Privacy Policy
Last updated: April 28, 2026 · Effective date: April 28, 2026
This Privacy Policy describes how TallPosture ("TallPosture", "we", "us") collects, uses, stores, and shares information when you use the TallPosture mobile application (the "App") and any related services (collectively, the "Service"). Please read it carefully. By using the Service you agree to the practices described below.
1. Who we are
TallPosture is operated by the publisher identified at the bottom of this page. If you have any questions about this policy or your data, contact us at [email protected].
2. Information we collect
2.1 Information you provide
- Onboarding answers: birth date, gender, current and target height, current weight, shoe size, parental heights, growth-plate status, ethnicity, sports played, activity level, sleep hours, water intake, smoking status, chronic conditions, medications, hormone-related answers.
- Account identifiers (optional): email address and password if you choose to link an email account; Google account identifier and email if you sign in with Google; Apple identifier (and optionally name/email) if you sign in with Apple.
- Tracking data: daily food entries, food photos, exercise sessions, sleep logs, height measurements, posture-related task completions, AI-coach chat messages.
- Testimonials and feedback you choose to submit.
2.2 Information collected automatically
- Device identifier: a unique per-device ID (Apple identifierForVendor on iOS, Android ID on Android, or a randomly generated UUID stored locally) used to create your anonymous account.
- Push token: the Expo Push Token issued by your device, used solely to deliver in-app notifications you have enabled.
- Locale and time zone: to localize content and schedule notifications.
- Server logs: the IP address used to make requests, request timestamps, the requested endpoint and response code. These are kept short-term for security and abuse prevention.
2.3 Information from third parties
- RevenueCat: subscription status (active, trial, expired, cancelled) and store transaction identifiers from Apple App Store / Google Play.
- Sign in with Apple / Google: the provider's subject identifier, your name (only on first Apple sign-in if you choose to share it), and your email (or Apple's private relay address if you elected to hide it).
2.4 Information we do not collect
- We do not use third-party advertising or analytics SDKs.
- We do not track you across other companies' apps or websites (App Tracking Transparency: tracking disabled).
- We do not read your Apple HealthKit / Google Fit records.
- We do not sell your personal data, ever.
3. How we use your information
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the core Service (analysis, program, tracking, coach) | Onboarding answers, tracking data, account identifiers | Performance of contract |
| Generate AI insights and Coach responses | Onboarding answers, tracking data, chat messages | Performance of contract |
| Send push notifications you have enabled | Push token, locale, time zone | Consent (you can disable any time) |
| Manage subscriptions and billing | Store transaction identifiers from Apple/Google via RevenueCat | Performance of contract |
| Account recovery across devices (optional) | Email, Google ID, Apple ID | Performance of contract |
| Security, fraud prevention, abuse mitigation | Server logs, account identifiers | Legitimate interest |
| Comply with legal obligations | As required | Legal obligation |
4. Sub-processors and third parties
We use the following processors to deliver the Service. Each is contractually bound to handle your data only as instructed by us.
- Server hosting and database — operates the API and PostgreSQL database that store your account and tracking data.
- S3-compatible object storage — stores food photos and exercise media you upload.
- OpenAI — processes Coach chat messages, food image analysis, and growth-prediction prompts. Inputs may include onboarding answers and food images so the model can produce relevant responses. OpenAI processes data per its enterprise data policy and does not use API inputs to train models.
- RevenueCat — manages subscription state and validates store receipts.
- Apple App Store / Google Play — process payments for subscriptions; we never see your payment card details.
- Google Sign-In / Sign in with Apple — verify your social identity if you choose to link an account.
- Expo Push Service — delivers push notifications.
If you would like the current list of named sub-processors, write to [email protected].
5. International data transfers
The processors above may be located outside your country, including in the United States. Where transfers leave the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards.
6. Data retention
- Active accounts: we keep your data for as long as your account is active.
- Account deletion: when you delete your account in the App (Profile → Delete Account) we erase your personal data within 30 days, except records we are legally required to retain (e.g., subscription receipts for tax purposes).
- Server logs: typically 30 days.
- Backups: data may persist in encrypted backups for up to 90 days after deletion before being overwritten.
7. Your rights
Subject to applicable law (GDPR, UK GDPR, CCPA/CPRA, KVKK and similar regimes) you may have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate data;
- Request deletion ("right to be forgotten") — available in-app via Profile → Delete Account;
- Request a portable copy of your data;
- Object to or restrict certain processing;
- Withdraw any consent you previously gave (e.g., notifications);
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, email [email protected]. We will respond within the time limit required by applicable law (30 days under GDPR).
8. Security
We implement industry-standard technical and organizational measures, including TLS encryption in transit, hashed passwords (bcrypt) and refresh tokens (SHA-256), restricted database access, short-lived access tokens, and regular dependency updates. No system is 100% secure; if we become aware of a breach affecting your data we will notify you in line with applicable law.
9. Children
TallPosture is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from such users. If you believe a child has provided us data, write to [email protected] and we will delete it.
10. California / CCPA disclosures
California residents have the right to know what personal information we collect (see Section 2), the purposes (Section 3), the categories of third parties we share with (Section 4), and to request deletion (Section 7). We do not "sell" or "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect any change. Material changes will be announced in the App or by other reasonable means before they take effect.
12. Contact
Questions, requests, or concerns:
- Email: [email protected]
- Web: https://tallposture.app