Privacy Policy
Effective 2026-05-20
1. Scope
This policy covers the UNBOUND iOS application and the unbound.guavalin.com waitlist site, both operated by Guavalin LLC. Section 2 lists everything we collect; later sections explain how it's used, where it lives, and how to delete it.
2. What we collect
Account data: Apple Sign-In identifier, email, account creation timestamp.
Progress photos: photographs you choose to add to your private photo timeline, starting with an optional Day 0 photo.
Training & progression data: completed sessions, logged sets, skills, movement standards, attributes, overall level, rank changes, streak count, and trial results.
Subscription state: active tier, renewal status, and entitlement identifiers from Apple via RevenueCat. We never receive your full payment card details.
Device & diagnostics: iOS version, device model, anonymized crash logs, and app version.
Waitlist (web only): email, signup timestamp, and which form on the page you submitted.
Progress photos: photographs you choose to add to your private photo timeline, starting with an optional Day 0 photo.
Training & progression data: completed sessions, logged sets, skills, movement standards, attributes, overall level, rank changes, streak count, and trial results.
Subscription state: active tier, renewal status, and entitlement identifiers from Apple via RevenueCat. We never receive your full payment card details.
Device & diagnostics: iOS version, device model, anonymized crash logs, and app version.
Waitlist (web only): email, signup timestamp, and which form on the page you submitted.
3. How we use it
We use your data to: run your training progression and adaptive program; track your skills, attributes, ranks, level, and streak; store the photos in your timeline; deliver the subscription you paid for; debug crashes; and email you about material product changes. We do not use your data for advertising, do not sell it, and do not share it with data brokers.
4. Your photos
The photos you add to your photo timeline are transmitted over TLS and stored on our backend (Firebase Storage in Google Cloud, US region). They are visible only to you within the app. We do not analyze your photos with artificial intelligence, do not run them through any vision model, do not use them to generate scores or assessments, and do not use them to train any model. You may delete any photo, or every photo you have ever added, from Settings → My Data → Delete Photos or by emailing support; deletion propagates within 30 days.
5. Where it lives
App backend: Firebase (Google Cloud, US region) — Authentication, Firestore, Storage, and Cloud Functions. Encryption at rest and in transit.
Subscription state: RevenueCat (US) and Superwall (US) receive entitlement and paywall-variant data.
Payments: processed by Apple via the App Store; we never see your card or Apple ID password.
Waitlist site: Supabase Postgres (US-West) for email storage, Vercel (US) for hosting.
Subscription state: RevenueCat (US) and Superwall (US) receive entitlement and paywall-variant data.
Payments: processed by Apple via the App Store; we never see your card or Apple ID password.
Waitlist site: Supabase Postgres (US-West) for email storage, Vercel (US) for hosting.
6. Third-party processors
Apple (App Store, Sign-In, IAP), Firebase / Google Cloud (authentication, database, storage, functions), RevenueCat (subscription state), Superwall (paywall testing), Supabase (waitlist email storage), Vercel (web hosting). Each is bound by their own privacy terms and a data-processing agreement with Guavalin LLC.
7. Your rights
You may, at any time: view your data in the app; export it by emailing support; delete individual photos, your photo timeline, or your entire account from Settings → My Data. Full account deletion removes photos, progression data, and account data within 30 days. EU/UK and California residents have additional rights under GDPR and CCPA — including the right to access, correct, port, and object to processing. Contact support@guavalin.com to exercise these rights.
8. Cookies & tracking
The waitlist site sets no advertising or analytics cookies. The iOS app does not use the IDFA and does not show third-party advertising. We collect anonymized crash diagnostics via Firebase Crashlytics.
9. Children
The Service is not directed at children under 16, and we do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete the record.
10. Retention
Account, photo, and progression data are retained for as long as your account is active. After account deletion, data is purged within 30 days, except where retention is required by law (e.g. tax records for subscription transactions, retained 7 years).
11. Security
Data is encrypted at rest and in transit. Access to production systems is restricted, logged, and reviewed. We will notify affected users within 72 hours of any confirmed breach of personally identifiable information.
12. Changes
Material changes to this policy will be announced in-app and reflected here with a new effective date.
13. Contact
Reach us at support@guavalin.com.