Privacy Policy
Effective date: April 1, 2026 · Last updated: May 22, 2026 · Version 1.0
OnRep publishes this Privacy Policy to explain how we collect, use, store, protect, and dispose of personal information while providing the OnRep service.
1. Personal information we collect
Required account information
| Item | When collected | Purpose |
|---|---|---|
| Email address | Sign-up | Account creation, authentication, password reset, service notices |
| Nickname or display name | Sign-up or profile setup | User identification inside the service |
| Password | Sign-up | Encrypted authentication credential |
Information generated while using the service
| Item | When collected | Purpose |
|---|---|---|
| Workout records | When a workout is logged | Workout history, analytics, and progress comparison |
| Running GPS route data | When Running specialized mode is used | Stored encrypted on device (AES-256-GCM) to show maps and running analysis. By default, raw GPS coordinates are not uploaded; the server stores only required summaries such as distance, time, pace, elevation, and splits. |
| Device information | When the app runs | Compatibility checks and bug fixes |
| Crash and error logs | When an error occurs | Service stability improvement |
| Usage events | During app use | Product improvement and UX optimization |
| Purchase and subscription records | At payment | Subscription and payment management |
Optional information
| Item | When collected | Purpose |
|---|---|---|
| Apple ID email | When Sign in with Apple is selected | Social login authentication |
| Google email | When Google sign-in is selected | Social login authentication |
Information we do not collect for unnecessary profiling
- Contacts
- Government-issued identifiers such as resident registration or passport numbers
- Sensitive profiling data for external marketing
2. Purposes of collection and use
| Purpose | Details |
|---|---|
| Account management | Sign-up, identity confirmation, authentication, password reset |
| Service delivery | Workout storage, progress analytics, weekly and monthly comparisons, 1RM estimates, data sync |
| Product improvement | UX improvement and feature planning based on usage patterns |
| Reliability | Crash and error tracking, incident response |
| Customer support | Inquiry handling and complaint resolution |
| Payment management | Paid subscription processing, subscription state management, refund handling |
| Notices | Service changes, maintenance, and important security notices |
OnRep does not use collected personal information for third-party marketing, external targeting, or unnecessary profiling.
3. Retention period
Personal information is destroyed without delay once the purpose of collection and use has been fulfilled, unless retention is required by law.
| Item | Retention period | Basis |
|---|---|---|
| Account information | Until account deletion | Service use |
| Workout records | Until account deletion | Service use |
| Crash and error logs | 90 days from collection | Service stability |
| Payment and subscription records | 5 years from transaction | E-commerce records retention |
| Service usage logs | 3 months from collection | Communications records retention |
| Deleted account information | 30 days after deletion | Abuse prevention and dispute handling |
4. Third-party sharing and processors
OnRep does not sell or share personal information with third parties except where the user has consented, where law requires disclosure, or where processors are needed to operate the service.
| Processor | Role | Data processed | Server location |
|---|---|---|---|
| Supabase Inc. | Authentication, database hosting, data sync | Email, nickname, workout records | United States |
| Sentry | Crash/error tracking and performance monitoring | Device information and error data | United States |
| RevenueCat, Inc. | Subscription management and receipt validation | Purchase records, subscription status, anonymous user ID | United States |
| Apple Inc. | Apple sign-in and App Store payments | Apple ID email and payment data | United States |
| Google LLC | Google sign-in and Play Store payments | Google email and payment data | United States |
5. International transfer
Some information may be transferred internationally to cloud, authentication, monitoring, and payment providers required for service operations.
| Recipient | Country | Items | Purpose | Retention |
|---|---|---|---|---|
| Supabase Inc. | United States | Email, nickname, workout records | Database hosting and authentication | Until account deletion |
| Sentry | United States | Device information, crash logs | Error tracking | 90 days |
| RevenueCat, Inc. | United States | Purchase records, subscription status | Subscription management | 1 year after subscription ends |
6. Destruction of personal information
When retention periods expire or processing purposes are fulfilled, personal information is destroyed without delay. Legally retained data is separated and destroyed after the required period.
| Type | Method |
|---|---|
| Electronic files | Deleted using technical measures that prevent recovery |
| Paper documents | Shredded or incinerated |
| Backups | Overwritten or deleted according to the backup cycle |
7. User rights and requests
| Right | Description | How to exercise |
|---|---|---|
| Access | Request access to personal information collected about you | In-app settings or email |
| Correction | Request correction of inaccurate information | Profile edit or email |
| Deletion | Request deletion of personal information | Account deletion or email |
| Restriction | Request suspension of processing | |
| Withdrawal of consent | Withdraw consent to collection and use | Account deletion |
| Portability | Request export or transfer of your information | Email or CSV export where available |
- Profile edits and account deletion are available in app settings.
- Email requests can be sent to wonwookimnida@gmail.com.
- A representative may submit a request with proof of authorization.
- Access, correction, deletion, and restriction requests are handled within 10 days of receipt where legally possible.
8. Security measures
| Measure | Details |
|---|---|
| Encryption | Password hashing and TLS for data in transit |
| Access control | Database Row Level Security policies |
| Authentication security | JWT-based authentication and session expiry management |
| Offline data | Stored within the app sandbox on the device |
| Running route files | Raw GPS coordinate files are not uploaded by default. They are stored in the app sandbox on the device encrypted with AES-256-GCM, and the local route file is deleted when the session is deleted. |
| Least privilege | Separated operational access and personal data access |
| Regular review | Security reviews and patching |
9. Automatic collection tools
| Tool | Purpose | Data |
|---|---|---|
| Sentry SDK | Crash and error tracking | Device information and stack traces |
| Firebase Analytics | Usage analytics | Screen visits and anonymized events |
- You can limit analytics sharing in device settings.
- On iOS, app analytics sharing can be disabled in privacy settings.
- On Android, Google settings can limit personalization and analytics sharing.
10. Children's privacy
OnRep does not knowingly collect personal information from children under 14. If we learn that such information has been collected, we will delete it without delay.
11. Privacy contact
| Item | Details |
|---|---|
| Name | Wonwoo Kim |
| Role | CEO / Privacy Officer |
| wonwookimnida@gmail.com | |
| General support | support@onrep.app |
For privacy infringement reports or counseling, users may contact the relevant public privacy, dispute resolution, prosecutor, or police cybercrime agencies in their jurisdiction.
12. Changes to this policy
This Privacy Policy may be revised due to changes in law or service operations. Material changes will be announced in app and by email at least 7 days before the effective date.
| Version | Effective date | Changes |
|---|---|---|
| 1.0 | 2026-04-01 | Initial publication |
13. Governing privacy laws
This policy is operated in accordance with applicable Korean privacy, information network, and e-commerce consumer protection laws.
OnRep
Email: support@onrep.app
Privacy contact: wonwookimnida@gmail.com
Website: https://onrepbybty.vercel.app
Effective date: April 1, 2026