Privacy Policy

Effective Date: April 30, 2026
App: Muscle Mirror
Developer: Laberge Software
Contact: [your@email.com]


1. Overview

Muscle Mirror (“we,” “our,” or “us”) is a physique progress tracking app. We take your privacy seriously. Your progress photos are private, stored securely, and never shared with anyone without your explicit action. This policy explains what data we collect, why we collect it, and how it is protected.


2. Information We Collect

2.1 Account Information

When you sign in with Apple, we receive:

  • A unique Apple user identifier (used to recognize your account)
  • Your name (only provided by Apple on first sign-in; optional)
  • Your email address (which Apple may proxy)

We do not receive your Apple ID password at any point.

2.2 Progress Photos

Photos you take or upload within the app are stored on secure, encrypted cloud storage (Amazon Web Services S3). Photos are:

  • Private by default — accessible only to you
  • Served exclusively through signed, time-limited URLs that expire automatically
  • Never publicly accessible or indexed

2.3 Body Measurements & Check-In Data

If you log weight, measurements, or submit check-ins, that data is stored on our servers and associated with your account.

2.4 Coach Relationship (Optional)

If you connect with a coach, your check-in submissions (photos and notes you explicitly attach) are shared with that coach. You control what is submitted. Coaches cannot access your full photo library — only what you choose to share in a check-in.

2.5 Usage & Crash Data

We use Sentry to collect anonymized crash reports and error logs. This helps us identify and fix bugs. Crash reports may include:

  • Device type and iOS version
  • App version
  • A screenshot of the screen at the time of the crash
  • Stack traces (technical error details, no personal content)

Sentry data is collected only in production builds and is never used for advertising.

2.6 Authentication Tokens

Your login tokens (JWT access and refresh tokens) are stored exclusively in your device’s iOS Keychain, which is sandboxed and encrypted by the operating system. We never transmit or log these tokens.


3. How We Use Your Information

| Data | Purpose |
|---|---|
| Apple ID / email | Account creation, login, and recovery |
| Name | Personalizing your experience |
| Progress photos | Displaying your progress in the app |
| Measurements / check-ins | Progress tracking and coach feedback |
| Crash reports | Diagnosing and fixing bugs |

We do not use your data for advertising, profiling, or sale to third parties.


4. Data Sharing

We do not sell, rent, or share your personal information with third parties except:

  • Service providers necessary to operate the app (AWS for storage, Sentry for crash reporting). These providers are bound by data processing agreements and may not use your data for their own purposes.
  • Your coach, but only for check-in content you explicitly submit.
  • Legal requirements, if we are compelled by law, subpoena, or court order.

5. Data Retention & Deletion

Deleting Your Account

You can delete your account at any time from Settings → Delete Account within the app. When you request deletion:

  • Your account is marked for deletion immediately
  • Your photos and personal data are permanently deleted from our servers within 60 seconds
  • Data is not recoverable after deletion is complete

Deleting Individual Photos

Photos you delete in the app are removed from your library immediately. The underlying file is permanently purged from cloud storage shortly after.

Retention

We retain your data only for as long as your account is active. We do not retain data after account deletion.


6. Security

We implement the following security measures:

  • Encryption in transit: All communication between the app and our servers uses HTTPS/TLS
  • Encryption at rest: Photos are stored in encrypted AWS S3 buckets
  • Signed URLs: Photos are never served via public URLs; all access requires a valid, time-limited signed URL
  • Keychain storage: Authentication tokens are stored in the iOS Keychain and never logged or transmitted
  • Rate limiting: API endpoints are rate-limited to protect against abuse

7. Children’s Privacy

Muscle Mirror is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.


8. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (available directly in-app via Settings → Delete Account)
  • Export your data upon request
  • Object to certain processing

To exercise any of these rights, contact us at [your@email.com].

California residents (CCPA): We do not sell personal information. You have the right to know what data we collect and to request deletion.

EU/UK residents (GDPR): Our legal basis for processing your data is the performance of our contract with you (providing the app service). You may contact your local data protection authority if you have unresolved concerns.


9. Third-Party Services

| Service | Purpose | Privacy Policy |
|---|---|---|
| Apple Sign In | Authentication | apple.com/legal/privacy |
| Amazon Web Services (S3/CloudFront) | Photo storage & delivery | aws.amazon.com/privacy |
| Sentry | Crash reporting | sentry.io/privacy |

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Effective Date” at the top and, for material changes, notify you within the app. Continued use of Muscle Mirror after changes constitutes acceptance of the updated policy.


11. Contact

If you have any questions or concerns about this Privacy Policy, please contact:

Laberge Software: TBD Create public email address.