KickFlow Privacy Policy

Last Updated: May 12, 2026

This Privacy Policy explains how KickFlow and KickFlow Wear ("the Application") handle information when users install and use the application. Protecting user privacy is a core principle of the application's design. KickFlow is built to operate with minimal data usage and without collecting personal information beyond what is described below.

1. Data Controller

The Application is developed and operated by Veltrix Interactive ("the developer"). For privacy enquiries, contact [email protected]. Where applicable data protection law (such as the EU/UK General Data Protection Regulation or Türkiye KVKK) requires the identification of a data controller, Veltrix Interactive acts as the controller for the limited categories of data described in Sections 7, 7a, 7b, 7c and 7d of this policy.

2. Minimal Data Collection

KickFlow does not collect, store, or sell personal information to external servers or third parties, except for the limited transmissions described in Sections 7 (AI Features), 7a (AI Form Check), 7b (Firebase Analytics), 7c (Firebase Crashlytics), 7d (NFC Sparring Partner Sync), 8e (Friends Leaderboard via Firebase Auth + Firestore) and 6 (In-App Purchases).

Outside of those described transmissions, the Application does not collect or transmit:

• Email addresses or phone numbers
• Precise location data (GPS, latitude/longitude)
• Persistent device identifiers (IMEI, MAC, advertising ID)
• Microphone recordings
• Camera images or recordings, except when explicitly using the AI Form Check feature (see Section 7a)
• Contacts, calendar, or other on-device personal data not listed in this policy

KickFlow does not require user accounts or registration and does not track users across devices or services.

3. Local Device Storage

Information required for application functionality is stored locally on the user's device. This includes:

• User name and age (entered during onboarding)
• Training history and workout progress
• Custom workout programs
• Experience points, level, and streak data
• Unlocked badges and achievements
• Body weight log entries
• Language and theme preferences
• Subscription status (Pro/Free)

All locally stored data:

• Remains only on the user's device
• Is never transmitted to the developer's servers
• Is not accessible to the developer
• Is not shared with third parties

If the application is uninstalled, locally stored data may also be deleted.

4. Health Connect Integration

KickFlow may optionally integrate with Health Connect by Android to read fitness-related information. If a user grants permission, the application may read the following Health Connect data types:

• Heart rate
• Step count
• Active calories burned
• Blood oxygen (SpO2)
• Respiratory rate
• Body temperature
• Blood pressure (systolic and diastolic)
• Heart rate variability (RMSSD)
• Sleep stages (asleep, awake)
• Distance
• Workout sessions
• Body weight
• Blood glucose

This data is handled under the following principles:

• Access occurs only with explicit user permission via the standard Health Connect consent screens
• Data is used solely for displaying live health metrics and enhancing workout tracking within the application
• Data remains on the user's device — it is not transmitted to the developer's servers or shared with third parties
• Health data may, however, be passed to the Google Gemini API as workout context if the user explicitly uses the AI features described in Section 7

Users may revoke Health Connect permissions at any time through their device settings.

5. Bluetooth Heart Rate Sensors

KickFlow may optionally connect to Bluetooth Low Energy (BLE) heart rate monitors (such as chest straps or smartwatch HR broadcast mode) to display real-time heart rate during workouts.

• Bluetooth scanning occurs only with user-initiated action and appropriate system permissions
• Heart rate data received via BLE is used only for live display and workout statistics within the application
• No BLE data is stored beyond the current session or transmitted externally

6. Wear OS Companion App (KickFlow Wear)

KickFlow includes an optional companion application for Wear OS smartwatches (KickFlow Wear). The companion app communicates with the phone application using the Google Wearable Data Layer API and reads on-watch sensors and Health Services data.

Data exchanged between the phone and watch includes:

• Heart rate readings
• Step count
• Calorie estimates
• Distance travelled (daily and per-session)
• Floors climbed (daily)
• Estimated VO2max (per workout, where supported by the device)
• Elevation gain (per workout, where the watch has a barometer)
• Punch and kick counts (detected via watch accelerometer and gyroscope)
• Rep counts for bodyweight exercises
• Current exercise name and workout elapsed time
• Connection status, watch battery level and charging state

The Wear OS companion app accesses the following on-watch data sources:

• Heart rate sensor (TYPE_HEART_RATE)
• Step counter (TYPE_STEP_COUNTER)
• Accelerometer (TYPE_ACCELEROMETER) — used for strike detection
• Gyroscope (TYPE_GYROSCOPE) — used for strike classification
• Barometric pressure sensor (TYPE_PRESSURE), where available — used to estimate elevation gain
• Google Health Services (androidx.health:health-services-client) Passive Monitoring — used to receive daily distance, floors climbed and calories
• Google Health Services Exercise Client — used during an active workout to receive estimated VO2max and total distance

All sensor data is processed locally on the watch for strike detection and workout tracking. Data is transmitted only between the paired phone and watch over the Wearable Data Layer (a direct device-to-device connection facilitated by Google Play services). No sensor data is transmitted to the developer's servers.

Watch sensor permissions (BODY_SENSORS / health.READ_HEART_RATE on API 36+, plus background variants) are requested separately on the watch and may be revoked at any time through the watch's system settings.

7. In-App Purchases

KickFlow offers an optional Pro subscription through Google Play Billing. Purchase transactions are processed entirely by Google Play.

• KickFlow does not collect, store, or have access to payment information, credit card details, or billing addresses
• Subscription status (active or inactive) is stored locally on the device
• Purchase verification is handled through Google Play services and, when needed, KickFlow's Cloudflare Worker proxy. KickFlow does not store payment card information.

For information on how Google handles purchase data, refer to Google's Privacy Policy.

8. AI Features (Google Gemini)

KickFlow Pro includes AI-powered features such as KickFlow Bot (AI Coach) and AI Workout Generator. These features use the Google Gemini API, accessed via a developer-operated Cloudflare Worker proxy that holds the API key. The proxy does not log message content; it forwards requests to Google and returns the response.

When using AI features:

• User messages and contextual fitness data (workout history, recent health metrics, weight log entries, current program) are sent to Google's Gemini API servers for processing
• Data is transmitted over HTTPS and used to generate AI responses within the app
• Google may process and retain this data according to their Gemini API Terms of Service and Google Privacy Policy. Under current Google policy for the unpaid tier of the Gemini API, prompts and responses may be retained by Google for a limited period (e.g. up to 55 days) for abuse review and service improvement; users should review Google's terms for current details
• KickFlow does not store conversation data on its own external servers — chat history exists only in memory during the active session
• The Cloudflare Worker proxy may apply a per-user rate limit using a hashed identifier; it does not retain message contents
• AI-generated advice is for informational purposes only and should not be treated as professional medical, nutritional, or fitness advice
• AI can make mistakes — always verify important information

Users who do not wish to use AI features can simply avoid using them. AI features require an active Pro subscription and explicit in-app consent on first use.

8a. AI Form Check — Camera Usage

KickFlow Pro includes an AI Form Check feature that uses the device camera to analyze martial arts technique. When using this feature:

• The camera permission is requested on first use — the Application will not access the camera without permission
• A live camera preview is shown on-screen only while the feature is open
• A single still image is captured only when the user initiates a form check via the 3-2-1 countdown
• The captured image is sent to Google's Gemini API (via the Cloudflare Worker proxy described in Section 7) for technique analysis and is then immediately discarded by the Application — it is never saved to the device gallery, transmitted to the developer's servers, or stored by KickFlow on any server
• Google's retention of the submitted image is governed by the same Gemini API terms referenced in Section 7
• No continuous recording or video is ever captured
• The same data-sharing consent required for all AI features applies to AI Form Check
• Users may deny camera permission at any time via their device settings without affecting other app features

8b. Firebase Analytics

KickFlow uses Firebase Analytics (provided by Google) to collect anonymous, aggregated usage data to improve the app experience. This data includes:

• Feature usage events (e.g. which screens are visited, which workout types are started)
• App performance metrics (crash counts, load times)
• Device type and OS version (no unique identifiers under the developer's control)

Firebase Analytics data:

• Is anonymised and aggregated — the developer cannot link it to an individual user
• Does not include health data, workout content, AI conversations, or any user-generated content
• Is governed by Google's Privacy Policy and the Firebase Terms of Service
• Can be opted out on Android via Google device settings → Google → Ads → Opt out of Ads Personalisation

8c. Firebase Crashlytics

KickFlow uses Firebase Crashlytics (provided by Google) to detect and diagnose crashes and serious errors in the Application. When a crash occurs, Crashlytics may transmit the following information to Google:

• The exception type, stack trace, and the line of code where the crash occurred
• Non-personal device information (model, OS version, available memory, orientation, locale)
• A randomly generated installation identifier used to count affected users (this identifier is not linked to a real user identity by the developer)
• Limited application breadcrumb logs that record which screens were navigated to before the crash

Crashlytics data:

• Does not include health data, workout content, AI conversations, body weight log entries, names entered during onboarding, or other user-generated content
• Is used solely to diagnose and fix bugs in the Application
• Is governed by Firebase's privacy and security information and Google's Privacy Policy

8d. NFC Sparring Partner Sync

KickFlow includes an optional Sparring Partner feature that allows two nearby users running KickFlow to exchange live workout statistics with each other using Near Field Communication (NFC) and the Android Host Card Emulation framework.

When a user explicitly initiates a sparring partner connection:

• The Application broadcasts and receives, over NFC and only with the other user's consent (their device must also be running KickFlow with the feature open), the following: heart rate, punch count, kick count, calorie estimate, and step count for the active sparring session
• No name, email, age, location, account identifier, or other personal information is exchanged
• The exchange occurs directly between the two devices over a short-range physical connection (a few centimetres); no data passes through the developer's servers, Google's servers, or any other third-party server
• The exchanged sparring data is held in memory for the duration of the active sparring session and is not retained by either device after the session ends

NFC permission can be controlled via the device's system settings. The Sparring Partner feature requires both devices to opt in.

8e. Social Friends Leaderboard (Firebase Authentication + Cloud Firestore)

KickFlow includes an optional Friends Leaderboard feature that allows users to compare weekly workout aggregates with friends they explicitly add. When a user opens the Friends section, the Application uses Firebase Authentication (anonymous sign-in) and Cloud Firestore (both Google services) to enable this feature.

What is collected and stored on Google's Firebase servers:

• Anonymous user ID — auto-generated by Firebase. It is not linked to your email, phone number, name, or any real-world identity.
• Nickname — chosen by you, 3 to 16 characters, alphanumeric and underscore only.
• Friend code — auto-generated, 8 characters, used so other users can send you a friend request.
• Weekly aggregated workout stats — total strikes, XP earned, current streak length, total minutes, and workout count for the current week only. Individual workout details (HR data, exact timestamps, GPS, etc.) are not uploaded.
• Friend list — the user IDs of people you have explicitly accepted as friends through two-way mutual confirmation.
• Friend requests — pending incoming friend requests, including the sender's nickname and friend code.
• Rival flag — a boolean indicating whether you have marked a particular friend as a "rival" (maximum of three rivals).

What is not collected by the social feature:

• Email, phone number, real name, address, age, gender
• Location data of any kind
• Device contacts, photos, or other personal device content
• Individual workout records, GPS routes, heart-rate traces, or anything beyond the weekly aggregates listed above

How the data is shared:

• Your nickname and weekly aggregated stats are visible only to users you have explicitly accepted as friends. There is no global leaderboard, no public feed, and no discovery mechanism that lets strangers find you without your friend code.
• Friendship is enforced server-side via Firestore Security Rules: both parties must add each other before either side can read the other's stats.
• Data is not shared with advertisers, data brokers, or any third party beyond Google's Firebase infrastructure which acts as the hosting provider.

Security and abuse prevention:

• All traffic uses HTTPS/TLS via Firebase.
• Firebase App Check with Google Play Integrity rejects requests from tampered or unofficial copies of the Application.
• Stat values are bound-checked server-side and a 30-second rate limit is enforced between updates to prevent abuse.
• Nicknames are validated against a strict character allow-list (alphanumeric and underscore only).

Retention and deletion:

• Social data is retained for as long as you keep the Application installed and the social feature active.
• You can permanently delete all of your social data — profile, weekly stats, friend list, pending requests, and the anonymous Firebase account itself — at any time via Settings → Friends → Delete Social Account inside the Application. All data is removed from Firebase upon request.
• If you uninstall the Application without using the Delete Social Account button, your anonymous account and stored data remain on Firebase until you reinstall the Application and explicitly delete it, or until you contact veltrixinteractive@gmail.com requesting deletion.

The Friends Leaderboard is optional. If you never open the Friends section, no Firebase Authentication account is created and no Firestore document is written for you.

8f. Children Under 13

The social features described in Section 8e are not directed to children under the age of 13. If the developer becomes aware that an anonymous account corresponds to a user under 13, that account and all associated data will be deleted. Parents or guardians who believe their child has used the social features may contact veltrixinteractive@gmail.com to request immediate deletion.

9. No Behavioural Advertising or Cross-Service Tracking

KickFlow does not use third-party advertising networks, behavioural advertising SDKs, or tracking technologies that build profiles of users across services.

The Application does not share information with advertisers or external organisations for commercial purposes. External transmissions are limited to those described in Sections 7, 8, 8a, 8b, 8c and 8d.

10. Data Security

External transmissions described above use HTTPS/TLS in transit. Phone-to-watch communication occurs over the Google Wearable Data Layer, which requires prior pairing of the watch with the phone. NFC sparring sync is short-range and only active while the user holds the feature open. Users maintain control of any data stored locally on their device through standard Android application data controls.

No security system is perfect. The developer cannot guarantee the security of data transmitted to or stored by third-party services (Google, Firebase, Cloudflare).

11. Your Rights (GDPR / UK GDPR / KVKK)

If you are in the European Economic Area, the United Kingdom, Türkiye, or another jurisdiction with similar data-protection law, you may have the following rights with respect to personal data the developer controls (which is limited to the categories described in Sections 7, 8, 8a, 8b, 8c and 8d):

• Right of access — to ask what personal data, if any, the developer holds about you
• Right to erasure — to ask the developer to delete personal data it holds about you
• Right to rectification — to ask the developer to correct inaccurate data
• Right to object / restrict processing — for example, to object to the processing of crash data via Crashlytics
• Right to data portability — where applicable
• Right to lodge a complaint with your local data-protection supervisory authority

Because most KickFlow data lives only on your device, the most effective way to exercise erasure of locally stored data is to clear the application's storage or uninstall the Application from your device. For server-side data held by Google (Gemini API, Firebase Analytics, Crashlytics), please follow the request procedures in Google's privacy resources. For any request directed to the developer, contact [email protected].

12. Age Restriction

KickFlow is a physical training and exercise application and is not directed to children. The minimum age to use the Application is 13 years. In jurisdictions where applicable law sets a higher digital-consent age (for example, some EU member states set this age between 14 and 16), the higher local age applies and the Application should not be used below that age without verifiable parental or guardian consent.

Users under 18 should use the Application only with the involvement of a parent or legal guardian who has reviewed this Privacy Policy and the Terms of Use.

13. Health and Liability Disclaimer

KickFlow provides general kickboxing and fitness training guidance for educational purposes only. The Application is not a medical device and does not provide medical advice, diagnosis, or treatment.

By using the Application, users acknowledge and agree that:

• All exercises are performed at their own risk
• Users are responsible for their own physical condition and safety
• Users should consult a qualified healthcare professional before beginning any exercise program if necessary
• Heart rate data, calorie estimates, distance, floors, VO2max, elevation gain, strike counts, and other metrics provided by the Application and its companion Wear OS app are approximations and should not be relied upon for medical purposes
• The developer of KickFlow shall not be held liable for any injuries, physical harm, medical conditions, damages, or losses that may occur as a result of using the Application or performing exercises provided within it

14. How Long We Keep Your Data (Data Retention)

KickFlow retains different categories of data for different periods, depending on where the data is stored and which third-party service processes it:

• Local device data (workout history, custom programs, XP, level, streak, badges, body weight log, name, age, language and theme preferences, subscription status, locally cached AI plans): retained indefinitely on the user's device until the user deletes it from within the app, clears the application's storage from system settings, or uninstalls the Application. The developer has no copy of this data and cannot retain it after the user deletes it locally.
• Health Connect data (heart rate, steps, calories, SpO2, HRV, sleep, etc.): not retained by KickFlow at all — the data remains in Health Connect, which is governed by Google. KickFlow only reads it on demand to display live metrics.
• Bluetooth heart rate data: held only in memory during the active workout session; discarded when the session ends or the app is closed.
• Phone-to-watch sensor data (Wear OS companion): held in memory during the active workout; aggregated session results are saved into the local workout history (see above) and otherwise discarded when the session ends.
• NFC sparring partner data: held in memory only for the duration of the active sparring session (typically one to a few rounds, ending when the user stops the session) and then discarded; no copy is retained on either device or transmitted to the developer.
• AI feature data sent to Google Gemini (chat messages, captured form-check images, contextual fitness data): not retained by KickFlow or by the Cloudflare Worker proxy. Google may retain prompts and responses for up to 55 days under the current Gemini API unpaid-tier policy for abuse review and service improvement; please refer to Google's current Gemini API terms for the live retention period. Conversation history exists in the Application only in memory during the active session.
• Firebase Analytics: anonymous event data is retained by Google for up to 14 months of activity, after which Google automatically deletes it. Aggregated reports may be retained longer in anonymised form.
• Firebase Crashlytics: anonymous crash reports are retained by Google for up to 90 days per Firebase defaults; the developer may also delete individual crash reports manually before that period ends.
• Google Play Billing records (subscription / purchase status): retained by Google under Google's own Play Billing retention policy; KickFlow does not control or extend this period.

The developer does not operate any user database, analytics warehouse, or backup system that holds personal data outside of the third-party services listed above.

15. How to Delete Your Data

Because KickFlow stores most user data only on the user's device, deletion is fast and is largely controlled by the user directly. The procedure is:

1. Delete all local data from inside the app. Open KickFlow → Settings → Reset Progress, then confirm. This permanently deletes the user's name, age, gender, workout history, sparring records, custom programs, XP, level, streak, challenge progress, unlocked badges, weight log entries, locally cached AI plans, and consent flags from the device.
2. Uninstall the Application to clear any remaining local files, including SharedPreferences and cached images.
3. Revoke Health Connect permissions in the Android system settings (Settings → Apps → Health Connect → Apps → KickFlow → Remove access) to stop future reads.
4. Revoke microphone, camera, NFC, body sensors and Bluetooth permissions in Android system settings if desired.
5. Request deletion of any anonymous server-side records (Firebase Analytics installation ID, Crashlytics records, or any prompts that may have been retained by Google's Gemini API): email veltrixinteractive@gmail.com with the subject line Data Deletion Request — KickFlow. Please include the device model, the approximate install date and, if available, your Firebase Installation ID (visible in the app's About screen). Requests are actioned within 30 days; a confirmation email is sent when deletion is complete.
6. Partial deletion is also supported in-app: individual workout entries can be removed from the Workout History screen, custom programs from the Programs tab, weight entries from the Weight Log screen, and AI consent or analytics opt-in can be revoked at any time from Settings.

Full step-by-step deletion instructions are also available at https://getkickflow.app/delete_data.html.

16. Changes to This Privacy Policy

This Privacy Policy may be updated periodically to reflect improvements to the application, new features, or regulatory requirements. Any updates will be indicated by revising the "Last Updated" date at the top of this policy. Continued use of the Application after updates constitutes acceptance of the revised policy.

17. Contact

If you have questions regarding this Privacy Policy or wish to exercise the rights described in Section 11, you may contact the developer at [email protected] or through the official distribution platform where KickFlow is published.