Privacy Policy
Takat is an iOS workout tracker published by Six Pak Labs LLC, a California limited liability company ("we", "us"). This policy explains what data Takat collects and what happens to it.
Summary
- Takat has no account system. You do not sign up, log in, or give us your email to use the app.
- Your workout data lives on your iPhone. If you subscribe to Takat Plus and enable iCloud backup, a copy is saved to your iCloud Drive — we never receive or store it on our servers.
- We use a small number of service providers: RevenueCat (subscription management), PostHog (anonymous product analytics), Cloudflare (AI coach request routing), OpenAI (AI coach model).
- We do not sell your data. We do not use advertising networks. We do not track your location.
Data on your device
Everything you enter in Takat — routines, programs, logged sets, session notes, preferences, onboarding answers, and coach conversations — stays in device-local storage on your iPhone. Uninstalling the app removes all of it. You can also wipe it from inside the app via Settings → Delete all Takat data.
iCloud backup (Takat Plus)
If you enable cloud backup in Settings, Takat writes a backup file to your personal iCloud storage. Apple stores the file under your Apple ID; we never receive or access it. You can delete it anytime from the Files app under iCloud Drive → Takat, or in iOS Settings → [your Apple ID] → iCloud → Manage Storage.
Apple Health (optional)
If you grant Takat access to Apple Health, the app reads recent body-weight samples and recent workout summaries so the AI coach can calibrate plans. Health data stays on your device except as a short summary included in a coach prompt you explicitly initiate. Takat does not write to Apple Health. You can revoke access any time in iOS Settings → Privacy & Security → Health → Takat.
Microphone and voice logging
Voice logging transcribes audio on-device using Apple's Speech Recognition framework. The microphone is only active during a voice-logging session you initiate. Depending on your device and language, Apple may transmit audio to its own services for transcription under Apple's terms; we never receive the audio. The resulting text transcript is sent through our AI coach proxy to OpenAI so it can be parsed into a set (exercise, weight, reps), then discarded.
AI coach
The Takat AI coach uses a large language model hosted by OpenAI. Coach requests pass through a proxy we operate on Cloudflare, which verifies the request using Apple App Attest, then forwards it on.
Sent to the proxy and OpenAI: your prompt or voice transcript, relevant context from your device (active routine, recent workouts, training goals from onboarding, and — if you granted Health access — a short summary of recent body weight and activity), and App Attest headers that verify a real Takat install.
Not sent: any identifier that links your requests across sessions to you personally, your payment details, your email, or your Apple ID.
What the coach proxy retains
The Cloudflare coach proxy is a pass-through forwarder. It does not store, log, or retain your prompts, voice transcripts, or the AI's responses. It does not record request or response bodies. The only content-related values it records are numeric counters (token counts and byte sizes reported by OpenAI) used to measure latency and detect cost regressions — never the text itself.
The proxy keeps a few short-lived operational records:
- App Attest challenges for one-time registration of your install: a random nonce with a 5-minute expiration.
- App Attest registration records for your install: a public key identifier and a monotonic usage counter (used to detect replay attacks). These are stored for the lifetime of the install. The private key is never stored by the proxy; it stays in your iPhone's Secure Enclave and is not accessible to us.
- Daily rate-limit counters: integer request and token-budget tallies that reset each UTC day (24-hour rolling retention) and are never linked to prompt content.
Cloudflare's infrastructure logs request-level metadata (timestamps, IP address, response status) for operational purposes under Cloudflare's standard retention. Our own proxy code writes a per-request telemetry line with the route name, byte counts, OpenAI token counts, and timing data, plus operational error messages — never request or response bodies.
What OpenAI retains
OpenAI processes coach requests under its API data-usage policy. OpenAI does not use API inputs to train its models. OpenAI retains API request and response data for up to 30 days for abuse and misuse monitoring, after which it is deleted. Full policy: openai.com/policies/api-data-usage-policies
Subscriptions
Takat Plus is sold through Apple's In-App Purchase system. We use RevenueCat to validate purchases and manage entitlements. RevenueCat receives an anonymous device-generated user ID, the product you purchased and its status, and basic device metadata. It does not receive your name, email, or Apple ID.
If you grant App Tracking Transparency permission when prompted, RevenueCat additionally collects Apple's advertising identifier (IDFA) for install-attribution reporting. If you deny the prompt, RevenueCat does not collect IDFA. Nothing in Takat depends on ATT being granted.
RevenueCat's privacy policy: revenuecat.com/privacy
Anonymous analytics
We use PostHog to understand how people use Takat so we can improve it. PostHog receives event names (for example, "workout logged" or "paywall viewed") and category-only properties. A client-side allowlist prevents exercise names, routine titles, notes, or any coach content from ever being sent. Events are tied to an anonymous device ID; PostHog does not know your name, email, or Apple ID.
PostHog's privacy policy: posthog.com/privacy
App Tracking Transparency
After onboarding, iOS shows Apple's App Tracking Transparency prompt. Your choice controls whether RevenueCat collects Apple's advertising identifier (IDFA). Denying the prompt does not disable any feature of Takat. You can change your choice in iOS Settings → Privacy & Security → Tracking.
Service providers (subprocessors)
- Apple — App Store, StoreKit, iCloud, HealthKit, Speech Recognition, App Attest (apple.com/legal/privacy)
- RevenueCat — subscription validation and entitlements
- PostHog — anonymous product analytics
- Cloudflare — AI coach proxy infrastructure
- OpenAI — AI coach language model
What we do not collect
- No advertising SDKs beyond the IDFA collection noted above (no Facebook SDK, no AppsFlyer, no Branch).
- No location tracking.
- No access to your contacts, calendar, or photos.
- No microphone access outside an active voice-logging session you started.
- No sale or rental of your data to third parties.
Children
Takat is not directed at children under 13 and we do not knowingly collect information from children under 13. If you believe a child has used Takat, email hello@takat.app and we will remove any associated data we can identify.
Delete all data
Settings → Delete all Takat data wipes your routines, programs, logged workouts, onboarding profile, app settings, coach conversation, and AI-generated form cues. It rotates the anonymous analytics and subscription identifiers tied to your install, and deletes the iCloud backup on a best-effort basis if iCloud is reachable.
It does not cancel an active Takat Plus subscription — only Apple can do that, in iOS Settings → [your Apple ID] → Subscriptions. The in-app success alert links you there.
Your California privacy rights (CCPA / CPRA)
California residents have the right to:
- Know what categories of personal information we collect and why.
- Request deletion of personal information we hold about you.
- Correct inaccurate personal information.
- Opt out of any "sale" or "sharing" of personal information.
- Limit the use of "sensitive personal information" as defined by the statute.
We do not sell or share personal information. We do not use personal information for cross-context behavioral advertising. We do not process "sensitive personal information" beyond Apple Health data you explicitly grant (governed by Apple's own terms).
To exercise any of these rights, email hello@takat.app. Because Takat has no account system, verification usually involves you providing enough context (approximate install date, device model, Apple ID used for purchase) for us to identify the right records at RevenueCat or PostHog on your behalf. We respond within the 45-day window required by the statute.
Your privacy rights (other jurisdictions)
Residents of other US states with comprehensive consumer-privacy laws (Colorado, Connecticut, Virginia, Utah, and similar) have substantially similar rights. Exercise them the same way.
EEA / UK / Switzerland residents
Takat is a solo-operator app offered to users in the United States and internationally through the App Store. If you are in the European Economic Area, the United Kingdom, or Switzerland, the EU General Data Protection Regulation and (for UK residents) the UK GDPR apply to our processing of your personal data.
Your rights. You have the right to access the personal data we hold about you; to request rectification of inaccurate data; to request erasure; to request restriction of processing; to data portability; and to object to processing, including processing based on legitimate interest. Where we rely on your consent (Apple Health, microphone, App Tracking Transparency, iCloud backup), you may withdraw that consent at any time from iOS Settings or from within Takat. Withdrawal does not affect processing carried out before withdrawal.
Automated decision-making. We do not use automated decision-making that produces legal or similarly significant effects about you within the meaning of GDPR Article 22. The AI coach's suggestions are advisory and only take effect when you act on them.
Our legal bases. We rely on your consent for the permissions you explicitly grant (Apple Health access, microphone access for voice logging, App Tracking Transparency, iCloud backup). We rely on our legitimate interest in operating, securing, and improving the Service for the minimal analytics, subscription validation, and coach-request routing required to deliver the features you invoke. We rely on contract performance for the subscription validation that makes Takat Plus features available.
How to exercise your rights. Email hello@takat.app with a description of what you're asking for. Because Takat has no account system, please include enough context for us to identify the right records — approximate install date, device model, the Apple ID you used for any Takat Plus purchase. We will respond within one month of receipt, as required by GDPR Article 12, and may extend that period by up to two further months for complex or numerous requests, in which case we will tell you within the first month.
EU and UK representative. At our current scale, Takat does not maintain an EU representative under GDPR Article 27 or a UK representative under UK GDPR Article 27. We handle data-subject requests and supervisory-authority correspondence directly via email at hello@takat.app.
Right to complain. You have the right to lodge a complaint with the data-protection supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of alleged infringement, or with the UK Information Commissioner's Office (ico.org.uk). We ask that you contact us first at hello@takat.app so we have a chance to resolve your concern directly.
International transfers. Your data may be processed in the United States by our subprocessors (OpenAI, PostHog, RevenueCat, Cloudflare). For transfers from the EEA / UK / Switzerland to the United States, we rely on the Standard Contractual Clauses published by the European Commission (and the UK International Data Transfer Addendum where applicable) as incorporated into our subprocessors' data-processing terms.
Data retention
- Data on your device: until you delete it in-app or uninstall.
- iCloud backup: until you delete it from your iCloud storage.
- RevenueCat records: per RevenueCat's retention policy. The anonymous subscription identifier is rotated on Delete All Data.
- PostHog events: 1-year rolling retention. The anonymous distinct ID is rotated on Delete All Data; post-rotation events cannot be linked to the prior install.
- Coach proxy (Cloudflare): prompts, voice transcripts, and AI responses are not retained. App Attest challenges expire after 5 minutes. Rate-limit counters reset daily (24-hour rolling). App Attest registration records persist for the lifetime of the install and are erased on Delete All Data (the key is cleared locally; the server-side record remains until expiry but cannot be linked to you after the local key is wiped).
- OpenAI: up to 30 days for abuse and misuse monitoring, then deleted. Not used to train models.
Data security
We use TLS for all network traffic. The App Attest private key that verifies coach requests is stored in your iPhone's Secure Enclave and is not accessible to us or to the app. No online service is 100% secure; if you notice something concerning, email hello@takat.app.
Changes to this policy
If we make a material change, we will update the "Last updated" date and surface the change in-app before your next coach or backup action.
Governing law
This policy is governed by the laws of the State of California, without regard to conflict-of-laws principles, except where mandatory consumer-protection law in your jurisdiction applies.
Contact
Email: hello@takat.app
Publisher: Six Pak Labs LLC, California, United States