XPire Privacy Policy
Last updated: April 30, 2026
Data Controller
XPire is operated as an individual sole proprietorship based in Italy. The data controller responsible for the processing of your personal data under the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") is the operator of XPire, contactable at hello@xpireapp.com. Where the operator is later replaced by a registered legal entity, this section will be updated with the entity's legal name, registered address, and tax identification number.
Introduction
Welcome to XPire ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and website at https://xpireapp.com and related services (collectively, the "App").
By using XPire, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our App.
Information We Collect
1. Account Information
When you create an account, we collect your email address, username, and display name. This information is used to authenticate your account and personalize your experience.
2. Profile Information
You may choose to provide additional profile information such as a profile photo (avatar), bio, country, city, fitness level, and weight. This information helps customize your experience and connect you with other users.
3. Fitness and Workout Data
We collect fitness-related data including workout logs, exercise types, duration, distance, calories burned, personal records, workout streaks, and experience points (XP). This data powers the core functionality of our fitness tracking and gamification features.
4. Location Data
With your permission, we collect GPS location data during workouts to track your running, walking, or cycling routes. This includes real-time location coordinates, distance traveled, pace, and route paths. Location data is used to display your workout routes on maps and enable the country conquest feature. You can disable location tracking at any time in your device settings.
5. Media Content
When you upload photos, videos, or stories to the App, we store this content on our servers. This includes workout photos, profile pictures, and social media posts. Stories automatically expire and are deleted after 24 hours.
6. Social and Communication Data
We collect data related to your social interactions, including followers, following lists, messages, comments, and likes with other users.
7. Device and Usage Information
We automatically collect certain device information including push notification tokens, timezone, device model, operating system version, app version, and general usage analytics. This helps us improve app performance, send you notifications (like streak reminders), and understand how users interact with our features.
8. Analytics and Crash Reporting
We use PostHog (hosted in the European Union) to collect product analytics, anonymized session recordings, and error/crash reports. This includes events such as screens viewed, workouts completed, posts created, in-app actions, device type, browser, approximate location (country/region only, derived from IP address), and technical error details. Session recordings have all text inputs masked by default; we do not record passwords, payment details, or message contents. You can disable analytics at any time from the user menu in the app ("Allow analytics" toggle).
9. Advertising Identifiers
All users — including those on paid subscriptions — may see rewarded video advertisements served via Google AdMob. AdMob may process your device's advertising identifier (Apple IDFA on iOS, Google Advertising ID on Android), IP address, and limited device information to serve and measure ads. On iOS, we request your permission via Apple's App Tracking Transparency (ATT) framework before any cross-app tracking identifier is shared. On Android, you can reset or limit ad tracking via your device's Google settings. Users on paid subscriptions do not see ads, and no advertising identifier is collected for them.
10. Push Notification Data
We use OneSignal to deliver push notifications (e.g. streak reminders, league updates, social notifications). To do so, OneSignal processes a device push token, your timezone, device language, app version, and a hashed user identifier. You can disable push notifications at any time from your device's system settings.
11. Subscription and Purchase Data
Subscriptions are processed by Apple App Store or Google Play Store. We do not collect or store your payment card details. RevenueCat acts as our subscription manager and receives a pseudonymous user identifier, your subscription tier, transaction status, and store receipts in order to grant or revoke premium features.
12. Referral Data
If you sign up using a referral code, we link your account to the referring user's account in order to award referral rewards. This link is internal and is not shared with any third party.
Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the GDPR for processing your personal data:
Performance of a contract (Art. 6(1)(b) GDPR) — to create and operate your account, deliver workout tracking, social features, leaderboards, and paid subscription features you have purchased.
Consent (Art. 6(1)(a) GDPR) — for optional features that require your explicit permission, including GPS location tracking, push notifications, product analytics and session replay (PostHog), and personalized advertising identifiers (ATT on iOS).
Legitimate interests (Art. 6(1)(f) GDPR) — to keep the Service secure, prevent fraud and abuse, debug crashes, enforce our Terms, and improve the product. Where we rely on legitimate interests, you have the right to object.
Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, consumer-protection, and law-enforcement obligations.
How We Use Your Information
To provide and maintain our fitness tracking and gamification services
To authenticate your account and ensure security
To display your workout routes on maps and enable country conquest features
To enable social features such as following and messaging
To send push notifications including streak reminders and workout updates
To calculate and display leaderboards, achievements, and rankings
To improve and optimize app performance and user experience
To display rewarded advertisements
To process subscriptions and grant entitlements through RevenueCat and the app stores
To respond to your inquiries and provide customer support
To prevent fraud, abuse, cheating, and violations of our Terms
To comply with legal obligations
Data Sharing and Disclosure
We do not sell your personal data. We may share your information in the following circumstances:
Service Providers (data processors): We use the following third-party services to operate the App: Supabase (database hosting, authentication, and file storage); MapLibre (map tile rendering for workout routes, no account required); OneSignal (push notification delivery); PostHog, EU region (product analytics, session replay, and error tracking); Cloudflare (content delivery network [CDN] for media and edge security); RevenueCat (subscription management and entitlement validation); Google AdMob (rewarded video ads); Apple App Store / Google Play Store (payment processing for subscriptions); Resend (transactional email delivery, e.g. password resets, email confirmation); Despia (native mobile app wrapper that delivers the App on iOS and Android).
Other Users: Your public profile information, posts, and workout activities may be visible to other users based on your privacy settings.
Legal Requirements: We may disclose your information if required by law, court order, or in response to valid legal requests by public authorities (including to meet national security or law enforcement requirements).
Business Transfers: If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. You will be notified via the App or email of any such change.
International Data Transfers
XPire is operated from Italy and serves users worldwide. Some of our service providers (such as Cloudflare, RevenueCat, OneSignal, Google AdMob, and the app stores) are based outside the EEA, including in the United States. Where personal data is transferred outside the EEA, United Kingdom, or Switzerland, we rely on appropriate safeguards under the GDPR, including:
European Commission Standard Contractual Clauses (SCCs)
Adequacy decisions where applicable (e.g. EU–US Data Privacy Framework)
Provider-specific Data Processing Addenda (DPAs)
You may request a copy of the relevant safeguards by contacting us at hello@xpireapp.com.
Data Storage and Security
Your data is stored securely on cloud infrastructure provided by Supabase. We implement industry-standard security measures including:
Encryption of data in transit using TLS/SSL
Encryption of data at rest
Secure authentication protocols and password hashing
Row-level security policies for database access
Server-side validation of subscriptions and sensitive operations
Regular security reviews and dependency updates
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal data, we cannot guarantee absolute security.
Your Rights and Choices
You have the following rights regarding your personal data:
Access: You can view your personal data within the App's profile and settings sections.
Correction: You can update your profile information at any time through the App.
Deletion: You can delete your account and all associated data through Settings → Delete Account. This action is permanent and cannot be undone.
Data Export / Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format by contacting us at hello@xpireapp.com.
Restriction / Objection: You may ask us to restrict or object to certain processing activities, including processing based on our legitimate interests.
Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
Opt-out of Notifications: You can disable push notifications through your device settings or within the App.
Location Services: You can disable location tracking at any time through your device settings. Note that this will limit certain features like GPS workout tracking.
Profile Visibility: You can set your profile to private to limit who can see your activity.
Disable Analytics: Use the "Allow analytics" toggle in the user menu to opt out of product analytics and session replay.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide you services. Specific retention periods include:
Stories: Automatically deleted after 24 hours
Uploaded post media: Auto-deleted after 30 days from cloud storage
Account data, workout data, and messages: Retained until you delete your account
Analytics events (PostHog): Retained for up to 12 months in aggregated form
Subscription receipts: Retained as required by tax and consumer-protection law (typically up to 10 years in Italy)
Upon account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g. fraud prevention, tax records).
Children's Privacy
XPire is not intended for children under the age of 13 (or under 16 in jurisdictions of the EEA where a higher digital-consent age applies). We do not knowingly collect personal information from children below these ages. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@xpireapp.com, and we will take steps to delete such information.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy in the App and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.
Additional Rights for EU/UK and California Residents
If you are a resident of the EEA, the United Kingdom, or Switzerland, you may exercise the rights described above under the GDPR. You also have the right to lodge a complaint with your local data protection authority. In Italy, the competent authority is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and CPRA, including the right to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as defined under the CCPA. To exercise these rights, please contact us at hello@xpireapp.com.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
XPire
Operator location: Italy
Email: hello@xpireapp.com
Website: https://xpireapp.com
