PRIVACY POLICY
Plain English: Your health data stays on your device. We never sell your data. We never share it with advertisers. We use it only to build your personalised training plan. You can delete everything at any time.
1. Who We Are
SynchroFit is operated by Luca Delucchi, trading as SynchroFit, based in the United Kingdom. We build performance intelligence software for night shift workers.
This Privacy Policy covers the SynchroFit iOS application and the website at synchrofit.app (and synchrofit.co.uk).
For questions or data requests, contact: luca.delucchi92@gmail.com
2. Health & Fitness Data (Apple HealthKit)
SynchroFit requests access to Apple Health data to calculate your daily Readiness Score and build training recommendations. This is the core function of the app.
Data we read from HealthKit
| Data type | Why we use it | Where it stays |
|---|---|---|
| Sleep duration & quality | Primary recovery signal for Readiness Score | Device only |
| Heart Rate Variability (HRV) | Recovery quality indicator (requires Apple Watch) | Device only |
| Resting Heart Rate | Secondary recovery indicator (requires Apple Watch) | Device only |
What we never do with health data
- We never upload raw HealthKit data to our servers
- We never share HealthKit data with third parties, advertisers, or data brokers
- We never use HealthKit data for advertising targeting
- We never sell health data under any circumstances
- HealthKit data is processed entirely on your device
This is consistent with Apple HealthKit developer guidelines, UK GDPR Article 9 (special category health data), and MHRA guidance on wellness applications.
Revoke access
You can revoke HealthKit permissions at any time in: Settings → Privacy & Security → Health → SynchroFit. The app continues to function using shift pattern data as the readiness signal.
3. Account Data
SynchroFit uses email and password authentication, with email confirmation on sign-up. Your account is stored on Supabase, our database provider, hosted in the EU.
| Data type | Why we use it | Where it lives |
|---|---|---|
| Email address | Authentication & account recovery | Supabase EU |
| Profile (name, age, sex, profession, fitness level, training days, goals) | Personalise training, nutrition, and recovery | Supabase EU + device |
| Work rota (shift type, start/end time, dates) | Drives the weekly plan across all four pillars | Supabase EU + device |
| Weekly workout plan (plan name, intensity, duration, shift context, date) | Sync your plan across devices | Supabase EU + device |
| Meal plan (free-text content) | Personalise nutrition guidance | Supabase EU + device |
| HealthKit data (HRV, sleep, heart rate) | Daily readiness adjustment | Device only, never sent to our servers |
| Training session logs (completed workouts, duration) | ACWR & training-load calculations | Device only |
| Generated sleep, nutrition, recovery schedules | Cache the weekly plan for offline use | Device only |
All server-stored data is protected by Row Level Security (RLS): each user can only access their own records. Data is encrypted at rest and in transit (TLS 1.3).
HealthKit biometrics never leave your device. When the app generates an AI-tailored workout, only a derived readiness score (a single number 0–100) is sent to the AI proxy, never the raw HRV, sleep, or heart-rate values that produced it.
We use PostHog (EU region) for anonymous product analytics: which screens get used, where users get stuck, nothing more. No HealthKit data, no rota, no plan content is ever sent to PostHog. You can switch it off any time from Profile → Share anonymous analytics in the app; when the toggle is off, the app no-ops every analytics call and no event is generated or transmitted.
This same PostHog project also captures two anonymous events on the landing pages at synchrofit.app and synchrofit.co.uk: a landing_viewed event (path + persona-page name) when a page loads, and a waitlist_submitted event when the form is sent. The landing client runs in memory-only mode (no cookies, no localStorage, no IP capture, no identification, no session replay), so a visitor cannot be linked across page loads or matched to a real person from their browsing alone. UK GDPR legal basis: Article 6(1)(f) legitimate interest in understanding which pages convert. The app's in-product consent toggle does not control these landing events because they're already strictly anonymous; if you'd rather they didn't fire at all, use a browser extension such as Privacy Badger or block eu.i.posthog.com.
We use Sentry (EU region, Frankfurt) for crash and error reporting. When the app crashes or hits an unhandled error, the SDK sends the stack trace, the iOS version, the device model, and the app version so we can fix the bug. We have explicitly disabled IP collection (sendDefaultPii = false) and we never attach HealthKit data, your rota, your plan content, or your email to crash reports. Crash reporting runs under the UK GDPR legitimate interest basis (Article 6(1)(f)) because it's necessary to keep the app stable and secure, not for tracking your behaviour.
Supabase privacy policy: supabase.com/privacy
4. Subscription & Payments
Subscriptions are managed entirely through Apple's App Store and RevenueCat. SynchroFit never sees or stores your payment card details.
- Payment processing: Apple App Store (Apple's privacy policy applies)
- Subscription management: RevenueCat (stores anonymous purchase receipts only)
- SynchroFit receives only: subscription status (active / expired) and anonymised transaction IDs
Manage or cancel your subscription in: Settings → [Your Name] → Subscriptions → SynchroFit
5. AI Workout Generation
SynchroFit uses Claude (Anthropic) via a secure proxy to generate personalised workout plans. The data sent to generate a workout includes:
- Your Readiness Score (a number, not raw biometrics)
- Your shift pattern and fitness level
- Your training goals and days-per-week preference
Raw HealthKit data (sleep records, HRV values, heart rate) is never transmitted to AI services. Only the derived Readiness Score number is used.
API calls are routed through our server-side proxy; your data never goes directly to Anthropic's API from your device. Anthropic's data policy applies to prompt content: anthropic.com/privacy
6. Your Rights (UK GDPR)
As a UK resident, you have the following rights under the UK GDPR:
Right to Access
Request a copy of all data we hold about you.
Right to Deletion
Request permanent deletion of your account and all associated data.
Right to Rectification
Correct any inaccurate personal data we hold.
Right to Portability
Receive your data in a machine-readable format.
Right to Object
Object to processing of your personal data.
Right to Restrict
Request restriction of processing in certain circumstances.
To exercise any of these rights, email luca.delucchi92@gmail.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
Legal basis for processing: performance of contract (account & subscriptions); legitimate interest (personalised training); consent (HealthKit, revocable at any time).
7. Data Retention
- HealthKit data: never stored on our servers; processed on device and discarded
- Workout logs: retained while your account is active; deleted within 30 days of account deletion request
- Email address: retained until account deletion request
- Anonymous analytics: retained for 12 months, then automatically purged
You can delete your account at any time from within the app: Settings → Delete Account. This permanently removes all your data from our servers and your device. No email or contact required.
8. Children
SynchroFit is not designed for or marketed to children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has provided us with personal data, contact us and we will delete it immediately.
9. Changes to This Policy
We may update this policy to reflect changes in the app or legal requirements. Material changes will be notified via in-app notice. The date at the top of this page reflects the latest revision.
Continued use of the app after changes constitutes acceptance of the updated policy.
10. Contact
SynchroFit
Operated by: Luca Delucchi, United Kingdom
Email: luca.delucchi92@gmail.com
Website: synchrofit.app
For data subject requests, please include "Data Request" in the subject line and allow up to 30 days for a response.