Effective Date: March 1, 2026 | Version 2.0
1. Introduction
IKU LLC (“IKU”, “we”, “our”, or “us”) operates KETTLEBELL MONSTER™ (the “Service”). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights over your data. By using the Service, you agree to the practices described in this Policy.
We are headquartered in the United States. All persistent user data is stored on servers in the United States (US-West region, Northern California). If you access the Service from outside the US, your information will be transferred to and processed in the US. For information about cross-border transfer safeguards, see Section 11.
2. Information We Collect
2.1 Information you provide directly
- Account information: Name, email address, and password (or OAuth token if you sign in via Google or Facebook).
- Profile information: Display name, username, avatar, bio, training style, kettlebell collection, and other optional profile fields you choose to complete.
- Training data: Workout logs, timer sessions, personal bests, weights used, scores, rates of perceived exertion (RPE), and other training activity you record.
- Mental readiness data: Self-reported stress, focus, motivation, confidence, and emotional load values (0–100 scale) submitted through our MIND features, as well as optional reflection notes and mental pattern assessments.
- Recovery data: Self-reported body-part recovery status, symmetry assessments, and movement readiness inputs you submit through our RECOVER features.
- Fitness profile data (optional): Height, body weight, resting heart rate, maximum heart rate, basal metabolic rate, weight classification, muscle mass category, and lifestyle/activity level.
- Community content: Posts, comments, photos, and videos you share in CONNECT.
- Payment information: If you subscribe to a paid plan or purchase content, your payment is processed by Stripe. We do not store your full card number, expiry, or CVV. We retain only the last four digits and card type for display purposes. Stripe stores your complete payment details under their Privacy Policy.
- Creator information: If you become a creator, we collect additional information including your bio, certifications, specialties, social media links, and payout details (bank account information for Stripe Connect, encrypted at the application level).
- Communications: Messages you send to us for support, feedback, or error reports.
2.2 Information collected automatically
- Usage data: Pages visited, features used, and time spent on the Service. We use this internally to improve the Service; we do not share it with third-party analytics services.
- Device and browser data: Browser type, operating system, screen resolution, and language preferences.
- IP address: Used for security, fraud prevention, and infrastructure (CDN routing). We do not track precise GPS location.
- Error reports: When errors occur, we automatically collect error messages, stack traces, and UI interaction breadcrumbs to diagnose issues. Sensitive data (passwords, card numbers, tax information) is automatically redacted before storage.
- Cookies and similar technologies: See Section 6 below.
2.3 Information we do not collect
We do not collect: precise GPS location, phone numbers, government identification numbers, biometric identifiers (fingerprints, face scans), data from wearable health devices, or information from children under 13.
3. How We Use Your Information
We use your information to:
- Provide the Service: Operate your account, display your training history, run timers, track scores, and power community features.
- Personalize your experience: Remember your preferences, calculate training streaks, and display relevant content.
- AI-powered guidance: Our Compass feature uses artificial intelligence (Anthropic Claude API) to generate personalized workout suggestions based on your training level, streak, mental readiness band, and recovery status. This processing uses aggregated metrics only (not raw check-in values). AI-generated responses are not stored by the AI provider beyond 30 days and are not used to train AI models. You can use the Service without this feature.
- Process payments: Manage subscriptions, process purchases, and facilitate creator payouts via Stripe.
- Send essential communications: Account confirmations, password resets, billing receipts, subscription renewal reminders, and critical account notifications.
- Send optional communications: Product updates and feature announcements, only if you have opted in to receive them. You can opt out at any time from your notification settings.
- Gamification: Calculate XP, levels, badges, and leaderboard positions based on your activity.
- Security and abuse prevention: Monitor for unauthorized access, enforce our Terms of Service, and protect the platform.
- Improve the Service: Analyze aggregate, de-identified usage trends. We do not build individual behavioral profiles for advertising.
- Legal compliance: Fulfill legal obligations, respond to lawful requests, and protect our rights.
We do not sell your personal information to third parties. We do not share data with advertising networks. We do not use your data for behavioral advertising.
4. How We Share Your Information
We share your information only in the following circumstances:
4.1 Service providers
We share data with trusted vendors who help us operate the Service. Each provider processes data only as instructed by us and in accordance with their own privacy policies:
- Supabase — Database hosting, user authentication, and file storage. All user data is stored on Supabase-managed infrastructure in the US-West region (Northern California). See Supabase's Privacy Policy.
- Stripe — Payment processing, subscription management, and creator payouts via Stripe Connect. Stripe receives your email, name, and payment details when you make a purchase. See Stripe's Privacy Policy.
- Amazon Web Services (SES) — Transactional email delivery from the US-East-1 (N. Virginia) region. AWS receives recipient email addresses and message content. See AWS's Privacy Policy.
- Cloudflare — CDN, DDoS protection, DNS, web hosting (Cloudflare Pages), video hosting (Cloudflare Stream), image hosting (Cloudflare Images), and bot protection (Cloudflare Turnstile). Cloudflare processes IP addresses, request metadata, and browser characteristics for security purposes. See Cloudflare's Privacy Policy.
- Anthropic — AI personalization for the Compass guidance system. Anthropic receives aggregated, non-identifying user metrics (training level, streak count, mental readiness band) to generate recommendations. Anthropic does not use API data for model training and deletes inputs/outputs within 30 days. See Anthropic's Privacy Policy.
4.2 Authentication providers (user-initiated)
If you choose to sign in via Google or Facebook, those providers share your email, name, and profile picture with us during authentication. We do not share your activity data back to those providers.
4.3 Creator data
If you purchase creator content or join a Tribe, the creator can see your display name. Creators cannot see your email address, payment details, or private activity data.
4.4 Legal requirements
We may disclose your information if required by law, court order, or government authority, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of any person.
4.5 Business transfers
If IKU LLC is acquired, merged, or sells substantially all of its assets, your information may be transferred to the successor entity subject to the same privacy protections described here.
4.6 With your consent
We will share your information in any other circumstances only with your explicit consent.
5. Sensitive Health and Wellness Data
Some data you provide may be considered sensitive under privacy laws, including:
- Fitness biometrics (height, weight, heart rate)
- Mental readiness self-assessments (stress, motivation, focus, confidence, emotional load)
- Recovery status and body-part assessments
- Workout logs and physical performance data
How we handle sensitive data:
- All sensitive data fields are optional. You can use core features of the Service without providing any health or wellness data.
- We process this data only to provide the features you choose to use (workout tracking, mental readiness tools, recovery tools).
- We do not share sensitive health data with third parties for their own purposes.
- We do not use this data for advertising or profiling.
- You can delete this data at any time by deleting individual entries or by requesting account deletion.
For users in the European Union, our lawful basis for processing health-related data is your explicit consent, which you provide when you voluntarily submit this information through the relevant features. You may withdraw consent at any time by ceasing to use these features and requesting deletion of your data.
For users in Washington State, in accordance with the My Health My Data Act, we collect consumer health data only with your consent and do not sell consumer health data.
6. Cookies and Tracking
We use cookies and similar technologies to operate the Service.
6.1 Essential cookies (always active)
These are required for the Service to function and cannot be disabled:
- Authentication session tokens (secure, HTTP-only)
- Cookie consent preference
6.2 Functional cookies
These support optional features:
- Affiliate referral tracking cookies (30–90 day duration, used to attribute referrals to the correct affiliate)
6.3 What we do NOT use
We do not use advertising cookies, third-party tracking cookies, retargeting pixels, or cross-site tracking technologies. We do not share cookie data with advertising networks.
6.4 Managing cookies
You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using the Service. For a detailed breakdown of our cookies, see our Cookie Policy.
7. Push Notifications
If you opt in to push notifications, we store a device token to deliver notifications to your browser. You can disable push notifications at any time from your notification settings or your browser settings. We do not share push notification tokens with third parties.
8. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS 1.2+) for all connections
- Secure, HTTP-only authentication cookies
- Row-level security on our database
- Cloudflare DDoS and bot protection
- Content Security Policy (CSP) headers
- Automatic redaction of sensitive data in error logs
- Encryption of creator payout details at the application level
Payment card data is handled exclusively by Stripe, which is PCI-DSS Level 1 certified. We never store, process, or transmit full card numbers on our servers.
However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
If you discover a security vulnerability, please report it responsibly to [email protected].
9. Data Retention
We retain your personal data as follows:
- Account data: For as long as your account is active.
- Training logs, mental readiness data, recovery data: For as long as your account is active, or until you delete individual entries.
- Community content: Until you delete it or until your account is deleted.
- Payment and billing records: Up to 7 years after the transaction, as required for tax and legal compliance.
- Error logs: Automatically purged on a rolling basis.
- Push notification tokens: Until you disable notifications or delete your account.
If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it by law (such as billing records for tax purposes). Aggregated, anonymized data (such as total workout counts) may be retained indefinitely as it cannot be linked back to you.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request deletion of your account and personal data. You can initiate this from Settings → Privacy & Data.
- Data Export: Request a machine-readable export of your data (JSON format). You can initiate this from Settings → Privacy & Data.
- Objection: Object to certain processing of your data, such as optional communications.
- Withdrawal of consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Restrict processing: Request that we limit how we use your data while a concern is being resolved.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
10.1 California residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know: You can request the categories and specific pieces of personal information we have collected about you.
- Right to delete: You can request deletion of your personal information, subject to certain exceptions.
- Right to opt out of sale: We do not sell personal information. No opt-out is needed.
- Right to limit use of sensitive personal information: We use sensitive personal information (health and wellness data) only to provide the features you have requested. We do not use it for purposes beyond what is necessary to provide the Service.
- Non-discrimination: We will not discriminate against you for exercising your privacy rights.
For full CCPA/CPRA details, see our CCPA Notice.
10.2 European Union residents (GDPR)
For information about our lawful bases for processing, cross-border transfer safeguards, and your rights under the GDPR, see our Data Protection page.
11. International Data Transfers
Your personal data is processed and stored in the United States. If you access the Service from outside the US:
- Your data will be transferred to the US, which may have different data protection laws than your jurisdiction.
- For transfers from the European Economic Area, United Kingdom, or Switzerland, our service providers maintain appropriate safeguards including Standard Contractual Clauses approved by the European Commission.
- You may request information about these safeguards by contacting [email protected].
12. Children’s Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child under 13 has provided us with personal information, please contact us at [email protected] and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised Policy at this URL and update the effective date. For material changes, we will notify active users via email or an in-app notice at least 14 days before the change takes effect.
14. Contact
For privacy-related questions, requests, or complaints:
IKU LLC
Attn: Privacy
15442 Ventura Boulevard, STE 201-1081
Sherman Oaks, CA 91403, USA
Email: [email protected]