Privacy Policy
Last updated: May 21, 2026
Rocky ("we", "us", "the app") is a gym workout tracker and AI coaching app. This policy explains what information we collect, how we collect it, how we use it, and who we share it with — including the third-party AI service that powers Rocky's coaching agent and the "Lazy add-in" feature.
1. Information we collect and how
- Account identity — collected when you sign in through our auth provider Clerk using one of three methods: email + password (with email verification), Google sign-in, or Apple sign-in. Clerk stores your email, name (when provided by the OAuth provider), and a user identifier; we receive a stable user ID.
- Coaching profile — collected during onboarding and editable from Profile: training goal (e.g. hypertrophy, strength, fat loss), experience level, height, bodyweight, sex (optional), date of birth (optional), available equipment, weekly session target, session length target, listed injuries (optional), and your timezone. The app does not function as a coach without a goal and experience level; the rest are optional.
- Workout data you enter — collected when you type it into the app: routines, exercises, sets, reps, weights, session dates and durations, session notes, and per-session feedback (RPE, "how it felt", optional free-text).
- Readiness check-ins — collected when you tap "Swap or adjust" or fill in the post-workout debrief: energy, sleep, soreness map, time available, and any free-text you enter.
- Lazy add-in free-text — collected when you type a workout description into the "Lazy add-in" screen and tap "Parse with Rocky". The exact text you typed, plus the date you picked, is transmitted to our backend and forwarded to a third-party AI service (see Section 3).
- Push notification token — collected if you grant notification permission. We store an Expo push token issued by Expo's push service so we can deliver your daily training briefing. The token does not identify your device hardware; it is install-specific.
- Preferences — collected when you change settings in the app: your chosen unit system (kg or lbs), nudge / haptics / rest-timer preferences, and whether you have consented to Lazy add-in AI processing.
- Coaching notes Rocky writes — derived data, stored on our servers. As Rocky plans your sessions it writes short structured notes to itself about patterns it sees in your training (e.g. "bench bar speed slower at 100kg×5 than two weeks ago", "user reported left shoulder discomfort on overhead press"). These are visible to you in Profile → Coach notes, where you can read or delete any individual note.
- Product analytics events — collected automatically as you use the app, via PostHog (see Section 4). Events include sign-in / sign-up, onboarding completion, screen views, workout started / finished / discarded, post-workout debrief submitted, routine created, plan adjustments, and profile changes (e.g. goal updated, agent paused). Each event is tagged with your Rocky user identifier, your email, name, and a PostHog-issued device identifier, plus standard properties such as app version, OS, device model, locale, and approximate location (country / region, derived from IP address by PostHog and stored at city-level granularity). We use this data only to understand which features are used and to fix issues — not for advertising or profiling.
2. How we use your information
We use the data above for the following purposes only:
- To authenticate you and keep you signed in.
- To store and display your own workout history, routines, profile, and personal records.
- To compute your own aggregated stats (volume, streaks, muscle-group balance) on our server and show them back to you.
- To run Rocky's coaching agent — a server-side process that, on a schedule and on demand, sends a snapshot of your profile, recent training, readiness, and coaching notes to Google Vertex AI (see Section 3) so a Gemini model can generate a tailored daily training plan and short coaching notes.
- To parse Lazy add-in free-text into structured sets via Google Vertex AI (see Section 3), with your prior in-app consent.
- To send you push notifications you have permitted (e.g. your daily briefing).
We do not use your data for advertising, profiling for advertisers, or any purpose unrelated to providing the service. We do not share your data with anyone except the sub-processors listed in Section 4.
3. AI features and third-party processing
Rocky uses Google Vertex AI (Gemini models, hosted in the us-central1 Google Cloud region) for two features. Both are accessed only through our backend on Google Cloud Run; the app never talks to Google directly.
3a. Coaching agent (the daily plan)
- What is sent: your coaching profile (goal, experience, height, bodyweight, sex if provided, equipment, weekly/session targets, listed injuries, timezone), recent training history (last ~21 days of sessions with sets/reps/weights and your RPE/felt feedback), the last ~14 days of readiness check-ins, recent personal records, your saved routines, and the coaching notes Rocky has written about you. Your name, email, and account identifiers are not included in the prompt; an internal user id is used only to associate the response with your account on our side.
- Why it is sent: to let the Gemini model decide the highest-value workout for your next training day and write short coaching notes for future runs.
- When it runs: once per day around your configured briefing hour, on demand when you tap "Swap or adjust" or finish onboarding, and after you save a session or post-workout debrief.
- Your consent: completing onboarding constitutes consent to this data flow. You can revoke at any time from Profile → Pause Rocky; while paused, no agent runs occur and no data is sent to Vertex AI for coaching.
- Retention by Google: under Google Cloud's customer-data terms applicable to Vertex AI, your prompts are not retained by Google and are not used to train Google's foundation models.
- What Rocky stores: the model's response (planned session, optional check-in question, coaching notes) is saved on our backend so the briefing card and the notebook persist across launches. We also store a short audit row per agent run (timestamp, model, token counts, latency, outcome) for cost monitoring and debugging.
3b. Lazy add-in (free-text parsing)
- What is sent: the exact free-text you typed into the Lazy add-in box (e.g. "Squats 3×8 at 80kg yesterday") and the date you selected. No account identifiers, no other workout history, no coaching notes, and no device identifiers are sent.
- Why it is sent: solely to parse the free-text into a structured list of exercises, sets, reps, and weights returned to the app for your review before saving.
- Your consent: the app shows an in-app consent screen before the first parse; parsing is not performed until you agree.
- Retention by Google: as in Section 3a — Vertex AI does not retain these prompts and does not use them to train its models.
3c. Equivalent protection and contractual terms
Google is contractually bound by the Google Cloud Data Processing Addendum and the Vertex AI Service Specific Terms, which provide data-protection commitments equivalent to those we make to you in this policy. Google may not use your data for its own purposes.
4. Other sub-processors
We use the following additional service providers to run Rocky. They are contractually required to protect your data and are not permitted to use it for their own purposes.
- Clerk — authentication. Receives your email + password (email flow) or your OAuth identifiers (Google / Apple flow) when you sign in.
- Google Cloud Run — application hosting for the Rocky backend.
- Google Vertex AI — generative-AI processing for the coaching agent and Lazy add-in (see Section 3).
- Neon (hosted on AWS, ap-southeast-1 / Singapore) — Postgres database for your workouts, profile, and coaching notes.
- Expo — push-notification delivery. We submit your daily briefing through Expo's push service, which forwards it to Apple Push Notification service (APNs) on iOS or Firebase Cloud Messaging (FCM) on Android. Expo receives the token and message body in transit only.
- PostHog (EU region, Frankfurt) — product analytics. Receives the events listed in Section 1 along with your Rocky user identifier, email, name, a PostHog-issued device identifier, app and device metadata, and an approximate location (country / region, derived from IP). PostHog processes this data on our behalf and is contractually prohibited from using it for its own purposes. Data is hosted within the EU.
5. Information we do not collect
- We do not read Apple Health, Health Connect, or any system health/fitness frameworks.
- We do not collect your precise location. Our analytics sub-processor (PostHog, Section 4) records an approximate country / region derived from your IP address, but never GPS or street-level location.
- We do not use advertising identifiers, no ad SDKs are embedded in the app, and we do not track you across other apps or websites. Rocky's iOS privacy manifest declares NSPrivacyTracking = false.
- We do not run crash reporting or session replay.
- We do not sell your data, share it with data brokers, or use it for advertising or profiling.
6. Storage and retention
Data is stored in Neon Postgres on AWS (ap-southeast-1 / Singapore) and served through Google Cloud Run. Connections use TLS, and data is encrypted at rest by the provider.
We retain your workout, profile, coaching notes, and readiness data for the life of your Rocky account. When you delete your account, all of your workout history, routines, PRs, profile, coaching notes, readiness check-ins, planned sessions, agent run audit rows, push tokens, and preferences are purged from our systems within 30 days. Backups that may still contain your data roll off within a further 30 days. Lazy add-in free-text and agent prompts are not retained by Google Vertex AI (see Section 3); on our side, prompts are processed in memory and not persisted — only the model's structured response (planned session and coaching notes) is stored.
7. Your rights — and deleting your account
You can delete your Rocky account and all associated data at any time:
You can also:
- Pause the coaching agent at any time from Profile → Pause Rocky. While paused, no agent runs occur and no data is sent to Vertex AI for coaching. Your logged history remains intact.
- Read or delete coaching notes Rocky has written about you at Profile → Coach notes. Each note can be removed individually.
- Withdraw Lazy add-in consent by simply not using the feature. Every other part of the app works without AI; the coaching agent runs only when not paused.
- Request data export by emailing [email protected].
8. Children
Rocky is not directed to children under 13 (or under 16 in the EEA / UK). We do not knowingly collect data from children.
9. International data transfers
Your data is processed in the United States (Google Cloud Run, Vertex AI in us-central1; Clerk; Expo), Singapore (Neon Postgres), and the European Union (PostHog, Frankfurt). Where required by applicable law, transfers rely on the standard contractual clauses incorporated in our sub-processors' agreements.
10. Changes
If we change this policy we'll update the date above and, for material changes, notify you in-app.
11. Contact
[email protected]