Privacy Policy
Last updated: May 19, 2026
The short version: lockin. is local-first. Camera-based exercise verification stays on your device, and we use limited backend services only for subscriptions, connected-workout delivery, Live Activity expiry alerts, and support operations.
lockin. ("we", "us", or "our") operates the lockin. mobile application (the "App"). This Privacy Policy explains what information we collect, how we use it, how we protect it, and what choices you have.
By using the App, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the App.
1. Information we collect
Information you provide
- Onboarding preferences — During setup, you answer a personalization quiz (daily screen time estimate, problem app categories, exercise preferences, reduction goals). This data is used to build your plan and is stored on your device.
- Blocked-app selections — The app categories and apps you choose to block. These selections are processed through Apple's Screen Time API and are opaque to us — we never see the names or identifiers of individual apps.
Information collected automatically
- Activity and progress data — Exercise completions, earned minutes, streak counts, daily goals, time-bank balances, and milestone achievements needed to operate the service.
- Purchase and entitlement data — Subscription status, transaction identifiers, and app user identifiers needed to unlock paid features and restore purchases. Billing is handled entirely by Apple; we do not process payment card details.
- Notification delivery data — If you connect supported workout integrations, we may store an installation identifier and APNs device token so workout webhooks can wake the app with silent push in the background.
- Live Activity session data — If you start a timed unlock session with a Live Activity, we may send your installation identifier, a per-activity Live Activity push token, and the session expiry time to Supabase so the Live Activity can be updated and alerted when your session is about to end or expire.
Information from optional integrations
The following data is collected only if you explicitly connect the integration. You can stop syncing a connected integration at any time from the App's settings.
- Apple Health — Step counts and workout summaries (duration, type) so your daily movement can earn screen time. This data is read locally via HealthKit. Disconnecting Apple Health in the App stops future syncs, but to fully revoke access you must also remove Lockin's Health permission in iOS Settings > Privacy > Health.
- WHOOP — Workout summaries (duration, sport type) and basic profile information needed to show your connected account. OAuth tokens are stored in the Keychain on your device. If you connect WHOOP, lockin. may also store the provider user ID, an installation identifier, and your device token in backend infrastructure so webhook events can trigger background sync.
- Strava — Activity summaries (duration, sport type, name) retrieved through the Strava API. OAuth tokens are stored in the Keychain on your device. If you connect Strava, lockin. may also store the provider athlete ID, an installation identifier, and your device token in backend infrastructure so webhook events can trigger background sync.
Camera and on-device processing
The App uses your device camera and Apple's Vision framework to detect body pose during exercise verification. All processing happens entirely on your device. No images, video frames, or pose data are recorded, stored, uploaded, or transmitted. The camera feed is analyzed in real time and immediately discarded.
Face data
The App does not collect, use, store, or share face data. The App's camera-based exercise feature uses Apple's VNDetectHumanBodyPoseRequest API exclusively for body-pose estimation (detecting joint positions such as shoulders, elbows, and knees). No face detection, face recognition, or facial analysis APIs are used. No face geometry, face landmarks, or facial feature data is extracted from the camera feed at any time. The raw camera frames are processed in real time for body-joint detection only and are immediately discarded — they are never written to disk, uploaded, or transmitted.
2. Information we do not collect
- We never see which apps you have installed or use. Apple's Screen Time API is privacy-preserving — app selections are opaque tokens that we cannot read.
- We never store camera footage or pose data.
- We never collect, store, or process face data (no face detection, face recognition, or facial analysis is used).
- We never collect your location.
- We never collect device advertising identifiers (IDFA) or use device fingerprinting.
- We never use third-party advertising or tracking SDKs.
- We never sell, rent, or share your personal data with third parties for their marketing purposes.
3. How we use your information
We use your data solely to provide, maintain, and improve the lockin. service:
- Tracking earned screen time and managing your daily time bank
- Syncing workouts from connected fitness services
- Enforcing app-blocking schedules via Apple's Screen Time API
- Managing your subscription and restoring purchases
- Personalizing your plan based on onboarding preferences
- Displaying progress, streaks, milestones, and widgets
- Sending local notifications (streak reminders, earned-time alerts)
- Powering lock-screen widgets and Live Activities
4. Data storage and security
On-device storage
Most app data is stored locally on your device within an encrypted App Group container protected by iOS Data Protection. Limited service data may also be processed by our backend vendors to support subscriptions, connected-workout webhooks, device-token delivery, Live Activity session-alert delivery, and support operations.
Keychain
OAuth tokens for connected services (WHOOP, Strava) are stored in the iOS Keychain, which is hardware-encrypted and inaccessible to other apps. Tokens are cleared when you disconnect an integration or remove the App.
Background sync
If you have connected fitness sources, the App may periodically refresh workout data in the background using iOS Background App Refresh. This syncs directly between your device and the connected fitness service. You can disable background refresh in iOS Settings.
5. Third-party services
We use a limited number of third-party services to operate the App. Each receives only the minimum data necessary:
- RevenueCat — Subscription management. RevenueCat receives an app user identifier and transaction data to manage entitlements. See RevenueCat's privacy policy.
- PostHog — Product analytics. PostHog receives event data tied to a persistent installation identifier so we can understand how the App is used and improve the experience. This includes app opens and feature interactions; onboarding/profile properties such as subscription status, blocked-app count, screen-time goals, problem-app categories, onboarding goals/challenges, and preferred movement source; paywall and purchase events such as package identifiers, prices, and trial/conversion outcomes; exercise completion events; and source connection/disconnection events. These analytics are not anonymous, but we do not send direct identifiers such as your email address or name, or device advertising identifiers. Data is hosted in the EU. See PostHog's privacy policy.
- Supabase — Backend infrastructure used for OAuth relay flows, webhook mapping, APNs device-token storage, Live Activity session registration (including per-activity push tokens and expiry times), and connected-workout delivery.
- Apple — Screen Time API (FamilyControls / ManagedSettings / DeviceActivity), HealthKit, App Store billing, local notifications, and APNs push infrastructure.
- WHOOP — Workout data sync, only if you connect it. See WHOOP's privacy policy.
- Strava — Activity data sync, only if you connect it. See Strava's privacy policy.
We do not use advertising networks or cross-app tracking services.
6. Data retention
- While you use the App: Most app data remains on your device for as long as the App is installed.
- App deletion or in-app deletion: Removing the app or using the in-app delete flow clears local app data on the device, including blocked-app configuration, notification preferences, and the local installation identifier. We also attempt to remove stored device-token and webhook-mapping records that support connected-workout delivery.
- Third-party data: Purchase, billing, infrastructure, and provider records managed by Apple, RevenueCat, Supabase, WHOOP, or Strava remain subject to their respective retention policies.
7. Your rights and choices
- Access: You can view all your data within the App (Dashboard, Progress, and Settings screens).
- Deletion: You can delete your local data from within the app or by removing the app from your device.
- Disconnect integrations: You can disconnect WHOOP or Strava at any time; doing so stops future syncs and removes stored OAuth tokens from your device.
- Apple Health: You can disconnect Apple Health in the App at any time to stop future syncs, but to fully revoke Health access you must also remove Lockin's permission in iOS Settings > Privacy > Health.
- Notifications: You can disable notifications in iOS Settings at any time.
- Background refresh: You can disable background app refresh in iOS Settings → General → Background App Refresh.
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction with applicable data protection laws, you may also have the right to request correction of inaccurate data, restriction of processing, or to lodge a complaint with your local data protection authority. Contact us to exercise these rights.
8. Children's privacy
lockin. is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
9. International data transfers
Some service providers we use may process data outside your jurisdiction, including the United States and other countries where Apple, RevenueCat, Supabase, WHOOP, or Strava operate. Please refer to their privacy policies for details.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top and, where appropriate, notify you through the App. Your continued use of the App after changes take effect constitutes acceptance of the revised policy.
11. Contact us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, email us at hello@lockin.lifestyle.