Privacy Policy
Last updated: June 6, 2026
This Privacy Policy explains how Jotlift collects, uses, and protects personal information. It applies to users in Japan and internationally.
1. Operator and legal entity
Service name: Jotlift.
Operator of the Jotlift platform: Jotlift. For registered business name, address of the operator, and name of the representative (as required under Japan’s Act on the Protection of Personal Information (APPI)), contact support@jotlift.com. We will respond without undue delay.
General inquiries and privacy requests: support@jotlift.com
Website: https://jotlift.com
2. What we collect
Account data: email, username, profile photo, language preferences, account type (trainee or trainer), and authentication identifiers from Apple or Google when you use those sign-in options.
Workout and training data: exercises, sets, notes, templates, rest-timer settings, and related content you enter or upload.
Media: profile photos, workout set videos, and trainer exercise videos you choose to upload.
Health and device data (optional): heart-rate readings when you enable HealthKit (iOS), Health Connect (Android), Apple Watch companion features, or live heart-rate integrations; device and app metadata needed to run those features.
Payment and subscription data: subscription status, product identifiers, and billing metadata from Apple, Google, RevenueCat, or Stripe. We do not store full payment card numbers.
Communications: support messages and email delivery metadata.
Technical data: IP address, device type, app version, and logs used for security, debugging, and abuse prevention.
3. HealthKit, Apple Watch, and health data
Heart-rate and rest-timer features are optional. On iOS, Jotlift may read heart-rate data from HealthKit and from an Apple Watch companion app when you grant permission. On Android, similar data may be read from Health Connect where supported.
We use this data only to display heart rate during workouts, support rest-timer features, and sync workout state between your phone and watch. We do not use health data for advertising or sell it to third parties.
Health data is stored with your account when the feature requires server sync. You can revoke access in iOS Settings → Health → Data Access & Devices, or Android Health Connect permissions, and disable watch features in the app.
Apple Watch Live Activities and workout session features may process timing and heart-rate data on your device to show rest timers on your watch or lock screen.
4. Why we use data
We use data to provide and operate the service (contract), authenticate users, sync workouts across devices, process subscriptions, deliver trainer–client features, send transactional email, secure accounts, prevent abuse, and improve reliability.
With your opt-in only, we send product tips and marketing email. You may unsubscribe at any time.
5. Legal bases
Depending on your location, we rely on contract necessity, consent (marketing email and optional health integrations), and legitimate interests (security, fraud prevention, service improvement).
In Japan, we handle personal information in accordance with the APPI and related guidance, including rules on disclosure of retained personal data and external transmission of user-related information.
6. Cookies and similar technologies
Marketing website (jotlift.com): We use a small preference cookie (ROLE) to remember trainee vs trainer role selection on the public site. It is stored for up to one year with SameSite=Lax.
Dashboard and authentication: Session and OAuth cookies are set on our API/auth host when you sign in with email or Apple/Google. These are necessary for login and security.
We do not currently use third-party advertising cookies or cross-site tracking for ads on our websites.
You can control cookies through your browser settings. Disabling essential cookies may prevent sign-in.
7. Subprocessors and external transmission
We use trusted service providers to run Jotlift. They process data only on our instructions and for the purposes listed below. We do not sell personal data for third-party marketing.
Vercel — hosting for the marketing website and trainer dashboard (United States / global edge).
Railway — hosting for the Jotlift API backend (United States).
Cloudflare R2 — cloud storage for uploaded photos and videos (global infrastructure).
SendGrid (Twilio) — transactional and marketing email delivery (United States).
Stripe — trainer platform subscriptions and billing portal (United States; may process payment data according to Stripe’s terms).
RevenueCat — mobile subscription management for App Store and Google Play purchases (United States).
Apple — Sign in with Apple, App Store in-app purchases, HealthKit, and Apple Watch services (per Apple’s terms).
Google — Sign in with Google and Google Play billing (per Google’s terms).
When you use these features, certain account, subscription, or health-related data may be transmitted to the providers above or to Apple/Google as part of providing the service.
8. International transfers
Your data may be processed in countries other than your own, including the United States and Japan. Where required, we use appropriate safeguards such as contractual protections with processors.
9. Security
We use encryption in transit (HTTPS), access controls, and industry-standard practices to protect personal information. No method of transmission or storage is completely secure.
10. Retention
We retain personal data while your account is active and as needed to provide the service, resolve disputes, enforce agreements, and comply with legal obligations.
When you delete your account through the app or dashboard, we delete or anonymize personal data as described in the delete-account flow, except where retention is required by law.
11. Your rights
You may request access, correction, deletion, restriction, or export of your personal data, and opt out of marketing email, by contacting support@jotlift.com.
Japan (APPI): You may request disclosure of retained personal data, correction, suspension of use, erasure, and suspension of third-party provision. We will respond without undue delay in accordance with APPI.
EU/UK (GDPR): You may have additional rights including objection and lodging a complaint with a supervisory authority.
California (CCPA/CPRA): We do not sell personal information. You may have rights to know, delete, and correct personal information as applicable.
12. Children
Jotlift is not directed at children under 16. We do not knowingly collect personal data from children under 16.
13. Marketing email
Product newsletters and promotional email are sent only if you opt in during onboarding. Each marketing email includes an unsubscribe link. Transactional email (verification, security, service-related invitations) does not require marketing consent.
14. Changes
We may update this policy. Material changes will be communicated as required by law (including notice on our website or by email where appropriate).