Privacy Policy

Last Updated: October 2, 2025

1. Information We Collect

1.1 Personal Data You Provide

When you use Body Journey, you may provide:

• Progress Photos: Front, side, and back view photos you capture using the in-app camera or import from your device
• Weight Data: Weight measurements in your preferred unit (kg or lbs) with optional notes
• Workout Information: Custom workout routines, exercises, sets, reps, and workout session data
• Health Data: If you choose to enable Health app integration, weight and workout data may be synced with Apple HealthKit (iOS) or Health Connect (Android)
• Dates and Timestamps: When photos are taken, weight is logged, or workouts are completed
• Categories and Notes: Optional information you add to organize your data

1.2 Automatically Collected Information

Based on your consent level, we may collect:

• Device Information: Device type, operating system version (only with consent)
• Usage Analytics: App crashes, performance metrics, and feature usage (via Firebase Analytics - only if you select "Essential", "Performance", or "Full Analytics" consent level)
• Crash Reports: Automatic crash data via Firebase Crashlytics (only if you select "Essential", "Performance", or "Full Analytics" consent level)
• App Tracking: On iOS, cross-app tracking is only enabled if you grant permission through App Tracking Transparency and enable it in privacy settings

2. How We Use Your Information

Your data is used to:

• Display your progress photos (front, side, back views) in organized timelines
• Show weight trends in interactive charts and graphs
• Track workout sessions and display workout frequency analytics
• Generate progress videos and slideshows from your photos
• Provide statistics and motivational insights about your fitness journey
• Send workout and photo reminders via local notifications (if enabled)
• Sync with Apple HealthKit or Health Connect (if you grant permission)
• Improve app performance and fix bugs (based on your analytics consent level)
• Secure your data with biometric authentication (Face ID, Touch ID, fingerprint) if enabled

3. Data Storage and Security

3.1 Local Storage

All your photos, weight data, and workout information are stored locally on your device using Hive encrypted database. We use Flutter Secure Storage and industry-standard encryption to protect your sensitive information. Your data remains on your device and is never uploaded to our servers.

3.2 Biometric Authentication

If you enable biometric authentication (Face ID, Touch ID, or fingerprint), this data is handled entirely by your device's operating system and secure enclave. Biometric data never leaves your device and is never transmitted to our servers or any third party.

3.3 Health Data Integration

If you enable Health app integration:

• iOS: Data is synced with Apple HealthKit using Apple's secure health data framework
• Android: Data is synced with Health Connect using Google's secure health data APIs

Health data permissions are requested separately and you can choose to sync weight data and/or workout data. This data is governed by Apple's HealthKit privacy policy or Google's Health Connect privacy policy.

4. Data Sharing and Disclosure

We do not sell, rent, or share your personal data with third parties, except:

• With Your Consent: When you choose to export and share content
• Service Providers: Firebase (Google) for analytics and crash reporting
• Legal Requirements: If required by law or to protect our rights

5. Privacy Consent Levels

Body Journey implements granular privacy controls with four consent levels:

• No Analytics: No data collection or analytics. All features work locally on your device.
• Essential Only: Only crash reports for app stability via Firebase Crashlytics. No usage analytics.
• Performance: Crash reports + usage patterns to improve app performance via Firebase Analytics.
• Full Analytics: Complete analytics including crash reports, usage patterns, and personalization data to enhance user experience.

You can change your privacy consent level at any time in Settings > Privacy & Data. On first launch, you'll be prompted to choose your preferred level. GDPR and CCPA rights are fully supported.

6. Third-Party Services

Body Journey uses the following third-party services (based on your consent and feature enablement):

• Firebase Analytics: To understand app usage and improve performance (only with Performance or Full Analytics consent)
• Firebase Crashlytics: To detect and fix crashes (only with Essential, Performance, or Full Analytics consent)
• Apple HealthKit: For optional health data sync (iOS only, requires explicit permission)
• Health Connect: For optional health data sync (Android only, requires explicit permission)
• App Tracking Transparency (iOS): For cross-app tracking (only if you grant iOS tracking permission and enable in settings)

These services have their own privacy policies. We encourage you to review them:

• Firebase Privacy Policy: firebase.google.com/support/privacy
• Apple Privacy Policy: apple.com/privacy

7. Your Rights and Choices

You have complete control over your data with the following rights:

• Access Your Data: View all photos, weight entries, and workout data stored in the app
• Delete Your Data: Delete individual photos, weight entries, workout sessions, or all data from within the app
• Export Your Data: Export your progress as videos, slideshows, or share individual photos and statistics
• Manage Privacy Consent: Change your analytics level (No Analytics, Essential, Performance, or Full) at any time in Settings > Privacy & Data
• Reset Consent: Reset all privacy settings to go through the data protection setup again
• Revoke All Consent: Disable all data collection and analytics with one tap
• Manage Health Sync: Enable or disable HealthKit/Health Connect integration independently
• Control App Tracking (iOS): Manage cross-app tracking consent in privacy settings
• Disable Notifications: Turn off workout and photo reminders in app settings or device settings
• Enable Biometric Lock: Add Face ID, Touch ID, or fingerprint protection to secure the app

8. Children's Privacy

Body Journey is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected such information, please contact us to have it removed.

9. International Data Transfers

Your data is primarily stored on your device. If you enable analytics, data may be processed by Firebase (Google) servers in accordance with Firebase's data processing locations. These transfers are protected by appropriate safeguards including encryption and compliance with GDPR, CCPA, and other data protection regulations.

10. Data Retention

We retain your data according to the following policies:

• Local Data: Photos, weight entries, and workout data are retained on your device until you manually delete them
• Analytics Data: Firebase Analytics retains data for 14 months, after which it is automatically deleted
• Crash Reports: Firebase Crashlytics retains crash data for 90 days

You can delete all your data at any time from Settings within the app. Deleting the app will remove all local data from your device.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the new Privacy Policy on this website and in the app
• Updating the "Last Updated" date at the top of this policy
• Requesting renewed consent if required by applicable law (e.g., GDPR, CCPA)

Your continued use of the app after changes constitutes acceptance of the updated policy. If you do not agree with changes, you can revoke consent in Settings > Privacy & Data or delete the app.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at:

13. Additional Information for California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: Request what personal information we collect, use, disclose, and sell
• Right to Delete: Request deletion of your personal information (available in app settings)
• Right to Opt-Out: We do not sell your personal information, but you can opt out of analytics at any time
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• Right to Correct: Request correction of inaccurate personal information
• Right to Limit: Limit the use of sensitive personal information (managed via consent levels in the app)

Categories of Personal Information Collected:

• Visual information (progress photos)
• Physical characteristics (weight data)
• Activity information (workout sessions)
• Device identifiers (for analytics, only with consent)
• Usage data (for analytics, only with consent)

We do not sell or share your personal information for cross-context behavioral advertising.

14. Additional Information for European Users (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

• Right to Access: Request a copy of your personal data (export feature in app)
• Right to Rectification: Correct inaccurate data (edit features in app)
• Right to Erasure: Delete your data ("right to be forgotten" - available in app settings)
• Right to Restrict Processing: Limit how we process your data (consent levels)
• Right to Data Portability: Receive your data in a structured format (export feature)
• Right to Object: Object to processing (revoke consent in settings)
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing
• Right to Lodge a Complaint: File a complaint with your local data protection authority

Legal Basis for Processing:

• Consent: Analytics and crash reporting (GDPR Article 6(1)(a))
• Contract Performance: Core app functionality to provide fitness tracking services (GDPR Article 6(1)(b))
• Legitimate Interest: App security and fraud prevention (GDPR Article 6(1)(f))

To exercise these rights, please contact us using the information provided above or manage settings directly in the app.

15. Security Measures

We implement industry-standard security measures to protect your data:

• Encryption at Rest: All local data is stored in encrypted Hive databases using Flutter Secure Storage
• Encryption in Transit: Firebase communications use TLS/SSL encryption
• Biometric Protection: Optional Face ID, Touch ID, or fingerprint authentication to lock the app
• Secure Enclave: Biometric data is processed in your device's secure enclave and never leaves your device
• No Server Storage: We do not operate servers that store your photos, weight data, or workout information
• Permission-Based Access: Camera, photo library, and health data access require explicit user permission

While we implement strong security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to protecting your data using industry best practices.