Effective date: 14 July 2026
Last updated: 14 July 2026
RepCall is a social fitness app: you prove you showed up to work out, a small circle of friends sees it, and everyone keeps each other going. Because that involves your location, photos, and sometimes health data, we take privacy seriously. This policy explains what we collect, why, who we share it with, how long we keep it, and the rights you have under the laws of the UAE, the EU/UK (GDPR), and California (CCPA/CPRA).
The short version. We collect only what the app needs to work. Your precise location is used only to confirm you are at a real workout venue. It is never shown to anyone, not even your friends (they see the venue name and a verified badge). Your check-in photos and your private Progress Vault are stored privately and shown only to the people you choose. We do not sell your data, we do not share it for advertising, and there are no advertising or analytics trackers in the app. You can delete your account, and everything tied to it, at any time from Settings.
RepCall ("RepCall", "we", "us", "our") is a mobile application and related services (the "Service"). For the purposes of the GDPR, the UK GDPR, the UAE Personal Data Protection Law, and other data-protection laws, RepCall is the data controller of the personal data described in this policy.
The best way to reach us about this policy or your data is by email at hello@repcall.app.
This policy applies to the RepCall mobile app (distributed through the Apple App Store, and, if listed, Google Play) and any related services that link to it. It does not cover third-party services you may connect to RepCall (for example WHOOP), which have their own privacy policies.
We only collect data that supports the core loop of the app: checking in, proving it, and sharing it with your chosen friends. We do not buy personal data from third parties, and we do not run advertising or analytics SDKs. The table below lists each category, examples, why we collect it, and the legal basis we rely on under the GDPR (see Section 4 for what those bases mean).
| Category | Examples | Why we collect it | GDPR legal basis |
|---|---|---|---|
| Account & identity | Email address and password (managed by our authentication provider; the password is stored only as a secure hash), username, display name, optional profile photo (avatar). | To create and secure your account, sign you in, and give you an identity your friends recognise. | Performance of a contract; legitimate interests (account security). |
| Precise location sensitive | Your device's GPS coordinates at the moment of a check-in, and the name of the nearby workout venue we confirm. | Solely to verify you are physically at a real workout venue (gym, studio, court, pool, etc.). Coordinates are checked against Google Places and stored with the check-in. Your precise location is never shown publicly: friends see only the venue name and a "verified" / "unverified" badge. | Consent (device location permission); legitimate interests (preventing fake check-ins). |
| Check-in photos & videos sensitive | An optional photo or video captured live at check-in (no uploads from your camera roll). | To let you share proof of your workout with your accepted friends. Stored in a private storage bucket and shown only to your friends through short-lived, expiring links. | Consent; performance of a contract. |
| Progress Vault sensitive | Private progress photos you choose to add. | To let you privately track your physical progress over time. Vault photos are visible only to you, are never posted to the feed, and are served through even shorter-lived expiring links. | Consent. |
| Health & wearable data sensitive | If you connect WHOOP: workout metrics, specifically your active calories and day strain, plus basic WHOOP profile information (such as your WHOOP user identifier and name) used solely to link your WHOOP account to your RepCall account. Apple Health / Apple Watch is planned and, if enabled, would work the same way. | To display your session stats and help confirm a check-in. You connect a wearable only if you choose to; you can disconnect it any time in Settings. | Explicit consent (special-category data). |
| Social activity | Friend requests and relationships, emoji reactions, "nudges" (fixed preset messages, no free text), live presence ("working out now"), streaks, "Influence" points, and any workouts you publish. | To run the friend feed, streaks, and friendly nudges that make the app work. | Performance of a contract; legitimate interests. |
| Safety & moderation | Records of users you block, and reports you submit about content or people. | To keep the community safe and to review reported content. Reports are readable only by our team. | Legitimate interests (safety); legal obligation where applicable. |
| Push notification tokens | A device token issued by the operating system / Expo push service. | To deliver notifications you have enabled: a friend nudging you, or a reminder that your streak is at risk. | Consent (notification permission); legitimate interests. |
| Technical & session data | Your login session (stored on your device), and basic data needed to operate the app and its backend (e.g. timestamps of check-ins). | To keep you signed in and operate and secure the Service. | Performance of a contract; legitimate interests. |
Your username, display name, and avatar are part of your public-in-app profile and are visible to other users of the Service (for example, your friends and people you interact with). Everything else above is private or friends-only as described.
Some of what RepCall handles is sensitive and gets extra care. We want to be explicit about it:
We do not use your sensitive data to build advertising profiles, and we do not sell or "share" it. Under California law you have the right to limit our use of sensitive personal information, and we already limit it to providing the Service you asked for (see Section 9).
If you are in the EU, the UK, or another region whose law requires it, we rely on the following legal bases:
We use the data described above to:
We do not use your data for automated decisions that produce legal or similarly significant effects about you, and we do not carry out advertising profiling.
We do not sell your personal data and we do not "share" it for cross-context behavioural advertising (as those terms are defined under California law). We disclose data only in these limited ways:
Your profile (username, display name, avatar) and the content you choose to post (check-ins, reactions, published workouts, presence) are shown to the friends and users you interact with, exactly as described in this policy. Your precise location and your Vault are never shared with other users.
We use a small number of trusted vendors who process data on our behalf, under contract, only to provide their service to us:
| Provider | What they do for us | Data involved |
|---|---|---|
| Supabase | Database, authentication, and file storage: the backend that stores your account, check-ins, and media. | Account & identity, check-in data and coordinates, photos/videos, Vault, social activity, wearable connection records, push tokens. |
| Google (Places API) | Confirms whether a real workout venue is near your check-in coordinates. The request is sent from our secure server, not your device. | Check-in coordinates (sent for the lookup) and the returned venue name. The Google API key is held server-side only. |
| WHOOP only if you connect it | Supplies your workout metrics after you authorise the connection. | WHOOP account authorisation and the workout metrics we pull (active calories and day strain). |
| Expo | Delivers the push notifications you have enabled to your device. | Your device push token and the notification content (e.g. "a friend nudged you"). |
Each processor is bound by a data-processing agreement (or equivalent terms) restricting their use of the data to providing their service to us. We do not use any advertising networks, ad SDKs, or third-party analytics/tracking tools in the app.
RepCall is distributed through the Apple App Store and may also be listed on Google Play. When you download the app, make in-app purchases (if any are offered in the future), or use platform features, the platform (Apple or Google) processes certain data — such as your account ID, purchase, and basic device information — under its own privacy policy; see Apple's privacy policy and Google's privacy policy. We do not control the platforms' own processing.
We may disclose data if required by applicable law or a valid legal request, to protect the rights, property, or safety of our users or RepCall, or to enforce our terms. If RepCall is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to this policy.
RepCall is based in the United Arab Emirates and may have users in the UAE, the EU/UK, California, and elsewhere. Our processors may store or process data in locations outside your country, including outside the UAE and the EU/UK.
Our primary backend is hosted in the following region: Asia Pacific (Sydney, Australia). Google, WHOOP, and Expo may process data in the United States and other countries.
Where personal data of individuals in the EU/UK is transferred to a country without an adequacy decision, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum). For transfers out of the UAE, we take steps consistent with the UAE Personal Data Protection Law's cross-border transfer requirements. You can request more information about these safeguards at hello@repcall.app.
You do not need to delete your whole account to remove a single item: you can delete individual check-ins and Vault photos from within the app.
Subject to conditions in the law, you have the right to:
If you are a California resident, you have the right to:
We do not knowingly sell or share the personal information of anyone, and we do not sell or share the personal information of minors under 16 (the Service is 18+ in any case). You may use an authorised agent to submit a request on your behalf.
If you are in the UAE, under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data you have the right, subject to the law's conditions, to: obtain information about and access your personal data; request its correction; request its erasure; restrict or stop its processing; object to processing (including for direct marketing and certain automated processing); receive your data in a structured, machine-readable format (portability); and withdraw consent. You may also lodge a complaint with the UAE Data Office.
Many rights can be exercised directly in the app: edit your profile in Settings, delete individual check-ins or Vault photos, disconnect a wearable, block users, or delete your entire account (Settings → Delete account).
For anything else (access, portability, correction, or a formal request), email us at hello@repcall.app. To protect your account we may need to verify your identity before acting on a request. We will respond within the timeframe required by applicable law (generally one month under the GDPR and 45 days under the CCPA/CPRA, each extendable where the law permits). Exercising your rights is free unless a request is manifestly unfounded or excessive.
RepCall has not appointed a Data Protection Officer, because it does not carry out, as a core activity, large-scale regular monitoring or large-scale processing of special-category data of the kind that makes a DPO mandatory (GDPR Art. 37). Where the law requires it — for example, an EU or UK "Article 27" representative for a controller established outside the EU/UK that offers services to people there — we will designate one and publish the contact details here. In the meantime, you can raise any GDPR or UK GDPR matter directly with us at hello@repcall.app.
We protect your data with measures including: encryption in transit (HTTPS/TLS); passwords stored only as secure hashes by our authentication provider; row-level security rules in our database so users can only reach data they are permitted to see; private storage buckets for photos and videos served through short-lived, expiring links; and keeping sensitive credentials (such as wearable OAuth tokens and third-party API keys) on the server only, never in the app on your device. No method of transmission or storage is 100% secure, but we work to protect your data and to limit access to it.
RepCall is intended for adults. The Service is for users aged 18 and over. We do not knowingly collect personal data from anyone under 18, and the Service is not directed to children, including, without limitation, children under 13 (COPPA) or under 16. We ask users to confirm they are 18 or older before using features that involve photos. If you believe someone under 18 has provided us personal data, contact hello@repcall.app and we will delete it.
We may update this policy from time to time. When we do, we will change the "Last updated" date above, post the new version at this page (repcall.app/privacy), and, for material changes, provide a more prominent notice in the app or by email before the change takes effect. Your continued use of the Service after an update means you accept the revised policy, to the extent permitted by law.
This policy and any dispute relating to it are governed by the laws of the Emirate of Dubai and the applicable federal laws of the United Arab Emirates, without prejudice to any mandatory data-protection rights you have under the laws of your own country of residence (such as the GDPR or the CCPA/CPRA). The courts of Dubai, UAE shall have jurisdiction, subject to any non-waivable rights you have to bring proceedings in your local courts.
For any privacy question, request, or complaint, contact us at:
RepCall
Email: hello@repcall.app