Privacy Policy
Spotter ("we", "our", "the app") is an iOS app that coaches you through gym workouts via your AirPods. This policy explains, plainly, what data the app handles, where it goes, and what choices you have. We've written it to be honest, not lawyerly.
1. Who we are
Spotter is published by Haroto, a small app studio based in Greece. You can reach us at harotoapps@gmail.com for any privacy-related question, including data access, correction, or deletion requests.
2. Data we collect, in plain English
2.1 Stored on your device only
- Profile you fill in during onboarding: name, optionally age, sex, height, weight, training experience, goals, available equipment, injuries, aspirations, and coaching preferences. Stored in iOS UserDefaults — never leaves your phone unless we mention otherwise below.
- Workout history: the workouts the app has generated, which sets you completed, prescribed weights, and the date/time. Stored in iOS UserDefaults.
- Last working weights per exercise: a small lookup so the trainer can anchor today's plan on yesterday's numbers.
- App settings: language, units, voice provider, paired heart-rate sensor identifier, premium tier override (testing only).
- An anonymous device identifier: a random UUID generated on first launch and stored in the iOS Keychain. Used as a bearer token to our backend proxy so we can rate-limit per device. It is not tied to your name, email, or any account.
2.2 Sent to our backend proxy (Cloudflare Workers)
Our backend exists for one reason: to keep the upstream API keys (Anthropic, ElevenLabs) off your phone, where they could otherwise be extracted. Every request from the app passes through our proxy, which adds the upstream credentials and forwards the request. The proxy:
- Receives your anonymous device ID (above) as a bearer token.
- Counts requests per device per day to enforce a rate limit, stored in Cloudflare KV under that device ID. The counter resets daily.
- Does not log request bodies, response bodies, or any user content.
- Does not associate your device ID with you in any external system.
2.3 Sent to Anthropic (Claude API), via our proxy
When you generate a workout or talk to the trainer mid-set, we send the following to Anthropic's Claude API:
- Your profile fields (so the plan fits your experience, goals, equipment, injuries).
- The text of your "today" prompt (e.g. "60-minute push day").
- The transcribed text of anything you say into the microphone with the talk button held.
- Your generated workout plan (so the trainer can refer to it during the session).
- Recent workout history summaries (so the trainer can balance volume across the week).
- Your live heart rate, when a paired sensor is active, prefixed to coach turns as a bracketed metadata tag.
Anthropic's API policies (as of writing) state that input/output is retained for up to 30 days for Trust & Safety review and is not used to train Anthropic's models. Anthropic's privacy notice: anthropic.com/legal/privacy.
2.4 Sent to ElevenLabs, via our proxy
When you select an ElevenLabs voice (a Spotter Premium feature) and the trainer speaks, we send the trainer's text (not your input — the words the AI is speaking aloud) to ElevenLabs to synthesize the audio. We also fetch the list of available voices from ElevenLabs when you open the voice picker. ElevenLabs's privacy notice: elevenlabs.io/privacy.
2.5 Sent to Apple
Subscription purchases happen via Apple's StoreKit. Apple receives the transaction details directly — we receive only an anonymized transaction identifier and entitlement status. We do not see your payment method, full name, or Apple ID. Apple's privacy policy: apple.com/legal/privacy.
2.6 Sent to Sentry (release builds only)
Release-channel builds (TestFlight, App Store) report uncaught crashes and a small number of non-fatal error events to Sentry, a third-party error-monitoring service. Each event includes:
- Error type and stack trace
- App version and iOS version
- Device model (e.g. "iPhone 15 Pro")
- Anonymous error fingerprints
It does not include your profile data, workout content, voice transcripts, request/response bodies, IP address, or screenshots. Sentry's privacy notice: sentry.io/privacy.
2.7 Voice and microphone
While you hold the "Talk" button, the iOS Speech framework (SFSpeechRecognizer) transcribes your speech to text. Apple performs this on-device when supported by your iPhone model and language; for some languages or older devices Apple may use its servers. Spotter never stores or transmits raw audio. Only the transcribed text leaves your device, and only via the path described in §2.3.
2.8 Heart rate
If you pair a Bluetooth heart-rate sensor, the app reads your live heart rate during workouts using the standard Bluetooth Heart Rate Service. Samples are not written to Apple HealthKit. Each sample is sent only as part of the live-coaching context described in §2.3 — we don't keep a separate database of your HR over time.
3. What we don't collect
- We don't ask for an email, phone number, or social login.
- We don't track your location.
- We don't use third-party advertising or analytics SDKs.
- We don't fingerprint your device beyond the anonymous Keychain UUID we generate ourselves.
4. How long data is kept
- On your device: until you reset your profile (Settings → Reset profile) or uninstall the app.
- Anthropic / ElevenLabs: per their policies. Anthropic retains API content up to 30 days for safety review.
- Cloudflare KV (rate-limit counters): 36 hours from last write, then automatic expiry.
- Sentry: 90 days at default retention.
- Apple: per Apple's policies for App Store transactions.
5. Your rights
If you are in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with similar law (including GDPR), you have the following rights:
- Access: substantially all your data lives on your phone — open the app's Profile, Past sessions, and Saved weights screens to see it.
- Correction: edit your profile any time in Settings → Profile.
- Deletion: Settings → Reset profile clears profile, weights, and session history. Uninstalling the app deletes the rest, including the Keychain device ID. To request deletion of any data you believe we hold elsewhere, email harotoapps@gmail.com and we'll respond within 30 days.
- Portability: a JSON export feature is on our roadmap. In the meantime, email us and we'll provide your data manually.
- Objection / restriction: stop using the app at any time. We have no contract that obligates you to keep using it.
- Complaint: you have the right to lodge a complaint with your local data-protection authority. In Greece, that's the Hellenic Data Protection Authority (www.dpa.gr).
6. Children's privacy
Spotter is not directed at children under 13 (or under the equivalent age in your jurisdiction). We do not knowingly collect data from children under 13. If you believe a child has provided information to the app, contact us and we will delete it.
7. Security
Network traffic uses TLS (HTTPS). API credentials live only as Cloudflare secrets on our backend, never in the app bundle. The anonymous device identifier is stored in the iOS Keychain with the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly attribute, so it is not synchronized across devices and is encrypted at rest by iOS.
No system is perfectly secure. If you discover a vulnerability, please email harotoapps@gmail.com. We respond to legitimate reports within a few days.
8. International transfers
Anthropic and ElevenLabs operate primarily from the United States. Cloudflare and Sentry have global infrastructure. If you are in the EEA, your data may be transferred outside the EEA when you use the app. We rely on standard contractual clauses (or equivalent safeguards) put in place by these vendors.
9. Changes to this policy
If we materially change how we handle data, we'll update this page, change the "Last updated" date at the top, and surface a notice in the app prompting you to re-acknowledge. Minor clarifications may be made without notice.
10. Contact
Questions or requests: harotoapps@gmail.com.