Saetta — Privacy Policy
1. Who we are and how to contact us
Saetta is operated by Yarden Carmel ("we," "us," "our"). We are the controller of the personal data described here.
For any privacy question or to exercise your rights (access, correction, deletion, portability, or any other request), use the contact form at the bottom of this page. We do not publish an email address; the form is the way to reach us. We respond within 30 days.
2. What data we collect
- Account data. Your email address and the authentication provider you used to sign in (Google, or email and password). If you sign in with Google, the identifier and email Google returns under your settings.
- Your training data. The plans, training days, exercises, set logs (reps, weight), and notes you enter. This is stored encrypted.
- Anonymous usage analytics (only if you turn it on — off by default). Which screens you open and which in-app actions you take, as a fixed, limited set of events. It never includes your weights, reps, exercise names you typed, your name, or your email. The full list of events is published and fixed; new categories require a fresh prompt before they are collected.
- Crash reports (only if you turn them on — off by default). If the app crashes, the technical error, the stack trace, your device model, and your OS version. User-entered text (custom exercise or plan names), your email, and your account ID are scrubbed before a crash report leaves your device.
- A device identifier. A random identifier generated on first launch (a UUID, not a hardware ID, not an advertising ID) used only to deduplicate analytics and crash events if you have turned those on. It is a pseudonymous identifier and is treated as personal data. We do not promise "no identifiers."
Local-only first-launch window. When you first install Saetta there may be a brief period, before you create an account or sign in, where the data you enter exists only on this phone. During that window nothing has been sent to any server and we hold no copy of it. Server-side data about you begins to exist only at your first sync after sign-in.
We do not collect: precise location, your contacts, your photos or files, voice or video, advertising identifiers, or any health or biometric data. The beta does not connect to Apple Health, Health Connect, or any wearable.
3. Legal bases for processing
- Performance of a contract — your account, your training data, and syncing them so they persist across reinstalls and devices. This is necessary to provide the service you signed up for.
- Consent — anonymous usage analytics and crash reporting. Both are off by default. You give consent by turning a toggle on, and you can withdraw it at any time in Settings → Privacy & data. Withdrawing consent does not affect anything you did before withdrawing.
- Legal obligation — where applicable law requires us to retain or disclose specific records.
4. Who processes the data
- Supabase, Inc. — our backend: managed database, authentication, and the functions that receive analytics, crash reports, and privacy requests. Supabase is our sole data processor; it is the only third party we engage to process your data on our behalf. We are bound to Supabase by an executed Data Processing Agreement (Supabase Data Processing Terms, version 5 August 2025; executed 2026-05-17; document reference BGJQA-WCLSK-XVBWB-4D46W). Our Supabase project is hosted in the European Union region. Supabase in turn engages its own downstream sub-processors (for example, infrastructure and email providers); these are Supabase's sub-processors, not separate processors of ours, and the authoritative, complete list is enumerated in Schedule 3 of that executed Data Processing Agreement (document reference BGJQA-WCLSK-XVBWB-4D46W, dated 2026-05-17), which we hold on file.
- Google LLC — only if you choose Sign in with Google, and only for authentication. Covered under Google's developer terms.
- The host of this privacy-policy page (Cloudflare, Inc. — Cloudflare Pages). This page is hosted on Cloudflare Pages and served over Cloudflare's content delivery network; Cloudflare also provides DNS and the reverse proxy for the saetta.app domain and terminates the HTTPS connection. Because of this, Cloudflare can see the IP address of visitors to this page. That is inherent to loading any web page through a CDN and is disclosed here for completeness; we do not use it.
We use no third-party analytics SDK, no advertising networks, and no data brokers. We do not sell your data and we do not share it for advertising.
5. Where data is stored and transferred
Our backend is hosted in the European Union region. If you are in Israel, the transfer between Israel and the EU relies on the EU's adequacy decision for Israel. We do not expect production data to be accessed from outside the EU or Israel during the beta.
6. How long we keep data
- Account and training data — kept while your account exists. When you delete your account, it is removed promptly (see §7 — account deletion is an immediate hard erasure, not the routine 90-day sync cleanup).
- Routine soft-deleted records — when you delete an individual plan or session, it is tombstoned for sync and hard-deleted from the server within 90 days. This is the ordinary sync mechanism and is separate from account deletion.
- Analytics and crash events — kept up to 90 days, then deleted. We may keep only aggregate counts for longer (for example, how many people used the app on a given day, or how many people completed onboarding). These aggregates contain no identifier and no training data, and any count that would describe a group small enough to point to an individual is suppressed before the aggregate is stored — they cannot be traced back to you. If you turn analytics or crash reporting off, the events already collected are hard-deleted (not anonymized) from our servers within 30 days, and the unsent buffer on your device is purged immediately.
- Backups. Our backend provider keeps encrypted backups for disaster recovery. A deletion may remain in a backup until that backup is rotated out on the provider's normal schedule; deleted data is swept from backups on the next rotation and is not restored into the live system.
7. Your rights and how to use them
You can, at any time:
- Export your data — Settings → Privacy & data → Export my data produces a machine-readable copy of your plans, days, sessions, and set logs that you can save off-device.
- Delete your account — Settings → Privacy & data → Delete account. This is a deliberate, confirmed action that immediately and permanently erases your account, plans, sessions, sets, and any analytics/crash events linked to you, on our servers and on your device. It is not the routine 90-day cleanup and it is not recoverable. The only thing not erased is the identifier-free aggregate counts described in §6 (e.g. daily active-user totals) — these never contained your training data or any identifier, are suppressed so they cannot point to an individual, and so are not personal data about you. (Backups follow the rotation in §6.)
- Access, correct, or restrict your data, object to processing, or request portability — most data is directly editable in the app; for anything else, use the contact form below.
- Withdraw analytics/crash consent — Settings → Privacy & data, at any time.
For EU/EEA/UK testers: you also have the right to lodge a complaint with your local data protection authority. For Israeli testers: you have access and correction rights under the Privacy Protection Law (including amendment 13) and may contact the Privacy Protection Authority.
All requests that are not self-service go through the contact form at the bottom of this page (§1). We respond within 30 days.
8. Children
Saetta is not directed to children. You must be at least 18 to use the beta (or the age of digital majority where you live; not below 16 in any case). We do not knowingly collect data from children. If you believe a child has used the beta, contact us via the form below and we will delete the data.
9. Security
- Your local database on the device is encrypted at rest (SQLCipher).
- Data in transit between the app and our backend is encrypted (TLS).
- Server-side data is protected by row-level security so one user's account cannot read another user's data.
- Analytics and crash events are inserted only through a server-side function; the app never has direct write access to those tables, and your IP address is discarded by that function before insertion — it is not stored with those events.
- When you submit the privacy contact form, the server does not store your IP address. To stop one person flooding the form, it derives a short-lived one-way fingerprint of your IP — a salted hash whose salt changes every day — and stores only that fingerprint, solely to limit the form to one request per hour. The IP itself is never written down or logged, and the daily salt change means the fingerprint cannot be used to track you across days.
No system is perfectly secure. You are responsible for the security of your device and your sign-in credentials.
10. Changes to this policy and how we tell you
We may update this policy. The version and effective date at the top change when we do. If a change is material — a new category of data, a new processor, data leaving the EU region, or a longer retention period — we will re-prompt you in the app before it takes effect. Clarifying text-only changes show an in-app "Privacy policy updated" notice with a link, without re-prompting.
11. Effective date and version
This version: 2026-05-17.1. Effective date: 2026-05-17. This is a beta policy for a closed Israel-only friend test and will be replaced before any public launch.
12. Israel-specific note
This beta is operated for a small Israel-based group under the Israeli Privacy Protection Law 5741-1981, including amendment 13 (effective 2024-08-14). Based on the cohort size (~50 testers) and the absence of sensitive/health data in the beta, Privacy Protection Law §8 database registration is not assessed as mandatory at this scale (this assessment is recorded in our internal compliance file). This will be re-assessed by human counsel before any broader launch. No Data Protection Officer is appointed for the beta; for the cohort size and data types this is not required.
Make a privacy request
Use this form for any access, correction, deletion, portability, or other privacy request. We respond within 30 days. We do not publish an email address — this form is how you reach us.