Privacy Policy

Effective date: April 20, 2026  ·  Applies to: Rally for iOS (the “App”)  ·  Publisher: Rally (“we,” “us”)

Rally is a small, private fitness accountability app. You and 3–8 people you trust keep each other honest with a daily workout photo. This policy explains, in plain English, what we collect, why, who sees it, and how to get rid of it. If anything here is unclear, email us — the address is at the bottom.

We wrote this policy to match Apple's App Privacy (“nutrition label”) categories so you can compare it line-for-line with what you see on the App Store.

1. What we collect

We try to collect as little as possible. Here is the complete list.

Identifiers

• User ID. When you sign in, Firebase Authentication creates a random string (a “UID”) that identifies your account to our servers.
• Account identifiers. If you sign in with email, we store the email address you use to sign in. If you use Sign in with Apple, we store the Apple-provided relay email when you choose Hide My Email. Anonymous IDs from earlier test builds are signed out before production use.
• Device push token (future). If you opt in to push notifications, Apple will give us a device token through Firebase Cloud Messaging so we can send cheers and squad nudges. The token identifies your device, not you.

User content

• Workout photos. Every check-in is a photo you take or choose. Photos are stored in Firebase Storage and are visible only to the 3–8 members of your squad.
• Posts and captions. The workout type, detail (miles, steps, minutes, sessions), and any caption you attach to a photo.
• Comments. Text you send in your squad's post comment threads.
• Goals and streaks. The structured data behind your personal goals (free-text goal plus an optional target number) and your streak calendar. Goals are personal commitments only — Rally does not handle money, process payments, route donations, or accept wagers of any kind.

Usage data

• In-app activity. Posts you create, cheers you give or receive, streaks you hit, and the last time you opened the app — all stored in Firestore so the app has something to show you.
• We do not use third-party analytics. Rally does not integrate Amplitude, Mixpanel, Segment, Google Analytics, Firebase Analytics, or any comparable SDK. There is no behavioral event stream leaving your device.
• Crash and performance data. We may collect anonymous crash reports through Apple's built-in diagnostics (which you control in iOS Settings → Privacy → Analytics & Improvements). We do not run our own crash SDK today.

Contact info

• Email address. Used for email sign-in, account recovery, privacy requests, and support. Sign in with Apple's “Hide My Email” is fully supported.

Location, health, contacts, financial info, browsing history, search history, sensitive info

• None. Rally does not collect GPS or any location data. Rally does not integrate HealthKit. Rally does not read your contacts, calendar, microphone, or any biometric data. Rally does not process payments inside the app. Goals are personal commitments only; the app does not accept wagers, donations, tips, or any other money movement.

Metadata in photos

• Photos you capture with Rally's camera contain the minimum EXIF metadata needed to render them correctly (dimensions, orientation). We strip GPS coordinates from every upload. If you pick an existing photo from your library, we strip GPS on the server before storing it.

2. How we use what we collect

We use your data for exactly these reasons. Nothing else.

• To run the app. Show your squad feed, keep your streak, deliver comments, track your goals, and let you scroll your own grid.
• To keep the app and squads safe. Investigate abuse reports, honor block requests, and respond to legal requests.
• To communicate with you (future). If you opt in to push, send streak reminders and squad activity notifications. You can turn these off anytime in iOS Settings.

We do not sell your data. We do not use your photos or messages to train advertising profiles. We do not run ads.

3. Who sees your data

Rally is built on a small set of service providers. They act as processors on our behalf — they handle data only to run the parts of Rally we pay them for, and only under their own published privacy and security commitments.

• Firebase (Google Cloud). Authentication, Firestore database, Storage for photos, and (future) Cloud Messaging for push. Firebase stores data in Google's data centers. See Google's Firebase privacy documentation for specifics.
• Apple. Apple handles the Sign in with Apple exchange. Push notifications will flow through Apple Push Notification service if they ship in a future release.
• Expo Application Services. We use EAS Update to deliver over-the-air JavaScript bundle updates to the app. EAS receives the device's runtime version and platform; no user content is transmitted.

We do not share your data with advertisers, data brokers, analytics companies, or affiliates. There are no affiliates.

We may disclose data when legally required (a valid subpoena, a safety emergency, or as part of a business transfer, in which case we will notify you first and give you the chance to delete your account).

4. How long we keep your data

• Photos. Stored until you delete the post, leave the squad that owns it, or delete your account. Deleted posts are removed from Firebase Storage within 30 days. Backup copies age out within 90 days.
• Comments and posts. Same retention as photos.
• Account record. Kept while your account is active. When you delete your account, we delete the record and your personal content within 30 days, except minimal records we are legally required to retain (none today).
• Anonymous accounts. If you never sign up and do not open Rally for 12 consecutive months, we may delete your anonymous account and its content automatically.

5. Your rights and controls

You can do all of the following from inside Rally or by emailing us:

• Access. See every photo, post, and message tied to your account. Most of this is already visible in-app.
• Export. Request a copy of your data in a machine-readable format. We'll deliver it within 30 days.
• Correct. Edit captions, workout type, and your profile anytime from the app.
• Delete specific content. Delete any photo, post, or message you created.
• Delete your account. Open Rally, go to Profile, tap the sign-out icon in the top right, and pick Delete account. Your profile, squad membership, and goals are removed immediately. Past workout posts remain in the squad feed without your name attached; email abenuro@gmail.com if you want those scrubbed too.
• Withdraw consent. Revoke camera or notification permissions in iOS Settings → Rally at any time.

If you live in California, the EEA, the UK, or another jurisdiction with data-protection laws, you also have the right to object to processing, request portability, and lodge a complaint with your local regulator. Email us and we'll honor the same rights globally.

6. How we protect your data

• Photos and data are transmitted over TLS.
• Firebase Storage and Firestore enforce per-user access rules — the rules that decide who can read or write a post live in our code repository and are reviewed before every release.
• Squad photos and comments are readable only by members of the same squad, enforced by Firestore security rules.
• We do not store any secrets, payment card numbers, or government identifiers.

No system is perfect. If we learn of a breach that affects you, we will notify you by email (if we have one) or an in-app notice, and we'll tell you what happened and what to do.

7. Children

Rally is for people 13 and older. The App Store age rating reflects that. We do not knowingly collect data from children under 13. If you believe a child under 13 is using Rally, email us and we'll delete the account.

Some jurisdictions set the minimum age higher (for example, 16 in parts of the EU). In those places, the local minimum applies.

8. International users

Rally's servers run in the United States on Google Cloud. If you use Rally from outside the US, your data will be transferred to and processed in the US. By using Rally you consent to that transfer. We apply the same privacy commitments to your data regardless of where you live.

9. Changes to this policy

If we change this policy in a material way — for example, when push notifications turn on, or when a new service provider is added — we will update the effective date at the top and notify you in-app before the change takes effect. Older versions are available on request.

10. Contact

Questions, requests, complaints, or a polite nudge to fix a typo:

Email: abenuro@gmail.com

We respond to privacy requests within 30 days.

Thanks for trusting us with your streak. We take it seriously.