Overview

KILO is a workout tracker for iPhone and Apple Watch. By default, your workout data stays on your devices. Cloud features, including iCloud Sync and optional KILO account sync, are opt-in and can be managed from Settings.

This policy describes the information handled by the KILO iOS app, Apple Watch app, widgets and Live Activities, and this website ("KILO," "we," "us").

Who is responsible for your data

KILO is operated by Reece Charlton in the United Kingdom. Reece Charlton is the data controller for personal information handled through KILO accounts, KILO Sync, support, and this website. You can contact the controller at support@kiloapp.uk.

Information we handle

Data you create in the app

This includes active and completed workouts, exercises, custom exercises, sets, reps, weights, workout and set notes, templates, rest timer settings, strength goals, goal outcomes, exercise preferences, muscle contribution settings, favorites, personal records, streaks, stats preferences, unit and theme preferences, your self-reported experience level, local insights, and locally cached AI summaries.

This data is stored locally using Apple on-device storage, including SwiftData and app-group storage used by the app, Apple Watch companion, widgets, and Live Activities.

Health data (HealthKit)

When you grant permission, KILO uses HealthKit to support active workouts. The Apple Watch app can read live heart rate and workout data needed to run and mirror a workout, and it can write a completed workout to Apple Health when you finish a Watch workout. The iPhone app can also start a temporary HealthKit workout session to collect live heart rate during an active session, then discard that temporary workout instead of saving it to Health.

Heart-rate values may be mirrored between your iPhone, Apple Watch, and Live Activity while a workout is active. KILO may also store heart-rate timeline samples for completed workout summaries, including beats per minute, timestamp, source, and workout, rest, or exercise context labels. If you enable iCloud Sync or KILO Sync, those heart-rate timeline samples may be included in sync data so your workout heart-rate charts and timelines can be restored across devices. iCloud Sync stores this data in your private CloudKit database associated with your Apple Account. KILO Sync transmits it over HTTPS and stores it in Supabase. KILO does not upload HealthKit workouts to KILO account sync, and we never use HealthKit data for advertising or tracking.

Account information (optional)

If you create a KILO account, we handle your email address, optional name, authentication provider information, optional profile metadata supplied by your sign-in provider such as display name, verification status, email-change status, and account session information. Password authentication is handled by Supabase; KILO does not store plaintext passwords. If you use Sign in with Apple, we receive the Apple identity token needed to sign you in, but we do not receive your Apple ID password.

KILO account sync data (optional)

If you enable KILO Sync, the data needed to keep your devices aligned is transmitted over HTTPS and stored in Supabase. This includes settings, custom exercises, muscle contributions, exercise preferences, exercise and template notes, workout templates, workout history, workout exercises, sets, set metadata, notes, rest timer settings, strength goals, goal outcomes, heart-rate timeline samples for workout summaries, detailed stats preferences, and sync timestamps.

KILO Sync data is linked to your KILO account and protected by authentication, row-level security policies, and operational access controls. It is not end-to-end encrypted.

iCloud data (optional)

If you enable iCloud Sync, KILO stores a sync snapshot in your private CloudKit database associated with your Apple Account. This may include workout heart-rate timeline samples when they are available. This data is not stored on KILO's Supabase backend. iCloud and CloudKit are managed by Apple, and KILO accesses this data through Apple's CloudKit APIs from your signed-in devices.

Subscriptions and purchases

KILO Pro subscriptions are processed by Apple through StoreKit and the App Store. KILO reads product and entitlement status so it can unlock Pro features, cache entitlement state for short-term offline use, and mirror Pro access to Apple Watch. We do not receive or store your payment card details.

Notifications, alarms, and Live Activities

If you allow notifications or alarms, KILO can schedule local rest timer alerts, active-workout reminders, inactivity reminders, and a reminder before cancelled KILO Pro access ends. Notification text may include information such as an exercise name, training reminder, or subscription end date. Live Activities can display active workout and rest timer state, including live heart rate when available. These features are handled on your device through Apple's notification, AlarmKit, ActivityKit, and app-extension systems.

Website and support messages

This website is static and does not include advertising pixels, analytics scripts, or tracking cookies. Like any website, your browser and the hosting provider may process routine technical information needed to load the page. If you email support, we receive your email address and whatever information you include in the message.

Diagnostic information

If you opt in at the system level, Apple may share anonymised crash reports with us through built-in diagnostics. KILO does not embed third-party analytics, crash-reporting, or advertising SDKs.

How we use information

We do not sell your data. We do not share it with advertisers. We do not use your data to train machine learning models. We do not track you across apps or websites.

Our lawful bases

Where UK data protection law applies, we rely on the following lawful bases:

Heart-rate information and other health information can be special-category data. When KILO Sync uploads heart-rate timeline samples, we rely on your explicit consent under Article 9(2)(a) of the UK GDPR. KILO explains that heart-rate timeline samples are included before you enable KILO Sync. You can withdraw this consent by turning off KILO Sync and can delete the synced data from Settings. Withdrawal does not affect processing that occurred before you withdrew consent.

Smart suggestions

KILO’s suggestion engine runs on-device. It analyses your own training history together with general best practices about recovery and progressive overload. No training data is sent to external servers to power suggestions.

AI workout summaries

On supported devices, KILO uses Apple's on-device Foundation Models framework to generate short summaries from the workout information already stored in the app, such as workout title, duration, sets, total volume, trained muscles, notes, personal records, goals, and recent comparisons. KILO does not send this data to our backend for AI summaries, and we do not use it to train machine learning models.

Generated summaries are cached locally for the matching workout and are refreshed if that workout changes.

Third-party services

We use a small number of service providers and Apple platform services to deliver optional features:

Data retention

Locally stored data remains on your device until you delete it, reset KILO data from Settings, or delete the app. Local AI summary caches are removed when you reset all KILO data.

iCloud Sync data remains in your private CloudKit database until you delete it from KILO Settings, delete the app's iCloud data through Apple controls, or Apple removes it according to your Apple Account choices.

KILO account and KILO Sync data remain in Supabase until you delete the synced data or your account. Deleting KILO Sync data removes synced workout, heart-rate timeline, template, exercise, preference, and settings data from the live service and signs this device out. Deleting your account also removes the authentication account record. Local data on your device, App Store purchase history, and any active App Store subscription are not deleted or cancelled by KILO account deletion.

Residual copies of deleted KILO Sync data may remain in encrypted service backups until the next applicable backup rotation. Backups are retained only for security and disaster recovery and are not used to restore an individual account after deletion. Authentication and security logs are retained according to the operational and security schedules of the relevant service provider.

Support messages are kept while needed to answer your request, investigate related issues, protect the service, or meet a legal obligation, and are deleted when they are no longer needed for those purposes. Diagnostic reports provided by Apple are retained according to Apple's diagnostic-service controls and schedules.

Contact us to request an export or help if the in-app controls do not cover your request.

Your choices and rights

Depending on where you live and the lawful basis being used, you may have rights to access, correct, erase, restrict, or receive a portable copy of your personal information, and to object to certain processing. Where processing relies on consent, you may withdraw that consent at any time. Contact us using the details below to exercise these rights.

If you are in the United Kingdom, you also have the right to complain to the Information Commissioner's Office (ICO). We would appreciate the opportunity to address your concern first, but contacting us is not a prerequisite to making a complaint.

Security

Traffic between KILO and Supabase is encrypted in transit with TLS. Supabase handles password storage and authentication, and KILO does not store plaintext passwords. The KILO Sync database uses row-level security policies tied to your authenticated user ID. Administrative access is limited to what is needed to operate, secure, support, and comply with legal obligations for the service.

KILO Sync data is not end-to-end encrypted. If you want KILO data to remain only on Apple-controlled storage, you can use local-only mode or iCloud Sync instead of KILO Sync.

If you suspect unauthorized access to your account, contact us immediately so we can help.

Children’s privacy

KILO is not directed to children under 13 (or the equivalent minimum age in your region). We do not knowingly collect personal information from children. If you believe a child has provided us with information, please contact us and we will delete it.

International users

KILO is operated from the United Kingdom and its primary Supabase database is hosted in Ireland. Apple, Supabase Edge Functions, and service-provider subprocessors may process information in other countries. Where personal information is transferred internationally, we rely on an applicable adequacy regulation or contractual protections provided by the service provider, including the safeguards in Supabase's Data Processing Addendum where relevant. You can contact us for more information about the safeguards that apply.

Changes to this policy

We may update this policy as the product evolves. Material changes will be announced in-app and on this page. The effective date at the top of the policy always reflects the latest version.

Contact us

Questions about this policy or about your data? We’d like to hear from you.

Data controller and privacy inquiries

Reece Charlton
United Kingdom

Email us and we’ll respond as quickly as we can.

support@kiloapp.uk