Last updated: June 20, 2026
This Privacy Policy explains how Havasi Holding LLC ("BodyTree", "we", "us", "our") collects,
uses, shares, and protects information when you use the BodyTree mobile application (the "App"), the website
https://bodytree.app (the "Site"), and related services (collectively, the
"Services"). By using the Services you agree to this Policy.
Contact: privacy@bodytree.app · Havasi Holding LLC, 7533 S Center View
St, Ste N, West Jordan, UT 84084, United States.
At a glance
- BodyTree is a calisthenics skill-progression app. We collect what we need to
run your account, deliver workouts, sync progress across devices, process subscriptions, send notifications,
and moderate uploads.
- We do not sell personal information. We do not run third-party advertising.
- Payments are processed by Apple App Store, Google Play, and RevenueCat. We
never see your card details.
- AI Coach conversations are processed by OpenAI under their enterprise terms.
Your prompts and recent workout history are sent to generate responses.
- You can delete your account from inside the App. See Account
deletion & data export.
Table of contents
- Information we collect
- How we use information
- Who we share information with
- Subprocessors and third-party services
- AI Coach and automated processing
- Content moderation
- Cookies and tracking (Site only)
- Children's information
- Data retention
- Data security
- International transfers
- Your privacy rights
- Account deletion & data export
- Do Not Track
- Changes to this policy
- Contact us
1. Information we collect
Information you provide
- Account: email address, password (hashed by Firebase
Authentication), display name, and a username you choose. If you sign in with Apple or Google, we receive your
name and email from those providers; Apple may issue a private relay email.
- Profile picture: if you upload one, it is stored in Firebase
Storage. We scan it with Google Cloud Vision SafeSearch before publication.
- Training preferences: gender (optional; "male", "female", or
unspecified), experience level, training goals (target skills and categories), available equipment, training
days per week, scheduled days, and your IANA time zone.
- Workout data: exercise logs (sets, reps, weight, perceived
effort), session metadata (date, duration, RPE), skill progression status, completed challenges, XP and
streaks, and rehab session logs if you use that feature.
- User-generated content: video proofs of skill progressions
(re-encoded server-side, thumbnail extracted), comments and likes on activity posts, feature requests and
votes, and AI Coach chat messages.
- Feedback: messages you submit through the in-app feedback form
are sent to our error and feedback monitoring service (Sentry), together with the email and display name on
your account.
- Referral codes: the code you redeem or share.
We do not collect health records, biometric identifiers, body measurements, date of birth, height, weight,
precise location, contacts, calendar entries, or financial account details.
Information collected automatically
- Device and usage: device model, operating system and version,
app version, language, crash diagnostics, and product analytics events (screens viewed, features used).
Collected via Firebase Analytics, Firebase App Check, and Sentry.
- Advertising identifier (Android): our Android manifest includes the
AD_ID permission required by Google Play for analytics SDKs. Firebase Analytics
may collect your Android Advertising ID. We do not use it for ad targeting. iOS does not prompt for App
Tracking Transparency because we do not track you across other apps; the IDFA is not collected.
- IP address: recorded server-side when you sign in or perform
certain actions (such as referral identity checks) for security and fraud prevention. We do not derive precise
location from your IP.
- Device fingerprint (referrals): when you redeem a referral
code, the App computes a one-way SHA-256 hash of installation and device identifiers plus a server-supplied
salt. We store this hash to prevent abuse. We cannot reverse it to recover the underlying identifiers.
- Push token: if you grant notification permission, we store
your Expo push token to deliver notifications.
- Camera, microphone, photo library (mobile permissions): used
only when you actively choose to record a video proof or pick a profile picture. Media is uploaded only when
you confirm the action.
Information received from third parties
- Apple Sign In, Google Sign In: we receive your name and
email (or Apple private relay email) when you authenticate.
- RevenueCat: we receive your subscription entitlement state
(active, trial, expired), product ID, billing period, and renewal status. Card details are never shared with
us.
2. How we use information
- Create and authenticate your account; sync your data across devices.
- Generate and adapt personalized training programs.
- Track progression, XP, streaks, and milestones.
- Process subscription entitlements and verify trial eligibility.
- Operate the AI Coach (see Section 5).
- Send transactional, lifecycle, and re-engagement emails (welcome,
onboarding-complete, first workout, trial-ending, weekly digest, inactivity nudges). You can unsubscribe from
non-essential emails at any time.
- Deliver push notifications you have opted into.
- Moderate uploads for safety (see Section 6).
- Detect and prevent fraud, abuse, and referral manipulation.
- Diagnose crashes, fix bugs, and measure product performance.
- Comply with legal obligations.
3. Who we share information with
We do not sell personal information. We share information only with the subprocessors listed in
Section 4, with other users when you choose to make content public (public profile, public program, comment on an
activity post, follow), with law enforcement when required by valid legal process, and with an acquirer if our
business is sold or merged.
4. Subprocessors and third-party services
We rely on the following service providers. Each processes data under written contracts that restrict use to
providing the service.
- Google / Firebase (Google LLC): Authentication, Firestore
(primary database), Cloud Storage (uploads), Cloud Functions (server logic), Analytics (GA4), App Check, Remote
Config, and Cloud Vision (SafeSearch image moderation). Data is hosted on Google Cloud, primarily in the
United States. See Firebase privacy.
- RevenueCat, Inc.: subscription management. We share your
Firebase user ID and country. RevenueCat receives subscription events from Apple and Google. See
RevenueCat privacy.
- Apple Inc. and Google LLC: in-app purchase
billing, Sign in with Apple, Google Sign-In. See Apple and
Google privacy policies.
- OpenAI, L.L.C.: AI Coach. See Section 5 and
OpenAI privacy.
- Functional Software, Inc. (Sentry): crash reporting and
in-app feedback intake. See Sentry privacy.
- Loops, Inc.: transactional and lifecycle email delivery. We
share your email, user ID, and display name. See Loops privacy.
- Expo, Inc.: push notification delivery via the Expo Push
Service, which fronts Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM). See
Expo privacy.
- YouTube (Google LLC): exercise demonstration videos may be
embedded via the YouTube iframe player. YouTube may set cookies and collect data per its own policy.
5. AI Coach and automated processing
Our AI Coach is powered by OpenAI's models. When you send a message, we transmit to OpenAI:
- Your message text (capped at 8 KB).
- Your display name and training context: experience level, training goals,
scheduled days, total XP, level, current streak, branch progression rollups, and summaries of your last 14
days of workouts (capped at roughly 4 KB).
- Prior messages in the current conversation.
OpenAI processes this data under its API terms and does not use it to train its models. We
retain transcripts in Firestore under your account so you can resume chats.
AI Coach outputs are generated automatically and may be inaccurate. They are not medical advice. They do not
produce decisions with legal or similarly significant effect on you within the meaning of GDPR Article 22.
6. Content moderation
Profile pictures and uploaded video proofs are automatically scanned by Google Cloud Vision SafeSearch (for
videos, we sample 2 to 8 frames across the duration). Uploads flagged as adult, violent, or otherwise unsafe are
rejected or held for review. Administrators may review flagged content manually.
7. Cookies and tracking (Site only)
The Site uses minimal first-party storage required for it to function. We do not run advertising trackers on the
Site. The mobile App does not use HTTP cookies; it uses native SDKs as described above. Some embedded YouTube
videos on the Site may set their own cookies; see Google's policies.
8. Children's information
The Services are intended for users aged 13 and older. We do not knowingly collect personal information from
children under 13. If you believe a child under 13 has provided us information, contact
privacy@bodytree.app and we will delete it. If you are between 13 and
the age of majority in your jurisdiction, use the Services only with the involvement of a parent or guardian.
9. Data retention
We retain your account data while your account is active. When you delete your account, we delete the data
enumerated in Section 13 within 30 days. Some data persists after deletion for legitimate operational reasons:
- Anonymized analytics events (Firebase Analytics) cannot be tied back to you
once your user ID is deleted, but aggregate counts persist.
- Crash reports in Sentry are retained per Sentry's default retention (currently
90 days for events).
- RevenueCat retains subscription records as required for billing audits.
- Server logs (Cloud Functions, Cloud Run) typically retain request metadata
including IP for 30 days.
- Backups are rotated and may temporarily contain your data after deletion until
the backup cycle expires.
- We retain records necessary to comply with legal obligations, resolve
disputes, and enforce our agreements.
10. Data security
We use commercially reasonable safeguards including TLS in transit, encryption at rest provided by Google Cloud,
App Check attestation to block requests from non-genuine clients, server-side Firestore security rules, and
least-privilege access for our team. No system is perfectly secure; you use the Services at your own risk.
11. International transfers
We are based in the United States and our Services and most subprocessors are hosted in the United States. If
you use the Services from outside the U.S., you consent to the transfer of your information to the U.S. and to
processing under U.S. law. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we
rely on each subprocessor's Standard Contractual Clauses or equivalent safeguards.
12. Your privacy rights
Depending on where you live, you may have the right to access, correct, delete, or port your personal
information; to object to or restrict certain processing; to opt out of targeted advertising, profiling, or
"sale" or "sharing" of personal information; and to appeal denials of these rights. Exercise any of these rights
by emailing privacy@bodytree.app. We respond within the time frames
required by applicable law (generally 30 to 45 days).
U.S. state privacy laws: residents of California, Colorado, Connecticut, Delaware, Florida,
Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode
Island, Tennessee, Texas, Utah, and Virginia may exercise the rights granted by their state laws. We do not sell
personal information and do not share it for cross-context behavioral advertising. California residents may also
invoke "Shine the Light" (Cal. Civ. Code § 1798.83).
EEA / UK / Switzerland (GDPR): our lawful bases for processing are (i) performance of a
contract with you, (ii) your consent (for optional features such as push notifications and certain analytics),
(iii) our legitimate interests in operating, securing, and improving the Services, and (iv) compliance with
legal obligations. You may lodge a complaint with your supervisory authority.
13. Account deletion & data export
Deletion: open the App, go to Settings, and select "Delete account". You will be asked to
reauthenticate. The App then deletes your Firebase Authentication record and the following Firestore and Cloud
Storage data: profile, preferences, stats, skill node progress, workout logs and sets, programs and program
sessions, video proofs, activity posts, comments, follows, feed items, rehab state and session logs, AI Coach
threads and messages, your private settings document (including stored push token and IP), profile pictures,
and uploaded video files. If you are a paying subscriber, your RevenueCat record will be retained for billing
audits and your subscription will continue to renew until you cancel through the App Store or Google Play.
Export: to receive a copy of your data, email
privacy@bodytree.app from the email address on your account. We will
respond within 45 days.
14. Do Not Track
Because there is no industry-wide standard for Do Not Track signals, our Services do not respond to them.
15. Changes to this policy
We will update the "Last updated" date when we make material changes. If a change materially expands how we use
your information, we will provide additional notice (such as an in-App banner or email) before it takes effect.
Havasi Holding LLC
7533 S Center View St, Ste N
West Jordan, UT 84084
United States
privacy@bodytree.app