Privacy Policy

1. INTRODUCTION

Welcome to THE CELL. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you about how we look after your personal data when you use our app and tell you about your privacy rights. Libertas Labs LLC ("we", "us", "our") is a Wyoming limited liability company and is the data controller responsible for your personal data.

We follow the principle of data minimization: we collect only the information necessary to provide the service and your requested features.

2. DATA WE COLLECT

We collect the following types of information:

• Account Information: Name, email address, authentication provider (Google or Apple Sign-In)
• Profile Image: Mugshot photo (optional, uploaded by you during onboarding, hosted on Cloudinary)
• Physical Data: Age, height, weight (required during onboarding to personalize workouts and nutrition; age used for age-gating and fitness calculations)
• Self-Assessment Data: "Crimes" (e.g. complacency, obesity, addiction — self-selected character flaws you want to address), chosen cellmate/mentor, sentence length
• Goals Data: Custom goals, primary fitness goal, parole goals, daily targets
• Fitness Data: Workout logs, exercise history, gym type, equipment, training schedules, injuries, exercise blacklist
• Nutrition Data: Meal logs, nutrition goals, hydration logs, custom recipes, meal templates
• Health Data: Health check-ins (sleep, energy, pain, symptoms), supplement logs, body measurements (circumference, body fat), progress photos
• Mental Health Data: Mood levels, stress levels, psych evaluations, journal entries (warden's log)
• Social Data: Friend connections, posts, comments, likes, challenges, cell block memberships, crew wars participation, yard posts
• Subscription Data: Purchase history and subscription status (managed by RevenueCat, billed via Apple/Google)
• Financial Tracking Data: Transactions, budgets, debts, income sources, receipt images (receipts stored locally on device only)
• Learning Data: Reading logs, focus sessions, library items, quest progress
• Referral Data: Your unique referral code and the code of whoever referred you
• Usage Data: App features used, screens viewed, settings preferences (via PostHog)
• Device Information: Device type, operating system, app version
• Audio Data: Voice recordings for quick logs (stored locally on your device only)
• Crash Data: Error logs and crash reports for app improvement (via Sentry)
• Health Integration Data: Steps, workouts, and health metrics from Apple HealthKit or Android Health Connect (with your explicit permission)

3. HOW WE USE YOUR DATA

We use your data to:

• Provide personalized workout and nutrition plans
• Track your progress and calculate statistics
• Send notifications and reminders (with your permission)
• Improve our app and user experience
• Ensure app security and prevent fraud

3.1 SENSITIVE HEALTH DATA (GDPR Article 9)

We process health-related data (body measurements, health check-ins, supplement logs, mood/stress evaluations, data from Apple HealthKit or Android Health Connect) based on your EXPLICIT CONSENT. You provide this consent by entering the data or granting health integration permissions. You may withdraw consent at any time by:

• Revoking health integration permissions in device settings
• Deleting the relevant entries in the app
• Deleting your account (via Settings > Danger Zone or thecell.app/delete-account)

Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.

3.2 AUTOMATED DECISION-MAKING AND AI PROFILING (GDPR Article 22)

The app uses AI (Google Gemini) to generate:

• Personalized workout plans based on your goals, experience, and equipment
• Supplement stack recommendations based on your health goals
• Weekly parole board evaluations (grade, verdict)

These AI-generated outputs are informational only and do not produce legal or similarly significant effects. However, you have the right to:

• Request human review of any AI-generated recommendation
• Contest AI-generated evaluations
• Express your point of view

Contact support@thecell.app to exercise these rights. We will respond within 30 days.

4. THIRD-PARTY SERVICES

We use the following third-party services:

• Supabase: Database, authentication, and backend infrastructure
• Cloudinary: Image hosting and processing
• OpenFoodFacts: Open-source nutrition database for food information
• USDA FoodData Central: U.S. government nutrition data
• Google Gemini AI: AI-powered workout generation and coaching features
• Google Sign-In: Account authentication via Google
• Apple Sign-In: Account authentication via Apple ID
• RevenueCat: Subscription management and purchase verification
• PostHog: Product analytics (usage events, session tracking)
• Sentry: Crash reporting and error monitoring
• OneSignal: Push notification delivery
• Resend: Transactional email delivery (account deletion confirmations)
• Google ML Kit: Receipt scanning and text recognition (on-device)
• Shopify: Commissary product catalog (storefront only — no user data sent)
• Apple HealthKit / Android Health Connect: Health data integration (with your permission)

These services may collect data according to their own privacy policies. We do not control how these third parties use your data.

5. DATA SHARING

We do not sell your personal data. We may share data with:

• Service providers who help us operate the app (listed in Section 4)
• Legal authorities when required by law
• With your explicit consent

5.1 Visibility to Other Users

Some features make certain data visible to other users of the app:

• Yard posts, comments, and likes are visible to other users based on post visibility settings
• Friend connections share activity data (workouts, achievements) with your friends
• Cell block memberships show your profile to other members
• Crew wars and challenges display your scores to other participants
• Global leaderboards display your inmate number, stats, and mugshot (only if your profile is set to public)

You can control visibility via your Profile privacy settings. Setting your profile to private hides your mugshot from leaderboards and other users but you may still appear in friend-only contexts.

6. DATA SECURITY

We implement appropriate security measures including:

• Encrypted data transmission (HTTPS/TLS)
• Certificate pinning to prevent man-in-the-middle attacks
• Secure cloud storage with Supabase
• Authentication and access controls (OAuth2/OIDC via Google and Apple)
• Local storage encryption via device keystore (Flutter Secure Storage)
• Row-level security policies on all user data tables
• Regular security updates

6.1 DATA BREACH NOTIFICATION

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the competent supervisory authority within 72 hours as required by GDPR Article 33
• Notify affected users without undue delay when the breach is likely to result in high risk
• Describe the nature of the breach, likely consequences, and measures taken

You can report suspected security issues to support@thecell.app.

7. YOUR RIGHTS

You have the right to:

• Access your personal data
• Download your data (Data Portability) — use Settings > Privacy & Data > Download My Data
• Delete your account and data — use Settings > Danger Zone or thecell.app/delete-account
• Correct inaccurate personal data
• Restrict or object to processing
• Opt-out of non-essential data collection
• Withdraw consent at any time
• Lodge a complaint with your local data protection authority

7.1 RESPONSE TIMES

We will respond to verified rights requests within:

• 30 days (GDPR/UK GDPR requirement)
• 45 days (CCPA/CPRA requirement)

For complex requests, we may extend by an additional 30/45 days with written notice.

7.2 IDENTITY VERIFICATION

To protect your data, we verify the identity of rights requesters. For in-app requests, verification happens via your authenticated session. For web requests (e.g. account deletion at thecell.app/delete-account), we verify via email confirmation link sent to the account's registered email address.

8. DATA RETENTION

We retain your data for as long as necessary to provide the service and fulfill the purposes described in this policy:

• Active accounts: Data retained while your account is active so you can access your history and progress
• Deleted accounts: 30-day grace period (during which you can cancel deletion by signing back in), then permanent deletion
• Backups: Removed within 30 days of account deletion
• Aggregated/anonymized data: May be retained indefinitely for analytics (contains no personal identifiers)
• Legal requirements: Some data may be retained longer if required by law (e.g. tax records for subscriptions)

You can delete specific entries (workouts, meals, photos, etc.) individually at any time within the app. To delete all your data, delete your account.

9. CHILDREN'S PRIVACY

THE CELL is not intended for users under 13 years of age. We do not knowingly collect data from children.

10. CHANGES TO THIS POLICY

We may update this policy from time to time. We will notify you of significant changes via email or app notification.

11. CONTACT US

If you have questions about this privacy policy, please contact us at:

support@thecell.app

12. GDPR COMPLIANCE (EU/UK USERS)

If you are in the European Union or United Kingdom, you have rights under the General Data Protection Regulation (GDPR), including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure / "right to be forgotten" (Article 17)
• Right to restrict processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

Legal basis for processing: We process your personal data based on (a) your consent, (b) performance of our contract to provide the app's services, and (c) our legitimate interests in app security and improvement.

Data Protection Contact: support@thecell.app

You also have the right to lodge a complaint with your local data protection authority.

13. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA)

If you are a California resident, under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), you have the right to:

• Know what personal information we collect, use, disclose, and sell
• Access your personal information
• Delete your personal information
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information
• Limit the use of sensitive personal information
• Non-discrimination for exercising these rights

We do not sell or share personal information within the meaning of the CCPA/CPRA. To exercise any of these rights, contact support@thecell.app or use the in-app data export and account deletion features.

14. INTERNATIONAL DATA TRANSFERS

Your data may be processed in the United States where our service providers (Supabase, Cloudinary, PostHog, RevenueCat, Sentry, Resend) are located. By using the app, you consent to the transfer of your data to the United States. We rely on Standard Contractual Clauses (SCCs) or equivalent safeguards for transfers from the EU/UK.

15. OTHER US STATE PRIVACY RIGHTS

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA) have substantially similar rights to California residents, including access, deletion, correction, and opt-out of sale. Contact support@thecell.app to exercise these rights.