Privacy Policy
Effective Date: 31 May 2026
Overview
OpenBook is built with a privacy-first philosophy.
Your training data lives on your device by default, remains under your control, and is never sold or shared for advertising.
This Privacy Policy explains what data we collect, why we collect it, how it is handled, and your rights.
OpenArcX is the data controller for personal data collected through OpenBook.
Data You Create
When you use OpenBook, you may create:
- Workout data - exercises, sets, reps, weight, duration, and other metrics
- Session notes - free-text notes attached to entries
- Routines and plans - custom routines and workout structures
- App preferences - settings such as dark mode, preferred units, and display options
All data you create remains under your control.
Where Your Data Is Stored
On Your Device (Default)
By default, all data is stored locally on your device in an SQLite database.
It does not leave your device unless you explicitly choose to sync or export it.
No account is required to use the app in this mode.
Cloud Sync (Optional)
If you create an account and subscribe to a paid plan, you may enable Cloud Sync.
When enabled:
- Data is encrypted in transit using HTTPS/TLS
- Data is stored securely on our backend powered by Supabase
- Cloud infrastructure may be located outside your country of residence
Disabling Cloud Sync stops future syncing between your device and our servers.
Previously synced cloud data remains stored until you request account deletion.
Account Information
If you create an account, we collect:
- Email address - used for authentication and one-time passcodes
- User ID - an internal identifier generated upon account creation
We do not collect your name, phone number, date of birth, or other direct personal identifiers.
Subscriptions and Payments
OpenBook offers optional monthly and yearly subscriptions.
Payments are processed entirely by:
- Apple App Store (iOS)
- Google Play Store (Android)
We do not receive or store your payment card details.
We use RevenueCat to manage subscription status and feature access.
RevenueCat receives a device-anonymous app user identifier and subscription-related metadata required to manage entitlements. If you create an OpenBook account, your email address is also shared with RevenueCat to support customer service and account recovery.
RevenueCat is a US-based service; subscription metadata is processed on US infrastructure.
RevenueCat also forwards subscription lifecycle events, such as renewals, cancellations, and billing issues, to our product analytics processor PostHog so we can understand subscription usage and diagnose subscription issues. These forwarded events may include RevenueCat subscriber attributes that we set for support and diagnostic joins, such as your email address if you create an OpenBook account, and an OpenBook analytics identifier. We do not use this data for advertising, marketing, or tracking across other companies' apps or websites.
RevenueCat's Privacy Policy: https://www.revenuecat.com/privacy
Data Export
You may export your workout data at any time (Settings → Export Data).
Exports are generated on your device and shared using your device's native share options.
We do not receive a copy.
Third-Party Services
We use a limited number of service providers:
Supabase - authentication and optional Cloud Sync storage
(Data shared: email address, user ID, workout data for Cloud Sync users)
Supabase's Privacy Policy: https://supabase.com/privacy
RevenueCat - subscription management (US-hosted)
(Data shared: device-anonymous user ID, subscription metadata. If you create an OpenBook account, your email address is also shared.)
RevenueCat's Privacy Policy: https://www.revenuecat.com/privacy
PostHog - product analytics (EU-hosted)
(Data shared: a device-anonymous analytics identifier; if you create an OpenBook account, your internal OpenBook account identifier; in-app events such as screens viewed and features used; approximate location derived from IP address for analytics and reliability purposes; and server-side subscription lifecycle events forwarded from RevenueCat. PostHog data is hosted in the European Union.)
We use PostHog to understand how OpenBook is used so we can improve features and stability. PostHog data is not sold, shared with advertisers, or used for behavioural ad targeting.
PostHog's Privacy Policy: https://posthog.com/privacy
Sentry - crash and error reporting
(Data shared: pseudonymous user ID, device and app metadata, error stack traces, breadcrumbs of recent in-app activity. Used only to diagnose crashes and bugs; no commercial or marketing use.)
Sentry's Privacy Policy: https://sentry.io/privacy/
Postmark - transactional email delivery (sign-up confirmation codes, password reset codes)
(Data shared: email address)
Postmark's Privacy Policy: https://postmarkapp.com/privacy-policy
Apple App Store / Google Play - payment processing
(We do not receive payment details)
Meta (Meta Platforms, Inc.) - advertising attribution and measurement for OpenBook's own app-promotion campaigns
(Data shared: device identifiers and advertising identifiers where available and authorized; app install, activation, and session or default app events; and related technical diagnostics. Used only to measure and improve OpenBook's own advertising on Meta platforms such as Facebook, Instagram, and Threads.)
We use the Meta SDK to understand whether our advertising campaigns are working and to improve ad delivery. On iOS, OpenBook asks for permission under Apple's App Tracking Transparency (ATT) framework before enabling advertiser tracking; if you do not allow tracking, advertiser tracking remains disabled. We do not send workout content to Meta - including exercise names, session notes, set values, hold times, weights, reps, routine names, or body metrics. We do not use the Meta SDK to log purchases; subscription and billing information is handled by Apple, Google, and RevenueCat.
Meta's Privacy Policy: https://www.facebook.com/privacy/policy
Aside from the Meta SDK described above, which we use solely for advertising attribution and measurement of OpenBook's own app-promotion campaigns, we do not use other advertising networks, advertising SDKs, or data brokers. We do not display third-party ads inside the app, and we do not sell personal information.
Some service providers may process your IP address when your device connects to their services and may derive approximate location information, such as country, region, or city, from that IP address. We use this approximate location information only for app functionality, service reliability, diagnostics, security, support, and product analytics. OpenBook does not request access to your device's Location Services, does not collect precise GPS location, and does not use location information for advertising, marketing, tracking, or location-based personalization.
Device Permissions
OpenBook may request:
Haptics - provides tactile feedback when logging sets and interacting with controls.
We do not request access to camera, microphone, location, contacts, photos, calendar, Health/HealthKit, or other sensitive device capabilities.
Children's Privacy
OpenBook is not directed at children under 13 (or 16 in the EU).
We do not knowingly collect personal data from children.
If you believe a child has provided personal information, please contact us and we will delete it promptly.
Data Retention and Deletion
- On-device data remains on your device until you delete the app or clear its data. Uninstalling the app permanently deletes all on-device data. There is no recovery mechanism for data that has not been synced to the cloud.
- Cloud data remains stored while your account exists.
- You may request deletion of your account and associated cloud data either in-app (Settings → Account → Delete Account) or by contacting us at the email below. We may verify account ownership before processing deletion.
- Deletion requests are processed within 30 days.
Security
We implement reasonable safeguards, including:
- Encryption in transit (HTTPS/TLS)
- Secure, access-controlled cloud storage
- Separation of authentication and subscription systems
No system is completely secure. We comply with applicable laws regarding breach notification.
Legal Basis (Where Applicable)
Where required by law (such as the GDPR), we process personal data:
- To provide account authentication and Cloud Sync (performance of contract), and
- Based on your consent when enabling Cloud Sync.
Your Rights
Depending on your location, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and associated data
- Export your data (available in-app)
- Withdraw consent for Cloud Sync by disabling it
To exercise these rights, contact us at the email below.
Changes to This Policy
We may update this Privacy Policy from time to time.
If material changes are made, we will update the Effective Date and notify users where appropriate.
Continued use of OpenBook after changes constitutes acceptance of the revised policy.
Contact
If you have questions about this Privacy Policy:
Email: support@openbook.fit
Developer: OpenArcX