Privacy Policy

Last updated: May 2, 2026

Effective date: May 2, 2026

Overview

This Privacy Policy explains how False Summit Solutions LLC ("PostureMax," "we," "us," or "our") collects, uses, stores, and shares your information when you use the PostureMax mobile application (the "App") and related services. We've tried to write this in plain language. If anything is unclear, email us at support@posturemaxapp.com.

In short: we collect what we need to make the App work — your account, your posture data, and the photos you take during scans. Photos are used for AI analysis and discarded; only the results are kept. You can delete everything from inside the App at any time.

1. Information We Collect

1.1 Account Information

You can sign in using Apple Sign-In or Google Sign-In. When you do, we receive:

  • Your email address (or, with Apple Sign-In, a private relay address if you choose)
  • Your name, if provided by the sign-in service
  • A unique account identifier from Firebase Authentication

1.2 Profile Information

During onboarding and in Settings, you may provide:

  • Gender
  • Height and weight
  • Age (must be 13 or older — see Section 8)
  • Activity level
  • Daily reminder preferences
  • Where you heard about the App (referral source)

1.3 Posture & Activity Data

  • Daily check-ins: dates, completion counts, and reminder responses
  • Streak data: current streak, best streak, last active date
  • Training drills: drill type, duration, completion timestamps
  • AirPods posture sessions: session date, duration, average / best / worst score, and head-orientation samples used to compute posture scores (see Section 1.5)
  • Posture scan reports: the numerical Shell Score, identified problem zones, summary text, and recommended drills generated from your scans (the source images are not retained — see Section 1.4)

1.4 Camera & Photo Data (Posture Scans)

When you run an AI Posture Scan, the App captures one or two photos (front and side) using your device camera. These photos are:

  • Resized and compressed on your device before transmission;
  • Sent over an encrypted (HTTPS / TLS) connection to our backend, which forwards them to OpenAI's GPT-4 family Vision API (in some configurations via the AIProxy proxy service) for analysis;
  • Held in memory only for as long as the analysis takes, and then discarded — neither we nor our backend store the photos persistently;
  • Never written to your device's Photo Library, and never shared with anyone other than the AI provider described above.

Only the textual / numeric analysis results (your Shell Score, problem zones, and recommended drills) are saved on your device and synced to your account.

1.5 Motion Data (AirPods)

If you start an AirPods posture monitoring session, we use the Headphone Motion API (compatible with AirPods Pro, AirPods Max, AirPods 3rd generation, and other headphones supporting head tracking) to read head orientation while the session is active. This motion data:

  • Is processed entirely on your device to compute a real-time posture score;
  • Is summarized into a session record (averages, durations, score samples) that is saved locally and synced to your account;
  • Is not transmitted to OpenAI, Anthropic, or any other third party.

1.6 Gamification Data

The App includes a mascot-evolution gamification layer. We collect and store:

  • Your shrimp's display name (defaults to "Shrimpy"; you can rename it)
  • Your chosen shell color
  • Total XP, current evolution stage, and highest stage reached
  • XP events (source, amount, timestamp) and daily XP totals
  • Streak length and last-active date

1.7 Subscription & Purchase Data

If you purchase a subscription, Apple's App Store handles the transaction. We use RevenueCat to receive your subscription entitlement status (active / expired / trial) keyed to an anonymous user ID. We do not see, receive, or store your full payment card or Apple ID credentials.

1.8 Diagnostics & Usage Data

We automatically collect:

  • Crash logs and performance diagnostics (Firebase Crashlytics)
  • Aggregate feature-usage events (Firebase Analytics) — e.g. which screens are opened, which features are used, how often the App is launched
  • Device model, operating system version, App version, language, and region

1.9 Push Notifications

If you grant notification permission, we send local and remote notifications for posture reminders, streaks, milestones, and evolution events. You can disable these in iOS Settings or in the App's settings at any time.

1.10 Advertising & Tracking Data

The App integrates the Meta (Facebook) iOS SDK for advertising attribution and campaign measurement. On first launch you will see an Apple App Tracking Transparency (ATT) prompt. The data we share with Meta depends on your choice:

  • If you allow tracking: we may share your Identifier for Advertisers (IDFA), purchase events (e.g. trial start, subscription started), and product-interaction events with Meta to measure ad effectiveness and optimize campaigns.
  • If you deny tracking: the IDFA is not shared. We may still use Apple's privacy-preserving SKAdNetwork and Meta's Aggregated Event Measurement (AEM) to receive anonymized, aggregate conversion signals.

Denying tracking does not change any core functionality of the App.

2. How We Use Your Information

We use your information to:

  • Operate the App's core posture-monitoring, scanning, and coaching features;
  • Compute Shell Scores, generate drills, and award XP;
  • Track streaks, evolve your mascot, and deliver gamification rewards;
  • Sync your data across devices when you are signed in;
  • Send notifications you've opted in to;
  • Process subscription purchases and manage entitlements;
  • Diagnose crashes, fix bugs, and improve performance;
  • Prevent abuse and enforce our Terms;
  • Provide customer support;
  • Comply with legal obligations.

We do not sell your personal information. We do not use your posture data, scans, or motion data to train AI models.

3. Where Your Data Lives

3.1 On Your Device

  • Core Data stores your check-ins, sessions, profile, and gamification data locally;
  • iOS Keychain stores authentication tokens securely;
  • UserDefaults stores small preference values.

3.2 In the Cloud

When you are signed in, your data is synchronized to Firebase Firestore, hosted by Google Cloud in the United States. Stored items include your profile, check-ins, streaks, training drill history, AirPods session summaries, posture report results (no images), gamification data, and XP events. Firestore is governed by security rules that prevent any user from reading or writing another user's data.

3.3 Security

  • All network traffic uses HTTPS / TLS encryption;
  • Authentication tokens are stored in the iOS Keychain;
  • Server-side requests to our backend are authenticated using Firebase ID tokens;
  • Firestore security rules restrict every user to their own documents.

No system is perfectly secure. We work to protect your data, but we cannot guarantee absolute security.

4. Third-Party Services

We use the following service providers ("processors") to run the App. Each operates under its own privacy policy.

4.1 Firebase (Google LLC)

  • Firebase Authentication — Apple / Google sign-in and account identity
  • Cloud Firestore — encrypted storage of your account data
  • Firebase Analytics — aggregate, pseudonymous usage events
  • Firebase Crashlytics — crash reports and stack traces

Privacy: firebase.google.com/support/privacy

4.2 OpenAI (OpenAI, L.L.C.)

  • Posture-scan photos and the analysis prompt are sent to OpenAI's GPT-4 family Vision API for analysis.
  • Only the data needed to perform the analysis is sent. We do not include your name, email, or any other identifying profile data.
  • Per OpenAI's API data-usage policy, prompts and outputs are not used to train OpenAI's models.

Privacy: openai.com/privacy

4.3 AIProxy

In some configurations, posture-scan requests are routed through AIProxy, a proxy that authenticates and forwards requests to OpenAI on our behalf without exposing our API keys. AIProxy does not retain image content beyond what is required to deliver the request.

Privacy: aiproxy.com/privacy

4.4 Anthropic

Our backend supports the Anthropic Claude API as an alternative coaching provider. If a feature you use is configured to call Claude, the relevant text prompt will be sent to Anthropic. Photos are never sent to Anthropic.

Privacy: anthropic.com/legal/privacy

4.5 RevenueCat

Manages App Store subscriptions and entitlements. Receives transaction metadata (product ID, period, status). RevenueCat does not receive your name, email, posture data, or scan photos.

Privacy: revenuecat.com/privacy

4.6 Meta Platforms (Facebook)

Used solely for advertising attribution and campaign measurement, subject to your ATT choice (see Section 1.10). Tracking domains are facebook.com, facebook.net, fb.com, and fb.gg.

Privacy: facebook.com/privacy/policy

4.7 Apple & Google

Apple provides Sign in with Apple, the App Store, in-app purchase processing, push notifications (APNs), and SKAdNetwork. Google provides Google Sign-In and the Firebase services listed above.

4.8 WishKit

If you submit a feature request or feedback through the in-App feedback view, that submission is processed by WishKit so we can collect and triage feedback.

Privacy: wishkit.io/privacy

4.9 Backend Hosting

Our backend API (which proxies AI requests, performs authentication, and applies rate limits) is hosted on Render in the United States.

5. Your Rights & Choices

5.1 Inside the App

  • View your data: Your check-ins, sessions, drills, scan reports, XP history, and profile are all accessible inside the App.
  • Delete individual items: Delete any saved posture report from the report list.
  • Delete your account: Settings → Delete Account permanently removes your Firebase account, all your Firestore data, and all local Core Data on the device. This action cannot be undone. If you have an active App Store subscription, you must cancel it separately in iOS Settings → [your name] → Subscriptions — Apple does not allow developers to cancel subscriptions on your behalf.

5.2 In iOS Settings

  • Camera, Motion & Notifications: manage permissions in Settings → PostureMax. Revoking the camera disables AI scans; revoking motion disables AirPods sessions; revoking notifications disables reminders. The rest of the App continues to work.
  • Tracking: change your ATT choice in Settings → Privacy & Security → Tracking.
  • Apple Advertising Personalization: manage in Settings → Privacy & Security → Apple Advertising.

5.3 GDPR (EEA / UK Residents)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation gives you the right to:

  • Access the personal data we hold about you;
  • Have inaccurate data corrected;
  • Have your data erased;
  • Restrict or object to certain processing;
  • Receive a copy of your data in a portable format;
  • Withdraw consent (where processing is based on consent) at any time;
  • Lodge a complaint with your local supervisory authority.

Our legal bases for processing are: (i) performance of contract for delivering the App's features, (ii) legitimate interests for diagnostics and abuse prevention, (iii) consent for advertising tracking and notifications, and (iv) legal obligation where required.

To exercise any of these rights, email support@posturemaxapp.com. The fastest way to delete your data is in-App (Settings → Delete Account).

5.4 CCPA / CPRA (California Residents)

California residents have the right to know what personal information we collect, to request deletion of that information, to correct inaccuracies, and to opt out of "sale" or "sharing" of personal information. We do not sell personal information. We do "share" certain identifiers with Meta for cross-context behavioral advertising only when you have granted ATT permission; you can opt out at any time by denying ATT or by emailing support@posturemaxapp.com. We will not discriminate against you for exercising any of these rights.

5.5 Other Jurisdictions

If your jurisdiction grants you additional privacy rights, you may exercise them by contacting us. We will respond within the timeframes required by applicable law.

6. Data Retention

  • Account data: retained while your account is active. Deleted permanently within 30 days after you delete your account.
  • Local data on your device: retained until you delete the App, sign out, or use the in-App account-deletion option.
  • Posture-scan photos: not retained — held only in memory during analysis and then discarded.
  • Crash and analytics data: retained according to Google's default Firebase retention periods (typically up to 14 months for analytics; longer for crash reports until cleared).
  • Backups and logs: may persist in encrypted backups for a short additional period as required for security and operational continuity.

7. International Data Transfers

PostureMax is operated from the United States. Your data is transferred to and processed in the U.S. and may be processed in any country where our service providers operate (including Google Cloud regions). Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms approved under applicable law.

8. Children's Privacy

PostureMax is intended for users 13 years of age or older. We do not knowingly collect personal information from children under 13. The App enforces a minimum age of 13 during onboarding. If you are a parent or guardian and believe a child under 13 has provided us with personal information, please contact support@posturemaxapp.com and we will delete it promptly. Users under 18 should obtain a parent or guardian's permission before using the App.

9. Health Information

PostureMax is a general wellness product and is not a medical device. The posture data, scores, and recommendations the App generates are for informational and motivational purposes only. They are not medical records, are not protected health information ("PHI") under HIPAA, and should not be used to make medical decisions. See our Terms & Conditions for the full health disclaimer.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we'll change the "Last updated" date above. For material changes, we will provide additional notice — for example, an in-App alert or email. Your continued use of the App after a change becomes effective indicates acceptance of the updated policy.

11. Contact Us

If you have any questions about this Privacy Policy, your data, or our practices, please contact us:

False Summit Solutions LLC
Developer of PostureMax

By creating an account or using PostureMax, you acknowledge that you have read and understood this Privacy Policy.