KOVA Privacy Policy
Effective date: 2026-05-27
Last updated: 2026-05-27
Plain-language summary (not part of the legal policy): KOVA stores your workout, nutrition, and account data on Supabase servers. If you choose to connect Apple Health, KOVA reads a few daily metrics (steps, resting heart rate, HRV, sleep, active energy) to estimate your recovery, and writes your workouts and bodyweight back to Apple Health — this is off until you turn it on. We use Apple Sign-In, Google Sign-In, and OpenAI for AI features such as food photo analysis and coach chat. We don't sell your data, we never use Apple Health data for advertising, and we don't run ad tracking. You can export or delete your account anytime.
KOVA ("KOVA", "we", "us") provides the KOVA fitness application and related services (the "Service"). This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over your data.
This policy is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act / CPRA (CCPA), Apple App Store Privacy Nutrition Labels + iOS Privacy Manifest, and Google Play Data Safety.
1. Data controller
The data controller for personal data processed through the Service is:
KOVA
Email: kopnickydavid@gmail.com
If you have any privacy question, complaint, or wish to exercise your rights, contact us at the email above.
2. What data we collect
2.1 Data you provide to us
| Category | Examples |
|---|---|
| Account identifiers | Email address, username, display name, password (stored hashed by Supabase Auth or via Apple/Google Sign-In) |
| Profile data | Bio, city, avatar image, locale, units (metric/imperial), training goal, training experience, weekly training frequency, training weekdays, height, weight, sex, date of birth |
| Health & fitness data | Workout sessions, exercises performed, sets, reps, weights, rest times, cardio sessions, body measurements (weight, body fat, waist, etc.), progress photos, supplement intake, water intake |
| Apple Health data (optional, iOS only) | If you connect Apple Health, we read daily steps, resting heart rate, heart-rate variability (HRV), active energy, and sleep duration to estimate recovery, and we write your completed workouts and bodyweight to Apple Health. Off unless you enable it in Settings → Connect Apple Health. See §13. |
| Nutrition data | Meal entries, foods logged, custom recipes, macro/calorie targets, dietary preferences, AI food-scan photos, scanned nutrition labels, barcode submissions |
| Social content | Posts, comments, likes, reactions, follows, direct messages, social profile fields you mark public |
| Coaching data (if you use the coaching feature) | Athlete/coach relationships, coaching notes, programs, comments, coach-chat messages |
| Support data | Tickets you submit through Settings → Help & support, including subject, message, app version, OS, device model, locale |
| Contacts (optional) | If you grant Contacts permission to invite friends, we match phone numbers/emails locally and never store the underlying contact list on our servers |
2.2 Data collected automatically
| Category | Examples | Notes |
|---|---|---|
| Device & app info | App version, build number, OS and version, device model, language preference, time zone | Used for support, debugging, error reports |
| Diagnostics | Crash and error reports, including stack traces, the in-app route at time of error, and an error fingerprint | Generated by our in-house crash reporter (no Sentry, no third-party SDK) |
| Usage analytics | Screen views, taps on key features (workout started/completed, meal logged, food scanned), counts and timings — written to your own user record | Only if you opt in via the in-app consent prompt; can be revoked anytime in Settings → Analytics |
| AI usage events | Counters of how many AI scans you used (for quota enforcement on the free tier) | Stored per-user; not shared |
| Network identifiers | IP address (transiently observed by Supabase/Edge functions for security and rate-limiting) | Not stored long-term tied to your profile |
We do not use device advertising identifiers (IDFA/AAID). We do not track you across other apps or websites — App Tracking Transparency (ATT) is not requested because no tracking occurs.
2.3 What we do not collect
- We do not access Apple Health unless you explicitly connect it (see §13) — it is off by default, and we only read the specific metrics listed there.
- We do not access Google Fit or Android Health Connect.
- We do not collect precise location (GPS).
- We do not collect biometric identifiers (no FaceID/TouchID telemetry beyond the OS handling the unlock).
- We do not collect contact lists on our servers.
- We do not collect data from children under the digital-consent age in your jurisdiction.
3. Legal bases for processing (GDPR / UK GDPR)
For users in the EU/EEA, UK, and Switzerland, we process personal data on the following legal bases:
| Processing purpose | Legal basis |
|---|---|
| Creating and operating your account | Contract (Art. 6(1)(b)) |
| Storing your workouts, nutrition, profile | Contract |
| Subscription billing (Apple/Google/RevenueCat receipts) | Contract + Legal obligation (tax/accounting) |
| Health, fitness, and body-composition data | Explicit consent (Art. 9(2)(a)) — you provide this when you log workouts/meals/measurements |
| Apple Health metrics (steps, heart rate, HRV, sleep, energy) | Explicit consent (Art. 9(2)(a)) — granted when you connect Apple Health; withdrawable anytime |
| Crash & error reports | Legitimate interest (Art. 6(1)(f)) — keeping the App stable |
| In-app analytics events | Consent (Art. 6(1)(a)) — opt-in via the consent modal |
| AI food-scan / coach chat / AI features | Contract + Consent for sending content to AI providers |
| Support tickets | Contract + Legitimate interest |
| Fraud / abuse prevention, security | Legitimate interest |
| Marketing emails (if you opt in) | Consent, withdrawable at any time |
| Compliance with legal requests | Legal obligation |
You may withdraw any consent at any time without affecting the lawfulness of prior processing.
4. How we use your data
We use personal data to:
- Operate the Service: store your workouts, meals, photos, social activity, coaching data;
- Sync data across your devices;
- Provide AI-powered features (food photo analysis, coach chat, plateau detection, routine generation, recipe macros, meal suggestions, weekly recap, supplement recommendations, food substitution, deload suggestions);
- Process subscriptions and entitlements via Apple/Google/RevenueCat;
- Send transactional notifications (workout reminders you enabled, daily streaks, coach replies);
- Provide support and answer your tickets;
- Detect and prevent abuse, fraud, and security incidents;
- Maintain stability through crash and error reports;
- Improve the Service through aggregated, non-identifying analytics (if you consent);
- Comply with legal obligations.
We do not use your personal data for advertising or sell it to third parties.
5. Who we share data with
We only share personal data with third parties that act as our data processors under written agreements, or where required by law.
| Recipient | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Backend hosting, database, authentication, file storage, edge functions | EU (Frankfurt) primary region |
| Apple Inc. | App Store subscriptions, Apple Sign-In, push notifications (APNs), Live Activities | EU/global Apple infrastructure |
| Google LLC | Google Sign-In, Firebase Cloud Messaging for Android push | EU/US |
| OpenAI, L.L.C. | AI features — food photo analysis, coach chat, routine generation, plateau detection, recipe macros, meal suggestions, weekly recap, supplement recommendations, food substitution, deload suggestions | US |
| RevenueCat, Inc. | Subscription receipt validation, entitlement management, paywall analytics | US |
| Open Food Facts | Reading product data from the public food catalog (we send a barcode; we do not transmit personal data) | EU |
| Vercel / GitHub Pages | Hosting of legal and marketing pages (no personal data) | US |
We may also share data:
- With other users — your social-feed posts, public profile fields, coach/athlete data, and direct messages are visible to the people you share them with by design.
- To enforce our Terms — when reasonably necessary to investigate or address violations.
- For legal reasons — to comply with valid legal process (court order, subpoena), enforce our rights, or protect the safety of users or the public.
- In a corporate transaction — if KOVA is acquired or merged, your data may transfer to the new entity, subject to this Policy and applicable law.
We do not sell your personal data and do not "share" it for cross-context behavioral advertising under the CCPA/CPRA.
6. International data transfers
Personal data may be transferred to and processed in countries outside your country of residence, including the United States. Where we transfer data outside the EU/EEA or UK, we rely on:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with our processors, or
- the EU–US Data Privacy Framework for participating US processors, or
- another lawful transfer mechanism under GDPR Chapter V.
Copies of the relevant safeguards are available on request at kopnickydavid@gmail.com.
7. How long we keep data
| Data | Retention |
|---|---|
| Account profile | While your account is active |
| Workout, nutrition, measurement history | While your account is active |
| Progress photos | While your account is active or until you delete them |
| Apple Health daily metrics cache | While your account is active and Apple Health stays connected; removed when you disconnect Apple Health or delete your account |
| Direct messages | Until you or the other party deletes them, or your account is deleted |
| Social posts | Until you delete them or your account is deleted |
| Subscription records | While your account is active + up to 10 years thereafter for tax/accounting (Slovak law) |
| Support tickets | Up to 3 years after resolution |
| Crash & error reports | Up to 90 days |
| Analytics events | Up to 24 months |
| Account-deletion audit log | Up to 7 years for fraud and abuse prevention (user_id + timestamp only) |
| Backups | Encrypted backups may retain copies for up to 30 days beyond active deletion |
After deletion, residual copies may persist in backups for the period above and will be purged on schedule. Some data may also be retained in anonymized or aggregated form indefinitely.
8. Your rights
Subject to applicable law, you have the following rights:
| Right | What it means | How to use it |
|---|---|---|
| Access | A copy of the personal data we hold about you | Request via Settings → Help & support, or email kopnickydavid@gmail.com |
| Rectification | Correct inaccurate or incomplete data | Most fields are editable in the App; otherwise email us |
| Erasure ("right to be forgotten") | Delete your account and personal data | Settings → Account → Delete Account |
| Restriction | Limit how we process your data | Email us |
| Portability | Receive your data in a structured, machine-readable format | Email us — we provide JSON export |
| Objection | Object to processing based on legitimate interests | Email us |
| Withdraw consent | Stop analytics or any consent-based processing | Settings → Analytics; or email us |
| Lodge a complaint | Complain to a supervisory authority | Slovak Office for Personal Data Protection (Úrad na ochranu osobných údajov SR), or your local EU/EEA authority |
| CCPA/CPRA (California residents) | Know, delete, correct, opt out of sale/share, limit use of sensitive data, non-discrimination | We do not sell or share data, but you can still exercise know/delete/correct rights by emailing kopnickydavid@gmail.com |
| Automated decision-making | We do not make decisions producing legal or similarly significant effects about you using solely automated processing | — |
We respond to verifiable requests within 30 days (EU) or 45 days (CCPA), with possible extension where allowed by law. We do not charge for these requests unless they are manifestly unfounded or excessive.
9. Security
We use industry-standard measures to protect your data:
- TLS 1.2+ encryption in transit;
- AES-256 encryption at rest (Supabase managed Postgres + Storage);
- Row-Level Security (RLS) policies on every user-data table, keyed to your authenticated user ID;
- Server-side admin role checks on all administrative RPCs;
- Hashed passwords (Supabase Auth uses bcrypt by default);
- Secrets stored in the iOS Keychain / Android Keystore via expo-secure-store;
- Image EXIF (including GPS) stripped before upload;
- Rate limiting and abuse detection on AI features;
- In-house crash reporting on a separate access-controlled table;
- Principle of least privilege for staff access.
No system is perfectly secure. If you discover a vulnerability, please contact kopnickydavid@gmail.com.
10. Children
The Service is not directed to children under the digital-consent age in your jurisdiction (typically 13–16 in the EU, 13 in the US). We do not knowingly collect personal data from children below that age. If you believe a child has provided us data, contact us and we will delete it.
11. Cookies and similar technologies
The mobile App does not use browser cookies. It uses:
- AsyncStorage / MMKV for preferences and React Query cache;
- Secure storage for sensitive tokens;
- SQLite (Drizzle) for offline data;
- App Group container for sharing data with iOS widgets and Live Activities.
These are first-party local storage mechanisms and not used for cross-app or cross-site tracking.
12. AI features — additional notes
When you use AI features:
- The relevant input (e.g. a food photo for AI scan, your message for coach chat, your routine constraints) is sent to OpenAI via our Edge Functions.
- We send only what's needed for the feature. Photos are compressed and EXIF is stripped client-side before upload.
- OpenAI processes the request under its API terms and Enterprise Privacy commitments. As stated in OpenAI's API data usage policy, OpenAI does not use API inputs or outputs to train its foundational models unless the account explicitly opts in — KOVA does not opt in.
- Outputs are stored only in your own account data and (where applicable) anonymized counters for quota enforcement.
- API requests may be retained by OpenAI for up to 30 days for trust & safety / abuse-monitoring purposes, after which they are deleted, in line with OpenAI's standard API retention policy. Zero-Data-Retention (ZDR) may be negotiated separately.
13. Apple Health (HealthKit)
KOVA integrates with Apple Health on iOS. This integration is optional and off by default — it activates only after you turn on Connect Apple Health in Settings and grant permission in the iOS Health permission sheet. It is not available on Android or the web.
Data we read from Apple Health (only the specific types you authorize):
- Step count
- Resting heart rate
- Heart-rate variability (HRV, SDNN)
- Active energy burned
- Sleep analysis (sleep duration)
We use these to estimate your daily recovery / readiness score and to personalize training and rest-day suggestions.
Data we write to Apple Health:
- Completed workouts (as workout samples)
- Bodyweight (body mass)
Where Apple Health data goes. So your recovery score stays consistent across your devices, a small daily summary of the metrics above (date, steps, resting heart rate, HRV, sleep hours, active energy) is cached on our Supabase backend in a row tied to your account and protected by Row-Level Security. Apple Health data is processed only to provide these health and fitness features.
Apple Health restrictions we follow. In line with Apple's requirements, we never use Apple Health data for advertising or marketing, never sell it, never share it with third parties for advertising or data-mining, and never use it for any purpose other than the health and fitness features described above.
Turning it off. You can disconnect at any time in Settings → Connect Apple Health, or in iOS Settings → Privacy & Security → Health → KOVA. Disconnecting stops all reads and writes; the cached daily summary is removed when you disconnect or delete your account.
14. Changes to this Policy
We may update this Privacy Policy. Material changes will be announced through the App or by email at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent change. Continued use after the effective date constitutes acceptance.
15. Contact
Email (privacy, legal, security): kopnickydavid@gmail.com
In-app support: Settings → Help & support
Supervisory authority (Slovakia):
Úrad na ochranu osobných údajov Slovenskej republiky
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
https://dataprotection.gov.sk
See also: Terms of Service.