Jiya Privacy Policy
Effective date: April 29, 2026
Last updated: April 29, 2026
This Privacy Policy describes how Jiya (“Jiya,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use the Jiya iOS application (the “App”) and any related services (collectively, the “Services”).
Operator: Web and Things, LLC
Contact: admin@webandthings.com
1. What this app does, in plain language
Jiya is a group fitness competition app. You sign in with Apple or email, optionally upload a profile photo, and create or join short-running competitions with friends. Your activity (steps, running distance, active calories, or workout minutes) is read from Apple Health on your device and submitted to the relevant competition's leaderboard. At the end of a competition we generate a fun AI cartoon recap image and store it on our backend.
We collect only what we need to run those features.
2. Information we collect
2.1 Information you provide
- Account information: display name, username, optional bio, avatar color, optional gender (used only to bias the AI cartoon recap).
- Profile photo: optional — only if you choose to upload one or generate one with Apple's Image Playground feature.
- Authentication credentials: if you sign in with Apple, we receive your Apple Sign-In identifier (“sub”) and, if you choose to share them, your email address and name. If you sign in with email, we receive your email address and a one-time login code we email to you.
- Content you generate: competitions you create or join; reactions and quick-phrase messages you send to other participants.
- Device push token: if you grant notification permission, your device's APNs push token so we can deliver notifications.
2.2 Information we read from Apple Health (on-device only)
With your permission, the App reads the following Apple Health metrics on your device:
- Step count
- Walking + running distance
- Active energy burned
- Workouts (used to compute total workout minutes)
We do not receive your raw Apple Health samples. The App reads these values on your device, aggregates them within the time window of an active competition, and submits only the aggregated total for that competition to our backend so the leaderboard can be displayed. We never write back to Apple Health.
2.3 Information collected automatically
- Approximate location: none. The App does not request or use location services.
- Device + diagnostic data: standard logs (HTTP request metadata, timestamps, error traces) generated by our backend (Convex) when the App makes a request.
- Crash reports: if you have crash reporting enabled at the OS level, Apple may share aggregated crash data with us through Apple's Developer tools.
2.4 Information we do NOT collect
We do not knowingly collect: precise location, contacts, microphone audio, camera photos other than a profile photo you explicitly select, financial information, or biometric identifiers.
3. How we use information
We use the information described above to:
- Create and authenticate your account (Sign in with Apple / email one-time codes).
- Display you and your competitors on real-time leaderboards.
- Generate the end-of-competition AI cartoon recap image (see §5).
- Send push notifications you've consented to (reactions, rank changes, invites, recap-ready alerts).
- Operate, secure, and improve the Services.
- Comply with legal obligations and enforce our Terms of Service.
We do not use your information for personalized advertising or sell it to third parties.
4. Legal bases for processing (EEA/UK users)
If you are in the European Economic Area or the United Kingdom, we process your personal information on the following legal bases:
- Performance of a contract — to provide the Services you've requested.
- Legitimate interests — to operate, secure, and improve the Services, where this is not overridden by your rights.
- Consent — for sensitive data such as Apple Health metrics, optional profile information you choose to share, and push notifications. You can withdraw consent at any time in iOS Settings.
- Legal obligation — when required by applicable law.
5. Third-party services we use
We share the minimum information necessary with the following processors:
| Provider | What's shared | Why |
|---|---|---|
| Apple, Inc. | Sign-in identifier; APNs device token; HealthKit permission scopes (data stays on your device unless you submit a competition score). | Authentication, push delivery, health data access. |
| Convex (Convex Inc.) | Account information, competition data, profile photos, push tokens, AI recap images, session tokens (hashed). | Backend database, file storage, real-time sync. |
| Resend (Resend, Inc.) | Email address, one-time sign-in code, sender metadata. | Delivering email one-time login codes. |
| OpenAI, L.L.C. | Profile photos of competition participants (only when uploaded), competition name, prompt text describing the recap scene. | Generating the end-of-competition AI cartoon recap image. |
We do not share your information with any third party for advertising purposes.
5.1 OpenAI specifically
Per OpenAI's API data policy, content sent through the API is not used to train OpenAI's models by default. Generated images and any inputs you send (including profile photos used as a likeness reference) are subject to OpenAI's usage policies. We send the minimum necessary inputs and store generated images on Convex; we do not retain a copy in OpenAI's systems beyond their default retention window.
6. How long we keep information
| Data | Retention |
|---|---|
| Account record | Until you delete your account. |
| Profile photo | Until replaced or deleted. |
| Competition participation rows | Until you delete your account or leave a competition. |
| AI recap images | Until the host deletes the competition or you delete your account. |
| Session tokens | 30 days from last use, then automatically reaped. |
| Email one-time codes | 10 minutes (expires) or single-use (deleted on success). |
| Push tokens | Until the device unsubscribes or APNs reports the token as invalid. |
| Server logs | Up to 30 days. |
When you delete your account (see §8), we delete or anonymize all of the above except where we are legally required to retain certain records.
7. How we protect information
- All network traffic between the App, Convex, Apple, Resend, and OpenAI is encrypted in transit (TLS).
- Session tokens are stored as SHA-256 hashes on the server; the plaintext only ever lives in the iOS Keychain on your device.
- Email one-time codes are also stored as SHA-256 hashes; we never log or display them server-side outside dedicated dev environments.
- Apple Health raw samples never leave your device.
- We follow industry-standard practices for access control, secret management, and audit logging.
No system is perfectly secure. Use a strong device passcode and keep iOS up to date.
8. Your rights and choices
Depending on where you live, you have rights over your personal information, including:
- Access — request a copy of the personal information we hold about you.
- Correction — update your display name, username, photo, bio, gender, and avatar color in-app.
- Deletion — delete your account in-app under Settings → Account → Delete account, or contact us at the address above. Deletion is permanent.
- Portability — request a copy of your data in a machine-readable format.
- Withdraw consent — revoke HealthKit access in iOS Settings → Privacy & Security → Health → Jiya. Revoke push notifications in iOS Settings → Notifications → Jiya.
- Object to processing / restrict processing — where applicable under GDPR/UK GDPR.
- Lodge a complaint — with your local data-protection authority.
To exercise any right not built into the App, email us at the contact address above. We respond within 30 days.
8.1 California residents
California residents have the rights described under the CCPA/CPRA, including the right to know, delete, correct, and limit use of sensitive personal information. We do not “sell” or “share” personal information as defined under the CCPA. To submit a CCPA request, email the contact address above.
9. Children
Jiya is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
10. International transfers
Our backend (Convex) and processors (Apple, Resend, OpenAI) operate primarily in the United States. If you use the App from outside the US, your information will be transferred to and processed in the US. Where required, we rely on Standard Contractual Clauses or equivalent mechanisms.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will give notice of material changes in-app or by email at least 30 days before they take effect. Continued use of the Services after the effective date constitutes acceptance.
12. Contact
Questions, concerns, or requests:
Web and Things, LLC
Email: admin@webandthings.com