Privacy Policy
Last updated: 2026-05-17 · Effective: 2026-05-17
This policy explains what 114kilo collects, how it's stored, what we do with it, and what rights you have. Plain English, no fluff.
Who runs 114kilo
114kilo is built and operated by an anonymous solo developer. Contact: hello@114kilo.com
What we collect
When you sign in with Google, we receive:
- Your Google account email
- Your name (from your Google profile)
- Your Google profile picture URL
When you use the app, we store:
- Your start weight, goal weight, display name (set during onboarding)
- Every weight you log
- Every habit tap, with timestamp and which rotating response was shown
- Custom habits you add and the responses you write
- Run data: GPS coordinates sampled during the run, heart rate samples, total distance, duration, average and max heart rate
- The route polyline of each run, including your baseline route
- Privacy preferences (e.g. whether weight values are blurred by default)
We do NOT collect:
- Anything outside the app
- Location data when you're not actively running
- Heart rate data when you're not actively running
- Any data from other apps on your phone
- Cookies for tracking, advertising, or analytics
Where data is stored
All your data is stored in Supabase (a cloud database service), in the European Union region. Data is encrypted at rest and in transit.
Every row of your data is protected by row-level security keyed to your Google account. The database physically refuses to return another user's data when you query it. No exceptions.
Who can see your data
Nobody but you.
- We don't share your data with anyone.
- We don't sell your data.
- We don't use your data to train AI models.
- We don't show your data in any leaderboards, social feeds, or shared views.
- Even the developer cannot read your weight or run data without explicit access — the system is built so the developer's queries are RLS-restricted to their own account, same as yours.
The only exception: if a court order legally requires us to produce specific data, we would comply with the minimum required by law and notify you unless legally prohibited from doing so.
Cookies and tracking
We use only essential cookies:
- Google OAuth session cookie (so you stay logged in)
- Supabase auth token cookie (so the app knows it's you)
We do NOT use:
- Google Analytics, Plausible, or any other analytics
- Advertising cookies
- Third-party tracking pixels
- Cross-site fingerprinting
If we add analytics in the future, it will be privacy-preserving (no individual tracking, no third-party data sharing), and this policy will be updated.
Bluetooth and GPS
When you start a run:
- The app uses Web Bluetooth to read heart rate from your paired device. The Bluetooth pairing is local between your phone and your strap — nothing is sent to our servers from the strap directly.
- The app uses GPS via your phone's location services. GPS samples are stored only while a run is active and saved to our database when the run ends.
You can revoke Bluetooth and GPS permissions in your browser/phone settings at any time. The app will not function for run tracking without them, but the rest of the app (weight logging, habits, history) still works.
Your rights
You have the right to:
- Access your data: ask us and we'll send you everything we have on you in a machine-readable format (JSON export).
- Correct your data: edit it in the app, or ask us to fix it.
- Delete your data: tap Settings → Account → Delete account. This cascades and removes everything: profile, weights, runs, samples, habits, responses, clicks. Permanent and irreversible. Alternatively, email hello@114kilo.com and we'll do it manually.
- Export your data: tap Settings → Account → Export data (JSON download).
- Withdraw consent: sign out, stop using the app, or delete your account.
We respond to data requests within 30 days. If you're in the EU, you also have the right to lodge a complaint with your national data protection authority.
How long we keep data
- While your account is active: we keep your data so the app works.
- After you delete your account: data is removed within 30 days from active systems and within 90 days from backups.
- If you stop using the app but don't delete: we keep your data indefinitely so you can come back. If you'd rather we delete it after inactivity, email us.
Children
114kilo is not intended for anyone under 16. If you're under 16, do not sign in. If we learn we have data from someone under 16, we will delete it.
Security
- All connections use HTTPS with HSTS.
- Database access requires row-level-security-enforced authentication.
- Database is hosted in an EU-based, ISO 27001 certified data center (Supabase / AWS Frankfurt).
- We do not store your Google password — Google handles authentication entirely.
- If we ever discover a data breach affecting your information, we will notify you within 72 hours.
Third-party services we rely on
- Google — for OAuth sign-in. Their privacy policy: policies.google.com/privacy
- Supabase — for data storage and authentication. Their privacy policy: supabase.com/privacy
- Lovable (development platform) — does not have access to your production data.
- Cloudflare (CDN / DNS) — sees request metadata (IP address, timestamp) for DDoS protection. No persistent tracking.
Changes to this policy
If we change this policy materially, we'll update the "Last updated" date at the top and, for significant changes, notify you in-app the next time you open it. Continued use after a change means you accept it. If you don't accept, you can delete your account.
Contact
- Email: hello@114kilo.com
- Response time: within 7 days for general questions, within 30 days for data rights requests
This policy applies to 114kilo, accessible at https://114kilo.com.