security policies in Postgres ensure that one user’s data is never returned to another user’s session.

That said: no system is perfectly secure. If we ever experience a data breach affecting your personal information, we will notify you and the relevant regulators within the timeframes the law requires (72 hours for GDPR; without unreasonable delay for US state laws).

Liftcraft is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has created an account, write to [email protected] and we will delete it.

We may update this policy. When we do, we will change the “Last updated” date at the top and, if the changes are material (for example, if we ever start collecting a new category of data, or add a sub-processor that materially affects your privacy), we will notify you by email before the change takes effect, so you can decide whether to keep using the service.

We will never quietly expand what we collect or who we share it with. If our practices change in a way that matters to you, you will hear about it from us first.

Email: [email protected]

We are one person. We will read your email. We will reply.