Privacy Policy
Last updated: 2026-04-14
1. Introduction
LiftEngine ("we", "us") is an independently operated workout-planning service. This policy explains what data we collect, how we use it, how long we keep it, and what rights you have under applicable privacy laws including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
The data controller responsible for personal data processed through LiftEngine is the individual operator of this service. The only contact channel is contact@liftengine.fit. We do not publish a postal address for this hobby-scale service; a postal contact will be added if and when a legal entity is formed.
This policy applies to the LiftEngine website and any directly connected services. Links to third-party sites (for example Google's ad and privacy resources) are governed by those sites' own policies.
2. Summary
In plain language:
- You do not create an account. We do not collect your name, email address, or phone number.
- A single strictly-necessary cookie (wp_session) identifies your anonymous session so we can show you the plans you have generated.
- Your workout plans and the exercises you have ticked off are stored against that anonymous session only.
- Inactive sessions and all associated data are automatically deleted after 60 days. You can also delete everything yourself at any time from the My data page.
- We show advertising supplied by Google AdSense to help cover hosting costs. Users in the European Economic Area, the United Kingdom, and Switzerland see a consent prompt via Google's certified Funding Choices consent management platform before any advertising cookies are set.
3. Information we collect
We deliberately collect the minimum data needed to run the service. Specifically:
- Anonymous session identifier: A random UUID stored server-side and mirrored in an HTTP-only cookie named wp_session. The cookie is cryptographically signed (HMAC-SHA256) to prevent tampering. It contains no information about you.
- Locale preference: The language you chose for the interface, stored on your session record so the site renders in your preferred language on return visits.
- Workout plan inputs and outputs: The selections you make in the plan wizard (training goal, experience level, available equipment, weekly schedule, preferred and avoided exercises) and the generated plan produced from them.
- Exercise completion ticks: When you mark an exercise as completed within a plan, we store the plan, week, session and exercise index along with a timestamp so your progress survives page reloads.
- Server request logs: Our hosting infrastructure keeps short-lived operational logs (timestamp, request path, response status, and truncated IP address) strictly for security, abuse prevention and debugging. These logs are not linked to your session and are rotated out within a short period.
We do not collect:
- Your name, email address, phone number, or postal address
- Health, medical, or biometric data linked to your identity
- Device fingerprints, advertising IDs, or cross-site trackers
- Payment information — the service is free to use
- Any information knowingly collected from children under 16
4. How we use your data
We use the data above only for the following purposes:
- Generating your workout plan and returning it to your browser
- Remembering your plan and completion progress across visits from the same browser
- Displaying the site in your chosen language
- Keeping the service secure, including detecting abusive or automated traffic
- Debugging and improving the service
5. Legal bases for processing (GDPR)
Where GDPR or UK-GDPR applies, we rely on the following lawful bases:
- Legitimate interests (Art. 6(1)(f)): Operating the strictly-necessary session cookie, storing the plans you generate, and keeping short-lived security logs. Our legitimate interest is providing the service you have requested and protecting it from abuse. You can object to this processing by deleting your data.
- Consent (Art. 6(1)(a)): Any future advertising cookies, personalised advertising, and similar non-essential processing. We will ask for your consent through a consent management prompt before any such cookies are set, and you will be able to withdraw consent at any time.
6. Cookies and similar technologies
Today we use a single cookie. We have listed the third-party advertising cookies below so you know what to expect once advertising goes live; none of them are set today.
| Name | Provider | Purpose | Type | Lifetime |
|---|---|---|---|---|
| wp_session | LiftEngine (first-party) | Identifies your anonymous session so your plans and progress are available on return visits. | Strictly necessary | 60 days |
| __gads, __gpi | Google (third-party, future) | Used by Google AdSense to measure and control ad delivery. | Advertising | Up to 13 months |
| NID, IDE | Google (third-party, future) | Used by Google to personalise advertising and measure ad performance. | Advertising | Up to 13 months |
Strictly-necessary cookies are exempt from consent under the EU ePrivacy Directive because they are required to deliver a service you have explicitly requested. Advertising cookies will only be set after you give consent through the prompt shown on first visit, once AdSense is enabled.
7. Advertising (Google AdSense)
LiftEngine displays advertising supplied by Google AdSense to help cover hosting costs.
When AdSense is enabled, Google acts as an independent data controller for the information it collects through ads, including cookies, device identifiers, and your interactions with ads. Depending on your consent, Google may use this information to show you personalised advertising based on inferred interests.
Users in the European Economic Area, the United Kingdom, and Switzerland will be asked for consent through an IAB Transparency & Consent Framework (TCF) prompt before any advertising cookies are set. If you decline, you will either see non-personalised advertising (advertising that is not based on your interests) or no advertising, depending on Google's current policies.
You can review and change your Google ad settings at any time at adssettings.google.com, and learn more about how Google uses data from its partners at policies.google.com/technologies/partner-sites and policies.google.com/technologies/ads. Industry-wide opt-out tools are available at youradchoices.com (United States and Canada) and youronlinechoices.eu (European Economic Area).
8. Data sharing and disclosure
We do not sell your personal data. We do not share your personal data for cross-context behavioural advertising outside of the limited advertising relationship with Google described above.
Your data is processed by the following categories of recipient: (a) our hosting and infrastructure providers, who store the database and serve the site under contractual data-processing agreements; (b) Google, solely in connection with AdSense once it is enabled; and (c) law enforcement or regulators, where we are required to disclose data by a valid legal process.
9. International data transfers
Our primary infrastructure is hosted within the European Economic Area. Where a service provider (notably Google) processes data outside the EEA, transfers are protected by the European Commission's Standard Contractual Clauses, an adequacy decision, or an equivalent safeguard under UK-GDPR.
10. How long we keep your data
Session records and everything linked to them (plans, completion ticks) expire 60 days after the session was created. A scheduled job removes expired sessions, and foreign-key cascade rules delete the related rows automatically.
You can delete everything we hold about you at any time using the My data page. Deletion is immediate and irreversible.
Short-lived operational logs are rotated out within a few days and are not linked to your session.
11. Your rights
Because we do not hold your name or contact details, we cannot look you up on request — but the anonymous-session model means almost every right can be exercised directly from your browser using the My data page. For anything that cannot be resolved that way, email us at contact@liftengine.fit.
Under GDPR and UK-GDPR
- Right of access: your session record, plans, and completion history are all visible in the app itself.
- Right to rectification: regenerate a plan with corrected inputs, or delete the existing one.
- Right to erasure ("right to be forgotten"): delete everything instantly from the My data page.
- Right to restriction and objection: stop using the service and delete your data; we keep nothing linked to you after deletion.
- Right to data portability: the plan page includes a copy-link action that encodes your plan.
- Right to withdraw consent: you can withdraw advertising consent at any time through the cookie prompt once AdSense is enabled.
- Right to lodge a complaint with a supervisory authority — in the EEA, your national data-protection authority; in the UK, the Information Commissioner's Office (ico.org.uk).
Under CCPA / CPRA (California)
- Right to know what personal information we collect and how we use it — set out in this policy.
- Right to delete — exercised via the My data page.
- Right to correct — regenerate your plan with corrected inputs.
- Right to opt out of sale or sharing: we do not sell personal information; the narrow "sharing" that may occur once AdSense is enabled will be gated behind the consent prompt.
- Right to non-discrimination for exercising your privacy rights.
Under PIPEDA (Canada)
- Right of access to your personal information and how it is being used.
- Right to challenge the accuracy of your information and have it corrected.
- Right to withdraw consent, subject to legal or contractual restrictions.
- Right to complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
12. Security
Session cookies are HTTP-only, SameSite=Lax, and marked Secure in production — they cannot be read by JavaScript and are not sent on cross-site requests. Cookie values are HMAC-signed so tampering is detected server-side.
The site is served over TLS in production. Data is stored in a managed PostgreSQL database with foreign-key cascade rules that guarantee deletion of dependent rows when a session is removed.
No user credentials are stored — the service has no login system.
13. Children's privacy
LiftEngine is not directed to children under 16. We do not knowingly collect information from children under 16. If you believe a child has used the service, please contact us and we will delete the associated session.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top of the page reflects the latest revision. Material changes will be flagged in-product on your next visit. Continued use of the service after an update constitutes acceptance of the revised policy; if you disagree, you can delete your data at any time.
15. Contact
Questions, requests, or concerns about this policy or your data should be directed to contact@liftengine.fit.