Privacy Policy
Last updated: March 8, 2026
1. Introduction
Iron Avatar ("we," "us," or "our") operates the Iron Avatar website at ironavatar.com and the Iron Avatar mobile application (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the Service.
2. Information We Collect
2.1 Account & Profile Information
- Name, email address, and authentication credentials (via email/password, Google OAuth, or Apple Sign-In)
- Profile details: username/handle, avatar photo, date of birth, sex, city, state, and region
- Lifting preferences: weight class, equipment type (raw or equipped), drug testing preference, preferred weight unit
- Social media links you choose to provide (Instagram, X/Twitter, YouTube, TikTok, Bluesky, Facebook, Snapchat, personal website)
- Privacy preferences: display name style, leaderboard visibility settings (regional, state, national)
2.2 Performance & Training Data
- Competition meet results: meet name, date, location, federation, bodyweight, weight class, squat/bench/deadlift attempts and totals, equipment, and drug testing status
- Gym personal records (PRs): lift name, weight, reps, RPE (rate of perceived exertion), date, and notes
- Workout logs: exercises performed, sets, reps, weight used, load adjustments, rest times, and workout feedback
2.3 Coach & Client Data
If you use Iron Avatar as a coach or are a client of a coach on our platform, we collect:
- Coach profile information: display name, avatar, branding preferences
- Client information provided by coaches: name, email, phone number, body measurements, health and medical history notes, emergency contact information
- Coach-client relationship status and assignment history
- Workout programs, exercise assignments, and training progressions
2.4 Messages & Communications
- Direct messages between coaches and clients, including text content, images, and video attachments (up to 50 MB per file)
- Read receipts and mute preferences
- Contact form submissions: name, email, phone number, subject, and message content
2.5 Billing & Payment Information
- Invoice records: amounts, descriptions, due dates, payment status
- Recurring plan details: plan name, frequency, billing day, amount
- Payment processing is handled entirely by Stripe. We do not store credit card numbers, bank account details, or other sensitive financial information on our servers. Stripe's privacy policy governs their handling of your payment data.
2.6 Automatically Collected Information
- Device information: browser type, operating system, device type, screen resolution
- Usage analytics: page views, feature interactions, navigation patterns (collected via Vercel Analytics)
- Aggregated engagement metrics: listing page views, CTA clicks, contact clicks (stored as anonymized daily/monthly summaries without individual user identifiers)
- Authentication event logs: login/logout events, user agent, and referrer information (used for security and debugging)
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service, including user accounts, workout tracking, PR history, and leaderboards
- Facilitate coach-client relationships, program assignments, messaging, and billing
- Display your information on public or privacy-filtered leaderboards according to your visibility preferences
- Send transactional emails: invite notifications, message alerts, invoice reminders, and account-related communications
- Process payments and manage billing through Stripe
- Analyze aggregated usage patterns to improve the Service
- Detect, prevent, and address security issues and abuse
- Respond to your inquiries via the contact form
4. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
4.1 With Your Coach or Clients
If you are part of a coach-client relationship, your coach can view your contact information, workout logs, assigned programs, performance data, health notes, and messages. Clients can view their coach's profile and branding information, assigned programs, and shared messages.
4.2 Public Leaderboards & Profiles
If you opt in (configurable in your privacy settings), your name (displayed according to your chosen display name style), meet results, and region may appear on public leaderboards. You can control visibility at the regional, state, and national level, or make your profile fully private at any time.
4.3 Service Providers
We use trusted third-party services to operate the platform:
- Supabase — database hosting, authentication, file storage, and real-time features
- Vercel — application hosting and performance analytics
- Stripe — payment processing for coach-client billing
- Google — OAuth authentication (Google Sign-In)
- Mapbox — map rendering and location visualization for events and regions
- Gmail/Nodemailer — transactional email delivery (invites, notifications, contact form responses)
These providers access your data only as necessary to perform their services and are bound by their own privacy policies.
4.4 Legal Requirements
We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Iron Avatar, our users, or the public.
5. Public Data & OpenPowerlifting
Iron Avatar incorporates publicly available competition results from the OpenPowerlifting project. This data includes lifter names, meet results, federations, and weight classes from public powerlifting competitions. This information is already publicly available and is used to enrich the platform experience (e.g., search and result import features).
6. Cookies & Local Storage
6.1 Cookies
We use essential cookies to manage your authentication session. These include Supabase access and refresh tokens, which are required for the Service to function. We do not use advertising or third-party tracking cookies.
6.2 Local & Session Storage
We use browser local storage to save workout log drafts so you don't lose progress if you navigate away. Session storage is used for temporary state during authentication flows.
6.3 Mobile App Storage
The Iron Avatar mobile app uses secure on-device storage (Expo SecureStore) to store your authentication tokens. These tokens are encrypted by the operating system and are not accessible to other apps.
7. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- All data is transmitted over HTTPS/TLS encrypted connections
- Database access is enforced through Supabase Row Level Security (RLS), ensuring users can only access data they are authorized to view
- Passwords are hashed using industry-standard algorithms (managed by Supabase Auth)
- Invite tokens are cryptographically hashed and single-use
- Authentication tokens on mobile devices are stored in OS-level secure storage
- Payment information is handled exclusively by Stripe and never touches our servers
While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Data Retention & Deletion
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account deletion: When you delete your account, your profile, meet results, gym PRs, workout logs, and associated data are permanently deleted via cascading deletion
- Coach-client relationships: Ended relationships are marked as "former" rather than deleted, preserving historical context for both parties
- Messages & attachments: Deleted when the associated conversation is removed
- Invoices: Voided invoices are retained for bookkeeping and audit purposes
- Aggregated analytics: Engagement summaries (anonymized, without user identifiers) are retained indefinitely for platform analytics
- Stripe webhook logs: Retained for payment audit and dispute resolution
9. Your Rights & Choices
You have the following rights regarding your data:
- Access & portability: You can view all your personal data through your account settings and profile pages
- Correction: You can update your profile information, preferences, and privacy settings at any time
- Deletion: You can delete your account directly from the app settings or by contacting us. This will permanently remove your personal data from our systems
- Leaderboard opt-out: You can control your visibility on regional, state, and national leaderboards through your privacy settings, or hide your profile entirely
- Communication preferences: You can mute message notifications for specific conversations
10. Children’s Privacy
The Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know: You may request details about the categories and specific pieces of personal information we have collected about you
- Right to delete: You may request deletion of your personal information, subject to certain exceptions
- Right to opt-out of sale: We do not sell your personal information to third parties
- Non-discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at the email address below.
12. International Users
If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States where our servers and service providers are located. By using the Service, you consent to the transfer of your information to the United States.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or your data, or wish to exercise any of your rights, please contact us:
- Email: privacy@ironavatar.com
- Website: ironavatar.com/contact