Privacy policy.

Last updated · April 18, 2026

This is the plain-language version of how Mesocycle handles your data. If you want the formal version, skip to the sections below — they're meant to say the same things, slower.

Short version: we collect the minimum data needed to run the app, store it encrypted in a database only you can read from, don't sell or share it, and delete it when you ask us to.

1. Who runs this

Mesocycle ("the app," "we," "us") is operated as an independent project. Questions about this policy can be directed to the contact address at the bottom of this page.

2. What we collect

We collect only what the app needs to function:

  • Account data — the email address you sign up with, a hashed password, and any multi-factor authentication secrets you set up. Authentication is handled by Supabase Auth.
  • Profile data — the values you enter in onboarding (age, height, weight, training age, goal). These are used to calibrate your program.
  • Training data — the sessions and sets you log, the exercises you pick, and your muscle-priority marks.
  • Operational logs — short-lived server-side logs (request timestamps, error traces) kept for debugging and security; these do not contain your training data.

We do not collect:

  • Location data.
  • Contacts, photos, or health records.
  • Advertising identifiers or third-party tracking cookies.
  • Payment information (the app is free during the beta; when paid tiers exist, payment processors — not us — will handle card details).

3. Where it lives

Your account and training data live in a Supabase-managed Postgres database hosted in the United States (us-east-1). Every domain table has row-level security enforced, with policies keyed on the signed-in user's ID. In practice this means no user can read or write another user's rows — not via the app, not via the API, not at all.

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Audit events are append-only; once written, they cannot be modified or deleted by any role, including us.

4. Who can see it

You. That's the answer to the question in the heading. Row-level security ensures that API calls only return rows belonging to the authenticated caller.

We share data with:

  • Supabase — our database and auth provider. They process data on our behalf under a data-processing agreement.
  • Vercel — our hosting provider for the static site and the app shell.
  • Law enforcement — only if compelled by a valid legal process, and only to the minimum scope required.

We do not sell your data, share it with advertisers, or use it to train third-party models.

5. Cookies and local storage

The app uses localStorage to remember that you've completed onboarding and to keep your auth session alive across page loads. It does not use analytics cookies, marketing cookies, or any tracking pixels. The marketing pages at mesocycle.app/, /science, etc. do not set any cookies.

6. Your rights

Regardless of where you live, you can:

  • Access your data — all of it is visible inside the app. A CSV export is coming; for now, email us and we'll send it.
  • Correct your data — from the app's Settings screen.
  • Delete your account — from Settings. Deletion requires a second factor (MFA) as a safety check. All your training data is removed.
  • Port your data — the export above is intended to satisfy portability rights under GDPR and CCPA.
  • Object or restrict — email us and we'll talk about what's feasible.

7. Security

Security measures in place:

  • Forced row-level security on every domain table.
  • Password minimum length of 12 characters and breached-password checks.
  • TOTP-based multi-factor authentication available, required for account deletion.
  • Rate limits on sign-in, OTP, and email endpoints.
  • Strict Content Security Policy, HSTS, and modern transport security headers.
  • Native iOS builds (when shipped) will use certificate pinning against the Supabase project's SPKI hashes.

No system is perfect. If you find a vulnerability, please email us rather than disclosing publicly, and we'll respond quickly.

8. Retention

We keep your data for as long as your account is active. If you delete your account, training data is removed immediately. Some operational logs may persist for up to 30 days for security and debugging purposes; these don't contain training data.

9. Children

Mesocycle is not designed for or directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, contact us and we'll delete it.

10. International users

Our servers are in the United States. If you access the app from outside the U.S., your data will be transferred to and processed in the U.S. By using the app you consent to this transfer.

11. Changes to this policy

If we make material changes, we'll update the "Last updated" date at the top of this page and, for substantial changes, notify active users inside the app.

12. Contact

Email hello@mesocycle.app with questions, data requests, or security disclosures.