Privacy Policy
Effective date: 25 May 2026 · Last updated: 4 June 2026
This Privacy Policy describes how the MSCLS iOS and watchOS app ("MSCLS", "the app", "we") handles your data. MSCLS is a personal gym-tracking app.
TL;DR — MSCLS does not collect any of your personal data. All workout data stays on your device and, if you have iCloud enabled, in your own iCloud account. We have no servers that store your data and no analytics. The only exception is optional: if you choose to connect your Strava account, workouts you upload are sent directly from your device to Strava, with a small relay we operate for sign-in that stores nothing (see section 7).
1. Data the app does not collect
MSCLS does not collect, transmit, or share any of the following:
- Personal information (name, email, phone number, address)
- Account or login credentials (the app has no account system)
- Device identifiers or advertising identifiers
- Location data
- Usage analytics, telemetry, or crash reports
- Contacts, photos, microphone, or camera data
We do not use any third-party analytics, advertising, or tracking SDKs.
The one thing that ever leaves your device is data you explicitly choose to upload to Strava after connecting your Strava account. This is entirely opt-in and is described in section 7.
2. Data the app stores locally
MSCLS stores the data you enter — workouts, exercises, sets, weights, templates, gym locations, and per-gym personal records — locally on your device using Apple's SwiftData framework. This data lives in your device's sandbox and is not sent to any server operated by us.
Your app preferences — including your body weight (used to count bodyweight exercises toward your workout stats) and the muscle-map figure you pick — are stored in your device's local app settings. Like everything else, these stay on your device and are never transmitted to us.
If you have iCloud enabled on your device, your iPhone may sync this data between your devices and back it up via Apple's iCloud services. That sync is controlled by Apple and your iCloud account settings, not by us. We have no access to your iCloud data.
3. HealthKit data
With your explicit permission (granted via the system permission prompt), MSCLS uses Apple's HealthKit framework to:
- Read heart rate samples during an active workout, so the app can display and store your heart rate as part of the workout record.
- Write completed workouts to Apple Health, so they appear in your activity history alongside data from other apps.
All HealthKit data is read from and written to your device's local HealthKit store. MSCLS does not transmit HealthKit data off of your device. We never send HealthKit data to any third party. We never use HealthKit data for advertising, marketing, or any data-mining purpose.
You can revoke MSCLS's HealthKit access at any time in Settings → Privacy & Security → Health → MSCLS, or in the Health app under Sharing → Apps & Services → MSCLS.
4. Apple Watch and workout mirroring
MSCLS includes an Apple Watch companion app. When you start a workout on your iPhone, the Watch app wakes automatically, records your heart rate during the workout using a HealthKit workout session, and streams those heart-rate readings back to your iPhone using Apple's HealthKit workout mirroring. This communication stays between your own paired devices and does not pass through any server operated by us.
5. App Group container
The iOS and watchOS apps share a single data store via an App Group
container (group.spla.mscls) so both apps see the same data.
The container is local to your devices and is provided by iOS.
6. Crash reports
MSCLS does not bundle a crash-reporting SDK. If you have enabled "Share with App Developers" in Settings → Privacy & Security → Analytics & Improvements, Apple may share anonymized, aggregated crash diagnostics with us through App Store Connect. We never receive personally identifiable information through this channel, and you can disable it at any time in iOS Settings.
7. Strava integration (optional)
Effective 4 June 2026, MSCLS offers an optional integration with Strava. This integration is strictly opt-in: nothing is shared with Strava unless you explicitly connect your Strava account and upload a workout — either by choosing to upload an individual workout, or by enabling an auto-upload toggle that you turn on yourself. If you never connect Strava, none of your data ever leaves your device to Strava, and everything in the other sections of this policy applies to you unchanged.
Connecting your account (OAuth). When you connect Strava, you
sign in on Strava's own website or app — we never see your Strava username or
password. Strava then issues access and refresh tokens that let the app upload on
your behalf. These tokens are stored only on your device, in the
iOS Keychain. The token exchange is relayed through a small proxy we
operate (strava.mscls.app), this relay stores no data and keeps no
logs of your tokens or authorization codes — requests simply pass through
to Strava.
What is uploaded. When you upload a workout, the app sends the following directly from your device to Strava's API over HTTPS:
- The workout title
- Exercise names with their set, repetition, and weight details
- The workout's start and end times and total duration
- Heart-rate samples recorded during the workout
- Exercise-category data used for Strava's muscle map
Once a workout is uploaded, the data lives on Strava and is governed by Strava's own privacy policy. Who can see the activity, and how it is shared, is controlled by your Strava account settings — not by us.
Disconnecting. You can disconnect Strava at any time in the app. Doing so deletes the stored tokens from your device and revokes the app's access at Strava (deauthorization). You can also revoke access yourself at strava.com/settings/apps. Disconnecting does not delete activities you have already uploaded — those remain on Strava and are managed through your Strava account.
8. Other third parties
Apart from the optional Strava integration described in section 7, we do not share data with any third party. The app has no third-party analytics, advertising, or tracking SDKs, and makes no network requests to non-Apple services other than the Strava uploads and OAuth relay you have explicitly enabled.
9. Children's privacy
MSCLS is not directed at children under 13. We do not knowingly collect any data from children. Because the app does not collect data from anyone, no special handling is required.
10. Your rights
Because MSCLS keeps all data on your own device:
- You can view, edit, or delete any workout, gym, template, or record at any time inside the app.
- You can delete all app data by deleting the MSCLS app from your devices.
- You can revoke HealthKit permissions at any time as described in section 3.
- If you connected Strava, you can disconnect it at any time as described in section 7.
- If you use iCloud, you control your data via your iCloud account settings.
We hold no copy of your data, so there is nothing for us to delete or export on your behalf.
11. International users (GDPR / CCPA)
Because we do not collect or process personal data, MSCLS does not act as a data controller or processor under the GDPR (EU/UK), nor does it engage in the "sale" or "sharing" of personal information under the CCPA/CPRA (California). Unless you choose to connect Strava and upload a workout, no data leaves your device.
If you do connect Strava, the workout data you upload is sent by you, from your device, directly to Strava, and is then handled by Strava as an independent controller under Strava's own privacy policy.
12. Changes to this policy
If we change how the app handles data — for example, if a future version adds an account system or analytics — we will update this policy and bump the "Last updated" date at the top.
Material change: the optional Strava integration described in section 7 is effective as of 4 June 2026. It does not change how your data is handled unless you choose to connect your Strava account and upload a workout.
13. Contact
Questions about this policy or how the app works: mscls.app@icloud.com