Privacy Policy
Last updated: May 19, 2026
This Privacy Policy explains how PROVE IT ("we", "us", "the app") collects, uses, stores, and protects your personal data when you use the mobile application. PROVE IT is operated by Atos Falcon, an individual developer based in Surrey, British Columbia, Canada.
1. Data we collect
Account data
- Email address — used to authenticate you. Collected from Apple, Google, or directly during email sign-up.
- Name — optional, provided by Apple/Google during OAuth or entered manually.
- User identifiers — internal IDs issued by Supabase (our backend) and the OAuth providers.
- Profile picture — optional, uploaded by you from your device's photo library.
Habit and progress data
- Habits you create (names, types, schedules, target values)
- Daily logs (completion status, values such as pages read, distance run, minutes spent)
- Streaks, milestones, identity statements you write
Fitness data (only if you connect Strava)
- Activity metadata: distance, duration, pace, calories
- Heart rate, cadence, elevation
- Route polylines (the GPS path of your run, used to draw the map preview in the app)
This data is fetched from your Strava account using OAuth scopes you explicitly authorize. We never request access to anything beyond running activities.
Community data
- Groups you join or create
- Friends you add
- Broadcasts you post (when you complete habits, hit milestones, etc.) — these are visible only to your friends and group members
Device data
- Expo push notification token — a device identifier used solely to deliver notifications you opted into
- Locally on Android: app usage statistics from Android's UsageStats API, used by the App Blocker feature. This data stays on your device and is not transmitted to our servers.
Subscription data
If you subscribe to PROVE IT Pro, RevenueCat manages your subscription state on our behalf. Google Play and Apple App Store process the payment directly — we never see your card number.
2. Data we do NOT collect
- We do not use third-party analytics (no Google Analytics, no Mixpanel, no Amplitude, no PostHog).
- We do not use any advertising SDKs. There are no ads in the app.
- We do not collect crash reports beyond what Apple/Google provide by default at the OS level.
- We do not access your contacts, calendar, microphone, camera (except via the system photo picker for your profile picture), or browser history.
- We do not read or transmit your screen time data to our servers — it is processed locally on your device.
3. How we use your data
All data is used solely to provide the app's functionality:
- Authenticate you and keep your session
- Sync your habits and progress across devices
- Display your fitness activity (when Strava is connected)
- Power the community features (cheer, broadcasts, groups)
- Send push notifications you opted into (streak reminders, milestone celebrations)
- Validate your subscription status
We do not profile, segment, or sell your data. We do not use your data for marketing or targeted advertising.
4. Who has access to your data
Your data is stored on:
- Supabase (US/EU regions) — our primary database and authentication provider
- RevenueCat — only your subscription state (no app content)
- Expo Push Notification Service — only your push token, used to route notifications
- Strava — your activity data is fetched on demand via their API; we cache a copy on our backend
Each of these providers has its own privacy policy. We selected them because they comply with industry standards (encryption at rest, encryption in transit, SOC 2 or equivalent).
5. Data retention
We keep your account and associated data for as long as your account is active. When you delete your account (see Delete account), we remove all of it within 30 days, with the exception of anonymized subscription transaction records that we are legally required to retain for tax purposes (up to 7 years).
6. Security
All data is encrypted in transit (TLS 1.2+) between your device and our backend. All data at rest in Supabase is encrypted using industry-standard AES-256. Authentication tokens are stored securely on your device using the platform's secure storage (Keychain on iOS, EncryptedSharedPreferences on Android).
7. Children
PROVE IT is intended for users aged 13 and over. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected data from a child under 13, please contact us and we will delete it immediately.
8. Your rights
You have the right to:
- Access your data
- Correct inaccurate data
- Delete your data (see Delete account)
- Export your data (email us)
- Withdraw consent for Strava sync at any time (in app → settings → disconnect Strava)
Residents of the European Union, United Kingdom, California, and other jurisdictions with applicable data protection laws have additional rights under GDPR, UK GDPR, CCPA, and similar frameworks. Contact us to exercise them.
9. International transfers
Our backend infrastructure (Supabase) may store data in regions outside your home country. By using PROVE IT you consent to this transfer. We take appropriate measures to ensure your data is protected wherever it is processed.
10. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. If a change is material, we will notify you in the app or via email.
11. Contact
If you have questions about this policy or how we handle your data, email atosfalcon@gmail.com.
Mailing address: 13750 100a Ave #2608, Surrey, BC, V3T 1K3, Canada.