Privacy Policy

Last updated: January 26, 2026

Tavla ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application.

Information We Collect

Account Information

When you create an account, we collect your email address, name, and password. You may also optionally provide a profile picture and username. If you sign in with Google or Apple, we receive your name, email, and profile picture from those services.

Health and Fitness Data

We collect fitness and health data that you provide or that is synced from connected services, including: workout activities (type, distance, duration, heart rate), nutrition logs (foods consumed, calories, macronutrients), body metrics (age, sex, height, weight), and fitness goals.

Apple HealthKit Data

With your permission, we read workout and health data from Apple HealthKit, including workouts, heart rate, sleep, and step data. HealthKit data is used solely to display your fitness information within the app and is never sold to third parties or used for advertising.

Images and Camera Data

With your permission, we access your camera to scan barcodes on food packaging and your photo library for profile pictures and food images. Food photos may be sent to our AI service for nutritional analysis.

AI Coach Interactions

When you use the AI coach feature, your messages and conversation history are stored. The coach accesses your workout history, nutrition logs, goals, and profile information to provide personalized guidance.

Social Features

If you use social features, we collect friend connections, friend invitations, and fitness commitment challenge data including progress and points.

How We Use Your Information

We use your information to: provide and maintain the app's core functionality; track your workouts, nutrition, and fitness progress; power the AI coach with personalized insights; sync activity data with connected services like Strava; manage your account and preferences; process subscriptions; and enable social fitness features such as commitments with friends.

Third-Party Services

We share data with the following third-party services to provide app functionality:

  • Supabase — Database hosting, authentication, and file storage.
  • Strava — Syncing workout activities when you connect your Strava account. We store your Strava OAuth tokens and athlete ID.
  • OpenAI — Powering the AI coach. Your fitness history, nutrition logs, goals, and chat messages are sent to OpenAI for processing.
  • RevenueCat — Managing premium subscriptions. Your user ID is shared with RevenueCat to track subscription status.
  • USDA FoodData Central and Edamam — Looking up nutritional information for foods. Food search queries are sent to these services.
  • Apple and Google — Authentication via Sign in with Apple or Google, and processing in-app purchase payments. We do not store your payment card information.

Data Storage and Security

Your data is stored in a PostgreSQL database hosted by Supabase. All data is transmitted over HTTPS. Authentication uses JWT-based tokens, and the database enforces row-level security to ensure you can only access your own data. On your device, session tokens are stored using secure storage mechanisms provided by the operating system.

Data Retention and Deletion

Your data is retained for as long as your account is active. You may delete your account at any time from the profile page. When you delete your account, all of your personal data, including workout history, nutrition logs, coach conversations, social connections, and profile information, is permanently removed from our systems.

Children's Privacy

Tavla is not intended for use by children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that information promptly.

Your Rights

You have the right to access, correct, or delete your personal data. You can update your profile information directly within the app. You can disconnect third-party services like Strava at any time. You can revoke HealthKit permissions through your device settings. To delete your account and all associated data, use the account deletion option on the profile page.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last updated" date at the top of this page. Your continued use of the app after any changes constitutes acceptance of the updated policy.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us through the app's feature request page or reach out to us directly.