Privacy Policy
Last updated: April 11, 2026
LoseStreak ("we," "our," or "us") operates the LoseStreak mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. Please read this policy carefully. By using the App, you consent to the data practices described in this policy.
Contents
- Information We Collect
- How We Use Your Information
- Data Sharing & Visibility
- AI Data Processing
- Apple HealthKit Compliance
- Contacts & Friend Discovery
- Betting & Financial Information
- Data Security
- Data Retention & Deletion
- Children's Privacy
- International Data Transfers
- Your Privacy Rights
- California Privacy Rights (CCPA/CPRA)
- European Privacy Rights (GDPR)
- Other U.S. State Privacy Rights
- Do Not Track Signals
- Third-Party Links & Services
- Changes to This Policy
- Contact Us
1. Information We Collect
We collect information you provide directly, information collected automatically, and information from third-party sources.
1.1 Account Information
When you create an account, we collect:
- Email address — for account authentication, password recovery, and transactional communications
- Password — stored using industry-standard hashing (bcrypt); we never store plaintext passwords
- Username — your unique public identifier, searchable by other users
- Display name — optional name shown to friends (may differ from username)
- Profile photo — optional avatar image
1.2 Body & Biometric Data
To support competition features and personalized scoring, we collect:
- Height, weight, age, and biological sex — used for relative scoring calculations (e.g., % body weight change)
- Daily weight entries — logged by you, tracked over time for trend analysis and competition scoring
- Fitness goals — your selected goal type (weight loss, maintenance, etc.) and target weight
- Progress photos — optional photos you upload, processed by AI for visual comparison in verdict cards
Important: Progress photos may be considered biometric data in some jurisdictions. We process these photos solely for the purpose of generating AI-powered visual comparisons between Day 1 and the final day of a competition. We do not use facial recognition technology to identify individuals. Photos are stored encrypted and can be deleted at any time.
1.3 Health & Fitness Data (HealthKit)
With your explicit permission, we read data from Apple HealthKit, including:
- Workouts — activity type, duration, calories burned, distance (from Apple Workouts, Strava, Peloton, Nike Run Club, Garmin, or any HealthKit-connected app)
- Active energy burned — daily calorie expenditure
- Heart rate — average and max during workouts
- Step count — daily steps for step-based challenges
- Exercise minutes — for activity-based challenges
We access HealthKit data in read-only mode — we never write to your HealthKit store. HealthKit data is used solely to support competition features within the App and is never used for advertising, marketing, or sale to third parties.
1.4 Meal & Food Data
When you log meals using the AI food scanning feature:
- Meal photos — uploaded to our servers for AI processing
- AI-estimated nutritional data — calories, macronutrients (protein, carbs, fat), and portion size
- Timestamps — when meals were logged
- User adjustments — any corrections you make to AI estimates
Meal photos are stored in encrypted cloud storage. They are not stored permanently on your device after upload. Meal data is visible to your competition opponents during active competitions.
1.5 Competition & Social Data
- Competition records — challenge types, durations, bet descriptions, outcomes, and AI-generated verdicts
- Friend connections — your friends list and friendship status
- Live Battle Feed activity — votes, comments, and spectator interactions
- Badges and XP — achievements earned and level progression
- Streaks — daily logging and win streak counts
1.6 Device & Usage Data
We automatically collect:
- Device information — device model, operating system version, app version, unique device identifiers
- Usage analytics — screens viewed, features used, session duration, crash reports
- Push notification tokens — to send competition updates and reminders
- IP address — for security, fraud prevention, and approximate location (country/region level)
2. How We Use Your Information
We use your information for the following purposes:
2.1 Core App Functionality
- Create and manage your account
- Authenticate your identity and secure your account
- Facilitate 1v1 competitions between you and your friends
- Calculate competition scores based on challenge type and user data
- Generate AI-powered verdicts at competition end
- Estimate calories and macronutrients from meal photos using AI
- Sync and display workout data from Apple HealthKit
- Maintain leaderboards, streaks, badges, and XP progression
- Power the Live Battle Feed (spectating, voting, trash talk)
2.2 Communications
- Send push notifications for competition updates, challenge requests, and reminders
- Send transactional emails (password reset, account verification)
- Send optional weekly recap emails (if enabled)
2.3 Service Improvement
- Analyze usage patterns to improve App features and user experience
- Diagnose technical issues and fix bugs
- Develop new features based on aggregated, anonymized usage data
2.4 Safety & Security
- Detect and prevent fraud, abuse, and unauthorized access
- Enforce our Terms of Service
- Comply with legal obligations
3. Data Sharing & Visibility
3.1 With Other Users
LoseStreak is a social competition app. By design, certain data is visible to other users based on your relationship and privacy settings:
- Competition opponents — can see your meal logs, weight entries, progress photos, and workout data during active competitions
- Friends — can see your profile (based on visibility settings), stats, win/loss record, streaks, badges, level, and leaderboard rank
- Spectators — friends can view active battle data, vote on outcomes, and comment on battles where spectating is enabled
- Public — your username is searchable; no other account information is discoverable without a friend connection
You control your profile visibility (Public, Friends Only, or Private) and can disable spectating on individual competitions.
3.2 With Third-Party Service Providers
We use the following third-party services to operate the App:
- Supabase — backend database, authentication, and file storage (all data encrypted at rest and in transit)
- Anthropic (Claude API) — AI processing for food scanning and verdict generation. See Section 4 for details
- Apple StoreKit — subscription payment processing (we do not see or store your payment card details)
- Apple Push Notification Service (APNs) — push notification delivery
3.3 Legal & Safety Disclosures
We may disclose your information if required to do so by law or in response to valid legal process, including:
- Subpoenas, court orders, or other legal process
- Requests from government agencies with legal authority
- To protect the rights, property, or safety of LoseStreak, our users, or others
- To investigate or prevent suspected illegal activity or violations of our Terms
3.4 Business Transfers
If LoseStreak is involved in a merger, acquisition, asset sale, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the App before your information becomes subject to a different privacy policy.
3.5 What We Do NOT Do
- We do not sell, rent, or trade your personal data to third parties
- We do not share your data with advertising networks, data brokers, or marketing companies
- We do not use your health data for advertising or marketing purposes
- We do not share HealthKit data with any third party except as described in Section 4 (AI processing)
4. AI Data Processing
We use Anthropic's Claude API for AI-powered features. Here's exactly what happens:
4.1 Meal Scanning (Claude Vision)
- What we send: The meal photo you capture
- What we receive: Estimated calorie count, macronutrient breakdown, food identification
- Data retention by Anthropic: Per Anthropic's API data policy, API inputs are not used to train models and are retained for up to 30 days for trust & safety purposes
4.2 Competition Verdicts
- What we send: Both competitors' aggregated data for the competition period (weight change, calorie logs, workout summaries, logging consistency), progress photos (if uploaded)
- What we receive: AI-generated verdict text, winner determination, per-card commentary
- What we do NOT send: Email addresses, phone numbers, location data, or other identifying information beyond usernames
4.3 Progress Photo Analysis
- What we send: Day 1 and final day progress photos
- What we receive: Visual comparison commentary for "The Glow Up Check" verdict card
- What the AI does NOT do: Facial recognition, identification of individuals, or storage of biometric templates
Anthropic's data usage is governed by their Privacy Policy and Usage Policy. Anthropic does not use API data to train their models.
5. Apple HealthKit Compliance
In strict accordance with Apple's HealthKit requirements:
- HealthKit data is never used for advertising, marketing, or any purpose other than improving your health or fitness experience within the App
- HealthKit data is never sold, licensed, or otherwise disclosed to third parties except as necessary to provide App functionality (AI processing) or as required by law
- HealthKit data is never stored in iCloud
- HealthKit data is stored on encrypted servers with Row-Level Security ensuring only you and your authorized competition opponents can access it
- We only request HealthKit data types that are actively used in the App (workouts, active energy, heart rate, steps, exercise minutes)
- HealthKit access can be revoked at any time through your device's Settings > Privacy & Security > Health
- We do not use HealthKit data to make inferences about your health status, insurance eligibility, or employability
6. Contacts & Friend Discovery
LoseStreak offers an optional contact-based friend discovery feature. Here's how it works:
- On-device hashing: If you choose to find friends via contacts, phone numbers are hashed (using SHA-256) on your device before being sent to our servers
- Raw contacts never leave your device: We never see, store, or transmit your actual contact names, phone numbers, or email addresses
- Server matching: Hashed phone numbers are compared against hashed phone numbers of existing users to find matches
- Deletion: Hashes are used only for matching and are not retained after the matching process completes
Friends can also be added by username search — no contact access required.
7. Betting & Financial Information
LoseStreak supports optional betting between friends on an honor system:
- We track bet descriptions only (amount, type, terms) — text you enter
- We do not process, hold, escrow, or transfer any money, cryptocurrency, or financial instruments
- We do not collect bank account numbers, credit card numbers, or any payment information for bets
- All bet settlement is between friends — we are not a party to any wager
Subscription payments are processed entirely through Apple's App Store. Apple handles all payment processing — we never see or store your payment card details.
8. Data Security
We implement industry-standard security measures to protect your data:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
- Encryption at rest: All data stored in our database and file storage is encrypted using AES-256
- Row-Level Security (RLS): Database policies ensure users can only access their own data and authorized competition data
- Secure authentication: Passwords are hashed using bcrypt with individual salts
- Access controls: Strict role-based access controls for internal systems
- Regular security audits: We periodically review our security practices and infrastructure
Despite these measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security. If you believe your account has been compromised, contact us immediately.
9. Data Retention & Deletion
9.1 Retention Periods
- Account data: Retained for as long as your account is active
- Meal photos: Retained while your account is active; deleted within 30 days of account deletion
- Progress photos: Retained while your account is active; deleted within 30 days of account deletion
- Competition history: Retained for historical records; anonymized upon account deletion
- Usage analytics: Aggregated and anonymized data may be retained indefinitely
- Server logs: Retained for up to 90 days for security and debugging purposes
9.2 Account Deletion
You can request deletion of your account and all associated data at any time by:
- Using the "Delete Account" option in the App's Settings
- Emailing us at [email protected]
Upon deletion:
- Your account, profile, and all personal data will be permanently deleted
- Meal photos, progress photos, and weight entries will be removed from our servers
- Competition history involving your account will be anonymized (opponent records preserved with "Deleted User")
- Comments you made in the Live Battle Feed will be anonymized
- Data deletion is processed within 30 days of the request
- Some data may be retained longer if required by law (e.g., financial records)
9.3 Data Export
You can export your data at any time using the "Export My Data" feature in Settings. The export includes your profile, weight history, meal logs, workout data, and competition history in a machine-readable format (JSON).
10. Children's Privacy
LoseStreak is not intended for users under the age of 18. We do not knowingly collect personal information from anyone under 18 years of age. If we learn that we have collected data from a user under 18, we will:
- Delete that user's account and all associated data promptly
- Notify the user (or their parent/guardian if contact information is available)
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].
11. International Data Transfers
LoseStreak is operated from the United States. If you are accessing the App from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
By using the App, you consent to the transfer of your information to the United States and other countries, which may have different data protection laws than your country of residence. We apply appropriate safeguards to ensure your information remains protected in accordance with this Privacy Policy.
12. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data
- Portability: Export your data in a machine-readable format
- Restriction: Request that we limit processing of your data in certain circumstances
- Objection: Object to certain types of data processing
- Withdrawal of consent: Withdraw consent for HealthKit access, push notifications, or contacts access at any time through your device settings
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner if required by applicable law).
13. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:
13.1 Right to Know
You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the business purposes, and the categories of third parties with whom we share your data.
13.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention).
13.3 Right to Correct
You have the right to request correction of inaccurate personal information.
13.4 Right to Opt-Out of Sale/Sharing
We do not sell or share your personal information for cross-context behavioral advertising as defined by the CCPA/CPRA. Therefore, there is no need to opt out — we simply don't engage in these practices.
13.5 Right to Limit Use of Sensitive Personal Information
We collect sensitive personal information (health data, biometric data via progress photos) only as necessary to provide App functionality. We do not use this information for purposes beyond those disclosed in this policy.
13.6 Non-Discrimination
We will not discriminate against you for exercising your privacy rights (e.g., by denying services, charging different prices, or providing different quality).
13.7 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. We may require verification of your identity and written authorization from you.
13.8 Categories of Information Collected
In the past 12 months, we have collected the following categories of personal information:
- Identifiers: email address, username, device identifiers, IP address
- Personal information under Cal. Civ. Code 1798.80(e): name (display name)
- Characteristics of protected classifications: age, sex/gender (optional)
- Commercial information: subscription status, promo code redemptions
- Biometric information: progress photos (for AI visual comparison)
- Internet or network activity: usage analytics, device information
- Geolocation data: approximate location from IP address (country/region level)
- Sensory data: meal photos, progress photos
- Inferences: competition predictions, AI-generated verdicts
- Sensitive personal information: health data (weight, HealthKit data), precise geolocation (not collected)
To submit a CCPA/CPRA request, email [email protected] with "California Privacy Request" in the subject line.
14. European Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) provides you with additional rights.
14.1 Legal Basis for Processing
We process your data based on the following legal grounds:
- Contract: Processing necessary to provide the App and its features (account management, competitions, AI services)
- Consent: Processing of HealthKit data, contacts access, push notifications, and progress photos (you may withdraw consent at any time)
- Legitimate interests: Service improvement, security, fraud prevention (balanced against your privacy rights)
- Legal obligation: Compliance with applicable laws
14.2 Your GDPR Rights
- Access (Art. 15): Obtain confirmation of whether we process your data and access to that data
- Rectification (Art. 16): Correct inaccurate or incomplete data
- Erasure (Art. 17): Request deletion ("right to be forgotten")
- Restriction (Art. 18): Restrict processing in certain circumstances
- Portability (Art. 20): Receive your data in a structured, machine-readable format
- Objection (Art. 21): Object to processing based on legitimate interests
- Withdraw consent (Art. 7): Withdraw consent at any time without affecting the lawfulness of prior processing
- Lodge a complaint: File a complaint with your local data protection authority
14.3 International Transfers
Your data may be transferred to the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures to ensure adequate protection of your data.
14.4 Data Protection Officer
For GDPR-related inquiries, contact our privacy team at [email protected].
15. Other U.S. State Privacy Rights
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), or other states with comprehensive privacy laws, you may have similar rights to access, correct, delete, and port your data.
To exercise your rights under any state privacy law, email [email protected]. We will respond within the timeframe required by applicable law (typically 30-45 days).
You may appeal our decision regarding your request by contacting us at the same email address.
16. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no common industry standard for DNT, we do not currently respond to DNT signals. However, we do not engage in cross-site tracking or targeted advertising, so the practical effect is the same.
17. Third-Party Links & Services
The App may contain links to third-party websites or services (e.g., Anthropic's privacy policy, Apple's App Store). We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.
18. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last updated" date at the top of this policy
- We will notify you via email and/or prominent notice in the App
- For significant changes affecting your rights, we may require your affirmative consent
Your continued use of the App after changes constitutes acceptance of the updated policy. If you do not agree, you should stop using the App and delete your account.
19. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your data, contact us at:
Email: [email protected]
Subject line suggestions:
- "Data Access Request" — to access your data
- "Data Deletion Request" — to delete your account
- "California Privacy Request" — for CCPA/CPRA requests
- "GDPR Request" — for European privacy requests
- "Privacy Question" — for general inquiries