Privacy Policy

Last updated: June 2, 2026

This Privacy Policy explains how LyraFit collects, uses, shares, transfers, and protects your personal data when you use our website, web application, mobile application, and related services.

LyraFit is a workout tracking platform currently operated by its founding team. Plans are underway to transition legal operations, data control, and platform operations to Krevallo Ltd in the United Kingdom following incorporation. Until that transition is complete and reflected in this Privacy Policy, the LyraFit founding team acts as the data controller responsible for your personal data.

If you have any questions about this policy or our data practices, contact us at legal@lyra.fit.

We collect the following categories of personal data:

• Account and profile data. Name, email address, profile image, authentication identifiers, and account settings when you create or manage an account.
• Authentication data. LyraFit uses Clerk for authentication. If you sign in with Google, we receive the basic Google account information needed to authenticate you and create or access your LyraFit account. See the Google Sign-In and Google User Data section below for more detail.
• Workout and fitness data. Custom workouts, exercise logs, training plans, planned sessions, completed sessions, sets, repetitions, weights, time-based records, progress records, coach feedback, and other fitness-related information you submit.
• Preferences and relationship data. App preferences such as theme, timezone, analytics preference, body type setting, voice countdown settings, and coach-client relationships where those features are used.
• Waitlist and early access data. Email address, device preference, user type, IP address, user agent, and invitation status when you join the waitlist or receive early access.
• Device, usage, analytics, and error data. IP address, browser type, operating system, referring URLs, pages visited, timestamps of interactions with the platform, feature usage, account-linked analytics events, and browser error diagnostics. We use PostHog for product analytics and error tracking unless you disable analytics in Settings.
• Cookies and local storage. Small pieces of data stored on your device to support essential functionality, authentication, analytics preferences, and analytics/error tracking. See the Cookies & Tracking section below.

We process your personal data for the following purposes:

• Service delivery. To provide, maintain, and operate the LyraFit platform, including storing your workouts and displaying your progress.
• Authentication and account management. To create accounts, verify sign-ins, manage sessions, and administer account deletion requests.
• Workout and coaching features. To manage workouts, plans, session history, performance metrics, coach-client assignments, and related app functionality.
• Improvement. To analyse usage patterns and improve the functionality, performance, and reliability of the service, including through PostHog product analytics unless you disable analytics in Settings.
• Security. To detect, prevent, and respond to fraud, abuse, and security incidents.
• Communications. To send service-related notices, such as account verification, early access invitations, security alerts, and updates to our terms or policies.

If you choose to sign in with Google, LyraFit uses Google Sign-In through Clerk to authenticate you and create or access your LyraFit account.

LyraFit requests the following Google OAuth scopes: openid, email, and profile. These scopes allow us to receive your Google account identifier, email address, email verification status, name, and profile image where available.

We use Google user data only to authenticate you, create and maintain your LyraFit account, secure your session, and display basic account/profile information in the app. We do not use Google user data for advertising, sell Google user data, or transfer Google user data to third parties except as necessary to provide authentication, security, hosting, and app services described in this Privacy Policy.

LyraFit's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Under UK GDPR Article 6, we rely on the following legal bases:

• Performance of a contract. Processing necessary to provide the service you signed up for, including authentication, workout tracking, account settings, and support.
• Legitimate interests. Processing necessary for our legitimate interests, such as improving the platform, ensuring security, and preventing abuse, where those interests are not overridden by your rights.
• Consent. Where we rely on your consent, such as certain analytics preferences or marketing communications, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
• Legal obligations. Processing necessary to comply with applicable law, regulatory requests, or enforceable legal processes.

We do not sell your personal data. We may share data with the following categories of third-party service providers who process data on our behalf:

• Cloud and backend providers, including Convex and hosting infrastructure that store and serve application data.
• Authentication providers, including Clerk and supported social sign-in providers such as Google, that manage sign-in and identity verification.
• Analytics and error tracking providers, including PostHog, that help us understand how the platform is used and diagnose issues.
• Email providers, including Resend, that deliver account, early access, and service-related messages.

All third-party processors are contractually bound to handle your data in accordance with applicable data protection law and only for the purposes we specify.

We may also disclose information if required by law, to protect the rights and safety of users or the platform, or as part of a corporate reorganisation, incorporation, merger, acquisition, or transfer of LyraFit operations.

Your data may be transferred to and processed in countries outside the United Kingdom or the European Economic Area, including the United States and European Union, depending on the providers and infrastructure used to operate the service. Where such transfers occur, we use appropriate safeguards, including:

• Transfers to countries recognised by the UK Secretary of State as providing an adequate level of data protection (adequacy decisions).
• Standard Contractual Clauses (SCCs) approved for use under UK GDPR.
• Equivalent safeguards required by applicable data protection law.

We retain your personal data for as long as your account is active and as needed to provide you with the service. If you request deletion of your account, we will delete or anonymise your personal data within a reasonable timeframe, subject to any legal obligations that require us to retain certain information.

Anonymised or aggregated data that can no longer identify you may be retained indefinitely for analytical and improvement purposes.

You can request account deletion through your account security settings or by following the instructions at https://lyra.fit/support/delete-my-account. Account deletion is irreversible and removes your account identifiers, workout data, training plans, sessions, preferences, relationships, and related LyraFit records from active systems, subject to legal retention obligations and backup rotation periods.

Under UK GDPR, you have the following rights regarding your personal data:

• Access. Request a copy of the personal data we hold about you.
• Rectification. Request correction of inaccurate or incomplete data.
• Erasure. Request deletion of your personal data where there is no compelling reason for continued processing.
• Restriction. Request that we restrict processing of your data in certain circumstances.
• Portability. Request a copy of your data in a structured, commonly used, machine-readable format.
• Objection. Object to processing based on legitimate interests or for direct marketing purposes.
• Withdraw consent. Where processing is based on consent, withdraw that consent at any time.

To exercise any of these rights, contact us at legal@lyra.fit. We will respond within one month as required by law.

LyraFit is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, please do not use the platform or provide any personal information. If we become aware that we have collected data from a child under 16, we will take steps to delete it promptly.

LyraFit uses the following types of cookies:

• Essential cookies. Required for the platform to function correctly, such as session management and authentication. These cannot be disabled.
• Analytics cookies and local storage. Used by PostHog and LyraFit to collect product usage data, page views, analytics preferences, and browser error diagnostics that help us improve the service. These are enabled by default and can be disabled through LyraFit's analytics preference controls in Settings.

We do not use cookies for advertising or cross-site tracking.

We may update this Privacy Policy from time to time. Changes will be indicated by an updated "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the service after changes constitutes acceptance of the revised policy.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

• Website: ico.org.uk
• Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

If you have any questions about this Privacy Policy or our data practices, please contact us at legal@lyra.fit.