Privacy Policy — SwimLytic
Last updated: July 6, 2026
Controller: Henrique Rodrigues · H2N Ventures LLC (Florida, USA)
Contact: henricr@gmail.com
SwimLytic ("we", "our" or "the app") is an AI-powered swimming technique analysis application. This policy explains how we collect, use, store and protect your personal data. It is designed to comply with the privacy laws applicable to where you live, including the Brazilian LGPD (Law 13.709/2018), the EU/UK GDPR, and applicable US laws (including state privacy laws such as the California CCPA/CPRA and the federal COPPA rules for children).
1. Personal Data We Collect
1.1 Registration and Authentication
- Email (required, used for magic-link login)
- Name (required)
- Date of birth (optional)
- Gender (M/F)
- Swim club (optional)
- Age category (from youth to masters)
- Country
- Avatar photo (optional)
1.2 Swimming Videos
- Videos recorded with the camera or imported from the gallery (max. 60 seconds)
- Pose analysis runs on your own device. By default, your video never leaves your phone.
- If you use cloud analysis features (when available), the video is uploaded to our server for processing only and is automatically deleted after analysis. Videos are never stored permanently.
1.3 Body Landmark Data (Sensitive Data)
Video processing extracts:
- 33 body landmarks per frame (x, y, z coordinates and visibility)
- Biomechanical angles (elbow, shoulder, knee, body rotation, head, entry, catch, streamline, kick)
- A subset of body landmarks may be stored with each analysis
These landmarks describe swimming movement only. They are never used to identify you — SwimLytic performs no facial recognition and no identity matching. Because this data relates to your body, we treat it as sensitive data and require explicit, highlighted consent before your first analysis (LGPD Art. 11; GDPR Art. 9 standard).
1.4 Performance Data
- Analysis history (stroke, score, date)
- Generated cards (PNG image)
- Ranking position
- Card battle results
1.5 Feedback Data (Local Storage)
- Corrections you make to the AI analysis
- Stored locally on your device, never sent to our servers
2. Legal Basis for Processing
| Data | LGPD basis | GDPR equivalent |
|---|---|---|
| Email, name, profile | Contract performance (Art. 7, V) | Art. 6(1)(b) contract |
| Swimming video | Contract performance (Art. 7, V) | Art. 6(1)(b) contract |
| Body landmark data | Specific, highlighted consent (Art. 11, I) | Art. 9(2)(a) explicit consent |
| Anonymized analytics | Legitimate interest (Art. 7, IX) | Art. 6(1)(f) legitimate interest |
| Future use in AI training | Separate opt-in consent (Art. 7, I) | Art. 6(1)(a) consent |
3. How We Use Your Data
- Authentication: email used for magic-link login
- Video analysis: pose extraction and technical scoring run on your device; results (scores, angles and a landmark subset) are saved to your account
- Narrative report: when enabled, scores and biomechanical angles are sent to the Claude API (Anthropic) to generate your technical correction report
- Cards and rankings: card images are generated and stored for sharing and ranking
We do not sell your personal data, and we do not share it with third parties for their own marketing ("sale" or "sharing" as defined by the CCPA/CPRA).
4. Third-Party Processors
4.1 Supabase
- Role: authentication, database, storage
- Data: account data, analyses and cards
- Certification: SOC 2 Type II · Servers: AWS
4.2 Anthropic (Claude API)
- Role: generation of narrative technical reports
- Data sent: stroke style, category scores, biomechanical angles
- Location: USA
4.3 Apple App Store / Google Play
- Role: app distribution and subscription payments
4.4 RevenueCat
- Role: subscription management (store receipts; never receives your videos or landmark data)
4.5 Expo/EAS
- Role: app update delivery
5. Storage and Retention
| Data | Location | Retention |
|---|---|---|
| Athlete video | Device (default) or Supabase Storage (cloud analysis) | Automatically deleted after cloud analysis |
| Full analysis | Supabase DB | While your account is active |
| Body landmarks (subset) | Supabase DB (JSONB) | With the analysis |
| Biomechanical angles | Supabase DB (JSONB) | With the analysis |
| Narrative report | Supabase DB | With the analysis |
| Card (PNG image) | Supabase Storage | While your account is active |
| Athlete profile | Supabase DB | Until account deletion |
| Local feedback | Device (AsyncStorage) | Controlled by you |
An automatic mechanism removes orphaned videos (not deleted due to pipeline failure) after 1 hour.
6. Cards and Public Information
Generated cards contain the athlete's name, stroke style, score and tier. Card images are stored in a publicly accessible bucket to enable social sharing and rankings. Global rankings display athletes' names and scores.
7. Children and Minors
The app serves age categories that include minors.
- Brazil (LGPD Art. 14): users under 16 require consent from at least one parent or legal guardian.
- USA (COPPA): children under 13 require verifiable parental consent.
- Our sign-up flow requests parental consent for all users under 16, which satisfies both standards.
8. Your Privacy Rights
All users can, at any time:
- Access: view all personal data we hold about you
- Export: export your data as JSON via Settings > Privacy
- Delete: delete your account and all associated data via Settings > Privacy
- Withdraw consent: revoke consent for landmark data processing at any time
- AI training opt-out: refuse the use of your data for training AI models
If you are in Brazil (LGPD Art. 18): you may also request confirmation of processing, anonymization, portability, and information about sharing, and lodge a complaint with the ANPD.
If you are in the EEA/UK (GDPR): you may also exercise rights to rectification, restriction, portability and objection, and lodge a complaint with your supervisory authority.
If you are a California resident (CCPA/CPRA): you have the right to know, delete and correct your personal information, and to opt out of "sale" or "sharing" — we do not sell or share your personal information. We will never discriminate against you for exercising your rights.
To exercise any right, use Settings > Privacy in the app or email henricr@gmail.com.
9. AI Training
SwimLytic may use anonymized feedback data to improve its AI models. This use requires separate opt-in consent and can be revoked at any time under Settings > Privacy. Data from users who opt out is never included in any training process.
10. Device Permissions
| Permission | Reason |
|---|---|
| Camera | Record swimming video |
| Photo Library | Import existing video |
| Microphone | Audio captured with video |
No permission is accessed without an explicit user action.
11. Security
- Data in transit: HTTPS (TLS 1.2+)
- Data at rest: Supabase encryption (AES-256)
- Authentication: expiring JWT tokens
- We never sell, rent or share personal data with third parties for marketing purposes
12. International Data Transfers
Our infrastructure providers are located in the USA. For users outside the USA, data is transferred with your consent and under appropriate safeguards (LGPD Art. 33; GDPR Ch. V mechanisms where applicable). When the narrative report is enabled, scores and biomechanical angles are sent to the Claude API (Anthropic, USA) exclusively for generating technical reports.
13. Changes to This Policy
We may update this policy periodically. Changes will be announced in the app and take effect immediately upon publication.
14. Contact
For questions about this policy or to exercise your rights:
- Email: henricr@gmail.com
- Controller: Henrique Rodrigues · H2N Ventures LLC
© 2026 SwimLytic · H2N Ventures LLC. All rights reserved.