Italiano · English

Privacy Policy — CoreArc

Data controller: Gabriel Patras — contact: privacy@corearc.app

Last updated: 2 June 2026

1. What we collect

CoreArc is a fitness tracking tool. To function, it processes the following data, provided by you or generated through your use:

Category	Data	Source
Account	email, password (managed by Supabase Auth), optional name/username from Google OAuth	sign-up/login
Profile (health-related data)	date of birth, sex, weight, height, goal, training days, level, equipment	entered by you
Training	exercises, sets, reps, weight, time, distance, notes, history, personal records	app usage
Nutrition	meals, foods, calories, macros and micronutrients, water, meal photos	app usage
Feedback/wellbeing	post-workout RPE, weekly check-ins (recovery, sleep, energy, stress, motivation, pain)	entered by you
Form video (optional)	exercise videos uploaded for form analysis	entered by you
AI Coach	messages exchanged with the coach	app usage
Notifications	device token (FCM) and notification preferences	device
Subscription	tier (free/pro/lifetime) and status	in-app purchase

Profile and wellbeing data may constitute health-related data (a special category under Art. 9 GDPR): it is processed solely to provide you with the app's features, on the basis of your consent and the performance of the service.

2. Why we process it (purposes and legal basis)

Providing the service (tracking, stats, coaching) — performance of contract (Art. 6.1.b).
AI features (coach, meal photo analysis, video analysis) — performance of contract / consent.
Health-related data — explicit consent (Art. 9.2.a), revocable at any time.
Push notifications — consent (you can disable them from the device/settings).
Security and abuse prevention (rate limiting) — legitimate interest.

3. AI features and sharing with third parties

For AI features, some content is sent to model providers for processing:

Google (Gemini) — coach text, meal photos, form video.
Anthropic (Claude) — coach text (alternative/fallback provider).

Form videos are not stored: only the textual result of the analysis is saved. Meal photos are used to estimate foods. Please refer to the privacy policies of the respective providers.

4. Third-party services (processors/sub-processors)

Supabase — authentication and database (hosting in the EU — West EU, Ireland).
Firebase Cloud Messaging (Google) — push notifications.
RevenueCat — in-app subscription management (when active).
USDA FoodData Central and Open Food Facts — nutrition data (they receive only search terms/barcodes).
Sentry — crash reporting (when configured; technical diagnostic data).

5. Retention

We keep your data while the account is active. When the account is deleted, the data is erased (see §7). Technical/diagnostic logs have limited retention.

6. Transfers outside the EU

Your account and application data are hosted within the European Union (Supabase — West EU, Ireland). Some AI and diagnostics providers (Google, Anthropic, Sentry) may process data outside the EU (e.g. the United States), with adequate safeguards under the GDPR (Standard Contractual Clauses and/or the EU-US Data Privacy Framework).

7. Your rights (GDPR)

You have the right to access, rectification, erasure, restriction, portability and objection. Directly in-app, via Settings → Privacy and data:

Export my data → download a JSON file with all your data.
Delete account → permanent deletion of account and data.

You may also contact us at privacy@corearc.app or lodge a complaint with the Italian Data Protection Authority (www.garanteprivacy.it).

8. Minors

CoreArc is not intended for users under 16. We do not knowingly collect data from minors.

9. Changes

We will publish any changes at this address, updating the date above.

10. Contact

Gabriel Patras — privacy@corearc.app