Privacy Policy

This policy covers the UNBOUND iOS application and the unbound.guavalin.com waitlist site, both operated by Guavalin LLC. Section 2 lists everything we collect; later sections explain how it's used, where it lives, and how to delete it.

Account data: Apple Sign-In identifier, email, account creation timestamp.
Body scan photos: the three photographs you submit per scan.
Scan results: assigned archetype (e.g. BRUTE, V-TAPER), rank (E–S), match percentage, verdict text, and the timestamp of each scan.
Workout & progression data: completed sessions, streak count, Gains balance, badges earned, rank changes, and rescan history.
Subscription state: active tier, renewal status, and entitlement identifiers from Apple via RevenueCat. We never receive your full payment card details.
Device & diagnostics: iOS version, device model, anonymized crash logs, and app version.
Waitlist (web only): email, signup timestamp, and which form on the page you submitted.

We use your data to: generate your scan verdict and training protocol; track progress, streaks, and Gains; deliver the subscription you paid for; debug crashes; and email you about material product changes. We do not use your data for advertising, do not sell it, and do not share it with data brokers.

Photos are transmitted over TLS to our backend (Firebase Storage in Google Cloud, US region) and forwarded to a third-party AI vision model — Anthropic Claude Vision or OpenAI GPT-4 Vision, at our discretion — solely to generate your archetype and verdict. The AI provider is contractually bound not to retain or train on submitted images beyond the inference window. We do not use your photos to train any model. You may delete every photo you've ever submitted from Settings → My Data → Delete Scans or by emailing support; deletion propagates within 30 days.

App backend: Firebase (Google Cloud, US region) — Authentication, Firestore, Storage, and Cloud Functions. Encryption at rest and in transit.
Subscription state: RevenueCat (US) and Superwall (US) receive entitlement and paywall-variant data.
Payments: processed by Apple via the App Store; we never see your card or Apple ID password.
Waitlist site: Supabase Postgres (US-West) for email storage, Vercel (US) for hosting.

Apple (App Store, Sign-In, IAP), Firebase / Google Cloud (authentication, database, storage, functions), RevenueCat (subscription state), Superwall (paywall testing), Anthropic and/or OpenAI (scan AI inference), Supabase (waitlist email storage), Vercel (web hosting). Each is bound by their own privacy terms and a data-processing agreement with Guavalin LLC.

You may, at any time: view your data in the app; export it by emailing support; delete individual scans, your scan history, or your entire account from Settings → My Data. Full account deletion removes photos, scan history, and progression data within 30 days. EU/UK and California residents have additional rights under GDPR and CCPA — including the right to access, correct, port, and object to processing. Contact support@guavalin.com to exercise these rights.

The waitlist site sets no advertising or analytics cookies. The iOS app does not use the IDFA and does not show third-party advertising. We collect anonymized crash diagnostics via Firebase Crashlytics.

The Service is not directed at children under 16, and we do not knowingly collect data from minors. If you believe a minor has created an account, contact us and we will delete the record.

Account, scan, and progression data are retained for as long as your account is active. After account deletion, data is purged within 30 days, except where retention is required by law (e.g. tax records for subscription transactions, retained 7 years).

Data is encrypted at rest and in transit. Access to production systems is restricted, logged, and reviewed. We will notify affected users within 72 hours of any confirmed breach of personally identifiable information.

Material changes to this policy will be announced in-app and reflected here with a new effective date.

Reach us at support@guavalin.com.