Privacy Policy
This policy explains what data the seto mobile app and backend (collectively, “seto” or “we”) collect about you, why we collect it, who we share it with, and how you can exercise your rights over it.
1. Who we are
seto is operated by Oleg Laliev, an individual sole trader, reachable at hello@seto.fit. There is no legal entity behind seto at the time of writing; if and when one is formed this policy will be updated to reflect the controller of record.
2. What we collect
We collect only the data we need to run the service:
2.1 Account data
- Email address (required for sign-up, used for login and transactional notifications)
- Password (stored as a one-way bcrypt hash — we cannot read it)
- Optional profile details you choose to enter: display name, age, sex, height, weight, training experience, primary goal
- If you sign in with Apple or Google: the identifier and email returned by the provider, plus an avatar URL if your provider supplies one
2.2 Workout & training data
- Workouts you log — sets, reps, weights, durations, exercises performed, dates and times
- Templates and routines you create
- Body measurements you enter (weight, body-fat percentage, circumferences)
- Personal records computed from your sets
- Constraints / injuries you register so workouts adapt around them
- Equipment availability you tell us about
2.3 Device & session data
- Device name and OS family (e.g. “iPhone 15 Pro”, “ios”) so we can show you which devices have an active session
- IP address of the device making each request, and the user-agent string, used for security analysis and rate limiting
- Push notification tokens, if you grant notification permission
2.4 Subscription & payment data
seto Pro subscriptions are processed by Apple (on iOS) or Google (on Android) — we never see your card details, billing address, or purchase tokens. We only receive, via RevenueCat, an event saying your subscription is active, expiring, or cancelled. See § 3 for third parties.
2.5 Diagnostics
When the app or backend hits an unexpected error, we send a crash report to Sentry containing the stack trace, the file/line where it happened, and (for backend errors) your seto user ID and email so we can debug. We do not send the contents of your workouts or measurements to Sentry.
3. Third parties we share with
We share the minimum necessary data with the following processors, each of which has its own privacy policy you can review:
| Processor | Purpose | What's shared |
|---|---|---|
| Apple (App Store) | iOS subscription billing | Apple is the merchant of record on iOS. They handle the transaction; we never see card data. |
| Google (Play Store) | Android subscription billing | Same as Apple, on Android. |
| RevenueCat | Cross-platform subscription state | Your seto user ID and the subscription events Apple/Google send them (purchase, renewal, cancellation, expiry). |
| Resend | Transactional email | The recipient address and message body for verification emails, password resets, and email-change confirmations. |
| Sentry | Error & performance monitoring | Stack traces, error metadata, your user ID, your email. No workout content. |
| Cloudflare | DNS, TLS, R2 object storage for exercise media | Network-level metadata (IP, user-agent) inherent in any HTTPS request. Exercise media is non-personal. |
| Fly.io | Application hosting | All seto API traffic, subject to Fly's privacy policy. |
| Neon | Managed PostgreSQL database | Where the data described in § 2.1 – 2.4 is stored at rest. |
| Upstash | Redis (rate-limit + token blocklist) | IP addresses keyed for rate limiting; refresh-token hash entries. |
We do not sell your data. We do not share your data with advertisers. We do not run analytics SDKs that build behavioural profiles.
4. Why we collect it (legal basis)
- Contract: account, workouts, subscriptions — necessary to provide the service you signed up for.
- Legitimate interest: security logging, error monitoring, rate limiting — necessary to keep the service safe and reliable.
- Consent: push notifications, optional profile fields — only collected when you opt in.
5. Your rights
You can exercise the following rights at any time:
- Access: see your data inside the app (Profile tab and per-feature screens). Email hello@seto.fit for a portable export.
- Correction: edit your profile, body measurements, and workouts directly in the app.
- Deletion: Settings → Account → Delete account. Deletion is immediate and permanent — see Delete account.
- Restriction / objection: email hello@seto.fit with the request and we'll process it within 30 days.
- Complaint: if you're in the EU/UK, you can complain to your local data-protection authority.
6. Retention
- Account, workouts, profile: kept until you delete the account.
- Refresh tokens: 30 days from issue, then automatically expired.
- Sentry events: 90 days, per Sentry's default retention.
- After deletion: the account row and every user-keyed dependent (workouts, sets, measurements, gyms, refresh tokens) are hard-deleted in a single transaction. There is no grace period.
7. International transfers
The seto backend is hosted in the European Union (Frankfurt). Some of the third parties in § 3 (RevenueCat, Sentry, Cloudflare) are based in the United States and may process data there. Where we transfer EU/UK data to processors outside the EEA we rely on the Standard Contractual Clauses approved by the European Commission.
8. Children
seto is not directed at children under 16. We don't knowingly collect data from children. If you believe a child has created an account, email hello@seto.fit and we will delete it.
9. Security
We secure data with TLS in transit, bcrypt password hashing, SHA-256 token hashing, and access controls in the database layer. No security is perfect; if you spot a vulnerability please email hello@seto.fit rather than disclosing publicly.
10. Changes to this policy
Material changes will be communicated by an in-app notice and an update to the “Last updated” date above. Continued use after the change date constitutes acceptance of the revised policy.
11. Contact
Questions, deletion requests, or data-subject requests: hello@seto.fit.