Privacy Policy

Effective Date: February 21, 2026 Last Updated: February 21, 2026

Fieldhouse Athletic LLC ("Company," "we," "us," or "our") operates the Kiln Fit mobile application, website, and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, share, and protect your personal information when you use the Service. By using the Service, you consent to the practices described in this Privacy Policy.

1. Information We Collect

1.1 Account Information

• Email address — used for account creation, authentication, and communication
• Password — handled entirely by our authentication provider (Supabase Auth); we do not store or have access to your plaintext password

1.2 Profile and Fitness Information

We collect the following information to generate and adapt your training programs. All fields beyond email are optional and provided at your discretion:

• Demographic data: age, sex, height, weight
• Fitness profile: training age category (novice, intermediate, advanced), strength benchmarks (e.g., squat, deadlift, bench press), endurance benchmarks (e.g., 5K time, mile time)
• Goals: structured goal type selection and optional free-text goal description
• Physical limitations: structured injury flags indicating body region and severity (caution or avoid) — we do not collect medical records, diagnoses, or clinical notes
• Training preferences: effort metric preference (RPE vs. RIR), logging granularity, equipment available, sessions per week, minutes per session, days available

1.3 Training and Activity Data

• Workout logs: exercises performed, sets, reps, weight/load, RPE, RIR, completion status, and per-set notes
• Endurance session logs: duration, distance, pace, heart rate, perceived effort, terrain, and segment-level detail
• Daily readiness check-ins: sleep quality, mood, soreness, pain level, stress level, optional free-text notes, and pain-region flags

1.4 Military and Tactical Information (Optional)

If you use our tactical training features, you may optionally provide:

• Military branch
• Occupational category (e.g., combat arms, special operations, aviation)
• Fitness test type and next test date
• Upcoming schools or selection programs
• Field training dates with demand profiles

This information is used solely to tailor your training program. We do not share this information with any government agency, military branch, or third party except as described in Section 3.

1.5 Device and Technical Information

We do not collect device information directly. Our crash-reporting service (Sentry) automatically collects limited technical data when errors occur, including:

• Device type, operating system, and app version
• Screen navigation breadcrumbs (which screens you visited)
• HTTP request metadata (URLs and status codes only — no request or response content)
• A pseudonymous user identifier (your internal account ID, not your email or name)

Sentry is configured to actively scrub personal and sensitive data from all error reports. See Section 3.4 for details.

1.6 Information We Do NOT Collect

• Name (first name, last name, or display name)
• Location or GPS data
• Photos or videos
• Contacts or address book data
• Payment or financial information (see Section 5)
• Data from Apple Health, Google Fit, or any wearable device

1.7 Waitlist Information

If you join our waitlist before creating an account, we collect:

• Email address — to notify you when the Service launches
• Submission timestamp
• UTM campaign parameters (if present in the URL you visited) — to understand which channels are reaching potential users

We do not collect your name, IP address, device information, or browsing history as part of waitlist signup. Waitlist emails are retained until a launch notification has been sent, after which they are deleted within 30 days unless you have since created a Kiln account.

2. How We Use Your Information

We use your information for the following purposes:

We do not use your information to:

• Serve advertisements
• Build advertising profiles
• Sell your personal information to third parties
• Train AI models (neither our own nor those of our third-party AI providers)

3. How We Share Your Information

We do not sell your personal information. We share information only with the following categories of service providers, solely for the purposes of operating the Service.

3.1 AI / Large Language Model Providers

Providers: OpenAI, Inc. and Anthropic, PBC

We use third-party AI models to generate and modify training sessions. All AI calls are made server-side — the app on your device never communicates directly with AI providers.

The following data may be sent to AI providers depending on the function:

No personally identifiable information (email, user ID, name) is ever sent to AI providers. The only user-authored free text that reaches AI providers is your goal description and session modification requests, which contain only what you choose to type.

We have executed Data Processing Agreements (DPAs) with our AI providers. Under these agreements and their API terms of service, your data is not used to train their AI models.

We do not store prompt content. We log only metadata (function name, model used, token counts, latency, success/failure) for cost tracking and debugging purposes.

3.2 Infrastructure and Authentication

Provider: Supabase, Inc. (hosted on Amazon Web Services)

Supabase provides our database, authentication, and backend serverless functions. All user data stored in our database resides on Supabase's infrastructure (AWS). Row-Level Security (RLS) is enabled on every database table, ensuring users can only access their own data.

3.3 Authentication

Provider: Supabase Auth

Supabase Auth handles account creation and login. Passwords are hashed and managed entirely by Supabase Auth — our application code never accesses or stores plaintext passwords.

3.4 Crash Reporting

Provider: Sentry (Functional Software, Inc.)

Sentry collects crash reports and error data to help us identify and fix bugs. Sentry is configured with the following privacy protections:

• Default PII collection is disabled
• The only user identifier sent is your internal account ID (a random UUID) — not your email or name
• We actively scrub 30+ sensitive field names from all error reports, including: email, name, password, sleep quality, mood, soreness, pain, stress, injury flags, goal text, workout logs, RPE, RIR, and prompt content
• Performance tracing is disabled
• Sentry is active only in production builds

3.5 Legal Requirements

We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of the Company, our users, or the public.

4. Data Storage and Security

4.1 Where Your Data Is Stored

• Server-side: All user data is stored in a Supabase Postgres database hosted on AWS infrastructure in the United States.
• On-device: Only authentication tokens (JWT access and refresh tokens) are stored on your device, in encrypted OS-level secure storage (iOS Keychain / Android Keystore). No other user data is stored on your device.

4.2 Security Measures

• All data in transit is encrypted via HTTPS/TLS
• All data at rest is encrypted using AES-256 (AWS EBS encryption)
• Row-Level Security (RLS) is enforced on every database table
• Authentication tokens are stored in OS-level secure storage (iOS Keychain / Android Keystore)
• All AI/LLM calls are made server-side — your device never communicates directly with AI providers

4.3 Data Retention

• Your data is retained for as long as your account is active
• Upon account deletion, all personal data is deleted within 30 days
• Aggregate, anonymized analytics data (which cannot be linked back to you) may be retained indefinitely
• LLM call metadata (token counts, latency, success/failure — no prompt content) is retained for cost tracking and may be deleted periodically

5. Payment Information

The Service does not currently process payments. When paid subscriptions become available, payment will be handled entirely by Apple (App Store) or Google (Play Store). We will not collect, store, or have access to your payment card information, bank account details, or other financial data. For information on how Apple or Google handles your payment data, please refer to their respective privacy policies.

6. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@kiln.fit.

7. Your Rights and Choices

7.1 All Users

• Access: You can view your profile data, training logs, and check-in history within the app at any time.
• Correction: You can update your profile information within the app at any time.
• Deletion: You may request deletion of your account and all associated data. We will delete your personal data within 30 days of your request.

7.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, contact us at privacy@kiln.fit. We will verify your identity before processing your request.

7.3 European Economic Area, UK, and Swiss Residents (GDPR)

If you are located in the EEA, UK, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

• Legal Basis for Processing: We process your data based on (a) your consent (account creation), (b) performance of a contract (providing the Service), and (c) our legitimate interests (security, bug fixing).
• Right of Access: You may request a copy of your personal data.
• Right to Rectification: You may request correction of inaccurate data.
• Right to Erasure: You may request deletion of your data.
• Right to Restrict Processing: You may request that we limit how we use your data.
• Right to Data Portability: You may request your data in a structured, machine-readable format.
• Right to Object: You may object to processing based on legitimate interests.
• Right to Withdraw Consent: You may withdraw consent at any time.

Data Transfers: Your data is stored in the United States. By using the Service, you consent to the transfer of your data to the United States. We rely on Data Processing Agreements with our service providers (including Standard Contractual Clauses where applicable) to ensure adequate protection of your data.

To exercise these rights, contact us at privacy@kiln.fit.

8. Third-Party Links and Services

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing any personal information.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through the Service. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:

Fieldhouse Athletic LLC
312 W. 2nd St #2433
Casper, WY 82601
privacy@kiln.fit

Sub-Processor List