ASCENDLIFTING LEAGUE REQUEST ACCESS

REGULATIONS//PRIVACY POLICY

Privacy
Policy

EFFECTIVE JULY 2, 2026· LAST UPDATED JULY 2, 2026· DOC ASC‑PP· REV 1.0

Ascend Log — by Ascend Lifting League. What we collect, why we collect it, how it's protected, and the controls you have over it.

01 · WHO WE ARE01/13

Who we are

Ascend Log is a strength-training tracker published by Ascend Lifting League ("we," "us," or "our"). This Privacy Policy describes what personal information we collect when you use the Ascend Log mobile application (iOS and Android, bundle identifier com.ascendliftingleague.log) and the associated website at ascendlifting.com, why we collect it, how it is used and protected, and your rights over it.

Contact us at support@ascendlifting.com with any questions about this policy. We aim to respond to general inquiries within 2 business days.

02 · SCOPE02/13

Scope of this policy

This policy covers:

  • The Ascend Log mobile application.
  • The account and data infrastructure we operate on your behalf (Supabase cloud database).
  • Our crash-reporting integration (Sentry), which is off by default and only active if you opt in.

This policy does not cover third-party services you independently access (e.g., Google's own privacy practices when you use Google Sign-In — those are governed by Google's policy).

03 · DATA WE COLLECT03/13

What information we collect and why

3.1Account identity

When you create an account you authenticate through one of two methods:

  • Google Sign-In — we receive your email address, display name, and profile avatar from Google. We store these in your Ascend profile.
  • Email one-time-code (passwordless) — you enter your email address; we send a one-time numeric code via Supabase Auth. No password is ever created or stored.

Why: We need a verified identity to associate your training data with your account, enforce per-user data isolation (row-level security), and allow you to access your data across devices. Account creation requires a 16+ age self-attestation (see Section 6).

Legal basis (GDPR): Performance of a contract (providing the service you have signed up for).

3.2Training and fitness data you enter

Everything you log in Ascend Log is stored in your personal, isolated data partition in our Supabase database. This includes:

CategoryWhat it contains
Workouts and sessionsEvery workout you log — name, date, duration, session type
ExercisesStandard library exercises plus any custom exercises you create
SetsWeight, reps, RPE (rate of perceived exertion), and any per-set notes
MesocyclesTraining-block folders and periodization structure
Personal recordsDetected PRs and last-performance history per exercise
Bodyweight logDate-stamped bodyweight entries you enter manually
Recovery and readinessRecovery-day ratings and readiness inputs you log
Gyms and equipmentGym locations and machine/equipment tags you create
Per-exercise preferencesRest-timer durations, unit preferences, muscle-map customisations per exercise
Saved presetsSet-type and burn-preset configurations you save
Import batchesData imported from third-party apps (e.g., a Strong CSV)

Why: This is the core purpose of the application — to track your lifting history and provide training insights. None of this data is read from, or written to, Apple Health or Google Health Connect in this version of the app. All entries are made manually by you.

Legal basis (GDPR): Performance of a contract; legitimate interests (providing the features you use).

3.3Social and League feed data

When you connect with friends inside the app, we store:

  • Friend connections — the accepted friend relationship between your account and another user's.
  • Shared-session memberships — your participation in a live joint training session.
  • Activity feed posts — workout activity visible to your accepted friends in the League feed. This feed is friend-gated: content is only surfaced to users you have accepted as friends.
  • Shared-workout grants — when you share a specific workout with another user.
  • Visibility preferences — your settings controlling who can see your activity.

The app does not currently expose public or link-shareable workout posts in the user interface, even though the data model supports it. Only the friend-gated feed is active in this version.

Why: The social features let you train alongside friends and share progress within a trusted circle.

Legal basis (GDPR): Performance of a contract; legitimate interests (enabling the social features you opt into).

3.4Camera

We request camera access solely to scan a friend's QR code to join their live training session. The camera is not used for any other purpose. No images or video are captured, stored, or transmitted.

Legal basis (GDPR): Consent (you grant camera permission at the OS prompt).

3.5Notifications

We request notification permission to deliver rest-timer alerts — a notification that fires when your configured rest period ends. On Android, the rest timer may run as a foreground service with an ongoing chronometer notification. No notification content is transmitted off-device for marketing or tracking purposes.

Legal basis (GDPR): Consent (you grant notification permission at the OS prompt); legitimate interests (delivering the timer feature you activated).

3.6Crash reporting (opt-in only)

The app includes an integration with Sentry (see Section 7) for crash diagnostics. This integration is off by default. You can enable it in Settings. When enabled:

  • Sentry captures exception stack traces and technical context (device model, OS version, app version) at the moment of a crash.
  • sendDefaultPii is explicitly set to false — Sentry does not capture personally identifiable information such as your name, email, or training data.
  • Crash reports are used solely to diagnose and fix application bugs.

When disabled (the default), no data is sent to Sentry.

Legal basis (GDPR): Consent (explicit opt-in toggle in Settings).

3.7What we do NOT collect

To be precise about the boundaries:

  • No advertising data. We have no ad SDK. We do not collect data for advertising purposes and do not display ads.
  • No third-party analytics platform. There is no Google Analytics, Firebase Analytics, Mixpanel, Amplitude, or equivalent analytics SDK in the application.
  • No health platform data. The app does not request HealthKit (Apple Health) or Health Connect (Google) permissions and does not read from or write to either platform in this version.
  • No cross-app or cross-site tracking. We do not track your activity across other companies' apps or websites.
  • No biometric identifiers, payment card data, or government identifiers of any kind.
04 · HOW WE USE IT04/13

How we use your information

We use the information described above exclusively to:

  1. Provide and operate the app — display your workout history, compute personal records, run the mesocycle engine, and power the social features.
  2. Sync your data across your devices — your data is stored server-side so you can access it on any device where you are signed in.
  3. Secure your account — authenticate you and enforce row-level security so only you (and explicitly invited participants in a shared session) can read your data.
  4. Deliver rest-timer notifications — fire the alert you requested when your rest period ends.
  5. Diagnose application crashes (only if you have opted in to crash reporting) — identify and fix software defects.

We do not use your data for advertising, do not build advertising profiles, and do not sell or rent your data to any third party.

05 · HOW WE SHARE IT05/13

How we share your information

We do not sell, trade, or rent your personal information. We share data only with the following service providers in order to operate the application:

5.1Supabase (database and authentication infrastructure)

All application data described in Section 3 is stored in Supabase (Supabase Inc., a managed Postgres cloud platform). Supabase acts as our data processor. Your data is isolated by row-level security policies — every row in our database is scoped to your user identifier and cannot be accessed by other users. Supabase's data infrastructure operates in AWS us-east-2 (Ohio, USA). Supabase's privacy policy is available at supabase.com/privacy.

5.2Sentry (crash reporting — opt-in only)

If you have enabled crash reporting, application crash data (stack traces, device context — no PII) is transmitted to Sentry (Functional Software, Inc.). Sentry processes this data solely for crash diagnostics on our behalf. Sentry's privacy policy is available at sentry.io/privacy.

5.3Google (authentication — if you use Google Sign-In)

If you choose to sign in with Google, the authentication token is processed by Google and by Supabase Auth (which validates it server-side). We receive only the profile information listed in Section 3.1. Google's privacy policy governs Google's own processing.

5.4Legal and safety disclosures

We may disclose information if required by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of our users or the public.

No other sharing occurs.

06 · MINIMUM AGE06/13

Children and minimum age

Ascend Log is not directed at children. You must be at least 16 years old to create an account. Account creation (the step that creates a server-side user record) requires a self-attestation that you meet the minimum age. We chose 16 as the age floor in accordance with the GDPR Article 8 default — it is the conservative, internationally safe minimum.

If you are under 13 (or the minimum age in your jurisdiction), do not use this application.

If we become aware that we have collected personal information from a child below the minimum age, we will delete that information promptly. Contact us at the address in Section 1.

07 · SECURITY07/13

Security

We take the following measures to protect your information:

  • Row-level security (RLS) — every table in our database enforces server-side policies that restrict read and write access to the authenticated owner of each row. No query from another user account can reach your data.
  • Encryption in transit — all communication between the application and Supabase uses TLS (HTTPS/WSS). Data is not transmitted in cleartext.
  • Authenticated access only — the API enforces authentication on every request. There are no unauthenticated read paths to user data.
  • Crash reporting with no PII — the Sentry integration is explicitly configured with sendDefaultPii: false, so even opted-in crash reports do not transmit your personal information.
  • Minimal permission footprint — the app requests only the device permissions listed in Section 3 (camera, notifications, and Android alarm/service permissions for the rest timer). No microphone, location, contacts, or health permissions are requested.

No security system is perfect. If you discover a security vulnerability, please contact us at support@ascendlifting.com.

08 · RETENTION08/13

Data retention

Your data is retained for as long as your account exists. If you delete your account (see Section 9), all of your application data is permanently deleted. We do not retain app-side data after deletion beyond what applicable law requires.

Backups. Deleted data may persist in encrypted, access-restricted backups for up to 30 days before being purged completely — a standard operational buffer for disaster recovery, not an active-use retention.

Authentication credential cleanup (deletion of the user record from Supabase Auth) completes as part of the server-side account-deletion cascade.

09 · YOUR RIGHTS09/13

Your rights and controls

Regardless of where you are located, we provide the following controls. Users in the European Union, United Kingdom, and California have additional rights under GDPR and CCPA respectively (see below).

9.1In-app controls available to all users

Export your data (free, no paywall)
In Settings → Your data, you can request a full export of your training data as CSV and JSON files. This includes:

  • Your profile settings
  • Every workout session you have logged
  • The exercises in each workout
  • Every set (weight, reps, RPE, notes)
  • Custom exercises you created
  • Mesocycle folders
  • Personal records and last-performance history
  • Bodyweight log and recovery/readiness days
  • Your gyms and equipment

The export is free — we do not place it behind any subscription or fee. A web-based export page is also available at ascendlifting.com/export for users who cannot access the in-app control.

Delete your account and all data
In Settings → Your data, you can permanently delete your account and every piece of application data we hold. Deletion requires you to type the word DELETE to confirm (defense against accidental activation). The deletion is executed server-side in a single transaction that removes every data row associated with your user identifier. It is permanent and irreversible.

Following deletion, the app signs you out and clears your local device state. There is also a web-based deletion page at ascendlifting.com/delete-account for users who cannot access the in-app control.

Crash-reporting consent
Enable or disable Sentry crash reporting at any time in Settings (off by default).

9.2GDPR rights (EU/UK users)

If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — request a copy of the personal data we hold about you. Use the in-app export feature (Section 9.1) or contact us.
  • Right to rectification — correct inaccurate data. Most data can be edited directly in the app; contact us for account-level corrections.
  • Right to erasure ("right to be forgotten") — delete your account and all data using the in-app control (Section 9.1) or by contacting us.
  • Right to restriction of processing — in certain circumstances, request that we restrict processing of your data while a dispute is resolved.
  • Right to data portability — receive your data in a structured, machine-readable format. Use the in-app export feature.
  • Right to object — object to processing based on legitimate interests. Given that processing is primarily to provide the service you signed up for, objecting may require account deletion.
  • Right to withdraw consent — where processing is based on consent (crash reporting, camera, notifications), you may withdraw consent at any time via the in-app controls or device OS settings.

To exercise rights not covered by an in-app control, contact us at support@ascendlifting.com. We will respond within 30 days.

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with your local data protection authority. In the EU, a list of supervisory authorities is available at edpb.europa.eu.

9.3CCPA rights (California residents)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) grants you the following rights:

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you, and how we use it. This policy constitutes our disclosure; the in-app export provides the specific data.
  • Right to delete — request deletion of your personal information. Use the in-app control (Section 9.1) or contact us.
  • Right to correct — request correction of inaccurate personal information.
  • Right to opt out of sale or sharing — we do not sell personal information and do not share it for cross-context behavioral advertising. No opt-out action is required.
  • Right to non-discrimination — we will not discriminate against you for exercising any of the above rights.

To submit a verifiable consumer request, use the in-app controls or contact us at support@ascendlifting.com. We will respond within 45 days (with a possible 45-day extension if needed).

Categories of personal information collected (CCPA disclosure):

  • Identifiers (email address, user ID)
  • Personal information described in California Civil Code § 1798.80(e) (name, if provided via Google Sign-In)
  • Health or fitness-related information (bodyweight entries, training data — entered manually by you)
  • Internet or other electronic network activity (crash diagnostics — opt-in only)
  • Inferences drawn from the above to create a profile (personal records, readiness scores — computed and displayed to you within the app only)

Sale/sharing of personal information: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

10 · TRANSFERS10/13

International data transfers

Our primary data processor, Supabase, stores data in AWS us-east-2 (Ohio, USA). If you are located in the EU or UK, your data may be transferred to and processed in the United States. Where such transfers occur, we rely on the EU-US Data Privacy Framework and/or standard contractual clauses as the legal transfer mechanism. Supabase maintains applicable compliance certifications; see supabase.com/privacy for details.

11 · COOKIES11/13

Cookies and local storage

The mobile application does not use web cookies. It uses the following on-device storage:

  • expo-sqlite — a local SQLite database that mirrors your training data for offline access. This is a device-local replica of your server data; it is cleared when you sign out or delete your account.
  • expo-secure-store — encrypted on-device key-value storage used for authentication tokens and your crash-reporting consent preference.

No tracking cookies or third-party trackers are used anywhere in the application.

12 · CHANGES12/13

Changes to this policy

We may update this policy to reflect changes to the application, applicable law, or our practices. When we do, we will update the "Last updated" date at the top and, for material changes, notify you via an in-app notice or email. Continued use of the app after the effective date of a revised policy constitutes acceptance of the changes.

13 · CONTACT13/13

Contact

For privacy questions, data-rights requests, or to report a security concern:

Ascend Lifting League

United States

Email: support@ascendlifting.com

Web: ascendlifting.com/support