Hacoeur

Privacy Policy

# Biskito

# Privacy Policy

**Effective date:** April 30, 2026

**Last updated:** April 30, 2026

Welcome to **Biskito**. This Privacy Policy explains what data we collect, how we use it, and the principles that guide every decision we make about your information. Our approach is built on three commitments: **collect the minimum**, **protect what we hold**, and **give you full control**.

---

## 1. Our Privacy Principles

We believe your data is yours. Biskito is built around the following commitments:

- **Minimum data collection.** We only collect the information strictly required to make the app work and to enable social interactions between team members.
- **No selling, no advertising, no profiling.** We do not sell, rent, share, or monetize your personal information in any form.
- **No usage monitoring.** We do not track your in-app behavior, screen views, session duration, taps, or interactions for analytics purposes. There is no behavioral telemetry inside Biskito.
- **Canadian data residency.** Your data is stored in a database hosted in **Canada** and is subject to Canadian privacy law.
- **Full user control.** You can delete your account and all associated data at any time, directly from the app.
- **Ethics first.** We treat trust as the foundation of this product. Every privacy decision is made with that responsibility in mind.

---

## 2. What We Collect

We collect only what is necessary to operate the app and enable group features. This includes:

### 2.1 Account information

- Email address (used for authentication and account recovery)
- Display name and optional profile picture
- Authentication identifier from your chosen sign-in provider (see Section 3)

### 2.2 Social and team data

- Teams you belong to, create, or are invited to
- Programs you create, save, favorite, or run
- Daily activity logs you voluntarily submit (e.g. completed reps, workout durations)
- Messages, reactions, or social signals you exchange with team members

### 2.3 Technical data required for delivery

- A user identifier so we can associate data with your account
- Device timezone (required to compute the correct day index of a program)

That is it. We do not collect location, contacts, advertising identifiers, biometric data, or browsing history.

---

## 3. Third-Party Sign-In

Biskito supports sign-in through trusted third-party providers (such as **Apple Sign-In** and **Google Sign-In**). When you choose to authenticate with one of these providers:

- We receive only what is strictly required to identify your account: a unique provider-issued user ID, your email address, and a display name (when you allow it).
- We do **not** receive your password, contact list, calendar, photos, or any other data held by the provider.
- You can disconnect the provider at any time by deleting your Biskito account.

We rely on these providers solely to make sign-in fast and secure — never to enrich a profile about you.

---

## 4. How We Use Your Data

Your data is used **only** for the following purposes:

- Authenticating you and keeping your account secure
- Displaying programs, teams, and daily logs to you and your teammates
- Enabling social connection between members of the same team (so teammates can see each other's progress and motivate each other)
- Sending strictly transactional communication (e.g. account recovery)
- Complying with legal obligations when required

We do **not** use your data for:

- Advertising or remarketing
- Analytics, A/B testing, or product behavior tracking
- Selling, renting, or sharing with brokers
- Building shadow profiles or training third-party AI models

---

## 5. Data Storage and Location

All Biskito user data is stored in a database located in **Canada**, provided by our backend infrastructure partner **Supabase**.

This means your data is governed by Canadian privacy law (notably **PIPEDA** at the federal level, and applicable provincial laws such as **Quebec's Law 25**). We chose Canadian residency intentionally to keep your data subject to strong, predictable legal protections.

---

## 6. Security and Responsibility

We take security seriously and apply industry-standard practices, including:

- Encrypted connections (HTTPS/TLS) between the app and our servers
- Encryption at rest within our Canadian-hosted database
- Strict access controls so that only systems and people who absolutely need data can reach it
- Authentication handled through trusted identity providers

### Honest disclosure

No system on the Internet can guarantee **100%** security. While we apply strong protections, **a breach originating from a third-party provider (such as Supabase or any underlying cloud infrastructure) is outside our direct control and is not something we can be held responsible for.**

In the event of a security incident affecting your data, we commit to:

- Acting **immediately** to contain and investigate the issue
- Notifying affected users **as quickly as possible**, with clear and honest information
- Cooperating fully with the relevant Canadian privacy authorities
- Taking every reasonable action to protect our users and prevent recurrence

We cannot promise a perfect world — but we promise speed, honesty, and accountability when something goes wrong.

---

## 7. Your Rights and Controls

You always remain in control of your data.

### 7.1 Access

You can view your account information and your activity directly inside the app at any time.

### 7.2 Correction

You can update your profile information at any time from the settings screen.

### 7.3 Deletion

You can permanently delete your account and all associated data directly from within the app. When you do:

- Your account, profile, programs, logs, and team memberships are deleted from our active database
- Backups are rotated on a short retention schedule, after which deleted data is no longer recoverable
- We do not retain shadow copies for marketing or analytics purposes

### 7.4 Portability

You can request an export of the data associated with your account by contacting us.

### 7.5 Withdraw consent

You can revoke your consent to data processing at any time by deleting your account.

---

## 8. Children's Privacy

Biskito is not intended for children under the age of 13 (or the minimum age required by your local jurisdiction). We do not knowingly collect data from children. If you believe a child has created an account, please contact us so we can remove it.

---

## 9. Changes to This Policy

If we update this Privacy Policy, we will publish the new version inside the app and update the "Last updated" date at the top. For material changes, we will notify users in a clear and visible way before the changes take effect.

---

## 10. Contact

For any privacy question, request, or concern, you can reach us at:

**privacy@biskito.app**

We will do our best to respond promptly and transparently.

---

*Thank you for trusting Biskito. We do not take that trust lightly.*