PRIVACY POLICY

Last updated: May 1, 2026


1. WHAT WE COLLECT

A) Data sent for AI analysis (during a check-in)

When you submit a check-in, the following data is sent to the active AI provider to generate your analysis:

  • Photo — a downscaled copy of your check-in photo. Your face may be visible in the transmitted image. Your full-resolution photo is never transmitted and is stored only on your device.
    • Single-pose mode: max 1024px, ~85% JPEG quality
    • Multi-angle mode: max 1268px per image, ~65% JPEG quality
    • Gemini debug mode (see Section 3): max 1536px, 75-85% JPEG quality
  • Health metrics — biological sex, age, height, weight, and calculated BMI.
  • Training context — your goal (for example: bulk, cut, recomp), experience level, self-assessed weakness, and target physique archetype if set.
  • Body measurements — proportional measurements derived on-device using BlazePose and Apple Vision (for example shoulder width, limb ratios, body region percentages, asymmetry). Raw pixel buffers are not transmitted.
  • Photo conditions — derived metadata such as distance estimate, lighting quality, sharpness, skin tone classification, overexposure flag, and shadowed body regions.
  • Capture metadata (when present) — source (in-app camera vs photo library), camera position, 35mm-equivalent focal length, aperture, approximate image resolution, metadata quality rating (full / partial / stripped).

B) Account and authentication data

If you sign in with Apple, Specimen stores and uses:

  • Supabase user ID (UUID) — your stable account identifier.
  • Email (if provided by Apple) — may be an Apple private relay address.
  • Display name (if provided by Apple) — used in your profile.

We do not collect your Apple password.

C) Cloud sync data (when signed in)

If you are signed in, check-in metadata is synced to our Supabase backend, including:

  • Check-in ID and timestamp
  • Pose type
  • Overall score and muscle score breakdown
  • Weight, body fat estimate, and FFMI (when available)
  • AI feedback text
  • Derived photo context metadata
  • Check-in sequence number and sync timestamp

Your full-resolution photos are not synced to Supabase by this flow.

D) Subscription and entitlement data

We use RevenueCat to manage subscription status. RevenueCat may process:

  • App User ID (anonymous RevenueCat ID before sign-in, then your Supabase UUID after sign-in)
  • App and OS version
  • Device model and platform identifiers
  • App Store transaction and receipt data

No check-in photos are shared with RevenueCat.


2. WHAT WE DO NOT COLLECT OR DO

  • We do not use cross-app or cross-website tracking for advertising.
  • We do not show an App Tracking Transparency prompt because we do not perform ATT-covered tracking.
  • We do not sell your personal data.
  • On-device pose/measurement processing occurs locally. Raw pixel buffers from on-device processing are not uploaded by that processing pipeline.
  • Specimen does not provide any feature where users can browse other users' check-in photos.
  • The Specimen team does not manually review check-in photos submitted for analysis as part of normal operations.
  • Our operational logs are designed to capture diagnostic metadata (for example request success/failure and token usage), not image payload contents.

Specimen uses paid commercial API tiers for AI processing. Based on provider policy terms, submitted content is not used to train their generative models.

AI providers process submitted photos automatically to produce analysis output. Any provider-side personnel access is governed by the provider's privacy/security terms and legal obligations, not by a Specimen human review workflow.


3. THIRD-PARTY SERVICES

Supabase — account authentication (Sign in with Apple token exchange) and cloud storage for signed-in profile/check-in metadata. https://supabase.com/privacy

Anthropic — default AI analysis provider for check-ins. https://www.anthropic.com/legal/privacy

Google (Gemini API) — alternate AI provider behind a hidden debug toggle. If you do not enable this toggle, check-in analysis is not sent to Google. https://policies.google.com/privacy

RevenueCat — subscription and entitlement management. https://www.revenuecat.com/privacy

Apple — Sign in with Apple and App Store purchase infrastructure. https://www.apple.com/legal/privacy/


4. DATA RETENTION

Local device data

Check-in photos and local analysis history remain on your device storage unless you delete them or remove the app. Photos are stored in the app container (not automatically saved to the Photos library).

Cloud account data

When signed in, your profile and synced check-in metadata are retained in Supabase until deleted according to our operational retention and account support processes. Signing out does not automatically delete historical cloud records.

Third-party processor retention

RevenueCat, Supabase, and AI providers may retain operational logs/records according to their own retention policies and legal obligations.


5. CHILDREN

Specimen is not intended for users under 17. We do not knowingly collect personal data from children.


6. CONTACT

Questions about this policy: matt@fierroinnovations.com