Introduction and scope
LiFit LLC ("LiFit," "we," "us," or "our") provides LiFit, a fitness platform for workout tracking, nutrition logging, progress analysis, gym communities, and social fitness features. This policy applies to the LiFit mobile app, https://lifit.app, and related services that link to it.
LiFit is a fitness technology service. It is not a healthcare provider, and the service is not a substitute for medical care or professional health advice.
Information you provide
The information we receive depends on the features you choose to use. Some profile and fitness fields are optional, while an email address and account credentials are needed for standard account access.
- Account details such as email address, username, display name, authentication provider, and account timestamps.
- Profile details such as biography, profile photo, fitness goal, training experience, preferred training days, gym, and visibility settings.
- Optional physical and demographic details such as birthday or birth year, sex or gender, height, bodyweight, and waist, neck, or hip measurements.
- Content and communications you submit, including posts, captions, comments, direct messages, reports, photos, videos, workout recaps, nutrition recaps, and support messages.
Account and authentication information
LiFit supports email-and-password authentication, Google Sign-In, Sign in with Apple, and phone-based Firebase authentication flows in the audited app. Authentication is provided through Firebase Authentication. Depending on the method you choose, Firebase and the identity provider may process your email address, phone number, provider identifier, display name, authentication tokens, and related sign-in information.
LiFit stores a username lookup record so users can sign in by username. The current implementation associates that record with the account email address and user ID.
Profile information and visibility
Your display name, username, profile photo, biography, gym affiliation, profile status, follower relationships, and selected activity may be shown to other signed-in users. LiFit offers public or private profile settings and separate controls to hide bodyweight, height, and gym information in the app interface.
A private profile generally requires another user to follow you before the interface shows restricted workouts, statistics, achievements, and posts. These controls govern the current app experience; the technical consistency report identifies backend access rules that must be tightened before launch so they enforce the same expectations.
Fitness and workout information
When you use workout features, LiFit stores workout names, dates and times, duration, exercises, sets, repetitions, weight, volume, notes, ratings, personal records, workout plans, custom exercises, favorites, active-workout state, training statistics, streaks, and achievements. Workout information is used to save your history, calculate summaries and trends, identify personal records, resume workouts, and generate recap cards.
Workout records are intended for your tracking experience unless you choose to share them in a post or make them available through your profile. A shared recap can contain workout title, exercises, duration, set or volume totals, personal records, and other details included in the generated card or post.
Nutrition and hydration information
LiFit stores foods, meal types, serving information, meal timestamps, calories, protein, carbohydrates, fat, recipes, ingredients, saved meals, favorite or recently used foods, nutrition targets, daily summaries, and water intake and targets. This information is used to maintain nutrition history, calculate daily and weekly summaries, show trends, and generate achievements or recap cards.
The codebase contains a U.S. Department of Agriculture FoodData Central integration, but the audit found no current call site. If that integration is activated, food-search terms would be sent to the USDA API to return food and nutrient information; the request would not include a LiFit user ID, though ordinary network information such as an IP address could be processed by the API operator.
Bodyweight, measurements, and progress
LiFit stores bodyweight history, height, waist, neck and hip measurements, sex or gender, birthday or birth year, fitness goals, training experience, streaks, and derived statistics when you provide or generate them. The data model also supports body-fat percentage and goal weight, but the audited app has no verified current writer for those two fields. The app uses available details to display progress charts and calculate fitness or body-composition estimates.
These estimates are informational only. They may be incomplete or inaccurate and are not medical measurements, diagnoses, or advice.
Photos, videos, and uploaded media
If you choose to add a profile image or social media, LiFit accesses the selected photo or video and uploads it to Firebase Storage. Social images may be resized or converted before upload, and videos may be compressed and may include a generated thumbnail. Profile photos, post media, and their download URLs are associated with your account or post.
LiFit may request camera access when you choose to take a photo for a workout, nutrition, or social post, and photo-library access when you choose existing media. The audited app does not use microphone audio as a separate feature, although a selected video may contain audio.
Deleting a post invokes server-side cleanup for its Firestore interactions and associated Firebase Storage image, video, and thumbnail files. A post-deletion backend trigger provides additional cleanup when a post is removed through another supported path. Account deletion removes the account's profile media and post-media folders from Firebase Storage.
Gym and location information
When you choose the nearby-gym feature, LiFit requests your current precise location while the feature is in use. The app uses the coordinates to query nearby gym records. When the build is configured with a Google Places API key, it may also send latitude, longitude, search terms, and search radius to Google Places to find gyms. The audited code does not store the device's raw current coordinates in your user profile.
If you join or create a gym community, LiFit stores the selected gym identifier and name, membership timestamp, and gym-related profile fields. Gym records can include a gym's business name, address, Google place identifier, and geographic coordinates. Other signed-in users may see gym membership, community activity, and leaderboard information subject to app controls.
You may deny or later disable location access in device settings. You can still use other LiFit features, but nearby-gym discovery may not work.
Device and technical information
Firebase and the app may process technical information needed to connect, authenticate, synchronize, secure, and troubleshoot the service. This can include IP address, platform, app version, Firebase installation or authentication identifiers, App Check attestation information, request timestamps, and operational logs.
LiFit uses Firebase App Check with Apple DeviceCheck in production on Apple platforms and Google Play Integrity in production on Android. Those services process device or app-attestation signals to help detect unauthorized clients. The app also creates short in-memory diagnostic messages and debug logs; some debug-only logging currently includes post payloads and user-document data and should not be enabled in production builds.
Push notifications
If you allow notifications, LiFit and Firebase Cloud Messaging process a push-notification token, a hashed token identifier, platform name, active status, timestamps, notification preferences, reminder times, and time-zone offset. Notification payloads may contain routing details such as a post, workout, actor, or meal identifier.
The app provides controls for social notifications, follow activity, workout reminders, and meal reminders. You can change those preferences in LiFit and can disable push notifications for LiFit in your device settings. Signing out or deleting an account deletes the current device's token record. LiFit also deletes permanently invalid or unregistered tokens reported by Firebase and runs a daily cleanup for token records that have not been created or refreshed for 30 days.
Analytics and diagnostics
The audited mobile build does not include Firebase Analytics or Firebase Crashlytics packages or initialization code. The web shell loads a Firebase Analytics compatibility script and includes a measurement identifier, but the audit found no call that initializes Analytics or records app events. The former anonymous-analytics preference has been removed from the current app. Firebase's active infrastructure services may still generate ordinary operational, security, and diagnostic records.
If LiFit later adds a dedicated analytics or crash-reporting service, this policy and applicable app-store disclosures should be updated before that collection begins.
Advertising and tracking
The current tracked source contains no Google AdMob integration, advertising SDK, App Tracking Transparency request, or code that tracks users across third-party apps or websites for advertising. A clean build from that source does not serve third-party behavioral ads.
LiFit version 1.0 was distributed through both the public App Store and TestFlight with Google AdMob and Apple's App Tracking Transparency flow enabled. The ATT prompt was presented, IDFA-based advertising or tracking was enabled for users who authorized it, and AdMob received ad requests. That historical processing could include an advertising identifier, consent status, device and app information, IP-derived information, and ad-request or interaction information handled by Google and Apple. LiFit no longer includes those features in the current tracked source.
A formal business commitment about selling personal information or sharing it for targeted advertising has not yet been finalized and must be confirmed before production. If LiFit's practices change, the policy and consent flows must be updated first.
Purchases and subscriptions
The current tracked source does not offer an active subscription or in-app purchase flow. An older packaged iOS build included StoreKit subscription products, purchase and restore flows, receipt refresh, and a Firebase receipt-verification call to Apple. The legacy receipt-verification Cloud Function identified during the audit was removed, and a live Firebase Function inventory on July 11, 2026 confirmed that it is no longer deployed.
The purchase-enabled version 1.0 build was distributed through both the public App Store and TestFlight. Subscriptions were offered, but there were no buyers or subscription transactions, the receipt-verification Function had no invocations, and no receipt-verification data was stored. Each account currently has a placeholder subscription status identifying it as a free account; those placeholder values do not indicate a purchase. If paid services are offered again, LiFit must update this policy and the store disclosures before collecting new purchase information.
Information stored on your device
LiFit uses shared preferences on the device to save an onboarding draft and legacy workout state such as workout history, personal records, totals, and bodyweight during migration to Firestore. Shared preferences are not secure storage. Completed onboarding clears its draft. Account deletion clears LiFit SharedPreferences, temporary files, and image caches and requests deletion of Firestore's local persistent cache on the device processing deletion.
How we use information
LiFit uses information described in this policy to:
- Create, authenticate, maintain, secure, and support accounts.
- Save and synchronize workouts, meals, progress, settings, and social activity across devices.
- Calculate totals, trends, estimates, achievements, streaks, personal records, and recap cards.
- Provide feeds, gym communities, follow relationships, messages, comments, likes, reports, and notifications.
- Find nearby gyms when requested and, if the currently unused food-search integration is activated, return external food-database results.
- Prevent abuse, enforce service rules, debug failures, and protect LiFit, users, and others.
- Comply with applicable law and respond to valid legal requests.
How information is disclosed
LiFit discloses information to service providers when needed to provide their functions; to other users when you use profiles, posts, gym, follow, leaderboard, comment, like, or messaging features; at your direction when you use the system share sheet; and when required for legal, safety, fraud-prevention, or rights-protection purposes.
Information may also be transferred as part of a merger, financing, acquisition, reorganization, bankruptcy, or sale of assets, subject to applicable law and appropriate notice where required.
Service providers and external services
Current services identified in the audited app include:
- Google Firebase: Authentication, Cloud Firestore, Firebase Storage, Cloud Messaging, Cloud Functions, App Check, and supporting infrastructure.
- Google Sign-In and Sign in with Apple: optional identity-provider authentication.
- Google Places: conditionally active nearby-gym and gym-search requests when the build includes an API key; requests can include location coordinates and search terms.
- USDA FoodData Central: an implemented but currently unreferenced integration that would process food-search terms if activated.
- Google Mobile Ads and Apple StoreKit: absent from the current tracked source, but historically present in the publicly distributed and TestFlight version 1.0 build. AdMob received requests; subscriptions had no buyers or transactions.
- Apple and Google platform services: app distribution, device permissions, notifications, integrity or attestation, and operating-system functions.
Data retention
LiFit generally keeps account information and associated data while your account remains open, unless you use an available control to delete particular content earlier. The current system does not apply a general automatic expiration period to account, workout, nutrition, social, message, media, or notification records.
LiFit does not maintain scheduled Firestore database backups. Firebase, Google Cloud, Apple, Google, and other infrastructure providers may still process limited operational, security, delivery, and diagnostic information under their own service terms and retention practices.
Posts, interactions, and uploaded media
When you delete a post, server-side cleanup deletes its supported Firestore interactions and associated Firebase Storage image, video, and thumbnail files. A backend deletion trigger provides additional cleanup when a post is removed through another supported path.
During successful account cleanup, the server deletes posts authored by the account, their supported Firestore interactions, and the account's profile and post-media folders from Firebase Storage.
Direct messages, reports, and activity
Successful account cleanup deletes direct-message threads containing the account and deletes the messages in those threads. This removes the conversation from the other participant's account as well.
The cleanup also deletes the account's likes and reports on other posts, comments identified by current or legacy account identifiers, activity records, social references, gym memberships, and recognized legacy default-database records. The backend checks supported database and Storage paths for residual account data and reports a failure when a known residual remains.
Notification tokens
When account deletion begins, LiFit deletes the current device's notification-token record and requests deletion of the device token from Firebase Cloud Messaging. Account cleanup also deletes the account's notification-token subcollection.
Uninstalling the app does not directly notify LiFit. If Firebase later reports that a token is invalid or unregistered, LiFit deletes the corresponding token record. LiFit also runs a daily cleanup that deletes notification-token records that have not been created or refreshed for 30 days.
Account deletion
You may start account deletion through the app. LiFit requires reauthentication using the account's password, Google, Apple, or phone sign-in method. The app then deletes the current notification-token record and calls the account-cleanup Cloud Function.
If Firestore cleanup succeeds, the app next deletes the Firebase Authentication account and signs out. If cleanup or Authentication deletion fails, the app displays an error so you can try again; because Firestore cleanup runs before Authentication deletion, partial cleanup is possible if a later step fails.
- The cleanup deletes the root user profile and supported workouts, plans, nutrition records, bodyweight history, statistics, preferences, achievements, notification records, and user subcollections in the named Firestore database, and sweeps recognized legacy records in the default database.
- It deletes authored posts and their Firestore interactions, the account's interactions on other posts, follow relationships and requests, blocks, activity references, username records, custom exercises, and nested gym membership documents.
- It deletes direct-message threads containing the account and their messages, including the other participant's server copy of those conversations.
- It deletes profile photos, post photos, videos, thumbnails, and recognized current or legacy account-media folders from Firebase Storage.
- After sign-out it clears SharedPreferences, LiFit temporary files, in-memory image caches, and requests deletion of Firestore's local persistent cache on the device processing deletion. Active listeners may delay the SDK cache purge, but the deleted user is signed out and cannot refresh deleted account data.
Your privacy choices
Depending on the feature, you can:
- Edit profile fields and change public/private profile, bodyweight, height, and gym visibility settings.
- Delete individual completed workouts, meal entries, saved meals, recipes, workout plans, posts, and comments where the app provides that control.
- Block and unblock users, manage follow requests, and report posts.
- Change notification categories in LiFit and system notification or location access in device settings.
- Delete your account through the app.
Security
LiFit uses authentication, Firebase security rules, App Check, and access controls intended to protect information. No method of storage or transmission is completely secure, and LiFit cannot guarantee absolute security.
The technical audit identified Firestore rules that do not currently enforce the profile privacy represented in the interface and permit overly broad authenticated access to user records. Those rules must be corrected and tested before production release.
Children's privacy
LiFit is not intended for anyone under 15, and people under 15 may not create an account or use the service. LiFit uses the birthday provided during onboarding to prevent an underage user from completing setup.
Users must provide an accurate birth date. If LiFit reasonably determines that an account bypassed or used false information to evade the 15+ requirement, LiFit will disable and delete the account and its associated information, subject to applicable law. If you believe someone under 15 provided information to LiFit, contact us using the information below.
Privacy rights and international users
Depending on where you live, applicable law may provide rights regarding access, correction, deletion, restriction, portability, or objection. LiFit will evaluate verified requests under the law that applies to the request. This policy does not promise rights that do not apply or a response period that has not been confirmed.
LiFit uses service providers that may process information in countries other than your own, including the United States. The business owner must confirm the service's target countries and any required international-transfer safeguards before production.
Changes to this policy
We may update this policy when LiFit's features, providers, or legal obligations change. We will post the revised policy with a new last-updated date and provide any additional notice required by applicable law.
Contact us
Privacy questions may be sent to privacy@lifit.app. General support is available at support@lifit.app. LiFit's business mailing address is 187 Liberty Rd, Picayune, MS 39466, United States.
Social activity and communications
LiFit stores friend and follow relationships, follow requests, blocks, likes, comments, post reports, activity notifications, gym membership, and direct messages. Direct-message records include participants, profile snapshots, message text, sender, timestamps, read state, unread counts, and a last-message preview.
Friend-feed posts are intended for the relevant social audience, and gym posts are intended for members of the selected gym community. Posts can include profile identifiers, captions, tags, photos, videos, workout summaries, or meal summaries. Likes, comments, follower relationships, gym membership, and leaderboards may reveal your participation to other users.
Direct messages are available to thread participants. LiFit may access content when reasonably necessary to operate the service, investigate reports, enforce rules, comply with law, or protect users and the service.