SpotMate

Privacy Policy

Last updated: 11 May 2026

SpotMate is operated by LonelyMonkey OÜ, a company registered in Estonia, European Union (registry code 16722592, Harju maakond, Tallinn). In this policy "we", "us", and "our" mean LonelyMonkey OÜ. We are the data controller for the personal data described below.

This policy explains what personal data we collect when you use the SpotMate mobile app, why we collect it, who else processes it on our behalf, how long we keep it, and the rights you have over it. We aim for plain language — if anything is unclear, email support@spotmate.fit.

1. What data we collect

Account data

Email address, password (stored only as a hashed value — we never see your plain-text password), and the date you created your account.

Fitness profile

Name, date of birth, gender, height, weight, goal, experience level, training location and equipment, training days per week, focus areas, injuries (area, type, severity, painful triggers), food preferences, preferred communication style, and language.

Activity data

Workout logs (exercises, sets, reps, weights, RPE), body composition entries (weight, body fat %, muscle %, BMI, etc.), chat messages with the AI trainer, and saved programs. If you connect a Bluetooth smart scale, its readings are transferred directly from the scale to your phone and then to our servers — the scale manufacturer does not see your data.

Subscription and payment data

The subscription tier you hold, trial expiry, and renewal status. We do not store credit-card or banking details — all payments are handled by Apple App Store or Google Play, who pass us a receipt identifier via RevenueCat. See section 6.

Device and diagnostic data

Operating system version, app version, device model (no advertising identifier — we do not track for advertising), push notification token (if you opt in to notifications), and crash reports / error stacks captured by Sentry. Crash reports are configured to exclude personally identifying information by default.

Biometric data — stays on your device

If you enable Face ID or Touch ID for sign-in, the biometric template is stored and matched entirely by Apple's Secure Enclave on your device. It is never transmitted to our servers and we never see it.

2. Why we use your data and the legal basis

Under the EU General Data Protection Regulation (GDPR) we rely on these legal bases:

  • Contract performance (GDPR Art. 6(1)(b)) — to provide the service you signed up for: AI coaching, program generation, workout tracking, progress analytics.
  • Legitimate interest (GDPR Art. 6(1)(f)) — for service operation: crash reporting, fraud and abuse prevention, security, aggregate (non-identifying) product analytics.
  • Consent (GDPR Art. 6(1)(a)) — for push notifications, Face ID / Touch ID sign-in, and any future optional features that require additional processing. You can withdraw consent at any time in the app settings or your device's OS settings.
  • Explicit consent for special-category data (GDPR Art. 9(2)(a)) — when you provide health-related information such as injuries, body composition, or workout history, you give explicit consent for us to process it for AI coaching. You can revoke this consent by deleting your account.
  • Legal obligation (GDPR Art. 6(1)(c)) — for tax and accounting requirements relating to your subscription receipts.

We do not sell your personal data, ever, under any definition (including the CCPA definition of "sale" or "sharing").

3. AI coaching and your chat messages

The AI trainer is the core of SpotMate. When you chat with the AI or it generates a program for you, the following is sent to our LLM provider:

  • The current message you typed
  • Recent conversation context (typically the last several messages)
  • Relevant snippets of your fitness profile (goal, experience, injuries, equipment) so the response is personalised

Our LLM provider is Fireworks AI (Fireworks.ai, Inc., San Francisco, California, USA). Per their terms of service, content sent to their inference API is not used to train their models and is retained only briefly for abuse-prevention purposes. We have a Data Processing Agreement with Fireworks AI and rely on the European Commission's Standard Contractual Clauses for the transfer of personal data to the United States (see section 9).

If we change LLM provider in the future, we will update this policy and notify users by email at least 14 days before the change takes effect.

4. Sub-processors we use

We use the following sub-processors to run the service. Each one has signed a Data Processing Agreement (DPA) with us. We choose vendors that minimise the personal data they receive.

Sub-processor | What we send | Purpose | Location
Fly.io | All app and database data | Application + database hosting | EU (Amsterdam)
Cloudflare | Static web assets, exercise media, IP for routing | Web hosting, CDN, asset storage | Global edge (EU primary)
Sentry (Functional Software, Inc.) | Crash reports, error stack traces (no user PII by config) | Error monitoring and bug tracking | EU (Germany)
Fireworks AI | Chat messages, conversation context, relevant profile snippets | LLM inference for the AI trainer | USA (SCCs)
RevenueCat | App user ID, purchase receipt events, subscription state | Subscription management and entitlement | USA (SCCs)
FatSecret Platform API | Food name / barcode queries (no user identifier) | Nutrition database lookup (Pro tier) | USA (SCCs)
Resend | Recipient email address and message body | Transactional email delivery | USA (SCCs)
Expo Push Service | Device push token, notification payload | Routing push notifications to Apple / Google | USA (SCCs)
Apple Push (APNs) / Google FCM | Push token, notification payload | OS-level notification delivery | USA / global (Apple / Google terms)

An up-to-date list of sub-processors is available on request to support@spotmate.fit.

5. Push notifications

If you grant notification permission, we send you reminders about your workouts and occasional messages from your AI coach. The notification payload may contain a short message (for example, "Time for legs day — Coach") routed via Apple Push Notification service or Google Firebase Cloud Messaging. You can disable notifications at any time in the app settings or your device's OS settings.

6. Subscriptions and payments

All payments are processed by Apple App Store (iOS) or Google Play (Android). We never see your payment-card or bank details. The store sends us — through our subscription manager, RevenueCat — a receipt identifier, your purchase events, and your current subscription state. We use this only to grant or revoke access to paid features (Pro tier) and to provide customer support.

You manage and cancel your subscription directly in the App Store / Google Play account that purchased it. Refunds are also requested through the store, not from us.

7. How long we keep your data

Data | Retention
Account, fitness profile, activity history | While your account is active
Account after you delete it | Erased from live systems within 30 days; chat history erased immediately
Encrypted backups | Rolling 30 days, then permanently deleted
Subscription receipts (tax records) | 7 years (Estonian Accounting Act)
Sentry crash reports | 90 days, then auto-deleted
Email transactional logs (Resend) | 30 days delivery logs; message bodies not retained after send

8. Security

All data is encrypted in transit (TLS 1.2+) and at rest. Database backups are encrypted. Application servers and database are in the European Union. Access to production systems is limited to authorised personnel and uses two-factor authentication. We do not store plain-text passwords — they are salted and hashed (bcrypt). If a breach affecting your personal data ever occurs, we will notify you and the Estonian Data Protection Inspectorate within 72 hours, as required by GDPR.

9. International transfers

Most of your data is stored and processed in the European Union. Some sub-processors (Fireworks AI, RevenueCat, FatSecret, Resend, Expo Push) are based in the United States. For transfers to the US we rely on the European Commission's Standard Contractual Clauses (2021/914) signed with each vendor. Apple and Google process push notifications under their own published privacy terms.

10. Your rights under GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your account and associated data.
  • Portability — receive your data in a structured, commonly used, machine-readable format.
  • Restriction — ask us to pause processing in specific circumstances.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent at any time for processing based on consent (this does not affect prior lawful processing).

You can exercise access, rectification, portability, and erasure rights directly from the app (Settings → Account). For anything else, email support@spotmate.fit and we will respond within 30 days (extendable by 60 days for complex requests, with notice).

If you believe we have mishandled your data you may lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), aki.ee, or with the supervisory authority of your EU country of residence.

11. California residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act: the right to know what categories of personal information we collect, the right to delete it, the right to correct inaccurate information, and the right to opt out of any "sale" or "sharing" of personal information for cross-context behavioural advertising.

We do not sell or share personal information for advertising. To exercise your CCPA rights, email support@spotmate.fit with "CCPA Request" in the subject line. We will verify your request using your account email and respond within 45 days.

12. Children

SpotMate is intended for users aged 17 and over. We do not knowingly collect personal data from anyone under 17. If you are a parent or guardian and believe a child under 17 has provided us with personal data, please contact us at support@spotmate.fit and we will delete it promptly.

13. Changes to this policy

We will update this policy when our practices change. The "Last updated" date at the top reflects the most recent revision. For material changes (new sub-processors that receive personal data, a change in the legal basis of processing, expanded data collection, or a change of data controller) we will notify you by email and via an in-app banner at least 14 days before the change takes effect. Continued use of the app after the effective date constitutes acceptance of the updated policy.

14. Contact

For any privacy question, request, or complaint:

LonelyMonkey OÜ
Estonia, European Union
Email: support@spotmate.fit
Legal: legal@spotmate.fit

Supervisory authority: Andmekaitse Inspektsioon (Estonian DPI), aki.ee.