Privacy Policy

IronSage (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains what we collect, how we use it, and your choices.

What we collect

• Account data — your email address and profile name when you create an account using Firebase Authentication.
• Workout data — exercises, sets, reps, weight, notes, timers, and workout history you create in the app.
• Device & app data — crash logs, performance metrics, and diagnostic information to maintain service reliability.
• Usage analytics — anonymized event data about app usage patterns (e.g., routine views, workout starts/completions) to improve features. You can opt out of analytics in Settings → Privacy. Analytics data is aggregated and never includes personally identifiable information.
• Optional sensor data when you enable related features:
  • Body sensors — heart rate data from Health Connect or Bluetooth LE devices for live workout metrics.
  • Activity recognition — movement patterns for auto-pausing rest timers.
  • Bluetooth — to pair with heart rate monitors and fitness devices. On Android 11 and below, location permission is required by Android for Bluetooth LE scanning, but IronSage does not track your location.
  • Camera — to scan QR codes for importing workout templates.
  • Media access — photos you choose to attach to workout notes (images only, never accessed without your explicit selection).

How we use data

• Provide core features — workout logging, rest timers, heart rate monitoring, device sync, and workout history.
• Maintain service reliability and security — crash diagnostics, performance monitoring, and abuse prevention.
• Improve the product — analyze aggregate usage patterns via Firebase Analytics to enhance features and understand which routines and exercises are most popular. Analytics can be disabled in Settings → Privacy. We never sell your personal data.
• Communicate essential updates — account changes, security notices, and service announcements (no marketing spam).

Processing & storage

• On-device storage: All workouts are stored locally first using Room database for offline-first functionality. Sensitive data (authentication tokens, session data) is protected using Android Keystore and encryption where supported by your device.
• Cloud sync: When you sign in, your workout data is synchronized to Firebase Firestore to keep your devices in sync. Local changes are prioritized, and conflicts are resolved by timestamp. All network traffic uses TLS 1.2+ encryption.
• Third-party services: We use Firebase (Google) for authentication, database, crash reporting, and analytics. Heart rate data may be accessed via Health Connect (Google) if you enable that feature. Firebase Analytics is subject to Google's Firebase Privacy policies.

Sharing & disclosure

We do not sell your personal data. We may share data only in these limited circumstances:

• Service providers: Firebase (Google Cloud) for authentication, database, and crash reporting. These providers are bound by data processing agreements and only process data on our behalf.
• Legal compliance: If required by law, court order, or governmental request, or to protect the rights, property, and safety of IronSage, our users, or the public.
• Business transfers: If IronSage is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you via email or in-app notice before your data becomes subject to a different privacy policy.

We never share your workout data with advertisers or data brokers.

Retention & deletion

• Active accounts: We retain your account and workout data while your account is active and for as long as needed to provide the service.
• Inactive accounts: If you don't use IronSage for 24 months, we may delete your account after notifying you via email.
• Manual deletion: You can delete your account and all associated data at any time via the app (Settings → Account → Delete Account) or by emailing support@ironsage.xyz. See our Data Deletion page for details.
• Soft deletes: Deleted workouts are soft-deleted (marked as deleted but retained for 30 days) to allow recovery. After 30 days, they are permanently removed.
• Backups and logs: Backup copies and diagnostic logs may be retained for up to 90 days for reliability, security, and legal compliance purposes.

Android permissions

IronSage requests only the permissions needed for features you choose to use. All permissions are optional except those required for core functionality (internet access for sync, storage for offline data). See our Permissions page for detailed explanations of each permission and when it's requested.

Children's privacy

IronSage is not intended for use by children under 13 years of age (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@ironsage.xyz and we will delete it promptly.

Your privacy rights

Depending on your location (such as the EU, UK, California, or Canada), you may have the following rights:

• Access: Request a copy of your personal data
• Correction: Update incorrect or incomplete data
• Deletion: Request deletion of your personal data (see Data Deletion)
• Export: Receive your data in a portable format
• Objection: Object to certain data processing activities
• Withdrawal: Withdraw consent for data processing

To exercise any of these rights, contact us at support@ironsage.xyz. We will respond within 30 days.

Data security

We implement appropriate technical and organizational measures to protect your data:

• TLS 1.2+ encryption for all network traffic
• Android Keystore for secure token storage on supported devices
• Firebase Authentication with industry-standard security practices
• Regular security audits and updates
• Biometric authentication support for app access

However, no method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

• In-app notification
• Email to your registered address
• Notice on this website

The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of IronSage after changes take effect constitutes acceptance of the updated policy.

Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, contact us at:

Email: support@ironsage.xyz
Subject line: "Privacy Inquiry" for faster routing

We aim to respond to all inquiries within 30 days.

This Privacy Policy is provided for transparency. It does not constitute legal advice. If you have specific legal questions, please consult an attorney.