Privacy Policy

Carbyne Lab ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Carbyne Lab progressive web application (the "Service"), accessible at carbynelab.com. Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy.

If you do not agree with the terms of this Privacy Policy, please discontinue use of the Service immediately.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address and any profile information you choose to provide, such as your display name, avatar image, and preferred language setting. Authentication is handled through Supabase Auth, which supports email-based login and social sign-in providers. We store your user profile data in our Supabase PostgreSQL database.

1.2 Fitness and Health Data

As you use the Service, we collect and store fitness-related data that you voluntarily input, including:

• Workout logs: exercises performed, sets, reps, weights, rest times, workout duration, and estimated calorie burn.
• Training programs: training cycles, weekly schedules, and program configurations.
• Nutrition logs: meals, calorie counts, macronutrient breakdowns (protein, carbohydrates, fats), meal photos, and meal group timestamps.
• Body metrics: body weight, body fat percentage, and other physical measurements you choose to record.

1.3 Progress Photos

Progress photos that you upload within the app may be encrypted on your device and stored in private cloud storage linked to your account. These photos are used to show your own progress gallery on the device where they were added and are not shared with trainers through trainer-facing views. If you choose to use an AI analysis feature, the selected photo may be sent to an AI service provider to estimate fitness-related metrics such as body fat percentage.

1.4 Camera and Motion Analysis Data

When you use the AI motion analysis feature, your device camera captures video of your movements. This video is processed entirely on your device (client-side) using computer vision models running in your browser. No video footage, images, or raw camera data is transmitted to our servers or any external service. The only data derived from the motion analysis that may be stored are aggregate metrics such as rep counts, movement quality scores, and form feedback summaries, which are stored as part of your workout logs.

1.5 Communication Data

If you use the in-app messaging feature to communicate with your trainer or trainees, the content of those messages is stored in our database. Messages are only accessible to the sender and intended recipient. If you submit feedback through our contact form, we collect your name, email address, phone number (optional), and message content.

1.6 Automatically Collected Information

When you access the Service, we may automatically collect certain information about your device and usage, including your IP address, browser type, operating system, referring URLs, pages visited, and timestamps. This information is collected through standard web server logs and analytics tools to help us improve the Service.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve the Service, including workout tracking, nutrition logging, motion analysis, and trainer dashboard features.
• To personalize your experience, including generating AI-powered training programs tailored to your goals and fitness level.
• To facilitate communication between trainers and trainees through the in-app messaging system.
• To respond to your inquiries, feedback, and support requests.
• To monitor usage patterns and analyze trends to improve our features and user experience.
• To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity.
• To comply with applicable legal obligations and enforce our Terms of Service.

3. Data Storage and Security

Your account data, workout logs, nutrition records, body metrics, messages, and trainer relationships are stored in a Supabase PostgreSQL database. Supabase provides enterprise-grade security with row-level security (RLS) policies, meaning your data is only accessible to you and users you have explicitly authorized (such as your assigned trainer). All data transmissions between your device and our servers are encrypted using TLS (Transport Layer Security).

The Service is deployed on Cloudflare Workers, which provides additional security benefits including DDoS protection, SSL/TLS encryption, and edge caching for performance.

Progress photos may be stored in private Supabase Storage linked to your account after being encrypted on your device. Access is restricted by row-level security and storage policies, and the decryption key remains in local browser storage on the device where the photo was added.

While we implement industry-standard security measures to protect your information, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but will promptly notify affected users in the event of a data breach as required by applicable law.

4. Third-Party Services

We use the following third-party services that may collect information as described in their respective privacy policies:

4.1 Supabase

We use Supabase for authentication, database storage, and backend services. Supabase processes your account data and application data in accordance with their privacy policy. For more information, visit Supabase Privacy Policy.

4.2 Cloudflare

Our application is deployed on Cloudflare Workers. Cloudflare may process certain request data (IP addresses, request headers) for security and performance purposes. For more information, visit Cloudflare Privacy Policy.

4.3 Google Gemini AI

If you request AI analysis of a progress photo, the selected image may be sent to Google Gemini for processing. The analysis is used to generate an estimated fitness metric and should not be treated as medical advice or a clinical measurement. For more information, visit Google Privacy Policy.

4.4 Google Ads

We use Google Ads (conversion tracking ID: AW-17952919821) to measure the effectiveness of our advertising campaigns. Google may use cookies and similar technologies to collect information about your interactions with our ads and website. This data helps us understand how users find and engage with our Service. You can manage your Google ad preferences at Google Ad Settings. For more information, visit Google Privacy Policy.

4.5 Meta Pixel

We use the Meta Pixel (ID: 664571836718432) for advertising analytics and conversion tracking on Meta platforms (Facebook and Instagram). The Meta Pixel may collect information about your browsing behavior, device information, and interactions with our Service to help us measure ad effectiveness and deliver relevant advertising. You can manage your Meta ad preferences in your Facebook settings. For more information, visit Meta Privacy Policy.

4.6 Google AdSense

We may display advertisements through Google AdSense. Google AdSense uses cookies to serve ads based on your prior visits to our website and other websites. You may opt out of personalized advertising by visiting Google Ads Settings.

5. Cookies and Local Storage

The Service uses cookies and similar technologies for the following purposes:

• Authentication cookies: to keep you logged in and manage your session securely.
• Preference cookies: to remember your language preference, theme settings, and other user preferences.
• Analytics cookies: used by Google Ads and Meta Pixel to understand how users interact with our Service and measure advertising effectiveness.
• IndexedDB: may be used to cache certain application state locally on your device when local browser storage is needed.
• Local Storage: used by Zustand state management to persist certain application preferences on your device and, for progress photos, to keep a device-local encryption key.

You can control cookies through your browser settings. Disabling certain cookies may affect the functionality of the Service, particularly authentication and session management.

6. Trainer-Trainee Data Sharing

If you are a trainee assigned to a trainer, your trainer will have access to the following data: workout logs, nutrition logs, body metrics, and in-app messages you exchange with them. Trainers can also log workouts and nutrition data on your behalf as part of the coaching relationship. Your trainer does not have access to your progress photos or your account credentials.

If you are a trainer, you will have access to the data described above for each of your assigned trainees. You are responsible for handling your trainees' data in accordance with applicable privacy laws and maintaining the confidentiality of their information.

7. Data Retention

We retain your account data and associated fitness data for as long as your account is active. If you choose to delete your account, we will permanently delete all of your data from our database, including workout logs, nutrition records, body metrics, progress photo records, messages, and profile information. This deletion is irreversible. Browser-local cache or application state may also be cleared through your browser settings.

Feedback submitted through our contact form is retained for customer service and product improvement purposes and may be deleted upon request.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Right to Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can update or correct your personal data through your account settings at any time.
• Right to Deletion: You can request deletion of your account and all associated data. The app provides a built-in account deletion feature that permanently removes all your data.
• Right to Data Portability: You can request your data in a structured, machine-readable format.
• Right to Object: You can object to the processing of your personal data for certain purposes, such as direct marketing.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at support@carbynelab.com.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us at support@carbynelab.com.

10. International Data Transfers

Your data may be processed and stored in locations outside your country of residence, including the United States. Our service providers (Supabase, Cloudflare, Google, Meta) operate globally and may transfer data to their facilities in various countries. By using the Service, you consent to the transfer of your information to these locations. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you through the Service or via email. We encourage you to review this Privacy Policy periodically.

12. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: