SculptR Privacy Policy
Last updated: 14 July 2026
This Privacy Policy explains what personal data the SculptR mobile app ("SculptR", "we", "us", "our")
collects, how and why we use it, who we share it with, and the rights you have. It is written to meet
the requirements of the UK GDPR and the EU General Data Protection Regulation (GDPR).
Who we are (data controller)
SculptR is operated by Saifur Rahman, based in the United Kingdom
("the controller"). For any privacy question or to exercise your rights, contact us at
support@sculptr-app.com.
Information we collect
- Account information. Your email address, and your name where you provide it. If you use
Sign in with Apple or Sign in with Google, we receive the identifier (and, where you allow it, the
name and email) that provider shares. Used to authenticate you and sync your data.
- Profile and fitness data. Age, sex, height, weight and target weight, goals, activity
level, equipment, your training discipline and cardio preferences, diet and allergies, and your
country (used to set your currency).
- Health-related data (special category). Your body weight and weigh-ins, body metrics, diet
and allergy information, and — if you complete an optional weekly check-in — your self-reported
energy, sleep, hunger, stress and how your training felt. With your permission we also read your
step count from your device's motion sensors, and, if you connect Apple Health, your most
recent body weight and today's steps. Because this reveals information about your health, we treat
it as "special category" data and process it only with your explicit consent (see "Legal bases").
It is never used for advertising and is never sold. You can revoke sensor or Apple Health access at
any time in your device Settings.
- Content you create. Logged foods and workouts, saved meals, plans, and your messages to the
in-app AI coach ("Sola").
- Camera. If you scan a barcode, the camera reads the product code in real time and no image
is stored. If you use AI meal-photo analysis, the photo is sent to our AI provider to estimate
nutrition and is not stored by us afterwards.
- Subscription data. If you subscribe, your subscription status and an app-generated user
identifier are processed by our payments partners. We never receive your full payment card details.
Legal bases for processing
Under the GDPR we rely on the following legal bases:
- Consent (Art. 6(1)(a)) and explicit consent (Art. 9(2)(a)) — for processing your
health-related and other special-category data to power tracking, plans and coaching. You may
withdraw consent at any time by deleting your account or contacting us; this does not affect
processing carried out before withdrawal.
- Performance of a contract (Art. 6(1)(b)) — to create your account, provide the app's
features you request, and manage your subscription.
- Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, and
maintain reliability, balanced against your rights.
How we use your information
- To provide core features: tracking, calorie and macro targets, and progress charts.
- To generate AI workout and meal plans, adapt them, and answer coaching questions. To do this, the
profile, goal, log and check-in details needed for the request (and, for meal scans, the photo) are
sent to our AI provider (Anthropic) through a secure server function. We do not send your
email address or account identifiers to the AI provider, and it does not use your data to train its
models under our API terms.
- To manage your subscription and restore purchases.
- To secure the service and enforce fair-use limits.
How and where your data is stored
Your account and synced data are stored using Supabase, our backend and database provider, over
encrypted connections and with access restricted to your own account. Some data is also cached on your
device so the app works offline.
Sub-processors we use
| Supabase | Authentication, database and cloud backup/sync. |
| Anthropic | AI model that generates plans, coaching replies and meal-photo estimates. |
| RevenueCat | Manages subscription entitlements and purchase status. |
| Apple | Sign in with Apple, Apple Health (opt-in), and App Store payment processing. |
| Google | Sign in with Google and Google Play payment processing (Android). |
| Open Food Facts | Looks up product nutrition when you scan or enter a barcode. |
We do not sell your personal data, and we do not use it for third-party advertising.
International data transfers
Some of our providers (including Anthropic and RevenueCat, and, depending on the hosting region,
Supabase) process data on servers in the United States. Where your data is transferred outside the
UK/EEA, we rely on appropriate safeguards, such as the EU Standard Contractual Clauses (and the UK
Addendum) and, where applicable, the providers' certification under the EU–US Data Privacy Framework.
Data retention
We keep your account and associated data for as long as your account is active. When you delete your
account, we remove it from our live systems immediately and from encrypted backups within 30 days.
Content sent to our AI provider may be retained by that provider for a limited period (up to around 30
days) to detect misuse, after which it is deleted. We may keep minimal records where required to
comply with a legal obligation.
Your rights
Subject to the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data (you can edit most of it in Profile).
- Erasure — delete your account and data.
- Portability — receive your data in a portable format.
- Restriction and objection — restrict or object to certain processing.
- Withdraw consent — at any time, for processing based on consent.
- Complain — lodge a complaint with your data protection authority (in the UK, the
Information Commissioner's Office; in the EU, your local authority).
How to exercise your rights
- Delete your data. Open Profile → Delete account in the app to permanently delete
your account and associated data.
- Export your data. Use Profile → Export data to receive a copy of your data.
- Edit your data. Update your details any time in Profile.
- Everything else. Email support@sculptr-app.com
and we will respond within one month.
Security
We protect your data with encrypted connections, database row-level security that limits each record
to its owner, and server-side controls on sensitive actions. No system is perfectly secure, but we
work to protect your information.
Data breaches
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we
will notify the relevant supervisory authority within 72 hours where required, and we will inform
affected users without undue delay where the risk is high.
Children
SculptR is not directed to children under 13, and we do not knowingly collect their data. In the EU,
where the applicable digital-consent age is higher than 13, users below that age should only use
SculptR with the consent of a parent or guardian.
Changes to this policy
We may update this policy from time to time. Material changes will be reflected by the "Last updated"
date above and, where appropriate, notified in the app.
Contact
Questions about this policy or your data? Email
support@sculptr-app.com.