Privacy Policy — Zor
Zor ("the app", "we", "us") is a strength-training app: it helps you follow a structured training program, log your workouts, and track your recovery. This policy explains what data the app collects, why, where it is stored, and how you can delete it. We have tried to write it in plain language.
⚠️FOUNDER — legal entity: replace "we/us" identity below with the actual operating entity (sole trader name or company name + registered address/jurisdiction). Operated by: [ENTITY NAME, ADDRESS, COUNTRY].
The short version
- We collect your email address (to create your account) and the training and wellness data you enter (workouts, bodyweight, sleep/soreness ratings, and similar).
- We use this data for one purpose: to run the app for you — showing your program, your history, and your recovery trends.
- We do not use third-party analytics or advertising trackers, and we do not sell your data. Ever.
- Deleting your account deletes your data.
Data we collect
Account data
- Email address and password. You sign up with an email address and password. Authentication is handled by our service provider Supabase; your password is processed and stored (in hashed form) by Supabase's authentication service and is never seen by our own application servers.
- A short numeric code is emailed to you to confirm your address at sign-up.
- (Applies when sign-in with Google/Apple ships — planned, not yet in the app.) If you choose to sign in with Google or Apple, your sign-in provider learns that you use Zor. We receive only your name and email address from them — never your contacts, files, or activity.
Profile data (entered during onboarding, editable later)
- Your training goal (bodybuilding, strength/powerlifting, or sport) and an optional goal end date (e.g. a competition date).
- How long you have been weight training and whether you have used RPE (a training intensity scale) before.
- Bodyweight at sign-up (optional).
- Optional preference fields: gender (male/female, or leave unset — unset means "prefer not to say"), height, an intensity-vs-volume training preference, your target session length, training days per week, and your gym environment (home / quiet / busy).
Training and wellness data (entered as you use the app)
- Training programs you create or that the app generates for you (blocks, weeks, training days, exercises, target sets/reps/RPE), and any custom exercises you add to your library (their names and details).
- Logged sets: for every working set you record — the exercise, date and time, weight lifted, reps completed, and your reported RPE (perceived effort).
- Workout sessions: when a session started and ended, its duration, and the session difficulty rating (1 easy – hard) you give at the end.
- Daily check-ins: your bodyweight, and 1–5 ratings for yesterday's nutrition, last night's sleep, how strong you feel, your readiness to train, and per-muscle soreness across 15 muscle groups.
- Derived values we compute from the above, such as estimated one-rep-max strength figures and recovery/training-load metrics. These are calculated from your own data only.
This is health-and-fitness data and we treat it as sensitive: it is used only to provide the app's features to you, it is visible only to you (there are no social or sharing features), and it is protected by the security measures below.
Data we do NOT collect
- No third-party analytics SDKs, no advertising identifiers, no ad tracking.
- No location data, contacts, photos, or microphone access.
- No data from other health platforms (e.g. Apple Health / Google Fit) — the app does not currently connect to them. If that changes, this policy will be updated first.
How we use your data
We use your data solely to provide the app:
- Run your account — sign you in, keep your data attached to you.
- Show you your own training — your program, workout history, progression charts, weekly training volume, and check-in trends.
- Compute your recovery and training-load metrics — the app's recovery model runs on our servers using your logged sets, check-ins, session difficulty, and session duration, and adjusts guidance (e.g. suggested weights) accordingly.
- Send you essential account emails — sign-up confirmation and similar account/security messages. We do not send marketing email. ⚠️FOUNDER — confirm this stays true, or add a marketing-email section with opt-in/out.
We do not use your data for advertising, we do not build profiles for third parties, and we do not sell or rent your data to anyone.
Where your data is stored (service providers)
We use a small number of infrastructure providers to run the app. They process data on our behalf under their own security and privacy commitments; none of them may use your data for their own purposes.
| Provider | What it does | Where |
|---|---|---|
| Supabase | Account authentication and our database (all data listed above) | ⚠️FOUNDER — region TBD: state the Supabase project region (EU/US) once chosen |
| Google Cloud (Cloud Run) | Hosts our API servers, which process your requests | us-east4 (Northern Virginia, USA) ⚠️FOUNDER — confirm final region at deploy time; keep in the same metro as the Supabase project per the architecture decision |
| Resend | Delivers account emails (e.g. the sign-up confirmation code) — processes your email address | ⚠️FOUNDER — confirm Resend remains the production email sender and its processing region |
⚠️FOUNDER — international transfers: once the Supabase region is fixed, add a sentence for EU/UK users about where their data is processed and the transfer mechanism (e.g. SCCs) if any of the above is outside their region. This matters if you have EU/UK users; get legal input here.
Data in transit is encrypted (HTTPS/TLS). Access to production systems is restricted to the operator.
Data stored on your device
The app works offline: workouts and check-ins you log without an internet connection are stored on your device and synced to our servers when you are back online. Your device also caches your program and recent data so the app loads quickly. This on-device data is the same data described above — it is not an extra category — and it is removed when you delete the app, sign out, or delete your account. ⚠️FOUNDER — verify sign-out actually clears the local queue/cache before publishing this sentence.
Deleting your account and your data
You can delete your account in two ways:
- In the app: Settings → Account → Delete account. (This feature is currently being built; it will be available at launch — both app stores require it.) ⚠️FOUNDER — do not publish until the in-app deletion flow actually ships; store reviewers check it.
- By email: send a deletion request from your account email address to support@zor.training (auto-filled from domain purchase — founder verify routing works). We will verify the request came from your address and process it within [30 days ⚠️FOUNDER — confirm timeline].
Deleting your account deletes your authentication record and all data linked to it — profile, programs, custom exercises, workout sessions, logged sets, check-ins, soreness ratings, and derived strength/recovery values. This is enforced at the database level (all your data is keyed to your account and is removed with it). Residual copies in encrypted database backups are purged on the provider's backup rotation schedule, within [X days ⚠️FOUNDER — confirm Supabase backup retention for the chosen plan].
See also the step-by-step instructions on our account deletion page.
Data retention
We keep your data for as long as your account exists, because the app's purpose is your long-term training history. We do not have time-based deletion of old training data — your history is the product. When you delete your account, everything goes with it (see above).
Your rights
Depending on where you live (e.g. GDPR in the EU/UK, CCPA in California), you may have rights to access, correct, export, or delete your personal data, and to complain to a supervisory authority. You can exercise access and deletion directly: the app shows you all your data, and account deletion is described above. For an export of your data, or any other request, email support@zor.training (auto-filled from domain purchase — founder verify routing works). ⚠️FOUNDER — legal review should tailor this section to the jurisdictions you actually launch in.
Children
Zor is not directed at children. You must be at least [16 ⚠️FOUNDER — confirm minimum age; align with the store age rating and, if launching in the EU, GDPR parental-consent ages] to create an account. We do not knowingly collect data from children below that age; if you believe a child has created an account, contact us and we will delete it.
Not medical advice
Zor provides fitness and training information only. It is not medical advice, and it is not a medical device. The app's recovery scores, training recommendations, and any other guidance are for general fitness purposes. Consult a qualified healthcare professional before starting a training program, and stop and seek medical advice if you experience pain, injury, or other symptoms. You are responsible for training within your own limits.
Changes to this policy
If we change what we collect or how we use it, we will update this policy and change the "Last updated" date before the change takes effect, and — for significant changes — tell you in the app. In particular, if the app ever starts sharing data with a new category of provider, this policy will be updated before that happens.
Contact
Questions about this policy or your data: support@zor.training (auto-filled from domain purchase — founder verify routing works) — see also our support page.