Callus Privacy Policy
Version 1.0 - 2026-05-20
Callus is a minimalist weightlifting tracker for iPhone and Apple Watch. This policy explains how prspctv (“we”, “us”, “our”) processes personal data when you use Callus, the optional cloud and social features, and the prspctv.no website.
Controller and contact
The data controller is prspctv, Oslo, Norway.
Privacy requests: privacy@prspctv.no
Support requests: support@prspctv.no
We aim to answer privacy requests within 5 business days. GDPR allows us up to 1 month for formal data subject requests.
What we process and why
| Purpose | Data | Legal basis |
|---|---|---|
| Local workout logging | Exercises, sessions, sets, weights, reps, personal records, programs, categories, notes, app settings | Contract necessity, GDPR Art. 6(1)(b) |
| Optional cloud sync | Supabase user UUID, Sign in with Apple account identifier, workout data, settings, sync metadata | Contract necessity |
| Optional social features | Username, display name, profile photo, friends, posts, reactions, comments, squad or group memberships | Contract necessity |
| Premium subscription access | Apple transaction identifiers, entitlement status, product identifiers | Contract necessity |
| Sign in with Apple | Apple identity token and stable Apple user identifier | Contract necessity |
| Push notifications | APNs device token and notification preferences | Consent, GDPR Art. 6(1)(a) |
| HealthKit | Workout writes, plus on-device reads of body weight and, when Recovery Intelligence is enabled, sleep, heart rate, resting heart rate, heart rate variability, steps, wrist temperature, respiratory rate, VO2 max, and menstrual/cycle data used to estimate recovery and cycle phase | Consent |
| Camera and photo library | QR scans processed locally; selected profile photos uploaded only if you choose them | Consent |
| Crash reporting | App version, build number, device and OS, screen context, breadcrumbs, stack traces, and signed-in Callus user ID tag | Consent, with opt-out in Settings |
| Optional usage analytics | Minimal product events such as onboarding completion, workout start, workout completion duration/counts, and subscription purchase/restore events | Consent |
| Website waitlist | Email address if you join the waitlist | Consent |
Local-first storage
Workout data is stored on your device by default. It does not leave your device unless you sign in and use cloud or social features. HealthKit data is processed only on your device and is never uploaded to Callus servers.
Cloud processors and recipients
We use these processors to provide optional online features:
- Supabase Inc. for authentication, cloud sync, social data, and database hosting in the EU region.
- Apple for Sign in with Apple, StoreKit subscriptions, HealthKit permissions, and Apple Push Notification service.
- Sentry for optional crash reporting in its EU region.
- Website waitlist emails are stored in our own Supabase (EU-region) database; no third-party email-list processor is used.
- Plausible Analytics for cookieless website analytics.
- Giphy, a Shutterstock service, for optional GIF search in chat. When you search for a GIF, your search text is sent to Giphy to return results. Giphy is not used unless you open GIF search.
Processor use is governed by data processing terms or data processing addenda. APNs carries notification delivery data in transit. Notification bodies may include limited previews of social content you receive, such as a commenter’s username, a short excerpt of their comment or message, and the name/date of the workout they interacted with. You can disable lock-screen previews in iOS Settings if you prefer.
Sentry crash reporting
If you enable crash reporting, we collect crash reports that may include app version, build number, screen context, stack traces, breadcrumbs, view hierarchy snapshots, and a tag containing your Callus user ID after sign-in. We do not intentionally include passwords, emails, message contents, HealthKit data, or workout set contents in crash reports. You can opt out in Settings.
Sentry events are retained according to the active Sentry plan at publication time. We verify the active plan before publishing material updates to this policy.
Retention
- Local data: kept on your device until you delete it or uninstall Callus.
- Account and cloud sync data: kept while your account is active.
- Account deletion: active cloud records are deleted or anonymized within 30 days, with backups aging out within 90 days.
- Push tokens: invalidated or removed within 24 hours of account deletion where technically available.
- Sentry events: retained according to the active Sentry plan.
- Waitlist email: kept until you unsubscribe or request deletion.
Callus uses soft deletes internally before purge so sync can remain consistent across devices.
Your rights
Where GDPR or similar law applies, you may request:
- Access to your personal data.
- Correction of inaccurate data.
- Deletion of your account and cloud data.
- Restriction of processing.
- Data portability.
- Objection to processing where applicable.
- Withdrawal of consent for optional features.
You can export app data in Settings, delete your account in Settings, turn off HealthKit in iOS Settings, disable notifications in iOS Settings, and disable optional analytics or crash reporting in Callus Settings.
Callus does not use automated decision-making that produces legal or similarly significant effects.
Children
Callus is not directed to children under 13. Users under 16 in the EEA must have parental consent where required by local law.
Cookies and tracking
Callus is an iOS-native app and does not use web cookies in the app. The prspctv.no website may use cookieless, privacy-focused analytics.
Security
Cloud communication uses HTTPS. Authentication is handled through Sign in with Apple. Database access is protected with row-level security. We do not store passwords.
Changes to this policy
We will notify you in-app of material policy changes. Material changes require explicit acceptance before continued use of features that rely on changed processing, such as cloud sync, social features, or analytics. You can continue using local-only workout logging while reviewing changes.
Supervisory authority
If you believe your data protection rights have been violated, you may complain to your local supervisory authority. In Norway, this is:
Datatilsynet
Postboks 458 Sentrum, 0105 Oslo, Norway