Privacy Policy

Effective: February 27, 2026
Version: 2026-02-27

CompSesh ("we," "us," or "our") is a climbing session logging and social application. This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use CompSesh (the "App"). We are committed to transparency and to protecting your privacy.

We do not sell your personal information. We do not display ads. We do not use third-party analytics SDKs. We do not engage in cross-context behavioral advertising or cross-app tracking.

1. Who We Are

CompSesh is the data controller responsible for your personal information. If you have questions about this policy or your data, contact us at:

CompSesh
Email: [email protected]

We have not appointed a Data Protection Officer as we do not currently meet the thresholds requiring one under GDPR Article 37. For all data protection inquiries, contact [email protected]. For purposes of Brazil's LGPD, this contact also serves as our designated Encarregado. For purposes of South Korea's PIPA, this contact serves as our Chief Privacy Officer. For purposes of South Africa's POPIA, this contact serves as our Information Officer.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address — for authentication, account recovery, and service communications. If you use Apple Sign-In with the "Hide My Email" feature, we receive and treat your Apple relay address (@privaterelay.appleid.com) identically to a standard email address. If you use Google Sign-In, we receive the email address associated with your Google account.
  • Display name — shown to other users on your profile and during sessions.
  • Profile photo (optional) — displayed on your profile and in social features. If you use Google Sign-In, your Google profile photo may be imported as your initial profile photo.
  • Password (email/password users only) — stored as a bcrypt hash. We never store or have access to your plaintext password.
  • Apple Sign-In identifier (Apple Sign-In users only) — a unique, app-scoped token provided by Apple.
  • Google Sign-In identifier (Google Sign-In users only) — a unique identifier provided by Google through the OAuth authentication flow. We do not receive or store your Google password.

2.2 Climbing Performance Data

When you log sessions and climbs, we collect:

  • Session timestamps (start and end times)
  • Gym associations (which gym you climbed at)
  • Boulder and route information (grades, names, identifiers)
  • Attempt counts and send status (flash, send, attempts)
  • Scores and performance metrics calculated from your climbing activity
  • Skill ratings and progression data

2.3 Photos and Videos

When you upload photos or videos of boulders, routes, or climbing sessions, we collect:

  • The media files themselves — photos (JPEG) and videos (MP4) uploaded through the App, stored in our cloud infrastructure (Supabase Storage on AWS).
  • File metadata — file size, format, dimensions, and upload timestamp.
  • EXIF and embedded metadata — photos and videos taken by phones and cameras often contain hidden metadata including GPS coordinates, device make and model, camera settings, and timestamps. Uploaded photos and videos are re-encoded (compressed and resized) on your device before upload, which removes embedded EXIF metadata including GPS coordinates from the stored media. We may retain non-identifying technical metadata (such as image dimensions) for display purposes.

Profile photos are similarly compressed and re-encoded on upload, removing EXIF metadata.

Important: While the re-encoding process removes EXIF data from the version stored on our servers, the original file on your device is not modified. If you share photos outside CompSesh, those files may still contain location data.

2.4 Social and Multiplayer Data

When you use social features, we collect:

  • Follow and follower relationships
  • Community feed activity and interactions
  • Multiplayer session participation, including real-time climbing data visible to session participants
  • Session invitations sent and received

2.5 User-Created Gym Data

When you submit gym information, we collect:

  • Gym name, city, state or region, and country
  • Geographic coordinates (latitude and longitude of the gym)
  • Any additional gym details you provide

This data is factual information about businesses and is treated as a community resource.

2.6 Push Notification Tokens

If you enable push notifications, your device provides a push notification token. This token is used solely to deliver notifications about session invitations, social activity, and service updates.

2.7 Subscription Data

If you subscribe to CompSesh Pro, subscription purchases are processed entirely by Apple through the App Store. We do not collect or store your payment information (credit card numbers, billing address, etc.). We receive and store:

  • Subscription status — whether you have an active Pro subscription (used to enable Pro features).
  • Transaction identifiers — Apple-provided transaction IDs for purchase verification.

2.8 Technical and Usage Data

We collect limited technical data necessary to operate the service:

  • IP addresses — recorded in connection with account creation, agreement acceptance, and authentication events. IP addresses in authentication logs are retained for 90 days.
  • Authentication logs (login timestamps, authentication method) — retained for 90 days for security purposes
  • Error logs and crash data generated by the App — used to diagnose and fix bugs
  • App version and iOS version — used to ensure compatibility

We limit the collection of personal information to what is necessary for the purposes identified in this policy. We do not collect device advertising identifiers, IP-based geolocation for profiling, browsing history, or any data from other apps on your device.

2.9 Locally Cached Data

The App caches certain data on your device for performance and offline access, including your profile information, recent session data, gym information, and downloaded media. This data remains on your device and is cleared upon account deletion or app removal.

3. How We Use Your Information

We use your information for the following purposes:

To provide and operate the App — authenticating your identity, logging climbing sessions, calculating performance metrics, displaying your profile and activity, enabling multiplayer sessions, and delivering push notifications.

To maintain and improve the service — diagnosing technical issues, fixing bugs, and improving App functionality based on aggregated, non-identifying usage patterns.

To communicate with you — sending service-related emails such as account verification, password reset, material changes to this policy or our Terms of Service, and responding to your support requests.

To enforce our terms and protect users — moderating user-generated content (including photos, videos, and gym data), investigating reports of abuse or policy violations, and taking action against accounts that violate our Terms of Service or Community Guidelines.

To comply with legal obligations — responding to lawful requests from authorities, complying with applicable laws, and protecting our legal rights.

We use automated calculations to generate climbing performance scores, Skill Index ratings, and leaderboard rankings based on your logged climbing data. These calculations do not produce legal effects or similarly significant effects concerning you, and no automated decisions are made about your access to the Service based on these scores.

We do not use your personal information for advertising, profiling, automated decision-making that produces legal effects, or any purpose not described in this policy.

Necessity of data provision. Providing your account information (email address, display name) is a contractual requirement necessary to use the Service. If you do not provide this information, you cannot create an account or use the App. Providing climbing data, photos, videos, and gym data is voluntary but necessary to use the corresponding features.

4. Legal Bases for Processing (EU/EEA, UK, and Similar Jurisdictions)

Where applicable law requires a legal basis for processing your personal data, we rely on the following:

Contractual necessity (GDPR Article 6(1)(b)) — Processing your account information, climbing data, social data, session data, and photos/videos is necessary to provide you the service you signed up for.

Consent (GDPR Article 6(1)(a)) — Push notification delivery requires your affirmative consent, obtained through the iOS system permission prompt. You may withdraw consent at any time through your device settings. We also obtain your consent before processing any data that falls outside the scope of contractual necessity.

Legitimate interest (GDPR Article 6(1)(f)) — User-created gym data (factual information about businesses) is processed under legitimate interest, as it is voluntarily submitted, has minimal privacy impact, and supports the shared gym directory that benefits all users. We have conducted a Legitimate Interest Assessment for this processing. Security logging and fraud prevention are also processed under legitimate interest.

Legal obligation (GDPR Article 6(1)(c)) — We process certain data to comply with applicable laws, including responding to lawful data access requests and maintaining records required by law.

5. How We Share Your Information

5.1 With Other Users

Certain information is visible to other CompSesh users by design:

  • Your display name and profile photo
  • Your climbing scores and activity on community feeds
  • Your real-time climbing data during multiplayer sessions (visible to session participants)
  • Gym data you submit (visible to all users as part of the shared gym directory)
  • Photos and videos you upload of boulders and routes (visible to users viewing those boulders/routes)

5.2 With Service Providers (Data Processors)

We share your data with the following service providers, who process it solely on our behalf and under contractual obligations to protect your data:

  • Supabase, Inc. — Backend infrastructure (database, authentication, file storage, real-time functionality). Data is stored on AWS infrastructure. Supabase acts as a data processor under a signed Data Processing Agreement covering GDPR, UK GDPR, Swiss law, and US state privacy laws. Supabase's sub-processors include AWS, Fly.io, Cloudflare, and Google Cloud/BigQuery (for logging).
  • Cloudflare — Content delivery network and application hosting.
  • Resend — Transactional email delivery, integrated via Supabase Edge Functions.
  • Novu — Push notification delivery service.
  • Apple Inc. — Authentication (Apple Sign-In) and in-app subscription purchases via the App Store.
  • Google LLC — Authentication (Google Sign-In). When you use "Continue with Google," Google processes your authentication and shares your email address, display name, and profile photo with us via the OAuth protocol. Google's use of your data is governed by Google's Privacy Policy.

All processors are bound by data processing agreements that include standard data protection commitments.

5.3 With Authorities

We may disclose your information if required by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 In Business Transfers

If CompSesh is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent in-app notice before your information becomes subject to a different privacy policy.

5.5 What We Never Do

We do not sell or share your personal information with third parties for advertising, marketing, or profiling purposes. We do not provide data to data brokers. We do not engage in cross-context behavioral advertising. This applies globally, without exception.

6. International Data Transfers

CompSesh's infrastructure is hosted on AWS, which may process your data in the United States or other regions. If you are located outside the United States, your data will be transferred internationally.

For transfers of personal data from the EU/EEA, we rely on:

  • Standard Contractual Clauses (SCCs) — included in our Data Processing Agreements with Supabase, Resend, and Novu, which cover transfers to the US and other third countries.
  • EU-US Data Privacy Framework (DPF) — where applicable and to the extent our processors are certified (including Cloudflare, Apple, and Google, which are DPF-certified).

For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, in addition to the UK Extension to the EU-US Data Privacy Framework where applicable.

For transfers from all other jurisdictions, we ensure adequate safeguards are in place through contractual commitments with our service providers that meet the requirements of applicable local law.

7. Data Retention

We retain your data for the following periods:

  • Account and climbing performance data — retained for the duration of your account plus 30 days after a deletion request is processed, to allow for completion of the deletion process.
  • Photos and videos — retained for the duration of your account. Deleted when you remove them individually or when your account is deleted.
  • Social and multiplayer data — follow relationships, feed activity, and session participation data are retained for the duration of your account and deleted upon account deletion.
  • Subscription data — subscription status and transaction identifiers are retained for the duration of your account. Upon account deletion, subscription data is deleted from our systems (Apple retains its own transaction records per Apple's privacy policy).
  • Push notification tokens — retained until you revoke notification permission or delete your account.
  • User-created gym data — retained indefinitely as a community resource. Upon account deletion, your gym contributions are anonymized (disassociated from your identity) but the factual gym data persists.
  • Authentication and security logs — retained for 90 days, then permanently deleted.
  • Encrypted backups — deleted data may persist in encrypted backups for a limited retention period determined by our infrastructure provider's backup schedule, after which it is permanently overwritten.

8. Your Privacy Rights

8.1 Rights Available to All Users

Regardless of your location, you have the right to:

  • Access your personal data — request a copy of the data we hold about you.
  • Correct inaccurate data — update or fix errors in your information.
  • Delete your account and personal data — request complete deletion of your account and associated data.
  • Export your data — receive your data in a structured, machine-readable format (JSON).

To exercise any of these rights, contact us at [email protected] or use the account management features within the App (Settings > Account > Delete Account for deletion).

8.2 Additional Rights for EU/EEA and UK Residents

Under the General Data Protection Regulation (GDPR) and UK GDPR, you additionally have the right to:

  • Data portability — receive your personal data in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted directly to another controller.
  • Restrict processing — request that we limit how we use your data in certain circumstances.
  • Object to processing — object to processing based on legitimate interest.
  • Not be subject to automated decision-making — not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
  • Withdraw consent — where we process data based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Lodge a complaint — file a complaint with your local data protection supervisory authority. A list of EU data protection authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

We will respond to rights requests within 30 days (extendable by 60 days for complex requests, with notice).

8.3 Additional Rights for California Residents

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), you have the right to:

  • Know what personal information we collect and how it is used.
  • Delete your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information — CompSesh does not sell or share personal information as defined by the CCPA/CPRA.
  • Non-discrimination — we will not discriminate against you for exercising your privacy rights.

California residents may also designate an authorized agent to submit requests on their behalf.

We do not collect sensitive personal information as defined by the CPRA, with the exception of account login credentials, which are used solely for authentication purposes. CompSesh Pro subscription pricing is based on access to additional features, not on the collection, retention, or sale of your personal information. We do not offer financial incentives in exchange for personal information.

8.4 Additional Rights for Residents of Other US States

Residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Indiana, Iowa, Tennessee, Delaware, New Hampshire, New Jersey, Nebraska, Maryland, Minnesota, Kentucky, Rhode Island, and other states with comprehensive privacy laws have rights that may include access, correction, deletion, data portability, and the right to opt out of the sale of personal data, targeted advertising, and certain profiling. Where your state law provides a right to appeal our decision on a privacy request, you may appeal by contacting [email protected]. We will respond to appeals as required by your state's law.

CompSesh does not sell personal data, does not engage in targeted advertising, and does not profile users for decisions that produce legal or similarly significant effects, under any state's definition of those terms. We will respond to requests from US residents within 45 days, as required by applicable state law, extendable as permitted. If you are a Virginia resident and your appeal is denied, you may contact the Virginia Attorney General at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

8.5 Rights for Residents of Other Jurisdictions

If you reside in a jurisdiction not listed above, we will honor your data protection rights as required by your local law. Contact [email protected] to exercise your rights. You may also contact your local data protection authority, including:

  • Brazil: ANPD — https://www.gov.br/anpd
  • Canada: OPC — https://www.priv.gc.ca
  • Australia: OAIC — https://www.oaic.gov.au
  • South Africa: Information Regulator — https://inforegulator.org.za
  • Japan: PPC — https://www.ppc.go.jp
  • South Korea: PIPC — https://www.pipc.go.kr

9. Children's Privacy

CompSesh is not directed at children. You must be at least 13 years old to create an account (or the minimum age required by your jurisdiction, if higher — for example, 16 in certain EU member states, 13 in the United Kingdom under the Data Protection Act 2018, 16 in Australia as required by the Online Safety Amendment (Social Media Minimum Age) Act 2024, and 14 in South Korea).

We do not knowingly collect personal information from children under the applicable minimum age. If we discover that we have collected data from a child under the applicable age, we will promptly delete that data and terminate the associated account.

We do not accept parental consent as a means to allow children under the applicable minimum age to use CompSesh. Users under the applicable minimum age are prohibited from using the Service. CompSesh does not have an age-gating mechanism beyond the user's self-certification at account creation.

If you believe a child under the applicable minimum age has created a CompSesh account, please contact us at [email protected].

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

  • All data transmitted between the App and our servers is encrypted using TLS (Transport Layer Security).
  • Passwords are stored as bcrypt hashes and are never stored or transmitted in plaintext.
  • Database access is controlled through Supabase Row Level Security (RLS) policies, ensuring users can only access data they are authorized to view.
  • Our infrastructure provider (Supabase/AWS) maintains SOC 2 Type II compliance and ISO 27001 certification.
  • GPS/location metadata is removed from uploaded photos and videos through the client-side re-encoding process before storage.
  • Authentication tokens are stored securely on your device using the iOS Keychain.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a security breach affecting your personal data, we will notify you and applicable authorities as required by law, including within 72 hours for EU/EEA authorities under GDPR.

11. Do Not Track and Global Privacy Control

We do not track users across third-party websites or apps. Because we do not engage in any cross-site or cross-app tracking, there is no tracking behavior to modify in response to Do Not Track browser signals.

We honor Global Privacy Control (GPC) signals where required by applicable law. Because CompSesh does not sell or share personal information for advertising purposes, GPC signals do not change our data practices, but we recognize and log them as valid opt-out requests.

12. Third-Party Links and Services

CompSesh may contain links to third-party websites or services (for example, gym websites). We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before providing them with your information.

Our website (compsesh.app) uses only strictly necessary cookies for site functionality. We do not use advertising, analytics, or tracking cookies on our website. The website loads fonts from Google Fonts, which may result in your IP address being transmitted to Google when you visit the website.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes (changes to data collection practices, new third-party sharing, or changes to your rights), we will:

  • Notify you by email at least 30 days before the changes take effect.
  • Display a prominent in-app notice.
  • Require re-acceptance before continued use of the App.

For minor changes (formatting, clarification of existing practices, updated contact information), we will update the effective date and post the revised policy. Previous versions are archived at compsesh.app/privacy/archive.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at:

Email: [email protected]

We aim to respond to all inquiries within 30 days.


This Privacy Policy was last updated on February 27, 2026.