· Legal · Privacy

Your body data is yours.

Repbeats is built on a simple rule: biometric signals stay on your device unless you choose otherwise. This page explains, in plain language, what we collect, why, and how you stay in control.

EffectiveApril 1, 2026Versionv1.1JurisdictionGlobal · GDPR · CCPA
PrivacyTerms

Overview

Repbeats is a mobile app that syncs music tempo to your workout. To do that, we read signals from your phone and wearables (heart rate, motion, cadence) and use them to pick and time-stretch tracks in real time.

By default, everything we read is processed on-device. Your raw biometric stream never reaches our servers. When we do need something in the cloud (account basics, purchases, your custom playlists), we keep it minimal and encrypted.

The short versionOn-device by default. No biometric sale, ever. Export or delete your cloud mirror in two taps from Settings → Data & privacy.

What we collect

We group data into three buckets:

  • Account data: email, display name, password hash, subscription status. Stored on our servers so you can sign in across devices.
  • Biometric signals: heart-rate, steps, cadence, effort. Processed locally. Only aggregated session summaries (e.g. average BPM, duration) leave the device, and only if you enable cloud sync.
  • App telemetry: crash logs, anonymized feature counters. Used to fix bugs. No advertising identifiers.

Biometric signals

This is the sensitive stuff, so we treat it separately. Repbeats reads from:

  • Apple Health: workouts, VO₂ summaries, calorie estimates. Revoke anytime inside iOS Health.
  • Apple Watch: native pairing through our Wearables drawer; swapping devices replaces the previous stream.
  • Fitbit & Whoop OAuth: narrow scopes for heart-rate, readiness, strain, sleep debt.
  • Garmin • Samsung Galaxy Watch • Google Pixel Watch: surfacing soon with the same one-active-device guarantees.
  • Motion sensors: steps and cadence from the handset when you deliberately start a tempo session.

Raw samples exist only in RAM during a session. When the session ends, we persist a summary (duration, zones, average HR) to local storage. Nothing biometric goes to us without cloud sync turned on, and even then: encrypted at rest, never shared with third parties, never used to train general-purpose models.

Music & listening

Repbeats connects to Apple Music and Spotify Premium through their official SDKs. Listening events (which track, for how long, what BPM it hit) stay on-device for the Auto-DJ engine. If you opt into recommendations, we share a hashed track-ID and your session's target BPM with the matcher service, nothing else.

Sharing

We do not sell data. Ever. We share in three narrow cases:

  1. Service providers that host our infrastructure (AWS, Stripe for payments). Contractually bound, processors only.
  2. Legal obligation: valid court order, subpoena, or to prevent imminent harm.
  3. With your consent: e.g. if you post a session to a social feed.

Retention

Account data lives as long as your account does. Session summaries default to a 12-month rolling window; you can change this to 3, 6, or unlimited in Settings → Data. Telemetry is aged out at 30 days.

Delete your account in Settings → Account → Delete, or email support@repbeats.com. We confirm within 72 hours and purge within 30 days.

Your rights

Repbeats Data & privacy screen with Export and Delete shortcuts
Settings → Data & privacy matches the disclosures above. Tap through to export JSON or purge cloud history.

Wherever you are, you can:

  • Access: export everything we hold as a JSON bundle.
  • Correct: edit profile data in-app.
  • Delete: wipe your account and all associated data.
  • Object: opt out of telemetry and recommendations.
  • Port: hand your export to any other service you like.

EU/UK residents can contact our Data Protection Officer at support@repbeats.com. California residents have specific rights under the CCPA/CPRA; see California residents (CCPA) below.

California residents (CCPA)

If you live in California, the California Consumer Privacy Act (CCPA), as amended by the CPRA, gives you additional rights over personal information we hold about you. We do not sell your personal information or share it for cross-context behavioral advertising.

  • Know: what categories of personal information we collect and how we use them (summarized in the sections above).
  • Access & delete: export or delete account data in Settings → Data & privacy, or email support@repbeats.com.
  • Correct: update profile details in-app.
  • Limit sensitive data: biometric signals stay on-device by default; you control cloud sync.
  • Non-discrimination: we will not deny service for exercising these rights.

Authorized agents may submit requests on your behalf with written permission. We verify identity before fulfilling requests and respond within the timelines required by California law.

Children

Repbeats is not directed at children under 13 (under 16 in the EU). We do not knowingly collect their data. If you believe a child has signed up, email support@repbeats.com and we will remove the account.

Changes to this policy

We will notify you in-app and by email at least 14 days before any material change. Non-material updates (typos, clarifications) are versioned above.

Contact

Questions about this policy? Reach us at: