Privacy Policy
Last updated: August 30, 2025
At Musclefy we protect the privacy of three primary user groups: self‑directed individuals, professional coaches, and small / boutique gym teams. This policy explains what we collect right now, what is planned but NOT YET available (clearly marked), why we collect the data we do, and the controls you have.
1. Information We Collect
What data we gather and how we obtain it
Personal & Account
- Name & email (required for account)
- Password hash (bcrypt — we never store the raw password)
- Email verification status & timestamp
- Profile image (optional)
Training Data
- Trainings & items (exercise references, ordering, days)
- Exercise execution sets (load, reps, speed, notes)
- Scheduling metadata (days of week, created timestamps)
- Progress indicators (counts, summaries)
Analytics (Optional)
- We may collect aggregated usage metrics via Vercel Analytics only after consent
- No device fingerprinting or granular behavioral profiling
- No third‑party marketing trackers
- Consent can be changed anytime on the Cookies page
We only collect the data needed to deliver core training features and optional aggregated usage metrics (with consent).
2. How We Use Your Data
The purposes for which we process your information
✅ Service Provision
- Create and manage your account
- Provide training management features
- Enable client progress tracking
🔄 Service Improvement
- Enhance application performance
- Develop new features
- Fix bugs and issues
- Optimize user experience
We do not sell your personal data to third parties
3. Data Protection & Security
Current safeguards (no exaggerated promises)
Password Hashing
Passwords hashed with bcrypt (never stored in plain text)
Transport Security
All traffic intended to be served over HTTPS (encryption in transit)
Token Hardening
Email & reset tokens stored as hashes (after schema migration)
Infrastructure / database “encryption at rest” depends on the hosting provider configuration. We do not yet perform field‑level encryption of training notes or execution metrics. Fine‑grained role enforcement and formal security audits are planned but not fully implemented today.
4. Cookies
Essential vs optional
We use a minimal set of cookies:
- musclefy_cookie_consent – stores your consent choice (accepted / rejected); duration: 12 months; purpose: remember analytics preference.
- NextAuth session cookies – essential for authentication; duration: session / configured max age; purpose: keep you signed in.
- Optional analytics – Vercel Analytics may set its own lightweight cookie(s) only after you accept.
You can change or revoke analytics consent anytime on the Cookies page or by clearing the consent cookie.
5. Your Privacy Rights
Access & Control
- View and update your personal information
- Export your data (planned – not yet available)
- Delete your account & data (planned – not yet available)
- Opt-out of optional analytics (via cookie consent)
Data Requests
To exercise your privacy rights, contact us at musclefy@tiagoas.dev.br
We respond to legitimate requests within 30 days. Until self‑service export & deletion ship, requests will be processed manually.
Data Retention: We retain account & training data until you request deletion or the account has been inactive for 12 consecutive months (then scheduled for removal – planned policy).
6. Contact Information
Privacy Questions
For any privacy-related questions or concerns, contact our Data Protection Officer:
musclefy@tiagoas.dev.br
Legal Inquiries
For formal legal requests or data protection authority communications:
musclefy@tiagoas.dev.br
Policy Changes
We may update this Privacy Policy periodically. We will notify you of significant changes by posting a notice within the application or sending you an email. Your continued use of Musclefy after any changes constitutes acceptance of the updated policy.