Privacy Policy
1. Who runs Grit
Grit is built and operated by Jacob Sprake (Milan, Italy), acting as data controller under the EU GDPR. Contact: jacob@sprake.co.
2. What we collect
If you don't sign in
Grit works fully offline. Your workouts, body measurements, progress photos, and PRs are stored on your device only. Nothing leaves your phone.
If you create an account
To enable Social, Buddy Sync, and cloud backup, we collect:
- Account data: email address, display name, username. If you sign in with Apple and choose "Hide My Email", we only receive Apple's private relay address.
- Workout data: completed sessions, sets, reps, weights, RPE, exercise notes.
- Body data: weight, body fat %, circumference measurements, progress photos you choose to upload.
- Social data: workout posts you publish, comments and likes you create, buddy connections you accept, blocks and reports you submit.
What we do not collect
- Tracking identifiers across other apps or websites.
- Advertising IDs.
- Location.
- Contacts.
- Browsing or in-app behaviour for analytics.
3. Apple Health
If you grant Grit access to Apple Health, the app reads body weight, body fat %, steps, active calories, exercise minutes, heart rate, sleep, and water intake, and writes back completed workouts, body weight updates, and active calories. Apple Health data is processed on your device. We never transmit your raw HealthKit data to our backend.
4. Where data is stored
Cloud data is stored with our backend provider, Supabase (servers in the EU). Storage and transit are encrypted. Access is gated by row-level security so only you can read or modify your records, except for content you publish to the social feed, which is visible to other Grit users according to your visibility setting.
5. How long we keep data
For as long as your account is active. When you delete your account, your auth user, profile, workouts, posts, comments, likes, body measurements, PRs, buddy connections, blocks, and progress photos are removed within 30 days. Aggregate, fully anonymous metrics (e.g. total app installs) may be retained.
6. Your rights
Under the GDPR you have the right to:
- Access a copy of your data — email jacob@sprake.co.
- Correct inaccurate data — most fields are editable in-app.
- Delete your account and all associated data — Settings → Account → Delete Account, or by emailing us.
- Port your data — CSV export of workouts is available in-app; full export by request.
- Restrict or object to processing.
- Lodge a complaint with your local data protection authority (in Italy, the Garante per la protezione dei dati personali).
7. Children
Grit is not directed to children under 13. The social features require account creation and are intended for users 17 and older. We do not knowingly collect data from children under 13.
8. Sharing with third parties
The only third parties that process your data are infrastructure providers acting under our instructions:
- Supabase Inc. — backend hosting and authentication.
- Apple Inc. — Sign in with Apple, App Store distribution, push delivery (none currently used).
We do not sell, rent, or share your personal data for advertising or marketing purposes.
9. Security
Tokens are stored in your device Keychain. Network requests are TLS-only with certificate pinning. Reports of suspected vulnerabilities can be sent to jacob@sprake.co.
10. Changes to this policy
We'll update this page with a new effective date and surface a notice in-app for material changes. Continued use after a change constitutes acceptance.
11. Contact
Questions or requests: jacob@sprake.co.