← seto

Privacy Policy

Effective: 27 April 2026 · Last updated: 27 April 2026

This policy explains what data the seto mobile app and backend (collectively, “seto” or “we”) collect about you, why we collect it, who we share it with, and how you can exercise your rights over it.

1. Who we are

seto is operated by Oleg Laliev, an individual sole trader, reachable at hello@seto.fit. There is no legal entity behind seto at the time of writing; if and when one is formed this policy will be updated to reflect the controller of record.

2. What we collect

We collect only the data we need to run the service:

2.1 Account data

2.2 Workout & training data

2.3 Device & session data

2.4 Subscription & payment data

seto Pro subscriptions are processed by Apple (on iOS) or Google (on Android) — we never see your card details, billing address, or purchase tokens. We only receive, via RevenueCat, an event saying your subscription is active, expiring, or cancelled. See § 3 for third parties.

2.5 Diagnostics

When the app or backend hits an unexpected error, we send a crash report to Sentry containing the stack trace, the file/line where it happened, and (for backend errors) your seto user ID and email so we can debug. We do not send the contents of your workouts or measurements to Sentry.

3. Third parties we share with

We share the minimum necessary data with the following processors, each of which has its own privacy policy you can review:

ProcessorPurposeWhat's shared
Apple (App Store) iOS subscription billing Apple is the merchant of record on iOS. They handle the transaction; we never see card data.
Google (Play Store) Android subscription billing Same as Apple, on Android.
RevenueCat Cross-platform subscription state Your seto user ID and the subscription events Apple/Google send them (purchase, renewal, cancellation, expiry).
Resend Transactional email The recipient address and message body for verification emails, password resets, and email-change confirmations.
Sentry Error & performance monitoring Stack traces, error metadata, your user ID, your email. No workout content.
Cloudflare DNS, TLS, R2 object storage for exercise media Network-level metadata (IP, user-agent) inherent in any HTTPS request. Exercise media is non-personal.
Fly.io Application hosting All seto API traffic, subject to Fly's privacy policy.
Neon Managed PostgreSQL database Where the data described in § 2.1 – 2.4 is stored at rest.
Upstash Redis (rate-limit + token blocklist) IP addresses keyed for rate limiting; refresh-token hash entries.

We do not sell your data. We do not share your data with advertisers. We do not run analytics SDKs that build behavioural profiles.

4. Why we collect it (legal basis)

5. Your rights

You can exercise the following rights at any time:

6. Retention

7. International transfers

The seto backend is hosted in the European Union (Frankfurt). Some of the third parties in § 3 (RevenueCat, Sentry, Cloudflare) are based in the United States and may process data there. Where we transfer EU/UK data to processors outside the EEA we rely on the Standard Contractual Clauses approved by the European Commission.

8. Children

seto is not directed at children under 16. We don't knowingly collect data from children. If you believe a child has created an account, email hello@seto.fit and we will delete it.

9. Security

We secure data with TLS in transit, bcrypt password hashing, SHA-256 token hashing, and access controls in the database layer. No security is perfect; if you spot a vulnerability please email hello@seto.fit rather than disclosing publicly.

10. Changes to this policy

Material changes will be communicated by an in-app notice and an update to the “Last updated” date above. Continued use after the change date constitutes acceptance of the revised policy.

11. Contact

Questions, deletion requests, or data-subject requests: hello@seto.fit.