1. What this app does
TheLab is a personal training log. You record workouts, sets, bodyweight, and a few profile details. The app is provided as a Progressive Web App at lab.brightlabcrew.com and as a wrapped Android app on Google Play. This policy covers both.
2. What we collect — and where it lives
By default, nothing leaves your device. Workouts, custom exercises, routines, bodyweight history, and preferences are stored locally in your browser (localStorage and IndexedDB). We do not run a backend that receives your training data.
Three exceptions to that, in plain language:
- Hosting logs (Cloudflare). Cloudflare Pages hosts the app. When your browser loads a page, Cloudflare receives an HTTP request that includes your IP address, the URL, your user-agent string, and a timestamp. This is standard CDN logging and is retained per Cloudflare's policy. We do not query or analyse these logs.
- Exercise illustrations (third-party CDN). Some exercise detail pages stream animated GIFs from
static.exercisedb.dev. When that happens, the request includes your IP address. We don't send your training data, identity, or any other personal information. - Notification permission (browser). If you enable rest-timer notifications, the browser records the permission. We don't see who granted it.
3. What we do not collect
- No analytics, telemetry, or session-replay tools.
- No advertising trackers.
- No account creation, no email collection, no password storage.
- No location data.
- No contacts, camera, microphone, or filesystem access.
4. If you upgrade to a paid tier (in-app purchase)
If you upgrade to Pro or Unlimited inside the Android app, the transaction is handled entirely by Google Play Billing. Google receives your payment details; we do not. We receive a token confirming the purchase, which the app uses to unlock the relevant features locally. We do not learn your name, email, or card details from this process.
5. AI features (Pro and Unlimited only)
The AI coach features available on Pro and Unlimited send the specific prompt you submit (for example: a question about your form, or a request for a programme suggestion) to Anthropic, the operator of the Claude API, via our backend Worker. We do not include your name, email, or identifying details in those requests, and we do not send your full training history unless you explicitly attach it. Anthropic processes the prompt per its own privacy policy and (per its public API terms) does not train its models on Claude API traffic. The Worker counts your usage to enforce the monthly call quota but stores only an anonymous per-device counter.
6. Sub-processors
The third parties that touch your traffic (not your training data unless noted):
- Cloudflare — hosting + CDN (lab.brightlabcrew.com), plus the AI Worker for Pro/Unlimited
- GitHub — source code repository (the app's code, not your data)
- Google Play — Android distribution + billing (Android version only)
- Anthropic — AI coach features (Pro/Unlimited only; receives the prompt you type)
- static.exercisedb.dev — exercise illustration CDN
- Google Fonts / unpkg.com — font and icon-library delivery
7. Your rights (and how to act on them)
- Export everything. Profile → Data → "Export all data (JSON)" pulls every piece of locally-stored data into a single file.
- Delete everything. Profile → Data → "Reset local cache" + "Reset custom exercises" wipes all on-device storage. On Android, uninstalling the app removes all local data.
- Revoke notification permission. Your browser/OS handles this — Settings → Notifications → TheLab.
- Ask us anything. Email hello@brightlabcrew.com.
8. Children
TheLab is not directed at children under 13. We don't knowingly collect data from children. If you believe a child has used the app and we somehow hold information about them, contact us and we'll address it.
9. Legal basis (NZ + EU)
For users in New Zealand, processing is governed by the Privacy Act 2020. Because the app stores data locally on your device, we are not the holding agency for your training data — you are. Where we do process information (hosting logs), our basis is legitimate interest in operating the service.
For users in the European Union, the same logic applies under GDPR. The lawful basis for processing hosting logs is Article 6(1)(f) (legitimate interests). You have the right to object; contact us as above.
10. Changes
If this policy materially changes, the "Effective" date at the top updates and the next time you open the app you'll see a notice. Trivial wording fixes happen silently.
11. Contact
Noah Waculicz
BrightLab Crew
New Zealand
hello@brightlabcrew.com