Privacy Policy

Effective Date: February 1, 2026
Last Updated: April 15, 2026

Slate Fitness ("Slate," "we," "us," or "our") operates the Slate mobile application (the "App"). This Privacy Policy describes how we collect, use, disclose, and protect your information when you use the App. By accessing or using the App, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the App.

We encourage you to read this Privacy Policy carefully and contact us at support@slatefitness.app if you have any questions.


1. Information We Collect

We collect information in several ways depending on how you interact with the App. We categorize the data we collect as follows:

1.1 Account Information

When you create an account, we collect:

  • Email address — provided during registration or obtained through Apple Sign-In or Google Sign-In.
  • Display name — provided by you during onboarding.
  • Authentication credentials — managed securely through our authentication provider (Supabase) or through third-party sign-in services (Apple, Google). We do not store your password in plaintext.

1.2 Workout and Fitness Data

When you use the App to track workouts, we collect:

  • Exercise names, sets, repetitions, weight, duration, distance, and other performance metrics.
  • Workout notes and tags.
  • Training program selections and progress.
  • Exercise preferences, including favorites and usage frequency.
  • Rest timer settings and workout duration.

1.3 Body and Biometric Data

Slate collects basic body and biometric data in two places:

Collected during onboarding (required to complete sign-up). When you create a Slate account, the onboarding flow asks for the following. Each field is pre-filled with a default value, and you must walk through each screen to finish setup:

  • Biological sex (male or female — used for physiologically calibrated workout defaults).
  • Date of birth (used to calculate age).
  • Body weight (pounds or kilograms).

You can change any of these values later in the App's Settings.

Collected optionally after sign-up. You may later choose to record additional body stats inside the App, including:

  • Updated body weight entries (a history log).
  • Body measurements (e.g., chest, waist, arms, hips).
  • Body fat percentage (user-entered).

This data is used to provide you with analytics and progress tracking within the App and — if you choose to use them — to personalize AI-generated workout and program suggestions (see Section 1.6). You can delete this data at any time through the App or by deleting your account.

1.4 Health Data (Apple HealthKit)

With your explicit permission, the App may read from and write to Apple HealthKit. Specifically:

  • Data we write to HealthKit: Workout samples (activity type, start time, end time, duration), active energy burned (estimated calories), and body weight.
  • Data we read from HealthKit: Body weight (most recent entry, used to keep your in-app weight log in sync with other apps and smart scales).

HealthKit integration is optional. You are prompted to grant access on first launch and can enable or disable it at any time in the App's settings. Body weight imported from HealthKit is added to your in-app weight log and synced to our cloud servers as part of your normal account data, subject to the same protections described in this Privacy Policy. Workout data written to HealthKit stays in your personal Apple Health database on your device.

Important: Data obtained from HealthKit is used solely to provide health and fitness features within the App. We do not use HealthKit data for advertising, marketing, or sale to third parties. We do not use HealthKit data to build user profiles, serve advertisements, or for any purpose other than providing health and fitness features directly to you. These restrictions on HealthKit data use continue to apply even if you stop using the App.

1.5 Voice Data

The App offers voice-to-text exercise entry powered by Apple Speech Recognition. Speech-to-text conversion occurs entirely on your device. Raw audio recordings are never transmitted to our servers or to any third party.

Transcript transmission. The text output from on-device speech recognition is sent to our servers for the purpose of matching your spoken input to an exercise in our database. When our on-device and server-side matching logic cannot confidently identify the exercise on its own, the transcript is forwarded to a third-party AI service (xAI / Grok) which returns a best-match suggestion. xAI acts as our data processor for this purpose. xAI receives only the transcript, the candidate exercise list, and limited context (such as exercises planned for your current session); it does not receive your name, email address, account identifier, or authentication token. xAI's retention and use of transmitted content are governed by xAI's own terms — see Section 1.6 and x.ai/legal/privacy-policy for details.

Transcript storage. We store voice transcripts in our database, linked to your account, in the following circumstances:

  • LLM fallback — whenever the transcript is forwarded to xAI because on-device matching was not confident enough.
  • Match correction — when you swap a suggested match for a different exercise, reject a suggested match, or tap "Wrong match?" to report an incorrect result.

Each stored record contains the transcript, the parsed exercise name, the suggested match, any correction you made, a confidence score, the action taken, a timestamp, and your user identifier. We use these records solely to diagnose failing transcripts, improve our speech normalization and matching pipeline, and identify exercises that are frequently misrecognized. These records are visible to our internal operations staff through an administrative dashboard.

Retention. Voice match records are retained for as long as your account exists. When you delete your account (see Section 5.3), all voice match records associated with your account are automatically deleted.

What is not stored. Voice commands that are matched confidently on-device, without any LLM fallback or user correction, are processed in memory and are not written to our database. Operational logs maintained by our hosting provider (Cloudflare Workers) may briefly contain transcript text for debugging purposes; these logs are short-lived and are not used for any purpose other than operational monitoring.

1.6 AI-Generated Content Data

When you use AI workout generation features, the App sends the following information to our servers, which is then forwarded to a third-party AI service (xAI / Grok) to generate workout and program suggestions:

  • Workout parameters — muscle groups, workout duration, intensity preferences, priority muscles, and any custom instructions you provide.
  • Fitness profile — your experience level, fitness goal, available equipment, preferred units, biological sex, and body weight. Biological sex and body weight are collected during onboarding (see Section 1.3) and are therefore present in AI requests in nearly all cases. Experience level, fitness goal, and equipment are collected only if you choose the "personalize" path during onboarding (or later edit these preferences in Settings); if you skip personalization, these fields use default values and are sent to xAI as defaults rather than user-specific values.
  • Performance context (single workouts only). For single-workout generation, the request also includes a compact summary derived from your recent training: estimated per-muscle-group strain over the past several days, up to 20 personal records (exercise identifier, weight, reps) for exercises in the candidate pool, and the identifiers of exercises you have performed in the past 14 days. This context helps the AI avoid overworking a fatigued muscle group and vary exercise selection. Performance context is not sent when you generate a multi-week training program.
  • Injury and limitation information — the injury areas you have selected and any free-text injury notes you have entered. Because injury information is health data, we treat it as special-category data under GDPR Article 9 and only send it to the AI service after you give explicit, informed consent through an in-app prompt (see Section 1.11).

We do not send directly identifying information to the AI service. The request contains no name, email address, account identifier, device identifier, or authentication token. xAI receives only the fitness inputs described above.

Our own servers do not persistently log the body of these AI generation requests. We do store aggregate, non-identifying metadata (token counts, muscle groups requested, exercise pool sizes) for operational and quality monitoring purposes.

xAI's role. xAI acts as our data processor for the purpose of generating workout and program suggestions. We are the data controller; xAI processes the inputs on our instructions.

xAI retention and use. We currently use xAI's standard API tier. Once a request leaves our servers, it is processed by xAI according to xAI's own terms and privacy policy. On the standard API tier, xAI may retain API request and response content for a limited window (typically on the order of 30 days) for abuse monitoring, safety review, and service improvement. "Service improvement" as used in xAI's terms may include the use of API content to improve xAI's models; you should review xAI's current policy for the authoritative scope. We do not control xAI's retention or use of content once it has been transmitted. You can review xAI's policy at x.ai/legal/privacy-policy before deciding whether to use AI features. If you do not wish to share injury information with xAI, do not add injuries in the App, or remove them (which withdraws your consent for future AI requests — see Section 5.4). Note that removal does not retrieve copies already transmitted and retained by xAI under xAI's own terms.

1.7 User-Generated Content

The App may allow you to create and share content, including:

  • Workout share cards (image summaries of workouts shared to social media).
  • Progress photos attached to workouts (stored in your account).
  • Social posts, comments, likes, and profile information (when social features are available).

1.8 Subscription and Transaction Data

We use RevenueCat to manage subscriptions. We collect:

  • Subscription status (free or Pro tier).
  • Subscription type (monthly, annual, or lifetime).
  • Transaction identifiers provided by the App Store or Google Play.

We do not directly collect or store your payment card information. All payment processing is handled by Apple (App Store), Google (Google Play), and RevenueCat.

1.9 Device and Technical Data

We may collect:

  • Device type, operating system version, and app version.
  • Crash reports and diagnostic data (via Sentry — see Section 3.1).

We do not collect precise geolocation data. We do not access your contacts or phone call logs.

1.10 Push Notification Tokens

If you opt in to push notifications, we collect your device push notification token to send you workout reminders, social activity notifications, and other service-related communications.

1.11 Injury and Limitation Information

If you choose to enter injury or limitation information — for example, flagging injured body regions on the in-app body map or writing free-text notes about physical limitations — we collect and store this information on our servers as part of your fitness profile. This data is used solely to adapt AI-generated workout and program suggestions so that they avoid exercises likely to aggravate the areas you have flagged.

Injury information is health data. Under GDPR Article 9, health data is a "special category" of personal data that requires additional safeguards. We process this data only on the basis of your explicit consent, which we obtain through an in-app prompt the first time you add an injury region. The prompt tells you which third party receives the data (xAI) and what else is included in the request (your fitness profile). You may remove injury information at any time in the App; doing so prevents it from being included in any future AI requests, but does not retrieve copies of information that have already been transmitted to xAI and processed under xAI's own terms (see Section 1.6).

You are never required to enter injury information to use the App.

Consent record. When you grant consent via the in-app prompt, we store a consent record — consisting of a consent version identifier and the date and time of acceptance — as part of your fitness profile on our servers. This record allows us to demonstrate the lawfulness of processing under Article 7(1) GDPR and is deleted along with the rest of your fitness profile when you delete your account.


2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service. To operate, maintain, and improve the App, including workout tracking, analytics, training programs, cloud sync, and AI-powered features.
  • Account Management. To create and manage your account, authenticate your identity, and maintain your preferences.
  • Personalization. To customize your experience, including exercise suggestions, workout analytics, and AI-generated recommendations.
  • Injury-Aware Exercise Adaptation. To adapt AI-generated workouts and programs so they avoid exercises likely to aggravate areas you have flagged. This use is based on your explicit consent and applies only if you choose to enter injury information (see Sections 1.11 and 6).
  • Sync and Backup. To synchronize your data across devices and provide offline-first functionality with cloud backup.
  • Communication. To send you service-related communications, including push notifications (with your consent), account security alerts, and responses to your support inquiries.
  • Analytics and Improvement. To understand how users interact with the App, diagnose technical issues, and improve our features and user experience.
  • Safety and Compliance. To detect and prevent fraud, enforce our Terms of Service, and comply with legal obligations.

We do not use your data for third-party advertising, and we do not sell your personal information to any third party.


3. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We may share your information only in the following limited circumstances:

3.1 Third-Party Service Providers

We use the following third-party services (sub-processors) to operate the App:

| Service | Location | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|---|
| Supabase | United States | Database, authentication, file storage | Account data, workout data, body stats, fitness profile (including injury information), progress and exercise photos, subscription status | supabase.com/privacy |
| Cloudflare Workers / R2 | United States (global edge network) | API hosting, exercise media delivery, edge routing | AI request bodies (transient, not logged), exercise media requests, request IP for rate limiting (in-memory, not persisted) | cloudflare.com/privacypolicy |
| xAI (Grok) | United States | AI workout and program generation | Workout parameters, fitness profile, and — with your explicit consent — injury information. See Sections 1.6 and 1.11. | x.ai/legal/privacy-policy |
| RevenueCat | United States | Subscription management and entitlement checks | Subscription status, transaction identifiers, App Store / Google Play customer identifier, app usage events related to subscription state, country of last seen purchase (for regional pricing and EU/EEA detection). RevenueCat's "app user ID" for your account is your Supabase user identifier, so RevenueCat's records are linkable to your Slate account. | revenuecat.com/privacy |
| Google (Google Analytics) | United States / Ireland | Marketing website analytics (applies only when you visit slatefitness.app in a web browser, not inside the App) | IP address (truncated where available), pages visited, device and browser type, approximate geography. See Section 10. | policies.google.com/privacy |
| Sentry | United States | Crash reporting and error diagnostics | Crash stack traces, device type, OS version, app version, and your Supabase user identifier (attached to crash events for attribution). No name, email, or workout content is sent. | sentry.io/privacy |
| Apple | United States | Sign In with Apple, on-device Speech Recognition, HealthKit, App Store | Authentication tokens, on-device voice processing, health data (only with your explicit HealthKit permission) | apple.com/privacy |
| Google | United States | Google Sign-In, Google Play billing | Authentication tokens, purchase receipts | policies.google.com/privacy |

Each sub-processor is bound by its own privacy policy and data processing terms. We select providers that maintain industry-standard security practices. Data shared with xAI is processed according to xAI's privacy policy, including any retention or model-improvement practices described therein (see Section 1.6).

Crash report purging on account deletion. When you delete your account, we issue a server-side request to Sentry to purge crash events previously attributed to your Supabase user identifier, subject to Sentry's retention window.

3.2 Social Features

When social features are available, certain information you choose to make public — such as your display name, profile information, workout posts, and comments — will be visible to other users. You control what you share through your privacy settings.

3.3 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change in ownership or control of your personal information.


4. Data Storage and Security

4.1 Storage Location

Your data is stored on servers located in the United States, operated by our infrastructure provider, Supabase. Exercise demonstration videos are hosted on Cloudflare R2 (globally distributed).

4.2 Offline-First Architecture

The App is designed with an offline-first architecture. Your workout data is stored locally on your device and synchronized with our cloud servers when a network connection is available. You can use core features of the App without an internet connection.

4.3 Security Measures

We implement industry-standard security measures to protect your information, including:

  • Encryption of data in transit (TLS/SSL).
  • Encryption of data at rest on our servers.
  • Secure authentication protocols (including OAuth 2.0 for third-party sign-in).
  • Row-level security policies on our database to ensure users can only access their own data.
  • Regular security reviews of our infrastructure and codebase.

While we strive to protect your information, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security.

4.4 Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the App's services. Specifically:

  • Account data, workout data, body stats, fitness profile (including any injury information), and user-generated content are retained for the duration of your account. Upon account deletion, these are removed from our primary systems as part of the automated deletion flow and, except where law or sub-processor terms require otherwise, within one month at the latest.
  • Voice transcription text is processed in real time and not stored after the matching operation completes.
  • AI generation request bodies are not persistently logged on our servers. Aggregate, non-identifying metadata about AI requests may be retained for operational and quality monitoring. Data forwarded to xAI is subject to xAI's own retention policy (see Section 1.6).
  • Crash reports in Sentry are retained according to Sentry's retention window (typically 30 to 90 days depending on plan tier). When you delete your account, we instruct Sentry to purge crash events previously attributed to your user identifier.
  • Deletion from sub-processors. The automated deletion flow issues deletion requests to Supabase (database cascade and Storage bucket cleanup), RevenueCat, and Sentry as part of the same operation. Where a sub-processor's API returns an error, we log the failure and retry on a best-effort basis. Apple, Google, and RevenueCat may independently retain transaction and purchase records in accordance with their own legal, tax, and accounting obligations, which are outside our control; similarly, xAI's retention of any transmitted content is governed by xAI's own terms (see Section 1.6).
  • Encrypted backups. Residual copies of personal data may exist in encrypted database backups for no longer than 90 days after account deletion, after which they are overwritten as part of our standard backup rotation schedule.
  • Local data on your device is wiped automatically when you complete account deletion from within the App. If you uninstall the App without first deleting your account, local caches remain on the device until you reinstall or clear them manually through iOS or Android system settings.

4.5 Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:

  • Investigate the incident promptly and take steps to mitigate any harm.
  • Notify affected users without undue delay and, where required under GDPR, within 72 hours of becoming aware of the breach.
  • Notify relevant supervisory authorities as required by applicable law (including GDPR and state breach notification laws such as the CCPA).
  • Provide information about the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach.

5. Your Rights and Choices

5.1 Access and Portability

You may access your workout data at any time within the App. The App provides a free, self-service data export feature (available to all users, regardless of subscription tier) that allows you to download your data in JSON format at any time through Settings. If for any reason the in-app export is unavailable to you, you may also contact us at support@slatefitness.app and we will provide a copy of your personal data in a commonly used, machine-readable format within one month of your request, free of charge. Where a request is particularly complex, we may extend this period by up to two further months in accordance with Article 12(3) GDPR, and will inform you of any such extension and the reasons for it.

5.2 Correction

You may update or correct your personal information (display name, body stats, workout data, fitness profile, injury information) at any time through the App.

5.3 Deletion

You may delete your account and all associated data through the App's settings. Upon account deletion:

  • Your account information, workout data, body stats, fitness profile (including any injury information), progress and exercise photos, and all associated content will be permanently deleted from our servers and sub-processors as described in Section 4.4.
  • Locally stored data on your device is wiped automatically as part of the deletion flow. No manual uninstall is required.
  • Genuinely anonymous, aggregated statistics (e.g. global totals that cannot be linked back to any individual) may be retained, in line with GDPR Recital 26.

5.4 Withdrawing Injury Consent

Because injury information is processed on the basis of your explicit consent (see Section 1.11), you may withdraw that consent at any time by removing injuries from the App. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal, and does not retrieve copies of information that have already been transmitted to xAI and processed under xAI's own terms (see Section 1.6).

5.5 Push Notifications

You may opt out of push notifications at any time through your device's settings.

5.6 HealthKit Permissions

You may revoke the App's access to Apple HealthKit at any time through your device's Health app settings. Revoking access will prevent the App from reading or writing HealthKit data but will not delete data previously synced.

5.7 Data Import and Export

You may import and export your workout data in JSON format through the App's settings. This supports your right to data portability and is available free of charge to all users.


6. Rights for Users in the European Economic Area and United Kingdom (GDPR / UK GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and the UK GDPR:

  • Right of Access. You may request a copy of the personal data we hold about you.
  • Right to Rectification. You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure. You may request deletion of your personal data, subject to certain legal exceptions.
  • Right to Restrict Processing. You may request that we restrict the processing of your personal data under certain circumstances.
  • Right to Data Portability. You may request your personal data in a structured, commonly used, machine-readable format. A free JSON export is available to all users directly in the App.
  • Right to Object. You may object to the processing of your personal data for certain purposes, including processing based on our legitimate interests.
  • Right to Withdraw Consent. Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. For injury data specifically, see Section 5.4.
  • Right to Lodge a Complaint. You have the right to lodge a complaint with a data protection supervisory authority in the EEA member state or UK jurisdiction where you live, work, or where you believe an infringement has occurred. A directory of EEA supervisory authorities is maintained by the European Data Protection Board at edpb.europa.eu/about-edpb/about-edpb/members_en. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights (other than lodging a complaint with a supervisory authority), contact us at support@slatefitness.app. We will respond to your request without undue delay and, in any event, within one month of receipt, as required by Article 12(3) GDPR. Where a request is particularly complex or where we receive a high volume of requests, we may extend this period by up to two further months; we will inform you of any such extension and the reasons for it within one month of receiving your request.

6.1 Legal Bases for Processing

GDPR requires us to identify a lawful basis for each category of personal data we process. The following table summarizes how we rely on each basis:

| Data / Processing Activity | Lawful Basis |
|---|---|
| Account data (email, display name, authentication) | Performance of a contract (Art. 6(1)(b)) — necessary to provide the App under our Terms of Service |
| Workout data, fitness profile (goal, experience, equipment, biological sex, body weight, body measurements) | Performance of a contract (Art. 6(1)(b)) — see note below on classification |
| Injury and limitation information (health data) | Explicit consent (Art. 9(2)(a)) — obtained via in-app prompt before the first use; withdrawable at any time (see Sections 1.11 and 5.4) |
| Apple HealthKit data (body weight read/write, workout samples written, active-energy written) | Explicit consent (Art. 9(2)(a)) — obtained through the combination of (i) the iOS HealthKit permission dialog disclosing the specific data types we will read and write and (ii) in-app disclosure of the purposes of HealthKit integration. Withdrawable at any time via iOS Settings > Privacy > Health and/or via the App's Settings screen. |
| Subscription and transaction data | Performance of a contract (Art. 6(1)(b)) and compliance with legal obligations (Art. 6(1)(c)) — tax, accounting, and consumer protection requirements |
| AI workout generation (non-health inputs, including performance context for single workouts) | Performance of a contract (Art. 6(1)(b)) |
| AI workout generation (injury inputs) | Explicit consent (Art. 9(2)(a)) — see above |
| Crash reports and diagnostic data via Sentry (including Supabase user identifier attached for crash attribution) | Legitimate interests (Art. 6(1)(f)) — our legitimate interest in identifying and fixing defects that would otherwise degrade the service. Crash events are pseudonymous (linked to your Supabase user identifier), and we have carried out a balancing test concluding that this processing is necessary, proportionate, and not overridden by your rights and freedoms. |
| Device and technical data (device type, OS version, app version, general usage diagnostics) | Legitimate interests (Art. 6(1)(f)) — our legitimate interest in understanding technical compatibility and diagnosing issues across the device fleet |
| Security, fraud prevention, and abuse detection | Legitimate interests (Art. 6(1)(f)) — our legitimate interest in protecting the service, our users, and our infrastructure from abuse |
| Push notifications | Consent (Art. 6(1)(a)) — granted via the iOS / Android notification permission dialog |
| Service-related emails (account alerts, support replies) | Performance of a contract (Art. 6(1)(b)) |

Note on body weight and biological sex. Body weight, biological sex, and body measurements are processed as ordinary personal data under Article 6(1)(b), not as special-category data under Article 9, because in this context they function as anthropometric and demographic inputs used to calibrate exercise recommendations rather than as "data concerning health" within the meaning of Article 4(15) GDPR (which refers to data that reveals information about a person's health status). Where these inputs are combined with explicitly-consented injury data in a request to xAI, the combined request is subject to the injury consent regime described in Section 1.11.

Where we rely on legitimate interests, we have carried out (or will carry out, on reasonable request) a balancing test documenting the specific interest pursued and confirming that it is not overridden by your rights and freedoms. You have the right to object to any processing based on legitimate interests; see Section 6.

6.2 Special-Category Data

We treat the following as special-category data under GDPR Article 9 and process each only on the basis of your explicit consent:

  • Injury and limitation information (see Sections 1.11 and 6.1).
  • Apple HealthKit data, when you grant HealthKit permission (see Section 1.4).

You may withdraw consent for either category at any time, as described in Section 5.


7. Rights for California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know. You may request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business or commercial purpose for collecting it, and the categories of third parties and service providers with whom it is shared.
  • Right to Correct. You may request that we correct inaccurate personal information we maintain about you. You can also correct most of your personal information yourself at any time through the App.
  • Right to Delete. You may request deletion of your personal information we have collected from you, subject to certain exceptions set out in the CCPA.
  • Right to Opt-Out of Sale or Sharing. We do not sell your personal information, and we do not share it for cross-context behavioral advertising. Because we do not engage in these activities, there is nothing for you to opt out of, but you retain the right under the statute to direct us not to.
  • Right to Limit Use and Disclosure of Sensitive Personal Information. You have the right to direct us to limit our use and disclosure of your sensitive personal information (SPI) to purposes specifically permitted under the CPRA. See the subsection on SPI below.
  • Right to Non-Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights, and we will not charge different prices or provide a different quality of service as a result of your exercising these rights.

To exercise any of these rights, contact us at support@slatefitness.app. We will verify your identity before processing your request and respond within 45 days of receipt. We may extend this period by an additional 45 days where reasonably necessary, and will notify you of any such extension.

7.1 Authorized Agents

You may designate an authorized agent to make a request on your behalf. To do so, provide the agent with written permission signed by you and instruct them to contact us at support@slatefitness.app with a copy of that permission. We may require you to verify your own identity directly with us, or to confirm that you have provided the agent with authority, before we process the request.

7.2 Categories of Personal Information Collected (Past 12 Months)

In the 12 months preceding the Last Updated date of this Privacy Policy, we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers — email address, display name, Supabase user identifier, device identifier where provided by iOS/Android.
  • Demographic information — biological sex and date of birth, collected during onboarding.
  • Commercial information — subscription status and transaction identifiers.
  • Internet or other electronic network activity — general app and device usage data (device type, OS version, app version) and crash reports.
  • Audio, electronic, or similar information — text transcripts of voice commands you issue to the App's voice entry feature, stored when the transcript is forwarded to our AI matching service or when you correct or report a suggested match (see Section 1.5). Raw audio is not collected.
  • Geolocation data — coarse country/region derived from subscription records (we do not collect precise location).
  • Professional or employment-related information — none.
  • Education information — none.
  • Inferences — limited inferences drawn from your workout data for the purpose of providing analytics and AI recommendations within the App.
  • Sensitive personal information (SPI) — see Section 7.3 below.

7.3 Sensitive Personal Information (SPI)

The CPRA defines certain categories of personal information as "sensitive personal information." From that list, we collect the following:

  • Health data, specifically: body measurements and body weight entered by you; Apple HealthKit data you choose to share (body weight, workout samples, active-energy); and user-entered injury and limitation information.

We do not use or disclose your SPI for any purpose other than those permitted under the CPRA, including:

  • Performing the services you have requested (such as workout tracking, analytics, and — with your explicit consent — AI workout generation that accounts for your injuries);
  • Detecting security incidents and protecting against malicious or fraudulent activity;
  • Ensuring the physical safety of natural persons;
  • Short-term, transient use that does not build a profile about you;
  • Performing services on behalf of you (such as syncing your data across your devices); and
  • Verifying or maintaining the quality of our services.

We do not use SPI to infer characteristics about you beyond what is necessary to provide the services you have requested, and we do not sell or share SPI. You have the right, under the CPRA, to direct us to limit our use of your SPI to the purposes listed above. Because we already limit our use in this way, exercising this right will not materially change how we process your SPI, but you may still formally exercise it by contacting us at support@slatefitness.app.

7.4 Categories of Sources

We collect personal information from the following categories of sources:

  • Directly from you, when you create an account, enter workout or body stats data, use AI features, provide injury information, or contact support.
  • From your device, via mobile operating system APIs (including Apple HealthKit where you grant permission), device and app telemetry, and crash reporting libraries.
  • From third-party authentication providers (Apple, Google) when you use Sign In with Apple or Sign In with Google.
  • From payment processors and app stores (Apple, Google, RevenueCat) for subscription and purchase information.

7.5 Categories of Third Parties to Whom Personal Information Is Disclosed for a Business Purpose

We disclose personal information to the following categories of service providers for the business purposes described in Section 2 and detailed in Section 3.1:

  • Database, authentication, and storage providers (Supabase).
  • Infrastructure and edge delivery providers (Cloudflare).
  • Artificial intelligence service providers (xAI) — for AI workout generation only, and only with respect to the specific data described in Section 1.6.
  • Subscription management providers (RevenueCat).
  • Crash reporting and diagnostics providers (Sentry).
  • Platform providers (Apple, Google) for authentication, payment processing, and operating-system integrations.
  • Analytics providers for the marketing website only (Google Analytics — see Section 10).

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.


8. Children's Privacy

The App is not directed to children under the age of 13, or to children under the applicable minimum digital consent age in your country. In the United States, the minimum age is 13 (COPPA). In the United Kingdom, the minimum age is 13 (Data Protection Act 2018). In the EEA, the minimum age may be anywhere from 13 to 16 depending on the member state — for example, 13 in Belgium, 14 in Spain, 15 in France, and 16 in Germany and the Netherlands.

We do not actively verify age at sign-up and rely on self-declaration by users through account creation and our Terms of Service. We do not knowingly collect personal information from children under the applicable minimum age. If we become aware that we have collected personal information from a child under the applicable minimum age, we will take steps to delete that information promptly and close the associated account. If you believe a child under the applicable minimum age has provided us with personal information, please contact us at support@slatefitness.app.


9. International Data Transfers

Slate Fitness is operated from the United States. Your information is transferred to, and processed in, the United States and other countries where our sub-processors operate (see the table in Section 3.1). These countries may have data protection laws that differ from the laws of your jurisdiction.

For transfers of personal data from the EEA to the United States and other third countries, we rely on the following safeguards, as applicable:

  • EU Standard Contractual Clauses (2021). We rely on the European Commission's Standard Contractual Clauses adopted in June 2021 (Commission Implementing Decision (EU) 2021/914) as incorporated into our agreements with sub-processors that process EEA personal data outside the EEA.
  • UK International Data Transfer Addendum. For transfers of personal data from the United Kingdom, we rely on the UK International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner's Office under section 119A of the UK Data Protection Act 2018.
  • EU-US Data Privacy Framework. Where a sub-processor is certified under the EU-US Data Privacy Framework (DPF), we also rely on that certification as an additional safeguard for transfers to the United States.
  • Transfer impact assessments. Where required by post-Schrems II guidance, we review the legal environment of the recipient jurisdiction and consider whether any supplementary technical, contractual, or organizational measures are necessary.

If you would like more information about the specific transfer mechanism we rely on for a given sub-processor, contact us at support@slatefitness.app.


10. Cookies and Similar Tracking Technologies

The Slate mobile App does not use cookies. The App stores data locally on your device using standard mobile storage APIs (such as AsyncStorage on iOS/Android), which are not cookies and are not shared with third parties.

Our marketing website at slatefitness.app uses Google Analytics (Google Tag Manager / gtag.js) to understand general site traffic and improve the website. Google Analytics sets first-party cookies and collects information such as your IP address (truncated where available), pages visited, and device and browser type. This is separate from the Slate App and applies only if you visit our marketing website in a web browser.

If you do not want your marketing-website visit measured by Google Analytics, you can:

  • Install the Google Analytics Opt-Out Browser Add-on at tools.google.com/dlpage/gaoptout.
  • Use your browser's built-in tracking-prevention features or a privacy-focused extension (for example, uBlock Origin) to block Google Analytics scripts.

We do not use advertising cookies, cross-site tracking pixels, or behavioral advertising networks. We do not sell or share marketing-website visitor data with advertisers.

Consent for EEA and UK visitors. We recognize that the ePrivacy Directive and its national implementations in the EEA and United Kingdom generally require consent before non-essential analytics cookies are set. A cookie consent mechanism for our marketing website is not currently deployed. Until it is, EEA and UK visitors who do not wish to be measured by Google Analytics should use one of the opt-out options listed above before visiting the site. We are working to deploy a compliant cookie consent banner and will update this section when it is live.


11. Third-Party Links and Services

The App may contain links to third-party websites, services, or content that are not operated by us. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of any third-party services you access through the App.


12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, features, or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this Privacy Policy.
  • Notify you through the App or via email (if you have provided an email address).

Your continued use of the App after the effective date of any changes constitutes your acceptance of the revised Privacy Policy, except that where a change materially affects processing that relies on your explicit consent under GDPR Article 9 (such as injury information or Apple HealthKit data), we will seek fresh explicit consent for the new processing through an in-app prompt rather than treating continued use as acceptance. We encourage you to review this Privacy Policy periodically.


13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Slate Fitness
Email: support@slatefitness.app

For GDPR-related inquiries, you may also contact your local data protection authority.


14. Additional Disclosures for Specific Features

14.1 AI-Powered Features

Our AI workout and program generation features use a third-party artificial intelligence service — xAI (Grok), acting as our data processor — to create workout and program suggestions. Section 1.6 is the primary disclosure for what data is transmitted, how it is handled, and xAI's retention practices; this section summarizes and adds the automated-processing disclosure required by GDPR Article 13(2)(f).

What xAI receives. xAI receives the workout parameters, fitness profile, performance context (for single-workout generation only), and — with your explicit consent — injury information described in Sections 1.6 and 1.11. This includes health-related data that we treat as special-category data under GDPR Article 9, and it is shared with xAI only on the basis of your explicit consent.

What xAI does not receive. xAI does not receive your name, email address, Supabase user identifier, device identifier, authentication token, or your full workout history. The performance context described in Section 1.6 is a derived summary (strain, recent PRs, recent exercise IDs), not a raw workout log.

Our servers' role. Our own servers do not persistently log the body of AI requests. We are the data controller; xAI is our data processor for the purpose of generating suggestions.

xAI's retention and use of content. See Section 1.6 for details, including our current xAI API tier, xAI's standard retention window, and our understanding of xAI's use of API content for service improvement. In short: we do not store AI request bodies on our servers, but xAI may retain transmitted content for a limited period under its own terms, and we do not control that retention.

Automated processing disclosure (Article 13(2)(f)). AI workout generation is a form of automated processing. It does not produce legal effects or similarly significant effects on you within the meaning of GDPR Article 22, because each AI-generated workout or program is a non-binding suggestion that you may accept, edit, discard, or ignore entirely. You remain in full control of what, whether, and how you train. We do not use automated decision-making to determine pricing, eligibility, access to features, account standing, or any other legally significant outcome.

Logic involved and consequences. The AI service receives your inputs (described in Section 1.6) and returns a list of suggested exercises, set counts, rep ranges, and rest periods. These suggestions are generated by a large language model — specifically, a trained machine-learning system operated by xAI — using your inputs and the equipment and constraints you have specified. The envisaged consequence of this processing is a workout or program suggestion displayed to you inside the App; no other consequences flow from it. The output is a recommendation, not a prescription, and is presented alongside standard disclaimers that it does not constitute professional fitness or medical advice. You may decline to use AI features entirely; they are never required to use the App.

14.2 Voice Input

Voice input is processed using Apple's on-device Speech Recognition framework. Audio is processed locally on your device and is not transmitted to Slate's servers. The resulting transcribed text may be sent to our servers to match your spoken input to exercises in our database. This text is processed transiently and is not stored after the operation completes.

14.3 Share Cards and Social Sharing

When you create a workout share card, the image is generated locally on your device. If you choose to share it to social media or other platforms, the sharing is handled by your device's native sharing functionality. We do not receive or store information about where you share your content.

14.4 Photo Attachments

Slate supports attaching photos to individual exercises during a workout (for example, to capture machine settings, form cues, or modifications). This is a paid feature available to subscribers. Photos are captured on your device using the iOS camera or photo library, stored locally in the App's private document directory, and uploaded to our cloud storage provider (Supabase Storage) as part of your normal account sync. Photos are private to your account, are not shared with other users, and are not used to train AI models or for any purpose other than displaying them back to you within the App. When you delete a photo in the App, or delete your account, the photo is removed from both your device and our cloud storage.

14.5 Apple Watch

When the Apple Watch companion app is available, it will access workout data and health metrics in accordance with the permissions you grant. Data collected by the Apple Watch app is subject to this same Privacy Policy.