Privacy Policy

1. Who this is from

This Privacy Policy describes how Linchpin Industries ("we," "us") collects, uses, and protects information in connection with the Stupid Simple Fitness service (the "Service"). Questions about this policy: help@stupidsimplefitness.com.

2. What we collect

Account information

When you sign up, we collect your email address and a hashed password. If you choose to add a display name or other profile detail, we store that too.

Intake and training data

The information you give the Service so it can build a plan: your goal, your timeline, your training history, your equipment access, your injuries, restrictions, and anything else you put in the intake or your profile.

Logged training

The sets, reps, loads, RPE, durations, distances, and notes you log against your plan. The journal entries you write. The reasons you give when you mark a workout missed.

Subjective inputs

Sleep, mood, soreness, energy, and any other check-in fields you choose to fill out.

Billing information

Subscription status, plan, renewal date, billing email. We do not store your full card number. Card details are handled by our payment processor (Stripe), which is PCI-DSS compliant. We receive a customer identifier and the last four digits of your card so we can show you which card is on file.

Device and usage data

Browser, operating system, device type, language, timezone, IP address (used to derive coarse region and to rate-limit abuse), pages visited inside the Service, features used, and timestamps. We use this to understand how the Service is actually used and to debug problems.

Optional context

During intake we ask for permission to attach your timezone, language, and browser type to your account so we can schedule your week sensibly and tailor your dashboard. You can decline and we'll still build you a plan.

Communications with us

If you email us or fill out a support form, we keep that conversation so we can help you and so we have a record.

3. What we don't collect

• We do not collect your precise location. We do not need it.
• We do not collect contacts, microphone, camera, or photo library access.
• We do not buy data about you from data brokers.
• We do not run third-party advertising trackers.

4. How we use what we collect

To run the Service for you. Specifically:

• Build and update your plan. Your inputs and logged training are sent to our AI provider so the AI can generate and recalibrate your plan.
• Run your account and bill you. Authentication, subscription management, receipts, and billing-related email.
• Communicate with you. Service-related email (e.g. trial ending, plan changes, weekly read), responses to your messages, and important policy updates. We do not send marketing email without your opt-in.
• Improve the Service. Aggregate and anonymous metrics, debugging, performance, and safety-rail tuning.
• Keep the Service safe. Detect abuse, fraud, jailbreak attempts, and rate-limit accordingly.
• Comply with the law. Tax, accounting, and legal requirements where they apply.

5. The AI part

The Service uses third-party large language model providers to generate plans and written feedback. We usually use Anthropic, with OpenAI as a backup in case of outages. When the AI builds something for you, the relevant inputs (your goal, history, recent log, the question being asked) are sent to whichever provider is serving the request, and a response is returned.

Our AI provider, under our contract with them:

• Does not use the data we send to train their models.
• Does not retain the data beyond what is operationally required.
• Is bound by their own published privacy and security commitments.

The AI Disclosure walks through exactly which data goes where and why.

6. Who we share data with

A short, finite list of service providers we use to run the Service. Each is contractually bound to use your data only to perform the service we hired them for.

• Hosting and infrastructure (currently Heroku/AWS): to run the application and store your data.
• AI providers (usually Anthropic, with OpenAI as a backup in case of outages): to generate plans and written outputs.
• Payment processor (currently Stripe): to handle subscriptions and billing.
• Transactional email (currently SendGrid): to send you account and Service emails.
• Error monitoring: to catch and fix bugs. Configured to scrub user-identifying details where possible.

We will also share data when we are legally required to (a valid court order, subpoena, or equivalent legal process), and when needed to protect the Service or its users from abuse, fraud, or imminent harm.

If we ever sell or transfer the business, your data may transfer with it. We will tell you before that happens, and the buyer will be bound by privacy commitments at least as strong as these.

7. What we do not do with your data

• We do not sell it. Not in a "we have a careful definition of 'sell'" way. We do not sell it.
• We do not rent it, swap it, or share it with data brokers.
• We do not use it to train third-party AI models.
• We do not run third-party advertising trackers on our pages.
• We do not retarget you on other websites based on what you logged here.
• We do not read your journal entries to find patterns to monetize. Journal entries are between you and the AI that's building your plan, full stop.

8. How long we keep it

Active accounts: as long as your account is open, so the Service can keep working with your history.

Closed accounts: we delete or anonymize your personal data within 60 days of account closure, except for the minimum we are legally required to keep (for example, billing records for tax purposes, which we retain for the period required by law).

Backups age out on a normal rolling schedule, typically within 30 days.

9. Your rights

Depending on where you live, you may have legal rights to:

• Access the personal data we have about you.
• Correct it if it's wrong.
• Export it in a portable format.
• Delete it (and close your account).
• Object to or restrict certain processing.
• Withdraw consent where processing was based on your consent.
• Lodge a complaint with your local data protection authority.

You can exercise most of these from inside your account. For anything you can't do from the UI, email help@stupidsimplefitness.com and we will respond within 30 days.

For California residents: under the CCPA/CPRA you have the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. We will not discriminate against you for exercising any of these rights.

10. Security

We use industry-standard practices to protect your data: encryption in transit (TLS), encryption at rest, hashed passwords, scoped database access, regular dependency and security updates, and the principle of least privilege for staff access.

No system is perfectly secure. If we ever suffer a breach that affects your data, we will notify you in line with applicable law and tell you what happened, what we know, and what to do.

11. Children

The Service is for adults (18+). We do not knowingly collect personal information from anyone under 18. If you believe a minor has signed up, email help@stupidsimplefitness.com and we will delete the account.

12. International users

The Service is operated from the United States. If you're using it from outside the U.S., your information will be transferred to and processed in the U.S. and other countries where our service providers operate. By using the Service, you understand and accept that.

13. Cookies

We use a small number of cookies, almost all of them strictly necessary (login session, CSRF token). The full breakdown is in the Cookies & Tracking page.

14. Changes to this policy

We will update this Privacy Policy when the Service changes or when the law changes. If a change is material, we will notify you in advance (in-app, by email, or both). The "Last updated" date at the top of this page always reflects the current version.

15. Contact

Privacy questions, requests, or complaints: help@stupidsimplefitness.com.