LevelUp Privacy Policy

Last Updated: 2025-08-24

This Privacy Policy explains how LevelUp ("we", "us", "our") collects, uses, discloses, and safeguards information when you use the LevelUp iOS app (the "App"). Please read this policy carefully. By using the App, you agree to the practices described here.

If you do not agree with this policy, please do not use the App.

1. Information We Collect

• Account Information: When you sign in, we collect identifiers provided by our authentication provider (Supabase Auth with Google Sign-In), such as user ID, email, and display name, where available.
• Profile & App Content: We store data you create in the App, including your goal, habits, streaks, avatar selections/states, badges, and feedback you submit.
• Usage Data: We may collect limited usage information (e.g., timestamps of actions, feature usage) to improve the App.
• Purchase Information: If you subscribe or purchase through Apple In‑App Purchase, RevenueCat provides information like product identifiers and subscription status. We do not receive your full payment details.
• Generated Media: We can generate images and text (e.g., avatar images, journey plans) using OpenAI via a Supabase Edge Function proxy. Input prompts and generated outputs may be processed to provide these features.

We do not knowingly collect sensitive personal data unless you provide it within prompts or profile fields. Please avoid entering sensitive information.

2. How We Use Information

• Provide, operate, and personalize the App (e.g., onboarding, habit tracking, avatar states, journey plans)
• Authenticate users and maintain sessions
• Sync and store your content across devices using Supabase
• Process purchases, restore access, and manage entitlements using RevenueCat
• Generate suggested content and images using OpenAI (via Supabase Edge Functions)
• Communicate with you (e.g., in‑app messages, feedback responses)
• Monitor, analyze, and improve App performance and reliability
• Prevent fraud, enforce terms, and comply with legal obligations

3. Legal Bases (EEA/UK)

If you are in the EEA/UK, we process your data under these legal bases: performance of a contract (providing the App), legitimate interests (improving and securing the App), and consent where applicable (e.g., marketing communications if any).

4. Sharing and Disclosure

We share information with service providers to operate the App:

• Supabase (hosting, authentication, database, storage): stores your account, profile, habits, avatar states, badges, and generated media storage references. Access is protected by Row Level Security and access controls configured in our project.
• OpenAI (via Supabase Edge Function proxy): processes text and image generation requests. We proxy requests through our Supabase project to avoid exposing your device’s API keys. Prompts and outputs are transmitted to and processed by OpenAI to fulfill requests.
• RevenueCat: manages in‑app purchase entitlements, subscription status, and purchase history necessary to unlock features. We do not receive your payment card details.
• Apple: App Store and StoreKit infrastructure for purchases and device services.

We may also disclose information: (i) to comply with law or legal process; (ii) to protect rights, property, or safety of us, users, or others; (iii) in connection with a merger, acquisition, or asset sale (your data may be transferred as part of that transaction).

5. Data Retention

We retain your data for as long as you maintain an account or as needed to provide the App. If you delete your account (see Your Choices), we will delete or anonymize personal data within a reasonable period, unless we must retain it for legal or legitimate business purposes.

• Standard retention: account, profile, and content data are typically deleted or anonymized within 30–60 days after confirmed account deletion.
• Backup retention: backups and logs may persist for up to 90 days, after which they are purged on a rolling basis.

6. Your Choices & Rights

• Access and Update: You can view and update certain profile information within the App (e.g., username, goal, avatar).
• Delete Account: You can sign out at any time. To request account deletion and data removal, contact us using the details in Contact Us. If the App exposes an in‑app delete account option, you may use it; otherwise email us.
• Marketing: The App does not currently send marketing emails. If this changes, you will be able to opt out.
• Permissions: You may disable device permissions (e.g., photos) in iOS settings, which may limit functionality.
• EEA/UK Rights: Where applicable, you may request access, rectification, erasure, restriction, portability, or object to processing. You also have the right to lodge a complaint with your supervisory authority.

US State Privacy Rights (e.g., CA, CO, CT, UT, VA)

Depending on your state of residence, you may have rights to:

• Know what categories of personal information we collect, the sources, purposes, and categories of third parties with whom we share it
• Access and obtain a portable copy of certain personal information
• Request deletion of personal information, subject to legal exceptions
• Correct inaccuracies in your personal information
• Opt out of certain processing (e.g., sale or sharing for cross‑context behavioral advertising). We do not sell personal information.

To exercise these rights, contact us as described in Contact Us. We will verify your request consistent with applicable law. You may designate an authorized agent where permitted.

7. Children’s Privacy

The App is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information, please contact us so we can delete it.

8. Security

We use reasonable administrative, technical, and organizational safeguards appropriate to the nature of the data we process. These include authentication and authorization controls, encrypted transport (HTTPS), and least‑privilege access practices for our service providers. No method of transmission or storage is 100% secure.

9. International Transfers

Our service providers (including Supabase, OpenAI, and RevenueCat) may process data in countries other than your own. Where required, we take steps to ensure appropriate safeguards for international transfers.

10. Third‑Party Services and Links

The App integrates with third‑party services subject to their own terms and privacy policies. Please review their policies:

• Supabase: https://supabase.com/privacy
• OpenAI: https://openai.com/policies/privacy-policy
• RevenueCat: https://www.revenuecat.com/privacy
• Apple: https://www.apple.com/legal/privacy/
• Google Sign‑In: https://policies.google.com/privacy

In‑App Purchases

Purchases are processed by Apple via StoreKit and managed for entitlements by RevenueCat. Apple and RevenueCat may process limited personal information to complete transactions and manage your subscription. You can manage or cancel subscriptions in your Apple ID settings.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version in the App and update the "Last Updated" date. Your continued use of the App after changes means you accept the updated policy.

12. Contact Us

If you have questions or requests (including account deletion), contact:

Email: support@levelup.app
Mailing Address: LevelUp, Attn: Privacy, 123 Example Street, San Francisco, CA 94100, USA