Privacy Policy

Effective Date: February 18, 2026

X2machines, LLC ("Company," "we," "us," or "our") operates the Korza Training mobile application ("App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App. We are committed to protecting your privacy, especially given the sensitive nature of health and fitness data.

1. Information We Collect

1.1 Information You Provide

Account information: Name, email address, and authentication credentials (including Sign in with Apple)
Profile data: Age, fitness goals, injury history, and workout preferences
Workout data: Exercise logs, sets, reps, weights, session duration, and pain/RPE ratings
Readiness assessments: Daily self-reported sleep quality, stress levels, soreness, and motivation
Feedback: App ratings, feedback text, and support communications

1.2 Information from Apple Health

With your explicit permission, we read and write the following Apple Health data:

Heart rate and HRV: Used for readiness scoring and recovery insights
Sleep data: Duration and quality metrics for recovery recommendations
Workout data: Synced to and from Apple Health for unified tracking
Step count and activity: Used for engagement and activity metrics

Apple Health data is never sold, shared with advertisers, or used for purposes other than providing App functionality. You can revoke Apple Health access at any time in your device Settings.

1.3 Information from Wearable Devices

If you connect a wearable device (e.g., WHOOP, Oura), we collect recovery, strain, and sleep data through their authorized APIs. This data is used solely to enhance your readiness and recovery insights within the App.

WHOOP Integration: If you choose to connect your WHOOP account, we may collect heart rate variability (HRV), strain scores, recovery scores, and sleep performance data from your WHOOP device via the WHOOP API. This data is used to calculate daily readiness scores and provide personalized recovery insights within the App. Connecting your WHOOP account is entirely optional. You may disconnect your WHOOP account at any time through the App's Settings, at which point we will cease collecting new data from WHOOP. Previously synced WHOOP data will be retained in accordance with Section 5 (Data Retention) of this policy unless you request its deletion.

1.4 Automatically Collected Information

Device information: Device model, operating system version, and app version
Crash and performance data: Collected via Sentry for stability improvements (no personal health data included)
Usage analytics: Feature usage patterns, session duration, and navigation flows (anonymized)

2. How We Use Your Information

Purpose	Data Used
Provide workout programs and tracking	Profile, workout logs, exercise data
Calculate daily readiness scores	HRV, sleep, self-reported assessments
Generate recovery recommendations	Health data, workout history, readiness
Enable therapist-patient communication	Workout data, progress metrics, notes
Improve App stability and performance	Crash reports, performance metrics
Process subscriptions and purchases	Apple ID (via StoreKit — we never see payment details)
Send workout reminders and notifications	Notification preferences, schedule data

3. How We Share Your Information

We do not sell your personal information. We share data only in these limited circumstances:

With your Therapist: If you are linked to a licensed healthcare provider through the App, they can view your workout data, progress metrics, and readiness scores to guide your care. This sharing requires your explicit consent.
Service providers: We use Supabase (database hosting), Sentry (crash reporting), and Apple (authentication and payments). These providers process data on our behalf under strict contractual obligations.
Legal requirements: We may disclose information if required by law, subpoena, or court order.
Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change.

4. Data Security

We implement industry-standard security measures to protect your data:

Encryption in transit: All data transmitted between the App and our servers uses TLS 1.3 with certificate pinning
Encryption at rest: Data stored on our servers is encrypted using AES-256
Row-Level Security: Database access is enforced at the row level — you can only access your own data
Biometric protection: Sensitive health data access within the App can be protected by Face ID or Touch ID
Secure credential storage: Authentication tokens are stored in the iOS Keychain
HIPAA-aligned practices: Audit logging of all data access for compliance

5. Data Retention

Active account: Your data is retained for as long as your account is active
After deletion: Personal data is permanently deleted within 30 days of account deletion
Anonymized data: Aggregated, de-identified data may be retained indefinitely for analytics and product improvement
Audit logs: Access logs are retained for 7 years per HIPAA requirements
Crash reports: Retained for 90 days, then automatically purged

6. Your Rights and Choices

You have the following rights regarding your data:

Access: Request a copy of your personal data (available in App Settings > Export Data)
Correction: Update your profile information at any time
Deletion: Delete your account and all associated data (Settings > Account > Delete Account)
Portability: Export your workout and health data in standard formats
Consent withdrawal: Revoke Apple Health access, notification permissions, or therapist data sharing at any time
Opt out of analytics: Disable anonymized usage analytics in App Settings

7. Children's Privacy

The App is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us.

8. Third-Party Services

The App integrates with the following third-party services:

Service	Purpose	Data Shared
Apple Health	Health data sync	HRV, sleep, workouts, heart rate
Supabase	Backend infrastructure	All app data (encrypted)
Sentry	Crash reporting	Device info, crash traces (no health data)
Apple StoreKit	Subscription management	Transaction IDs (no payment details)
Apple Sign In	Authentication	Email (can be hidden via Apple relay)
WHOOP	Wearable data sync (optional)	HRV, strain, recovery scores, sleep data

9. Tracking and Advertising

We do not track you for advertising purposes. We do not use advertising identifiers (IDFA), and our App does not contain any third-party advertising SDKs. Our privacy manifest declares NSPrivacyTracking = false.

10. International Data Transfers

Your data is processed and stored on servers located in the United States. If you access the App from outside the United States, your data will be transferred to and processed in the United States. By using the App, you consent to this transfer.

11. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used
Request deletion of your personal information
Opt out of the sale of personal information (we do not sell your data)
Non-discrimination for exercising your privacy rights

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area, you have additional rights under the GDPR, including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object. Our legal basis for processing is your consent (for health data) and legitimate interest (for App functionality and security).

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App or by email. The "Effective Date" at the top of this page indicates when the policy was last revised. Your continued use of the App after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at:

X2machines, LLC
Email: privacy@getkorza.app