Privacy Policy

2.1 Account Information

• Email address (required for non-anonymous accounts)
• Display name (from Apple or Google OAuth providers)
• Firebase UID (unique technical identifier)
• Authentication method (Apple Sign-In, Google Sign-In, Email/Password, or Anonymous)

2.2 Health & Biometric Data

• Age (18-55 range)
• Height and weight measurements
• BMI (calculated automatically)
• Face photograph (captured via camera for AI analysis)
• Lifestyle factors: resistance training frequency, diet quality, sleep hours, stress level, energy level
• Supplement usage (user-reported list)
• Timezone (used for quota reset scheduling)

2.3 Daily Tracking Data

• Sleep quality ratings (0-10 scale)
• Energy level ratings (0-10 scale)
• Stress level ratings (0-10 scale)
• Optional personal notes (free text)

2.4 Habit Tracking Data

• Custom habits created by you
• Habit categories (Diet, Workout, Lifestyle, Custom)
• Completion dates and streak history
• Reminder times and duration estimates

2.5 AI-Generated Results

• T-Score (0-100) and percentile rank
• Category classification (e.g., "Average," "Above Average")
• AI-generated recommendations for diet, workout, and lifestyle
• Facial analysis notes based on uploaded photos (including confidence score and detected facial features)
• Testosterone blocker analysis
• Premium assessment data is encrypted at rest using AES-256-GCM encryption with a per-user key

2.6 Subscription Data

• Subscription status (active, inactive, unknown)
• Product ID, price, and billing period
• Transaction history (via Apple StoreKit)
• Entitlements (managed via Superwall)
• Subscription lifecycle events received via webhook (purchase, renewal, expiration, trial conversion)

2.7 Device & Technical Data

• Device Identifier for Vendor (IDFV): A unique identifier assigned by Apple to your device for this app. We collect IDFV from all users (including organic installs) for fraud prevention, referral attribution, and abuse detection. IDFV is NOT a persistent advertising identifier and resets if you uninstall all apps from the same developer.
• Attribution source (organic, referral, or promotional campaign)
• App usage timestamps and assessment generation timestamps

2.8 Referral Data

• Your unique referral code (auto-generated 8-character alphanumeric code)
• Referral link URL (hosted via Firebase)
• Number of users you have referred and their qualification status (completed onboarding and face scan)
• If you were referred: the referral code used, referring user's ID, and attribution timestamp
• Referral trial status (whether unlocked, expiration date)
• Referral codes may be stored in your device Keychain to survive app reinstallation

2.9 Usage Quota Data

• Daily assessment generation count (maximum 5 per day)
• Daily AI habit generation count (maximum 2 per day)
• Quota reset timestamps (based on your local timezone)
• Rate limiting data (request counts per minute for certain operations)

3.1 Core Functionality

• Provide AI-powered testosterone assessments via Google Gemini API
• Generate personalized health and lifestyle recommendations
• Track daily habits and progress over time
• Manage user accounts and authentication
• Provide a one-time free assessment preview before subscription (free scan)
• Enable social sharing of your T-Score results to platforms you choose

3.2 Referral Program

• Generate and manage unique referral codes for each user
• Track referral attribution to determine which users were referred by whom
• Monitor referred user qualification status (completed onboarding and face scan)
• Grant 30-day premium trial access when referral requirements are met (3 qualified referrals)
• Validate referral trial expiration against server time to ensure accuracy

3.3 Fraud Prevention & Security

• Detect and prevent referral fraud using Device ID (IDFV) correlation
• Enforce daily usage quotas (assessment and habit generation limits)
• Rate-limit API requests to prevent abuse
• Validate subscription entitlements server-side
• Prevent device time manipulation for trial period validation

3.4 Service Improvement

• Improve AI model accuracy through usage patterns
• Optimize app performance and user experience
• Develop new features based on aggregated usage data

3.5 Legal Compliance

• Comply with applicable laws and regulations
• Enforce our Terms of Service
• Protect user safety, security, and rights

4.1 Google Gemini API (AI Analysis)

We transmit your face photograph (base64-encoded JPEG, optimized to maximum 768x768 pixels), age, height, weight, BMI, and lifestyle data (resistance training frequency, diet quality, sleep hours, stress level, energy level, supplements) to Google Gemini API (ai.google.dev) for AI-powered testosterone assessment and facial feature analysis. This transmission occurs both during free scans and premium assessments. IMPORTANT: Face photographs are NOT stored in our database; they are only transmitted to Google for analysis, then immediately deleted from our systems. Google may temporarily store images for up to 48 hours as part of API processing for abuse prevention and service improvement, after which they are automatically deleted. AI-generated text analysis results (observations about facial features) are stored in our Firebase Firestore database. Google Privacy Policy: https://policies.google.com/privacy | Google AI Terms: https://ai.google.dev/terms

4.2 Firebase (Google Cloud)

We use Firebase Authentication for user sign-in, Firebase Firestore for data storage, and Firebase Cloud Functions for server-side processing (assessment generation, referral tracking, subscription webhook handling, and quota enforcement). All user data except face images is stored in Firestore. Firebase Analytics is DISABLED. Data may be stored in Google Cloud data centers. Google Cloud Privacy: https://cloud.google.com/privacy

4.3 Superwall (Subscription Management)

We share subscription status and paywall interaction data with Superwall to manage in-app purchases and paywall presentation. Superwall sends subscription lifecycle events (purchases, renewals, trial conversions, expirations) to our servers via cryptographically signed webhooks (verified using Svix). Your Firebase UID is shared with Superwall for user identification. Superwall Privacy Policy: https://superwall.com/privacy

4.4 Apple (StoreKit & Sign-In)

We use Apple StoreKit for in-app purchase processing and Apple Sign-In for authentication. Apple processes payment transactions securely. Apple Privacy: https://www.apple.com/privacy/

4.5 Google Sign-In SDK

We use Google Sign-In SDK for OAuth authentication. Google manages authentication credentials. Google Privacy: https://policies.google.com/privacy

4.6 Social Media Platforms (User-Initiated Sharing)

When you choose to share your T-Score results, data may be transmitted to the following platforms via iOS system mechanisms: INSTAGRAM: A PNG image of your T-Score card (containing your score, tier, and sub-scores) is placed on the iOS pasteboard along with background color data and our Facebook App ID. Instagram receives this data when you share to Stories. SNAPCHAT: A PNG sticker image and optional content URL (App Store link) are shared via Snapchat's Creative Kit if installed. TIKTOK AND OTHER PLATFORMS: Data is shared via the standard iOS Share Sheet, which transmits the generated T-Score image. IMPORTANT: Social sharing is entirely user-initiated. We do NOT automatically share your data to any social platform. The shared T-Score card image is generated entirely on your device and is NOT uploaded to our servers. Once shared, the data is subject to the receiving platform's privacy policy.

5.1 Security Measures

• End-to-end encryption for data in transit (HTTPS/TLS)
• Firebase security rules enforce user-level data isolation
• Face images are NOT stored (privacy by design)
• OAuth 2.0 for secure authentication
• Premium assessment results are encrypted at rest using AES-256-GCM with a unique per-user encryption key
• Subscription webhook signatures are cryptographically verified (Svix)
• Referral codes stored in iOS Keychain for secure persistence
• Server-side validation of subscription entitlements and referral trials
• Regular security audits and updates

5.2 Data Isolation

Each user's data is stored in separate Firestore collections with strict access controls. Users can only access their own data via Firebase security rules.

6.1 Active Accounts

• Assessment history: Retained until you delete individual assessments or your account
• Daily logs: Retained until you delete individual logs or your account
• Habits: Retained until you delete individual habits or your account
• Referral data: Referral codes, referred user records, and attribution data are retained while your account is active
• Usage quota data: Daily counts reset automatically; historical quota data is not permanently retained
• Free scan status: A flag indicating whether you have used your one-time free scan is retained while your account is active

6.2 Account Deletion

To request account deletion, email privacy@testmaxxer.app with subject "Account Deletion Request." We will delete all your data within 30 days of your request, including referral data, attribution records, and per-user encryption keys. Note: Transaction records may be retained for legal compliance (up to 7 years). Referral records attributing other users to your account may be anonymized rather than deleted to preserve referral program integrity.

6.3 Backup Retention

Firebase backups may retain deleted data for up to 30 days after deletion for disaster recovery purposes.

7.1 All Users

• Access: Request a copy of your data by emailing privacy@testmaxxer.app
• Correction: Update profile information within the app
• Deletion: Delete individual assessments, logs, and habits in-app
• Account Deletion: Email privacy@testmaxxer.app to request full account and data deletion

7.2 GDPR Rights (EU/EEA Users)

• Right to Access (Article 15): Request all personal data we hold about you
• Right to Rectification (Article 16): Correct inaccurate data
• Right to Erasure (Article 17): Request deletion of your account and all data
• Right to Data Portability (Article 20): Request data export in machine-readable format (email privacy@testmaxxer.app)
• Right to Restrict Processing (Article 18): Limit how we use your data
• Right to Object (Article 21): Object to certain data processing activities
• Right to Withdraw Consent (Article 7): Revoke consent at any time
• To exercise GDPR rights, email privacy@testmaxxer.app with subject "GDPR Request"

7.3 CCPA Rights (California Residents)

• Right to Know: Request disclosure of categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information
• Right to Opt-Out of Sale: We do NOT sell personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
• To exercise CCPA rights, email privacy@testmaxxer.app with subject "CCPA Request"

12.1 What Facial Data We Collect

• Facial photograph: A single front-facing photograph of your face captured using your device camera
• Facial analysis results: AI-generated observations about facial characteristics that may correlate with testosterone levels (e.g., facial structure, skin quality, jawline definition), including a confidence score (0-1) and a list of detected facial features
• Image metadata: Image dimensions (optimized to maximum 768x768 pixels), JPEG compression quality
• NO biometric identifiers: We do NOT collect, store, or use facial recognition data, facial templates, or biometric identifiers for identity verification

12.2 How We Collect Facial Data

You capture a facial photograph using your device's front-facing camera within the TestMaxxer app. The photo is taken only after you grant camera permission and provide explicit consent on the consent screen. Camera access is requested via iOS permission prompt. You must affirmatively check consent boxes before the photo is transmitted for analysis. Facial data is collected during both free scans (one-time preview before subscription) and premium assessments.

12.3 Complete Explanation of Facial Data Usage

• PRIMARY PURPOSE: Your facial photograph is transmitted to Google Gemini AI API for testosterone level estimation based on facial features
• ANALYSIS PROCESS: Google Gemini analyzes facial characteristics including bone structure, skin quality, facial fat distribution, and jawline definition to estimate testosterone levels
• RESULT GENERATION: The AI generates a T-Score (0-100), percentile rank, category classification, and personalized recommendations
• EDUCATIONAL USE ONLY: Results are estimates for educational purposes and are NOT medical diagnoses
• NO IDENTITY VERIFICATION: Facial data is NEVER used for identity verification, authentication, facial recognition, or tracking
• NO ADVERTISING: Facial data is NEVER used for advertising, marketing, or profiling
• CONSENT REQUIRED: All facial data processing requires your explicit consent via in-app consent checkboxes
• SOCIAL SHARING: If you choose to share your T-Score results to social media, a generated T-Score card image (which does NOT contain your facial photograph) may be shared. Your original face photograph is never included in shared content.

12.4 Facial Data Sharing with Third Parties

• GOOGLE GEMINI API (PRIMARY PROCESSOR): Your facial photograph (base64-encoded JPEG, optimized to 768x768 pixels) is transmitted to Google Gemini API (ai.google.dev) for AI-powered facial analysis
• DATA TRANSMITTED TO GOOGLE: Facial photograph + age + height + weight + BMI + lifestyle factors (training, diet, sleep, stress, energy) + supplements
• GOOGLE'S PRIVACY POLICY: https://policies.google.com/privacy
• GOOGLE AI TERMS: https://ai.google.dev/terms
• NO OTHER SHARING: Facial photographs are NOT shared with any other third parties, advertisers, data brokers, or partners
• FIREBASE/FIRESTORE: Facial photographs are NOT stored in Firebase Firestore (only AI-generated text analysis results are stored)
• SOCIAL MEDIA: Facial photographs are NEVER shared to social media platforms. Only the generated T-Score card image (score, tier, and sub-scores) is shared when you initiate sharing.

12.5 Where Facial Data is Stored

• TESTMAXXER STORAGE: Facial photographs are NOT stored in TestMaxxer's database (Firebase Firestore). Only the AI-generated text analysis results (facial feature observations) are stored.
• DEVICE STORAGE: Facial photographs are temporarily held in device memory during camera capture and transmission, then immediately deleted after successful API transmission
• GOOGLE STORAGE: Google may temporarily cache or store facial photographs as part of API processing. According to Google AI terms (https://ai.google.dev/terms), Google may retain data for up to 48 hours for abuse prevention and service improvement, then deletes it.
• DATA LOCATION: Google processes data in Google Cloud data centers globally, which may include United States, Europe, and Asia-Pacific regions
• NO PERMANENT STORAGE: TestMaxxer does NOT maintain any permanent storage of facial photographs

12.6 Facial Data Retention Period

• TESTMAXXER RETENTION: Facial photographs are retained for 0 seconds (deleted immediately after transmission to Google Gemini API)
• GOOGLE RETENTION: According to Google AI API terms (https://ai.google.dev/terms), Google may retain facial photographs for up to 48 hours for abuse prevention, service quality, and improvement purposes, after which they are automatically deleted
• ANALYSIS RESULTS RETENTION: AI-generated text analysis results (observations about facial features) are stored in Firebase Firestore until you delete your assessment or account
• ACCOUNT DELETION: When you delete your account, all AI-generated analysis results are permanently deleted within 30 days
• NO LONG-TERM RETENTION: Neither TestMaxxer nor Google retains facial photographs for longer than 48 hours

12.7 Privacy Policy Sections Covering Facial Data

Facial data collection, use, disclosure, sharing, and retention are explained in the following privacy policy sections: Section 2.2 (Health & Biometric Data - face photograph collection), Section 3.1 (Core Functionality - AI-powered analysis), Section 4.1 (Google Gemini API sharing), Section 4.6 (Social Media - clarification that face photos are NOT shared), Section 5.1 (Security Measures - face images not stored), Section 6 (Data Retention), Section 12 (This section - comprehensive facial data handling), Section 13 (Health Data & Consent - legal basis for processing)

12.8 User Control and Consent

• EXPLICIT CONSENT REQUIRED: You must affirmatively check consent boxes on the ConsentView screen before any facial data is collected or transmitted
• CAMERA PERMISSION: iOS camera permission must be granted before photo capture
• WITHDRAWAL OF CONSENT: You can withdraw consent at any time by deleting your account (email privacy@testmaxxer.app)
• NO AUTOMATED DECISIONS: Facial analysis does not result in automated decisions with legal or similarly significant effects
• RIGHT TO DELETE: You can request deletion of all AI-generated analysis results by deleting individual assessments in-app or requesting account deletion

14.1 What Data is Shared

• A generated PNG image of your T-Score card, which may include: your overall T-Score (0-100), your tier designation (e.g., Platinum, Gold, Silver), your Diet, Workout, and Lifestyle sub-scores, and TestMaxxer branding
• Your App Store link (copied to clipboard for easy sharing)
• Background color data matching your tier (for Instagram Stories)
• IMPORTANT: Your facial photograph, personal health data, account information, and assessment details are NEVER included in shared content

14.2 How Sharing Works

Social sharing is entirely user-initiated. You must tap the share button and select a platform. The T-Score card image is generated entirely on your device and is NOT uploaded to our servers. For Instagram Stories, the image and background colors are placed on the iOS pasteboard with a 5-minute expiration. For Snapchat, the image is shared via Snapchat Creative Kit. For other platforms, the standard iOS Share Sheet is used. Once data is shared to a third-party platform, it is subject to that platform's privacy policy and terms of service.

14.3 Third-Party Platform Policies

• Instagram: https://privacycenter.instagram.com/policy
• Snapchat: https://values.snap.com/privacy/privacy-policy
• We are not responsible for how third-party platforms handle data you share with them

15.1 Referral Data Collection

• REFERRER DATA: Your unique referral code, referral link URL, total referral count, referred user qualification statuses, and referral trial unlock/expiration dates
• REFERRED USER DATA: The referral code used, referring user's ID, attribution timestamp, and your Device ID (IDFV)
• GLOBAL TRACKING: Click counts, install counts, and qualification counts per referral code (aggregated, not personally identifying)

15.2 Device ID (IDFV) Collection

We collect your Apple Identifier for Vendor (IDFV) to prevent referral fraud (e.g., one person using multiple accounts to self-refer). IDFV is a device-specific identifier that is unique to apps from the same developer on your device. It is NOT an advertising identifier and cannot be used to track you across other apps or websites. IDFV resets if you uninstall all apps from our developer account. We collect IDFV from all users, including those who did not arrive via referral, to maintain referral program integrity.

15.3 Referrer Visibility

When a referred user joins via your referral link, they may see your first name displayed on a welcome screen (e.g., "You've been invited by [Name]!"). The referrer can see the qualification status (pending, qualified) of users they referred, but cannot see any health data, assessment results, or other personal information of referred users.

15.4 Referral Data Retention

Referral data is retained while your account is active. Upon account deletion, your referral code is deactivated and your referral records are deleted or anonymized within 30 days. Attribution records linking you as a referred user may be anonymized rather than fully deleted to prevent referral fraud.