Privacy Policy
Last updated: February 21, 2026
XMuscles ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal information when you use the XMuscles mobile application ("App"), available on the Apple App Store for iOS and watchOS devices.
This Privacy Policy complies with Apple's App Store Review Guidelines, the Apple Developer Program License Agreement, and applicable data protection laws including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Information We Collect
1.1 Account Information
When you sign in using Apple Sign-In or Google Sign-In, we collect:
- Name (first and last)
- Email address (may be a private relay address if using Apple Sign-In with "Hide My Email")
- Authentication identifiers (managed securely; we do not see or store your Apple or Google password)
1.2 Profile Information
You may voluntarily provide:
- Date of birth
- Gender
- Country
- Height and weight
- Fitness goals and target weight
- Fitness level, injuries, and equipment preferences
1.3 Health and Fitness Data (Apple HealthKit)
With your explicit permission, we read data from and write data to Apple HealthKit. We request access to the following HealthKit data types:
- Heart rate and resting heart rate
- Heart rate variability (HRV)
- Sleep analysis (duration, stages)
- Step count and active energy burned
- Respiratory rate
- Blood oxygen saturation (SpO2)
- Workout sessions and exercise data
- Body mass and lean body mass
You choose which HealthKit data types to share with XMuscles. You can grant or revoke access to each data type individually through iOS Settings > Privacy & Security > Health > XMuscles at any time.
1.4 Workout Data
When you use the workout features, we collect:
- Workout sessions (exercises, sets, reps, weight lifted)
- Workout duration and rest times
- Personal records (PRs)
- Custom workout templates you create
- AI coach chat conversations
1.5 Body Scan Data
If you use the Body Scan feature (Pro subscription required), we process:
- Body photos (front and/or back poses) — uploaded to our secure servers for AI analysis
- AI-analyzed body composition estimates (body fat %, muscle mass, etc.)
- InBody machine scan results (if you upload them)
1.6 Device and Usage Data
- Device type, model, and operating system version
- Push notification device tokens (for delivering notifications)
- Crash reports and performance diagnostics (via Sentry — no personal health data included)
- Subscription status and purchase history (managed by Apple)
1.7 Data We Do NOT Collect
- We do not collect your precise location or GPS data
- We do not collect your contacts, call logs, or messages
- We do not collect browsing history or data from other apps
- We do not collect payment card numbers or banking details (Apple handles all payments)
- We do not use tracking or advertising identifiers (IDFA)
2. How We Use Your Information
We use the collected information solely for the following purposes:
- Provide, maintain, and improve the App's core functionality
- Calculate health metrics using deterministic formulas (Body Battery, recovery score, sleep performance, etc.) — all calculations are transparent and reproducible
- Generate AI-powered text recommendations and workout plans (AI generates text only, never metric values)
- Sync workout data between your iPhone and Apple Watch via WatchConnectivity
- Display workout progress via iOS Live Activities (Dynamic Island and Lock Screen)
- Send push notifications (only with your consent, and you can disable them at any time)
- Process and manage your subscription status
- Diagnose technical issues via crash reports
3. Apple HealthKit Data — Special Protections
In compliance with Apple's HealthKit guidelines and App Store Review Guidelines Section 5.1.3, we apply the following strict protections to all HealthKit data:
- HealthKit data is used exclusively to provide health and fitness insights within the App — it is the core functionality of the App
- We do not sell, license, or share HealthKit data with any third party for any purpose
- We do not use HealthKit data for advertising, marketing, or data mining purposes
- We do not disclose HealthKit data to data brokers, information resellers, or advertising networks
- HealthKit data is not stored in iCloud or any unencrypted storage
- HealthKit data is transmitted securely using HTTPS/TLS encryption and stored on our servers with encryption at rest
- We do not use HealthKit data to build user profiles for purposes unrelated to health and fitness
- You can revoke HealthKit access at any time through iOS Settings > Privacy & Security > Health > XMuscles
- When you delete your account, all HealthKit-derived data stored on our servers is permanently deleted within 30 days
4. Third-Party Services and Data Sharing
We use a limited number of third-party services to operate the App. We share only the minimum data necessary for each service to function. No HealthKit data is shared with any third-party service listed below.
4.1 Authentication Providers
- Apple Sign-In — Apple manages your credentials. We receive only your name, email (or private relay), and a unique identifier. See Apple's Privacy Policy.
- Google Sign-In — Google manages your credentials. We receive only your name, email, and a unique identifier. See Google's Privacy Policy.
4.2 Push Notifications
- Firebase Cloud Messaging (FCM) — to deliver push notifications. We share only your device token with Firebase. No health or fitness data is sent. See Firebase Privacy Policy.
4.3 Error Monitoring
- Sentry — to collect crash reports and performance data for debugging. Sentry receives device information and error stack traces only. No personal health data, HealthKit data, workout data, or personally identifiable information is sent to Sentry. See Sentry's Privacy Policy.
4.4 AI Services
- Mistral AI — to generate text-based workout recommendations, health insights, and body composition analysis. We send anonymized context (fitness goals, general health status) without personally identifiable information. AI is used for text generation only — all metric values and scores are calculated deterministically on our servers. No HealthKit data, names, emails, or other PII is sent to Mistral.
4.5 Media
- Unsplash — to provide cover images for workout templates. No user data of any kind is shared with Unsplash.
4.6 File Storage
- DigitalOcean Spaces — for secure file storage (body scan images). Files are stored with server-side encryption and access is restricted to authenticated requests only.
4.7 Payment Processing
- Apple App Store — all payment and subscription processing is handled entirely by Apple. We do not collect, process, or store any payment card numbers, bank account details, or billing addresses. We only receive subscription status information (active, expired, etc.) from Apple's servers.
5. Data Storage and Security
We implement the following security measures to protect your data:
- Encryption in transit: All data transmitted between the App and our servers uses HTTPS/TLS encryption
- Encryption at rest: Data stored on our servers is encrypted at rest
- Secure token storage: Authentication tokens are stored on your device in the iOS Keychain (via the SecureStore API), which iOS encrypts using hardware-protected device keys; tokens are never written to plain app storage
- Access controls: Database access is restricted and protected by authentication and authorization
- Rate limiting: Sensitive endpoints are rate-limited to prevent abuse
- Soft deletion: Data is soft-deleted first, allowing recovery in case of accidental deletion, and is then permanently removed within the deletion window described in Section 6
6. Data Retention and Deletion
- Your account data is retained for as long as your account is active
- Account deletion: You can delete your account at any time through the App (Settings > Delete Account). Upon deletion, we permanently remove all your personal data, health data, workout history, body scan images, and AI chat history from our servers within 30 days
- Body scan images are deleted immediately upon account deletion
- If your subscription expires and you do not use the App for 12 months, we may send a reminder email before deleting inactive account data
- Anonymized, aggregated data (with no personally identifiable information) may be retained for analytics and service improvement
7. Your Rights and Choices
Depending on your jurisdiction (including under GDPR, CCPA, and other applicable laws), you have the following rights:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Correction: Correct inaccurate personal data (you can edit your profile directly in the App)
- Right to Deletion: Delete your account and all associated data (via Settings > Delete Account, or by contacting us)
- Right to Data Portability: Request your data in a portable, machine-readable format
- Right to Withdraw Consent: Withdraw consent for data processing at any time (this does not affect processing that occurred before withdrawal)
- Right to Object: Object to certain types of data processing
- Right to Restrict Processing: Request that we limit how we use your data
- Right to Opt Out of Sale: We do not sell your personal information. There is nothing to opt out of.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner as required by applicable law).
8. Advertising and Tracking
XMuscles does not display any advertisements. We do not use advertising identifiers (IDFA), tracking pixels, or any form of cross-app tracking. We do not participate in any advertising networks. We do not share your data with advertisers or data brokers.
9. Children's Privacy
The App is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].
10. International Data Transfers
Our servers are hosted by DigitalOcean in the Frankfurt, Germany (EU) region. Your data may be transferred to and processed in countries other than your country of residence. Where required, we rely on appropriate legal mechanisms (such as Standard Contractual Clauses) to ensure your data is protected in accordance with this Privacy Policy and applicable data protection laws.
11. Apple Watch Companion App
XMuscles includes a companion app for Apple Watch. The Watch app:
- Communicates with the iPhone app exclusively via Apple's WatchConnectivity framework — it does not connect to the internet or our servers directly
- Reads heart rate data during workouts via Apple HealthKit on the Watch (with your permission)
- Stores your login status locally on the Watch using UserDefaults (no credentials are stored)
- All workout data recorded on the Watch is sent to the iPhone app, which handles server communication
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Post a notice within the App
- If required by law, request your renewed consent
Your continued use of the App after changes are posted constitutes your acceptance of the revised Privacy Policy.
13. Terms of Use
Your use of the App is also governed by our Terms of Use (EULA), available at www.x-muscles.com/terms.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Website: www.x-muscles.com
For Apple-specific privacy concerns, you may also contact Apple directly through their Report a Problem portal.