Privacy Policy

Last updated: 2026-05-30

What we collect

  • Account: email, display name (via Clerk).
  • Training data: training maxes, every logged set (weight × reps × RPE × date), prescriptions, mesocycle progress, readiness check-ins, deload events, volume ledger, exercise-to-canonical-lift mappings.
  • Connector tokens: if you connect Hevy or another logging app, we store the OAuth/API token encrypted at rest (AES-256-GCM) to fetch your sets. Tokens are never exposed in plaintext to the client.
  • LLM context: when you use the custom-program generator or importer, the text you provide and a small slice of your engine state are sent to Anthropic's API. Anthropic does not train on data sent via their API (per their published policy).
  • Server logs: standard request metadata for debugging and abuse-prevention (IP, user agent, timestamps). Retained 30 days.

What we don't collect

  • No ad-network tracking.
  • No third-party analytics SDKs in the client beyond what Clerk uses for auth.
  • No selling of user data to anyone, ever.

Why we have it

All of it powers the engine: prescriptions, autoregulation, volume tracking, deload detection. Without your training data, there's no product. Connector tokens let us pull new sets without you re-pasting them. LLM context is needed only for the structured tools that parse pasted program text or map unfamiliar exercise names.

Who else sees it

  • Hosting / DB: Vercel (Next.js), Neon (Postgres), Clerk (auth). Each processes data on our behalf under their respective DPAs.
  • LLM: Anthropic, for the custom-program generator and program-importer calls.
  • Connectors: Hevy (and future-added providers) — we only request the OAuth scopes needed to read your sets.

We don't share with marketers, brokers, or advertisers.

Your rights

  • Export: Account → Download export. Full JSON dump of every row keyed to your user ID. Connector tokens return as length-only metadata, not cleartext.
  • Delete: Account → Delete my account. Permanently removes all rows on confirmation. Backups age out within 30 days.
  • Disconnect a connector: Account or Connections page → revoke. The encrypted token row is deleted; we stop syncing.
  • Correct: training data is editable in-app. For account fields (email, name), update via Clerk.

Security

TLS in transit, encryption at rest, AES-256-GCM for connector tokens with key rotation tooling. Auth via Clerk (industry-standard session + JWT). No plaintext secrets in client bundles.

Contact

Privacy questions, data-subject requests, or anything else: hi@liftinglabs.app.

Privacy Policy · LiftingLabs