In short — the plain-language version
- We collect your phone number, profile and workout data — because that's what the product is.
- We never sell your personal data. No exceptions.
- Only a trainer you've actively linked with can see your training data — and their access ends the moment the link does.
- Solo athletes are invisible to trainers. Reviews are always anonymous.
- You can access, correct or delete your account and data at any time.
1.Scope of this policy
This Privacy Policy explains how koRep ("we", "us") processes personal data when you use our mobile app and website (the "Service"). It is designed to meet our obligations under Indian law, including the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 and its rules. By using the Service you consent to the processing described here.
2.What we collect
| Category | Examples | Source |
|---|---|---|
| Identity | Mobile number (used for sign-in), name, date of birth, gender, profile photo | You |
| Fitness profile | Training goal, experience level, chosen gym | You |
| Workout data | Sessions, exercises, sets, reps, weights, durations, notes, plans, streaks | You, or a trainer you've linked with logging on your behalf |
| Trainer profile (trainers only) | Bio, years of experience, specialisations, certification documents, pricing, availability, UPI handle for receiving payments | You |
| Connections & reviews | Trainer requests, link status, waitlist positions, reviews and flags you submit | You |
| Payment records | Amounts, dates and confirmation status of payments you record; subscription status. We never see or store your UPI PIN, bank details or card numbers. | You / payment providers |
| Device & usage | Device model, OS version, app version, crash logs, notification preferences and tokens | Your device |
We practise data minimisation: no email requirement, no contact-list access, no location tracking in the background — your gym is a choice you make, not a place we follow you to.
3.How we use your data
- To run the product: sign you in, show your dashboard, compute streaks, weekly volume, estimated 1RM and progression suggestions, deliver plans and notifications.
- To run the marketplace: show trainer profiles (with rating and specialisations) to clients at the same gym, manage requests, waitlists and links.
- To keep records straight: maintain the two-step confirmation trail for payments and the audit history of reviews.
- To keep the platform honest: enforce review eligibility, detect fake sessions and review fraud, and compute trainer verification.
- To improve the Service: analyse aggregated, anonymised usage (never your identity) and fix crashes.
- To meet legal obligations and respond to lawful requests from authorities.
4.Who can see your data
Other users
- Your linked trainer(s): while a link is active or paused, they can view your sessions, plans and progress dashboard, and log sessions for you. They never see your payment history with other trainers or your activity with other coaches.
- Clients browsing the directory (about trainers): trainers' public profile — name, photo, bio, specialisations, pricing, rating, review count and badges. Never a trainer's phone number.
- Nobody sees solo athletes. If you train solo, you do not appear in any directory or list visible to trainers.
- Reviews are anonymous: your name and identity are never displayed alongside a review, and trainers are not told who wrote one.
Service providers (processors)
- Supabase — our backend infrastructure (database, authentication, file storage), processing data on our instructions.
- Razorpay (when gateway payments/subscriptions are active) — to process subscription payments; they handle your payment instrument under their own privacy policy.
- Google AdMob — to serve banner advertising in free tiers (see Section 10).
Legal
We may disclose data where required by law, court order or governmental authority, or to protect the rights, safety and integrity of the Service and its users.
5.What we never do
- We never sell your personal data.
- We never reveal a reviewer's identity to a trainer.
- We never expose solo athletes to trainers.
- We never share a client's workout data with a trainer whose link has ended.
- We never see or store UPI PINs, bank account numbers or card details.
6.Data ownership & trainer access
All workout data belongs to the client it describes — including sessions logged by a trainer. When a trainer–client link ends (by either side), the trainer's access is revoked immediately and automatically at the database layer, not just hidden in the interface. The client retains every session, plan and record permanently. A trainer who created an offline client record transfers that record — history included — to the person it describes when they sign up with the same phone number.
7.Storage & security
- Data is stored in a managed cloud database with row-level security: access rules are enforced inside the database for every single query, scoped to the signed-in user — the strictest place they can live.
- All data moves over encrypted connections (TLS).
- Sensitive business rules (reviews, links, payments) can only be changed through controlled server-side procedures — not by direct client writes.
- Certification documents are stored in private storage accessible only to their owner and our review process. Profile photos you upload are public to other users of the app by design.
- No system is perfectly secure. If we learn of a breach affecting your data, we will notify you and the authorities as required by law.
8.Retention
- Account data: kept while your account is active.
- Workout history: kept indefinitely while your account exists — that permanence is the product — and deleted when your account is deleted.
- Payment and subscription records: retained as required by Indian tax and financial-record laws, even after account deletion, then deleted.
- Security logs: retained briefly for fraud prevention, then deleted.
9.Your rights
Under the DPDP Act and this policy you can:
- Access the personal data we hold about you — most of it is visible directly in the app; write to us for a full copy.
- Correct inaccurate profile data — editable in the app at any time.
- Delete your account and data — see Delete your account.
- Withdraw consent for optional processing (e.g., specific notification types, via in-app preferences). Withdrawing consent essential to the Service (like storing workout data) means deleting your account.
- Nominate a person to exercise these rights on your behalf as provided by the DPDP Act.
- Complain — first to our grievance officer (Section 13), and if unresolved, to the Data Protection Board of India.
10.Advertising
Free tiers of the app may show banner advertisements served by Google AdMob. AdMob may process device identifiers to serve and measure ads under Google's privacy policy. We do not pass your workout data, phone number or profile to advertisers. Paid tiers remove advertising where stated in-app.
11.Children
The Service is intended for users aged 18 and above. We do not knowingly process children's data. If you believe a minor has created an account, contact us and we will delete it.
12.Changes to this policy
We will announce material changes in the app before they take effect and update the "Last updated" date above. Your continued use after the effective date constitutes acceptance.
13.Grievance officer & contact
In accordance with the Information Technology Act, 2000, the DPDP Act, 2023 and rules made thereunder, our Grievance Officer can be reached at:
- Email: support@korep.fit
We acknowledge grievances within 48 hours and aim to resolve them within 15 days. For anything else: support@korep.fit or our contact page.