LAST UPDATED: MAY 8, 2026 · v1.0 PREVIEW

PRIVACY POLICY

We collect what we need to run CAP and nothing more. This page tells you what that is and what we do with it. Plain English.

1. What we collect

When you create an account, we store:

  • Your email address (used for sign-in and account recovery)
  • Your full name (shown on the leaderboard and your profile)
  • Your country (drives the flag chip next to your name)
  • A bcrypt hash of your password (we can't see or recover the original)

When you use the app, we store:

  • Your scores, comments, and other content you submit
  • Timestamps of when you signed in and last used the app
  • Aggregated activity for the admin engagement dashboard

We don't use third-party analytics, advertising trackers, or fingerprinting in v1.0.

2. What we don't collect

  • Payment information (CAP is free during v1.0 preview)
  • Health, biometric, or medical data
  • Your location beyond the country code you provide at signup
  • Data from third-party fitness trackers unless you explicitly connect one

3. How we use it

  • To authenticate you and keep your session
  • To display your name, flag, and scores to other CAP users on leaderboards
  • To send transactional emails (verification, password reset, invitations)
  • To produce aggregated engagement metrics for affiliate owners
  • To investigate abuse or violations of the Terms of Service

We never sell your data. We don't share it with marketing partners. Period.

4. Email

We use Resend to deliver transactional email (sign-up confirmation, password reset, invitations). Resend processes the recipient address and message content as a sub-processor; their privacy practices are at resend.com/legal/privacy-policy.

We don't send marketing email in v1.0. If we ever start, you'll be opted out by default with an explicit opt-in toggle.

5. Cookies

We use one essential cookie: an encrypted session cookie (cap_session) that identifies you while you're signed in. It's HttpOnly and Secure. We don't use tracking cookies, advertising cookies, or third-party cookies.

6. Your rights

You can, at any time:

  • View and edit your profile data on your profile page
  • Request a copy of all data we hold on you (email us)
  • Request deletion of your account (email us; processed within 30 days)
  • Withdraw consent for any processing not strictly necessary to operate the service

EU/UK residents have additional rights under GDPR. California residents have additional rights under CCPA. Contact us for either and we'll respond within statutory timelines.

7. Data retention

Active account data is kept indefinitely. After account deletion, your personal data is purged within 30 days, except: (a) anonymized aggregate metrics that can't identify you, and (b) audit logs we're legally required to retain (e.g., financial records; not applicable in v1.0 since we don't process payments).

8. Security

Passwords are hashed with bcrypt. Sessions are encrypted with iron-session. The database and Redis cache are hosted on Railway behind a private network. Full-disk encryption is enabled on Railway's Postgres add-on. Despite all that, no online service is 100% secure; if a breach occurs, we'll notify affected users within 72 hours.

9. Children

CAP is for users 18 and older. We don't knowingly collect data from anyone under 18. If you believe a minor has created an account, email us and we'll delete it.

10. Contact

Privacy questions, data requests, or breach reports: crossfitapinfo@gmail.com.

This is template language for a v1.0 preview build. Real privacy policies for production deployment in regulated jurisdictions require review by a qualified attorney.
