Privacy Policy

1. Definitions

Capitalized terms used in this Policy have the meanings below.

• Account means your Squadletics account, profile, login, mobile account, connected wallet identity, or other credentials used to access the Service.
• Challenge means a fitness, activity, accountability, competition, daily competition, perpetual challenge, multiplayer challenge, running challenge, sponsored challenge, private challenge, creator challenge, or similar activity offered through Squadletics.
• Controller means Linas Lekavicius, the person responsible for deciding why and how Squadletics processes personal data, except where a third-party service acts as its own controller under its own policy.
• Health and Fitness Data means health, fitness, movement, workout, exercise, sensor, wearable, step, distance, pace, calorie, heart-rate, route, activity, proof, or related data that can relate to your body, activity, or fitness participation.
• Personal Data means information that identifies, relates to, describes, can reasonably be linked to, or can reasonably identify a person, household, device, wallet, account, or user.
• Service means Squadletics websites, web apps, mobile apps, APIs, challenge systems, computer-vision systems, account systems, wallet features, payment features, leaderboards, notifications, support channels, and related services.
• Third-Party Services means services, software, platforms, networks, wallets, blockchains, payment processors, health data providers, analytics providers, infrastructure providers, app stores, and APIs not controlled by Squadletics.

2. Data We Collect

We collect data you provide, data generated when you use the Service, data from your device and permissions, data from connected accounts and integrations, and data from Third-Party Services used to operate Squadletics.

• Account and contact data: email address, phone number, username, display name, profile details, country, language, avatar, support messages, and communication preferences.
• Authentication and identity data: login tokens, session data, Apple sign-in data if used, mobile auth data, connected wallet address, smart wallet address, World App or MiniPay identifiers, Base App or Farcaster identifiers, verification status, account ownership proofs, and related metadata.
• Challenge data: challenge entries, exercise type, targets, scores, reps, distances, deadlines, streaks, missed days, penalties, rewards, rankings, leaderboards, entry history, status, appeals, and settlement history.
• Camera and proof data: camera permission status, camera frames processed on device, pose landmarks or movement signals, screenshots, proof frames, clips, recordings, rep metadata, timestamps, device orientation, lighting or visibility indicators, and review notes where needed for challenge verification, fraud prevention, support, safety, or dispute review.
• Running and activity integration data: Strava athlete ID, Strava activity ID, sport type, activity type, distance, moving time, elapsed time, average speed, average pace, start time, timezone, manual/trainer/private flags, validity status, invalid reason, daily totals, sync status, and similar data from future running, walking, cycling, wearable, route, or activity integrations.
• Health platform data: if enabled and permitted by you, data from Apple HealthKit, Apple Motion and Fitness, Google Health Connect, Google Fit, Strava, wearables, or similar sources, such as steps, workouts, distances, activity timestamps, movement metrics, calories, heart-rate-related metrics, route-related metrics, source metadata, and sync metadata, depending on the feature and permissions you grant.
• Payment and financial data: payment status, checkout sessions, payment method references, saved payment method identifiers, payment processor account IDs, Whop-related payment and payout records, mobile wallet balances, top-ups, cashouts, refunds, chargebacks, transaction IDs, payment amounts, currencies, tax and accounting records, and fraud-prevention signals. We do not store full card numbers or full bank account credentials on our own servers.
• Crypto and wallet data: wallet addresses, chain IDs, token types, transaction hashes, smart contract interactions, network confirmations, public blockchain activity relevant to your use of Squadletics, and wallet or payment signatures used for authentication or transaction authorization.
• Device, usage, and diagnostic data: IP address, browser type, device model, operating system, app version, device identifiers where available and permitted, locale, referral source, pages or screens viewed, events, crashes, logs, performance data, network status, and timestamps.
• Cookies and local storage data: authentication cookies, language preferences, security cookies, local storage, session storage, secure storage, install and onboarding preferences, and analytics identifiers where analytics are enabled.
• Notification data: push notification tokens, notification provider tokens, Farcaster or mini-app notification tokens, notification preferences, delivery status, and related device metadata.
• User content and community data: profile content, challenge names, comments, social posts, referrals, shared proof posts, leaderboard entries, reports, and other content you submit or choose to share.
• Fraud, safety, and compliance data: multiple-account signals, payment fingerprints or hashed payment references if provided by a processor, device and network signals, geolocation or location checks where required, sanctions or eligibility checks, abuse reports, integrity review outcomes, and enforcement history.

3. Camera, Proof Media, and Exercise Recognition

Camera-based challenges require camera access so Squadletics can count exercises, verify movement, and detect invalid or suspicious activity. We process camera frames on your device where possible. Some proof media and metadata may be transmitted to Squadletics when needed for challenge verification, fraud review, dispute resolution, customer support, product debugging, safety review, service improvement, or enforcement of our Terms.

Proof media is not public by default. Authorized staff, contractors, and service providers may access proof media only when reasonably necessary for the purposes described in this Policy. We do not use proof media for facial recognition identification unless we separately disclose that use and obtain any consent required by law or platform policy.

If the App shows an in-app disclosure before a workout or recording feature, that disclosure supplements this Policy. Declining camera access may prevent you from joining or completing camera-based Challenges, but you may still be able to use other features where available.

4. Health, Fitness, and Activity Integrations

We request Health and Fitness Data only when it is needed for a feature you use, such as challenge verification, progress display, fraud prevention, safety, or support. You can grant, deny, or revoke permissions through your device settings or the relevant third-party integration settings.

For Apple HealthKit and Apple Motion and Fitness, we use the data you authorize only for disclosed fitness, challenge verification, fraud prevention, safety, support, and service operation purposes. We do not use or disclose Apple HealthKit, Apple Motion and Fitness, or Apple health and fitness framework data for advertising, marketing, or data brokerage. We do not store Apple HealthKit personal health information in iCloud. If we ever write data to HealthKit, we will write only data intended to be accurate for the relevant feature.

For Google Health Connect, Google Fit, and Android health or fitness permissions, we treat the data as personal and sensitive user data. We use it only for the feature you enabled and for security, fraud prevention, support, and legal compliance. We do not sell it, use it for advertising, or transfer it except to service providers acting on our behalf, as required by law, or as specifically directed by you.

For Strava and similar third-party fitness integrations, we access only the data allowed by the permissions you grant and the integration's API. You may disconnect Strava where the Service provides that option. Disconnecting may stop future syncs and may remove stored integration proof data where possible, subject to retention needed for settled Challenges, fraud prevention, disputes, accounting, safety, or legal compliance.

5. How We Use Data

• To provide, maintain, secure, and improve the Service.
• To create and manage Accounts, authentication, sessions, profiles, preferences, language settings, and account deletion requests.
• To operate Challenges, verify activity, count reps, sync running activity, calculate scores, enforce rules, maintain leaderboards, settle rewards, and process appeals.
• To process payments, top-ups, payouts, refunds, chargebacks, taxes, accounting records, wallet balances, crypto transactions, and payment processor requirements.
• To detect and prevent cheating, fraud, multiple-account abuse, payment abuse, security incidents, unsafe activity, and violations of our Terms.
• To send transactional messages, service notices, security alerts, challenge reminders, payout notices, and push notifications you enable.
• To provide support, troubleshoot bugs, test safety and integrity systems, respond to disputes, and improve usability and reliability.
• To analyze aggregated or de-identified usage trends, measure product performance, and improve exercise recognition and anti-fraud systems in ways permitted by law and platform policy.
• To comply with legal obligations, tax obligations, sanctions requirements, app store rules, payment processor rules, court orders, and lawful requests.
• To send marketing communications only where permitted by law and your preferences. We do not use Health and Fitness Data for marketing profiling.

6. Analytics and Product Improvement

Squadletics uses computer vision and related systems to count exercise, evaluate movement, and detect potential abuse. Those systems may run on device, on our servers, or through service providers depending on platform and feature design.

We may use aggregated, de-identified, or operational data to improve exercise recognition, anti-cheat systems, safety checks, and product quality. We do not sell proof media or Health and Fitness Data, and we do not share Health and Fitness Data with third parties for advertising, marketing, or data brokerage. If we ever seek to use identifiable proof media for a new purpose that requires separate consent, we will ask for that consent first.

Where analytics tools such as PostHog, Google Analytics, or similar providers are enabled, we use them to understand product usage, diagnose issues, measure feature performance, and improve the Service. Analytics configurations may vary by platform and region.

7. How We Share Data

We share Personal Data only as needed for the purposes described in this Policy, as directed by you, or as permitted or required by law.

• Service providers: infrastructure, hosting, database, storage, security, analytics, payment, payout, notification, customer support, identity verification, tax, accounting, fraud prevention, and app infrastructure providers, such as Supabase, Whop, Stripe, Expo, PostHog, Google Analytics, Alchemy, WalletConnect, and similar providers where used.
• Payment and payout partners: Whop, card processors, wallet providers, payout providers, banks, onramp providers, chargeback processors, and tax or compliance providers may receive data needed to process payments, payouts, disputes, refunds, and compliance checks.
• Fitness integrations: Strava, Apple HealthKit, Apple Motion and Fitness, Google Health Connect, Google Fit, wearable providers, and similar integrations may receive or provide data only as enabled by your permissions and the relevant feature.
• Wallets, blockchains, and mini-app platforms: World App, MiniPay, Base App, Coinbase, Alchemy, public blockchains, wallet providers, and smart contract networks may process wallet, transaction, identity, and app interaction data according to their own policies when you use those features.
• Other users and the public: challenge participation, username, country, leaderboard position, scores, completion status, public profile data, and shared content may be visible to other users or the public. Proof media is not public by default.
• Legal, safety, and enforcement: we may disclose data to comply with law, court orders, payment processor investigations, app store review, tax obligations, fraud investigations, safety issues, abuse prevention, security incidents, or to protect rights, users, and the public.
• Professional advisers and business transfers: lawyers, accountants, auditors, insurers, prospective financing partners, or future operators may receive data where reasonably necessary and legally permitted, including in connection with a future company formation, financing, restructuring, sale of assets, transfer of rights, or transfer of the Service.
• With your direction or consent: we may share data when you connect an integration, request a payout, share proof, invite others, publish content, contact support, or otherwise direct us to share it.

We require service providers that process Personal Data for us to protect it and use it only for the services they provide to Squadletics, unless they act as independent controllers under their own policies.

8. Payments, Wallets, and Financial Records

Payments and payouts may be processed by Whop, Stripe, wallet providers, blockchain networks, banks, onramp providers, or other Third-Party Services. We receive and store transaction records, payment status, payment method references, payout status, wallet balances, refund records, dispute records, and related identifiers needed to operate the Service.

We do not store full card numbers or full bank account credentials on our own servers. Sensitive payment details are handled by the relevant Payment Processor or financial provider. Blockchain transactions are public by design and may be visible to anyone through public ledgers and block explorers.

9. Cookies, Local Storage, and Tracking Choices

We use cookies, local storage, session storage, secure storage, and similar technologies for authentication, security, wallet sessions, language preferences, onboarding state, referrals, analytics, fraud prevention, and service functionality.

You can control some browser cookies through your browser settings. Blocking cookies or storage may break authentication, wallet connection, challenge entry, language preferences, or other core features. Mobile apps may use secure storage, device storage, app identifiers, and push tokens instead of browser cookies.

We do not currently use Personal Data for cross-app targeted advertising. If we introduce tracking that requires App Tracking Transparency, Google Play consent, cookie consent, or similar permission, we will request it where required.

10. Legal Bases for Processing

If GDPR, UK GDPR, or similar laws apply, we process Personal Data under one or more legal bases depending on the data and purpose.

• Contract: to provide the Service, operate Challenges, maintain Accounts, process payments, calculate rewards, and provide support.
• Consent: for health and fitness permissions, camera permissions where required, push notifications, optional marketing, optional integrations, and other processing where consent is required. You can withdraw consent where applicable, but some features may stop working.
• Explicit consent: where Health and Fitness Data or other special-category data requires explicit consent under GDPR or similar laws.
• Legitimate interests: for security, fraud prevention, anti-cheat review, service improvement, analytics, abuse prevention, legal claims, and product safety, where those interests are not overridden by your rights.
• Legal obligation: for tax, accounting, consumer protection, sanctions, payment, app store, court, law enforcement, and regulatory obligations.
• Vital interests or public interest: where necessary to protect someone's life, safety, or comply with exceptional legal requirements.

11. Retention

We keep Personal Data only as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law. Retention periods can vary by data type, platform, challenge status, payment status, fraud risk, legal obligation, and backup schedule.

• Account data is generally retained while your Account is active and for up to 3 years after closure where needed for disputes, security, fraud prevention, support, or legal claims.
• Challenge records, activity records, proof metadata, leaderboard records, and settlement records may be retained while your Account is active and for up to 3 years after closure, or longer where needed for payments, disputes, fraud prevention, accounting, tax, or legal compliance.
• Proof media such as screenshots, clips, and recordings may be retained while needed for challenge verification, anti-cheat review, support, disputes, safety, or service improvement, and may be archived or deleted according to our operational retention rules.
• Financial, payment, payout, accounting, tax, chargeback, and compliance records may be retained for as long as required by applicable accounting, tax, payment, anti-fraud, and legal obligations, which may be up to 10 years or longer depending on the record and jurisdiction.
• Fraud prevention, safety, security, and enforcement records may be retained for up to 7 years or longer where needed to prevent repeat abuse, resolve disputes, or protect users and the Service.
• Notification tokens are retained while notifications are enabled or your Account is active, and are deleted or disabled when you revoke permissions, disable notifications, or delete your Account, subject to backup and legal exceptions.
• Analytics and diagnostic data may be retained according to the settings of the relevant analytics or logging provider, then deleted, aggregated, or de-identified.
• Backups may retain data for a limited period after deletion from live systems before they are overwritten or deleted according to backup cycles.

If you delete your Account, we will delete or de-identify Personal Data associated with the Account unless retention is needed for legal obligations, financial records, fraud prevention, security, dispute resolution, completed Challenges, chargebacks, tax, accounting, or enforcement of our Terms.

12. Your Choices and Rights

• Access, correction, and portability: you may request access to Personal Data we hold about you, ask us to correct inaccurate data, or request a portable copy where required by law.
• Deletion: you may request deletion through the App where available, at https://squadletics.com/account-deletion, or by contacting linas@squadletics.com. Some records may be retained as described in this Policy.
• Consent withdrawal: you may revoke camera, notification, HealthKit, Motion and Fitness, Health Connect, Google Fit, Strava, location, or similar permissions through device settings, integration settings, or the Service where available.
• Objection and restriction: where applicable, you may object to or request restriction of certain processing, including processing based on legitimate interests.
• Marketing opt-out: you may opt out of marketing emails or push notification marketing where available. Transactional and security messages may still be sent.
• California and similar US rights: where applicable, you may request to know, access, correct, delete, or opt out of sale or sharing of Personal Data. We do not sell Personal Data or share it for cross-context behavioral advertising as those terms are commonly used in US privacy laws.
• Complaints: if you are in the EEA, UK, or Switzerland, you may complain to your local data protection authority. In Lithuania, you may contact the State Data Protection Inspectorate.

To exercise rights, contact linas@squadletics.com with the subject Privacy Request. We may need to verify your identity, Account, wallet, payment ownership, or authority before responding.

13. Security

We use reasonable technical and organizational measures designed to protect Personal Data, including TLS encryption in transit, access controls, authentication, service-provider security controls, and encryption or protected storage where appropriate. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

You are responsible for securing your device, Account, wallet, private keys, seed phrases, passkeys, payment methods, and login credentials. We will never ask you for a seed phrase or private key.

14. International Transfers

Squadletics is operated from Lithuania, and our service providers may process data in Lithuania, the European Economic Area, the United States, and other countries. Data protection laws in those countries may differ from the laws where you live.

Where required, we rely on adequacy decisions, standard contractual clauses, data processing agreements, user consent, contractual necessity, or other lawful transfer mechanisms to transfer Personal Data internationally.

15. Children and Age Restrictions

Squadletics is not intended for anyone under 18 years old or under the age of legal majority in their jurisdiction, whichever is higher. We do not knowingly collect Personal Data from children under 18. If you believe a child has provided Personal Data to Squadletics, contact us and we will take appropriate steps to delete it and terminate the Account where required.

16. Third-Party Links and Services

The Service may link to or integrate with Third-Party Services. Their privacy practices are governed by their own privacy policies, not this Policy. You should review their policies before connecting accounts, making payments, using wallets, joining integrations, or sharing data through them.

17. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will make reasonable efforts to notify you through the Service, email, app store release notes, or another reasonable method. The updated Policy will show a new Last updated date.

18. Contact Us

For privacy questions, data protection requests, support requests, or legal notices, contact Squadletics at linas@squadletics.com. Please include Privacy Request or Data Protection in the subject line where relevant.

Operator and privacy contact: Linas Lekavicius, Untuliu 28, Vilnius, Lithuania. Email: linas@squadletics.com. Phone: +37068761654.