Privacy Policy

What we collect

• Account: your email (from Google, Microsoft, or magic link).
• Body profile: sex, age, height, weight, activity level — optional, entered during onboarding.
• Training data: workouts you log (exercises, sets, reps, weight, RPE, notes, felt energy).
• Nutrition data: meals you log (name, calories, macros, timestamps) and the photos you snap.
• Body measurements: weight, waist, chest, arms, hips, thighs, body fat % when you log them.
• Progress photos: before/after shots stored privately in Supabase Storage.
• Whoop data (if you connect Whoop): recovery score, HRV, sleep hours, sleep performance, strain — pulled via Whoop OAuth.
• Push subscription: if you enable notifications, we store the browser-provided push endpoint + keys so we can send you pushes.
• Device info: user agent string of devices that subscribe to push.

How we use it

• Log your training + nutrition and show it back to you in the app.
• Compute your macro targets from body stats via Mifflin-St Jeor.
• Generate your training prescription (recovery + feedback + program).
• Send a coaching brief via Claude (Anthropic) using your 7-day summary.
• Estimate macros from your meal photos via Claude vision.
• Send morning/lunch/weekly/monthly/PR push notifications.

We don't sell your data. We don't share it with advertisers. We don't use it to train models.

Who we share it with (third parties)

• Supabase — hosts our database, auth, and private file storage. Your data lives here.
• Vercel — hosts the website and runs our serverless functions.
• Anthropic (Claude) — when you use the camera macro estimator, voice parsing, weekly coach, or AI program generator, the relevant data (meal photo, transcript, or week-summary JSON) is sent to Claude to produce the response. Anthropic's data-use policy applies.
• Google / Microsoft — if you sign in via OAuth, we receive your email address from them.
• Whoop — if you connect Whoop, we use their API to read the recovery/HRV/sleep data listed above.
• Push notification providers (Apple, Google, Mozilla) — receive an encrypted payload when we send you a push.

That's the full list. No analytics, no tracking pixels, no data brokers.

Whoop data, specifically

Your Whoop access token is stored encrypted at rest in our Supabase database. We pull your recovery, HRV, resting heart rate, sleep, and strain on demand — not on a polling schedule. You can disconnect Whoop at any time from Settings, which deletes the stored token.

How long we keep it

Your data stays in the database as long as your account is active. Delete your account (email pedro@omnify.me) and we erase everything — workouts, food logs, photos, Whoop tokens, push subscriptions. Within 30 days, gone.

Your rights

• Export: email us and we'll send you a JSON dump of your data.
• Correct: you can edit everything in-app. If you can't, email us.
• Delete: full wipe on request, no questions.
• Disconnect integrations (Whoop, push notifications) any time from Settings.

Security

Authenticated access only. Supabase Row-Level Security ensures users can only read their own rows. Progress photos live in a private bucket scoped to the user's UUID — no other user can see them. Passwords? We don't have any — auth is via OAuth or magic link.

Kids

Omnify is for adults who lift seriously. Don't create an account if you're under 16.

Changes

We'll update this page and bump the date above when policy changes. Material changes get an in-app or email notice.

Contact

pedro@omnify.me — I read every email.