Privacy Policy
Last updated: June 23, 2026
The short version
1. What we collect
Account data: the email and display name you provide, your date of birth (collected to confirm you meet our minimum age and to limit public social features to adults), plus your Atlas user id and authentication tokens.
Workout data: the exercises, sets, reps, weights, rest times, notes, and dates you log; the templates and splits you create; achievements you unlock; per-muscle XP totals; and (for premium features) body measurements and progress photos you choose to record.
Device and usage data: approximate location (derived from your IP for rate-limiting and abuse prevention - we do not retain precise GPS), browser / OS user-agent, app version, and timestamps of events like opens, screen views, and feature usage.
Billing data: if you subscribe, your payment method is handled by Apple, Google, or Stripe. We receive a subscription id, status, and the last four digits of the card - never the full card number.
Customer support: messages you send us and any contact information you include.
Phone number (only if you opt in): Atlas has an optional phone-discoverability feature you can turn on in Settings → Social. It is off by default and available only for US and Canadian numbers. If you turn it on, you enter your own phone number so we can confirm you own it and let other lifters find you by it. To do this we send your number to our server and to our SMS provider, Twilio, which texts you a one-time verification code (standard message and data rates may apply). After you confirm the code, we store ONLY a one-way keyed hash of your number (an HMAC computed over a salted SHA-256 of the number) - we never store the raw phone number itself. We keep that hash until you turn phone discoverability off in Settings or delete your account, at which point it is removed. We never use your phone number to message you for marketing, and we never share it with the people who find you.
Finding friends from your contacts (only if you ask): If you tap "Find friends from your contacts," Atlas reads the email addresses and phone numbers in your device contacts so it can match them against lifters who have opted in. The matching is done with one-way hashes computed on your device: your raw contacts never leave your device and are never uploaded or stored, only the hashes are sent to us to look for matches, and we never message the people in your contacts. Nothing is read from your contacts unless you start this yourself.
2. Why we use it
- Run the Service: render your dashboards, fire celebrations, generate share cards, and - for Premium subscribers - sync your data across your devices. On the free tier, your detailed workout history is stored locally on your device and is not synced to our servers; we still collect limited account, usage-analytics, and diagnostic data as described in this policy.
- Improve the product: analyze aggregate, de-identified usage so we can ship the features lifters actually use.
- Send transactional and account messages you always receive (receipts, password resets, billing and trial notices). We may also send product and lifecycle emails (for example tips, trial reminders, and win-backs); these are optional, every one includes a one-click unsubscribe, and you can opt out at any time in Settings.
- Protect the Service from abuse (rate limiting, fraud detection, terms enforcement).
- Comply with legal obligations.
3. What we don't do
- We do not sell your personal information to advertisers, data brokers, or anyone else.
- We do not share your individual workout history with third parties for marketing.
- We do not place behavioral advertising cookies on our website.
- We do not run health surveillance, share data with insurers, or share data with employers.
4. Sharing and third-party processors
We use carefully selected vendors to operate the Service. Each is contractually bound to use your data only as we direct:
- Supabase - hosted database + authentication.
- Stripe - payment processing for Premium.
- Apple App Store / Google Play - in-app purchases on iOS / Android.
- Vercel - hosting + edge functions.
- PostHog (when enabled) - product analytics, configured to mask personally-identifying fields.
- Resend - transactional email delivery.
- Twilio Inc. (United States) - SMS verification provider for the optional phone-discoverability feature. If you opt in, Twilio receives the phone number you choose to add, solely to text you the one-time verification code.
- RevenueCat - subscription management and purchase-entitlement validation for in-app purchases.
- Sentry - crash and error diagnostics (an error report may include your Atlas user id to help us debug).
- Amazon Web Services (AWS Rekognition) - automated image-safety classification of photos you upload. We send the image content for this check; AWS does not perform facial recognition for us and does not retain the images for its own use.
- Cloudflare - content delivery and network security.
- GIPHY - the optional GIF picker for comments and posts. GIF searches are proxied through our server (GIPHY does not receive your identity from the search), but a chosen GIF is displayed directly from GIPHY’s content network, so your device requests it from GIPHY and GIPHY may receive your IP address when a GIF loads. GIF content is served at a “g” safe-content rating.
Apple Health and Android Health Connect. If you choose to connect Atlas to Apple Health or Android Health Connect (an explicit opt-in in Settings), your logged workouts are written to that health platform so they appear in your health timeline and contribute to your activity totals. Apple and Google process that data under their own privacy policies. Atlas does not use your health data for advertising, and you can disconnect at any time in Settings.
We may also share data when required by law, in connection with a merger or acquisition (in which case we'll notify you), or to protect the rights, property, or safety of Atlas, our users, or the public. Where we believe in good faith it is required by law or necessary to prevent harm (especially in child-safety matters), we may preserve and disclose your content and account identifiers - including your email, IP address, and device or user-agent - to NCMEC and to law enforcement without prior notice to you.
5. Public profiles and share cards
atlas.sigmatools.io/u/[handle]and generate share cards (PNG images) of your achievements. These surfaces show level, achievement counts, body-atlas heatmaps, and top lifts you have chosen to highlight. They never show individual session weights, body measurements, photos, or your email. You control whether your profile is public from in-app settings.6. Photos you upload and how we keep them safe
Some features let you upload photos that can be seen by other users, including media you attach to workout posts and the custom profile avatar you choose. Because Atlas is open to users 13 and older, we process every uploaded image for safety before it can be shown to anyone else. This processing is a core part of how we operate the photo features and meet our legal obligations.
- Metadata stripping. We remove EXIF and other embedded metadata - including GPS location and capture time - from your photo on upload, and we re-encode the image. The version we store and show to others does not carry the location or device metadata your camera may have embedded.
- Automated moderation. Every uploaded image is scanned by an automated explicit-content classifier before it is shown to anyone. New uploads stay private until they pass review, and confirmed child sexual abuse material is removed and reported to the National Center for Missing and Exploited Children (NCMEC).
- Possible human review. If an image is flagged or a check is uncertain, it is held and may be manually reviewed by us before any decision to show or remove it.
Legal basis. Where the GDPR or similar laws apply, we process uploaded images to perform our contract with you (to provide the photo features you use) and on the basis of our legitimate interest in keeping the Service and our community safe. Detecting and reporting CSAM is also a legal obligation. If we identify apparent CSAM, we preserve the relevant content and account information and report it to the National Center for Missing & Exploited Children (NCMEC) and cooperate with law enforcement as required by US law.
Retention of photos. Photos you upload are retained while your account is active. When you delete your account, we remove your uploaded photos from our production systems, with backups expiring on the schedule described in the Retention section below. We may retain content and related records longer where required to comply with law, including material preserved or reported in connection with a CSAM report.
For the plain-language rules on what you may and may not upload, see our Community Guidelines.
7. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you;
- Correct inaccurate data;
- Delete your account and personal data (the "right to erasure");
- Export your data in a machine-readable format;
- Object to certain processing or restrict it;
- Lodge a complaint with your local data-protection authority.
You can exercise the access, export, and deletion rights yourself from Profile → Account & Data. JSON and CSV export run immediately on-device. Account deletion cancels any active subscription, removes your profile from our servers, and signs you out. If you cannot open the app, see how to delete your account. For anything else, email privacy@sigmatools.io and we will respond within 30 days.
US state privacy rights (California and others). If you are a California resident, or live in a state with a comparable law, you also have the right to know the categories of personal information we collect and disclose, to delete it, to correct it, to opt out of any sale or sharing of it, to limit the use of sensitive personal information, and not to be discriminated against for exercising these rights. We do NOT sell your personal information, and we do NOT share it for cross-context behavioral advertising. You can manage your privacy choices, including analytics, any time in Settings → Privacy.
Global Privacy Control. We honor the GPC browser signal: when your browser sends GPC, we treat it as an opt-out of analytics and any data sharing automatically.
Watch apps. The Apple Watch / Wear OS app writes workout and live-session data directly to our servers; the phone mirrors only the current session for display.
What the in-app export covers. The instant in-app export contains the data stored on your device. For a complete copy of the personal data on our servers (for example social posts, your follow graph, and moderation or audit records), email privacy@sigmatools.io and we will provide it within 30 days.
8. Retention
9. Children's privacy
10. International transfers
11. Security
12. Cookies and local storage
- Essential cookies. Used to sign you in and keep your session secure. Required for the Service to work.
- Analytics cookie. With your consent, our analytics provider (PostHog) sets a first-party cookie/identifier so we can understand aggregate, de-identified product usage. It stays OFF until you accept it in the cookie banner, a Global Privacy Control signal keeps it off, and you can change it any time in Settings → Privacy.
- Local storage. The app stores data in your browser or device (for example your workout history on the free tier, your theme, and your consent choices) so it works offline and loads quickly.
- We do not use third-party behavioral advertising cookies.