We at 2Act ("we", "the App") respect your privacy. This policy explains what data we collect,
how we use it, with whom we share it, and what rights you have.
1. Who we are
2Act is a fitness and health app for women. Data controller: Alon Knafo.
For privacy questions: support@2act-app.com.
2. Data we collect
We collect only data that users provide directly, or that is generated through use of the App:
- Account details: name, email, profile picture (if uploaded).
- Personal details: birth year, gender, height, weight — used to compute personalized goals.
- Activity data: completed workouts, nutrition tracking, water intake, daily steps, goals and achievements.
- Photos: meal photos that you choose to upload. These photos are sent to our AI provider for nutrition analysis (see Section 5).
- Community content: posts, comments, and reactions you publish.
- Preferences: diet type, health goals, notification settings.
- Basic usage data: sign-up date, login times, internal user identifier.
What we do not collect: we do not use ad tracking and do not sell data to anyone.
Location/GPS data is collected only during an active outdoor run — see Section 3 for details.
3. Device sensor and notification access
The App requests access to the following sensors and services, only after your explicit approval:
- Motion sensors (Pedometer): to count your daily steps when Apple Health access is unavailable. Data is stored on the device and synced to your account.
- Apple Health (HealthKit) — read-only: on iPhone we read from Apple Health your daily step count, and — during running workouts only — walking/running distance, active energy, and heart rate, to display accurate activity data and real-time run metrics. We do not write any data to Apple Health. Health data is read and processed on the device; only summary metrics (such as daily steps and a run summary) are synced to your account. This data is not used for advertising and is not sold.
- Camera and Photo Library: only when you choose to take or upload a photo (profile / meal).
- GPS / Location — outdoor runs only: when you start an outdoor run, the App accesses GPS to calculate distance and pace in real time. Raw GPS coordinates are never sent to or stored on our servers. Only aggregated metrics (total distance, average pace) are saved to your account when the run ends. You can select "Indoor mode" for any run to avoid GPS entirely.
- Push Notifications: only if you allow them.
  • Local notifications: daily reminders for workout, water, and mood — generated on-device only, no server involved.
  • Remote push (APNs): community updates (reactions, comments) — sent from our servers via Apple Push Notification Service.
  Your APNs device token is stored in your account for delivery purposes. Notification content is not stored server-side.
  You can manage each notification type independently in App settings, or disable all notifications via iPhone Settings → Notifications → 2Act.
We do not request access to: microphone, FaceID, calendar, or contacts. Apple Health access is read-only and limited to the data types listed above. GPS is active only during an active outdoor run (see above).
4. How we use your data
- Operating the App and displaying your personalized content (Dashboard, workouts, nutrition, goals).
- Calculating activity rings, statistics, streaks, and achievements.
- Syncing across your devices through your account.
- Securing your account and protecting against community abuse.
- Improving the App (bug fixes and error analysis, without linking to personal identity).
4a. Explicit consent for processing health data
Some of the data we collect qualifies as "sensitive information" under Israel's Privacy Protection Law,
5741-1981 (section 7) and the Privacy Protection Regulations (Information Security), 5777-2017 — including: birth year, gender,
height, weight, health goals, body fat percentage (if entered), injury history (if entered), step count, and physical activity.
By continuing to use the App and accepting this policy, you expressly consent to the processing of this information
by 2Act and our hosting provider (Supabase) for the following purposes:
- Calculating personalized workout and nutrition recommendations based on your profile.
- Displaying progress, statistics, and achievements.
- Improving the App's algorithms (without sharing with third parties).
You can withdraw your consent at any time by deleting your account (Profile → "Delete Account") — this deletion will include
all of your health data as detailed in section 7.
5. Sharing with third parties and service providers
We do not sell your data, and do not share it for advertising or marketing purposes. We use the following technology providers:
- Supabase (Supabase Inc., USA) — secure storage of your account and data, including authentication services. Data is transmitted over encrypted channels (HTTPS/TLS) and stored encrypted at rest in Supabase's infrastructure. Transfer of data to the US is performed in accordance with Supabase's information security standards.
- Apple Sign-in — if you chose to sign in with Apple. Apple receives no data from us out of the App.
- Google OAuth — if you chose to sign in with Google. Google provides us only with your email and public name.
- Apple App Store + StoreKit — handles all purchase, billing, and subscription processes. We do not see your credit card details — Apple handles them exclusively. We receive only a purchase identifier and subscription status.
- RevenueCat (RevenueCat Inc., USA) — subscription validation and management service. Receives an anonymous user identifier and subscription status only, no personal or health data.
- Apple Push Notification Service (APNs) — when notifications are sent, Apple handles delivery to your device. Notification content is created in-app only.
- Anthropic (Anthropic PBC, USA) — the AI provider that powers the "Gia" assistant and meal-photo analysis. To deliver the service we send it your chat messages and relevant profile context (such as goals, preferences, and activity data), as well as meal and nutrition-label photos for analysis. Processing is performed under Anthropic's API terms; the data is not used to train models, is not used for advertising, and is not sold. Transfer is encrypted.
- PostHog (PostHog Inc., USA) — product analytics to improve the app. Collects usage events and an internal user identifier only; no health or nutrition data, no advertising identifier (IDFA), and no ad tracking.
- Expo (Expo / 650 Industries, USA) — used to deliver push notifications (your push token) and over-the-air app updates, which transmit basic app-version and device information.
We share data only with the service providers listed above, and only to operate the service. We do not share health, workout, nutrition, steps, age, weight, or personal-goal data for advertising or marketing, and we do not sell it to anyone. Our AI providers do not use the data to train models.
6. Community content and leaderboard
When you publish a post or comment in the community, the content will be shown to other users. You can delete your content at any time.
We maintain zero tolerance for harmful content — there is a reporting system and we may hide content following reports.
Community Leaderboard (75-day challenge): participants in the community challenge may display their progress
on a leaderboard visible to all participants. Data shown includes: display name, profile picture, days completed,
and average daily steps. Step data is hidden by default — you must explicitly enable "Show steps publicly"
in Profile → Preferences for your steps to appear. You can opt out at any time; doing so removes your step data
from the leaderboard immediately.
7. Data retention and deletion
Your data is retained as long as your account is active. When you delete your account from within the App (Profile → "Delete Account"):
- Immediately: your account becomes inaccessible — you can no longer log in, your content is no longer shown in the community, and your device session is closed.
- Within 30 days: all of your data is permanently deleted from our servers (profile, workouts, nutrition, posts, photos, goals).
- Exceptions: items we are legally required to retain (such as billing records for tax purposes) will be retained only for the shortest period required by law.
Deletion is irreversible — there is no way to restore a deleted account.
8. Your rights
At any time you can:
- Access all of your data — it is available within the App (profile, history, goals).
- Correct personal details from the Profile screen.
- Delete your account and all data: Profile → "Delete Account". Full details in section 7 above.
- Contact us by email for any other privacy-related request.
9. Security
Your data is transmitted over encrypted channels (HTTPS/TLS) and stored in a secure database with access control.
Passwords are not stored in plain text — they are managed by Supabase Auth.
The App session is stored in the device's secure store (Keychain on iOS).
10. Children
2Act is intended for users 13 years of age and older. We do not knowingly collect data from children under 13.
If such information is received, it will be deleted. A parent who identifies that a child provided data to the App is asked to contact us by email.
11. EU and California residents (GDPR / CCPA)
The App is primarily marketed in Israel and governed by Israeli law. However, if you are a resident of the European Union, the United Kingdom, or California, you have additional rights, including:
- Right of access to the data we hold about you.
- Right of rectification of inaccurate data.
- Right of erasure ("right to be forgotten") — exercised by deleting your account from within the App.
- Right to data portability — receive your data in a machine-readable format (JSON).
- Right to object to data processing.
- Right to lodge a complaint with your local data protection authority.
For requests from residents of the EU or California, please contact us by email at
support@2act-app.com with the subject "GDPR Request" or "CCPA Request".
We will respond within 30 days. Data is transferred to the US (our service providers — Supabase, Anthropic, PostHog, Expo, and RevenueCat — are located in the US) using customary mechanisms in line with applicable data protection regulations.
12. Changes to this policy
We may update this policy from time to time. Material changes will be displayed on the App's landing screen.
The latest update date is shown at the top of the page.
13. Contact us
For questions, requests, or complaints regarding privacy:
support@2act-app.com
Last updated: May 31, 2026
© 2026 Alon Knafo / 2Act. All rights reserved.