Privacy Policy

Effective date: November 11, 2025

This Privacy Policy explains how Loopday Labs Private Limited (“Loopday”, “we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you use the Loopday mobile application (the “App”), our website, and related services. Loopday is the data controller for the App. By using the App or providing personal information you agree to the terms below.

Quick summary — in plain terms

  • We build a consistency-first gym workout tracker. We collect only the data necessary to operate the service: account info, workout logs, minimal device identifiers, integrations (Apple Health / Google Fit), analytics, and payment info when you buy upgrades.

  • We treat health and fitness data as sensitive — we never use HealthKit / Google Fit data for advertising or sell it. We request explicit permission before accessing HealthKit/Google Fit and we explain what we will do with that data.

  • We support user rights: access, correction, deletion, portability, and opt-outs required under GDPR/CCPA. We keep a record of processing activities and respond to rights requests promptly.

  • We publish this policy and the App Store / Play Console Data Safety answers and keep them aligned — what we declare in the app store forms matches what’s in this policy.

1. Data we collect (categories)

We describe the types of data we may collect from you and the reason for each collection.

Account & identity

  • Name, email, chosen username, profile photo (optional).

    Why: create and secure your account, sign-in, support.

Authentication & security

  • Password hashes, two-factor data (if enabled), account recovery data.

    Why: account security.

Workout & usage data

  • Workout logs (exercises, sets, reps, weights), templates, loop/streak status, quick-mode entries, timestamps, calendar events, and shareable summary images (if you create them).

    Why: core functionality — tracking, streaks, weekly summaries.

Health & fitness integrations (sensitive)

  • Only with your explicit permission: HealthKit or Google Fit data (workout metadata, activity, step counts, heart rate, weight, other fitness metrics). We request only the data types necessary for features you enable. We will never access health data without your opt-in and system-level permission.

Contacts & social

  • Optional: if you invite friends or create Pacts, we may access contact emails that you explicitly provide or allow us to use in order to send invites. We do not harvest your whole address book without explicit consent.

Device & technical

  • Device identifiers, OS version, mobile advertising IDs (if you opt into personalized features), crash reports, logs, IP address, approximate location derived from IP (only when needed for fraud prevention or localization).

    Why: performance, debugging, fraud detection, analytics.

Payments

  • We do not store full payment card data on our servers. Payment processing is handled by third-party payment processors (e.g., Apple/Google IAP or Stripe) and subject to their privacy terms. We may retain payment receipts and billing metadata for accounting and legal compliance.

Communications

  • Support emails, message history with us, notification preferences.

2. Sources of data

  • Data you provide directly (account, workouts, invites).

  • Data generated by your use of the App (logs, usage).

  • Third parties you connect (Apple Health/Google Fit, payment providers).

  • Third-party services (analytics, crash reporting) as described below.

3. How we use your data (purposes & legal basis)

We process personal data only for limited purposes necessary to provide the App and comply with legal obligations.

  • Provide core service (account, save workouts, streaks, pacts). (Contract performance / legitimate interest)

  • Sync integrations (HealthKit/Google Fit) when you consent. (Consent / contract)

  • Payments & billing (fulfill purchases, refunds). (Contract)

  • Analytics & product improvement (aggregate product usage; not used to identify you unless required for support). (Legitimate interest / consent for certain tracking)

  • Security & fraud prevention (protect accounts, detect abuse). (Legitimate interest / legal compliance)

  • Legal obligations (tax, financial reporting, law enforcement requests). (Legal compliance)

If you are an EU/EEA resident we will specifically rely on lawful bases required by GDPR (consent, performance of contract, legitimate interest, legal obligation). We will document lawful bases per processing activity.

4. Sharing & disclosures

We do not sell personal data. We share personal data only in limited cases:

  • Service providers / subprocessors — e.g., hosting, analytics, crash reporting, email delivery, payment processors. We require contracts that restrict their use to providing services for Loopday.

  • Apple & Google — when you use in-app purchases or HealthKit/Google Fit integrations, data flows to those platforms per their rules. We follow App Store and Play Store requirements and declare our practices in the Data Safety forms.

  • Legal requests — to comply with lawful requests from authorities.

  • Business transfers — in case of a merger, sale, or asset transfer; we will notify users where required.

We will never share HealthKit / Google Fit data for advertising or monetize it. If we ever propose a change to share sensitive data, we will publish the change and obtain explicit consent where required by law.

5. Third-party SDKs, analytics, and advertising

We use third-party tools for analytics, crash reporting, performance monitoring, and email. These vendors may process personal data on our behalf. We keep a current list of vendors and their purposes in our privacy center. You can request that list or unsubscribe from analytics tracking via in-app settings (where feasible). For Google Play distribution we will ensure the Data Safety information accurately reflects these third-party processing activities.

6. HealthKit & Google Fit — special handling

  • Access to HealthKit and Google Fit is opt-in only and uses platform consent screens. We request the minimum set of data types required by the feature you enabled. We never access health data in the background without permission, and we never use it for advertising.

  • If you disconnect an integration we will stop syncing and — subject to retention policies below — delete synced data upon request.

7. Data retention

We retain personal data only as long as necessary to provide the service, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention guidelines:

  • Account & workout data: retained while the account is active, plus 2 years after deletion (unless you request earlier deletion).

  • Billing & receipts: retained for required tax/accounting periods (region dependent).

  • Logs & diagnostics: retained short term (e.g., 30–90 days) unless required for an investigation.

Exact retention periods will be documented in our internal Record of Processing Activities and available on request.

8. Security

We implement commercially reasonable administrative, physical, and technical safeguards: encryption in transit (TLS), encryption at rest for sensitive fields, access controls, regular security reviews, and least-privilege access for staff and vendors. We run periodic audits and maintain an incident response plan. No system is 100% secure; in the event of a qualifying data breach we will notify affected users and authorities as required (e.g., GDPR: within 72 hours where feasible).

9. Your rights and choices

Depending on your jurisdiction, you have rights including:

  • Access: request a copy of your personal data.

  • Correction: correct inaccurate data.

  • Deletion: delete your account and personal data (subject to retention for legal reasons).

  • Portability: export a machine-readable copy of your data (workouts, account metadata).

  • Opt-out: withdraw consent for certain processing (e.g., analytics tracking) where applicable.

  • California consumers: right to know categories collected, right to delete, right to opt out of sale (we do not sell data).

To exercise rights: email hello@onloopday.com (or use in-app settings). We will verify requests to prevent fraud and respond within the legal timeframes.

10. Children’s privacy

Loopday is intended for adults. We do not knowingly collect personal information from children under 16 (or the applicable age in your jurisdiction). If we learn we collected such data without parental consent we will delete it promptly. If you are a parent who believes we have collected your child’s data, contact hello@onloopday.com.

11. International transfers

Loopday is headquartered in India (Loopday Labs Private Limited). Personal data may be transferred to and processed in countries outside your residence (e.g., our cloud providers). Where applicable, we rely on appropriate safeguards (standard contractual clauses, adequacy decisions) to protect transfers.

12. Cookies and similar technologies

We use cookies and similar local storage for essential app/website functionality and optional analytics. You can control cookies via in-app settings and your browser.

13. Legal bases, lawful processing & DPIAs

For sensitive processing (health & fitness data), we follow privacy-by-design, keep processing minimal, and will conduct a Data Protection Impact Assessment (DPIA) if required by law. We document our lawful bases (consent, contract, legitimate interest, legal obligation) per GDPR guidance.

14. App Store & Play Store compliance

We will:

  • Maintain an accurate public privacy policy and keep the App Store privacy labels and Google Play Data Safety fields aligned with this policy and actual processing. Apple requires apps to disclose all data collection and purpose in App Privacy details; Play requires a Data Safety form and an in-app privacy policy link.

  • Use Apple HealthKit only after explicit system permission and explain HealthKit usage in this policy.

15. Changes to this policy

We may update this policy. If changes are material we will notify users via the App and email and post a new effective date.

16. Contact & DPO

If you have questions, requests, or complaints:

  • Email: hello@onloopday.com

  • Data Protection Officer: Anubhav Girdhar

  • Registered office: S 916, Rajtilak Apartment, near Panas Gam, Citylight, Surat, GJ, India 395007