Privacy Policy
Last updated: June 2, 2026
MileUp is a social step-tracking app built by COVRU, a company based in Brampton, Ontario, Canada. This policy explains what data MileUp collects, why we collect it, where we store it, and the choices you have. We wrote it to be readable; if anything is unclear, email us at team.covru@gmail.com.
The short version
- We collect what we need to run the app: your account, your profile, your activity (steps, sleep, heart rate), and what you do inside the app (challenges, friends, marathons, water logs).
- We do not sell your data, run third‑party ads, or share your activity outside of the leaderboards and feeds you opt into with people you choose to connect with.
- Your raw Google Fit / Health Connect data stays on your phone. We read it on demand to display your stats; we don't upload the underlying records to our servers.
- For contact matching we send one‑way SHA‑256 hashes of your contacts' phone numbers. We never see the phone numbers themselves.
- You can delete your account at any time and we'll remove your data from our systems.
What we collect
Account information
When you sign up, we receive your email address, display name, and (if you sign in with Google) your Google profile picture URL. We store an internal user ID; we never see your Google password.
Profile information you provide
Things you enter in Edit Profile: a username, height, weight, daily step goal, daily water goal, unit preference (metric or imperial), and an optional avatar image you upload yourself.
Activity data
To show your daily progress, MileUp reads:
- Step counts from the phone's built‑in step sensor (Android TYPE_STEP_COUNTER), or from Health Connect / Google Fit if your phone routes steps through those.
- Sleep sessions and resting heart rate, when available, from Health Connect or Google Fit. These are displayed in your daily summary.
We store a daily aggregate (today's total steps) on our servers so your friends' leaderboards work even when your phone is offline. We do not upload the underlying minute‑by‑minute records, raw sensor traces, GPS, or audio of any kind.
In‑app activity
Challenges you create or join, marathon sessions you save, water cups you log, badges you earn, and your friend list. These are stored on our servers so your data syncs across reinstalls and devices.
Contacts (only if you opt in)
If you tap Find friends from contacts, MileUp asks for permission to read your address book. We then SHA‑256 hash each phone number on your device and send only the hashes to our server to match against other users who have opted into discoverability. The original phone numbers never leave your phone. We don't store names, emails, or anything else from your contacts.
Device and diagnostic information
An anonymous Expo push token (so we can deliver notifications you've opted into), your timezone (so daily resets happen at midnight in your local time), and basic crash/error reports.
What we don't collect
- Your precise location or GPS history.
- Microphone or camera content (the avatar uploader uses the OS picker; we receive only the file you pick).
- Browsing history or data from other apps.
- Anything from your contacts other than the SHA‑256 hashes described above.
How we use your data
- To run the app — show your stats, your friends' stats, your challenges and marathons.
- To deliver push notifications you've enabled (friend requests, challenge invites, weekly recaps). You can turn these off any time in Profile → Notifications.
- To debug crashes and improve the app.
- To respond to your support emails.
We do not use your data for advertising, profiling, automated decision‑making, or sale to third parties.
Where your data lives
Account and in‑app data is stored on Supabase (a managed Postgres service) in their US region. Encryption is enabled in transit (TLS 1.2+) and at rest (AES‑256). Row‑Level Security policies enforce that one user can only read their own rows and the rows their friends have shared with them — this is enforced by the database, not just the app.
Push notifications are delivered through Expo (Expo Application Services). The Expo push service receives the notification body and your push token; it doesn't see your account credentials or activity data.
Sharing
We don't sell your data and we don't share it with third parties for marketing. We share data only:
- With other users you connect with: friends see your daily steps and your name/avatar on shared leaderboards. Challenge participants see each other's steps for the duration of the challenge.
- With service providers who help us run the app: Supabase (database + auth), Expo (push notifications + crash reporting), Google (Sign in with Google). These are bound by their own terms not to use your data for their own marketing.
- If required by law — a valid court order, subpoena, or to protect against fraud or abuse.
- In a business transfer: if COVRU is ever acquired, your data may move to the acquirer, who will be bound by this policy or a successor with equivalent protections; you'll be notified before any change in custodian.
Your rights and choices
- Access & export: email team.covru@gmail.com and we'll send you a copy of your data within 30 days.
- Correction: edit your profile inside the app, or email us.
- Deletion: tapping Sign out isn't the same as deleting. To fully delete your account and all associated data, email us with the address you signed up with. We'll process the request within 30 days. Backups are purged on a 30‑day rolling cycle.
- Withdraw consent: revoke any OS permission (contacts, Health Connect, notifications) in Android Settings. MileUp will continue to work for the parts that don't depend on that permission.
- Object / restrict / port (for users in the EU/UK): email us. We honour GDPR rights even though we're a Canadian company.
Children
MileUp is not intended for children under 13. If you're a parent and believe your child under 13 created an account, email team.covru@gmail.com and we'll delete it.
Retention
We keep your account data for as long as your account exists. When you delete your account, we delete your data within 30 days from primary databases and within 30 more days from backups. We may retain anonymized, aggregated statistics that cannot identify you (e.g. "total active users last week").
Security
TLS for everything in transit. AES‑256 at rest. Database‑enforced Row‑Level Security. We don't store passwords ourselves — auth is delegated to Supabase Auth and to Google. No system is perfectly secure, but we work to keep yours safe and we'll notify you within 72 hours if we discover a breach affecting your data.
Health and fitness data — special note
Some of the data MileUp reads on your device (steps, sleep, heart rate) may be classified as health data under Google Health Connect or Apple HealthKit policies. To be explicit about Google's Health Connect requirements:
- We never sell Health Connect data.
- We never share raw Health Connect records with any third party, advertiser, or data broker.
- We never use Health Connect data for advertising or profiling.
- We only transmit a derived daily step total to our servers so leaderboards work; we do not transmit individual readings, heart‑rate traces, or sleep stage timelines.
- You can revoke Health Connect access at any time in Settings → Health Connect → Apps and the data MileUp previously read will no longer be accessible.
Changes to this policy
If we change this policy materially, we'll notify you in‑app and update the "Last updated" date above. Continued use of the app after a change means you accept the updated policy.
Contact us
COVRU
Brampton, Ontario, Canada
Email: team.covru@gmail.com