1. Who We Are (Data Controller)
EVX Labs SpA (“EVX Labs”, “we”, “us”, “our”), a company incorporated under the laws of the Republic of Chile with its principal place of business in Santiago, Chile, is the data controller responsible for the personal data processed through the EVX Tactical mobile application (the “App”) and the website evxtactical.com (the “Website”, and together with the App, the “Service”).
For any privacy question or to exercise your rights, contact us at support@evxtactical.com.
2. Scope
This Privacy Policy applies to personal data we process when you use the App (including beta versions distributed via TestFlight and, in the future, the Android version) and when you interact with the Website, including its email forms. It does not cover processing carried out independently by Apple Inc. (“Apple”) or Google LLC (“Google”) under their own terms and privacy policies — for example, App Store billing or your Apple/Google account — which we neither control nor have full access to.
3. Data We Collect
3.1 Account data
When you create an account you may sign in with Sign in with Apple, Google Sign-In, or a one-time 6-digit code sent to your email (OTP). In all cases we receive and store the email address (or the private relay address Apple provides if you choose to hide your email) and the technical identifier the sign-in provider shares with us. We never receive or store passwords.
3.2 Profile and training data
During onboarding and use of the App you provide:
- Height, weight and date of birth (used to calibrate your training program);
- Your selected training protocol, phase and weekly frequency;
- Your callsign (in-app display name);
- Your mission and workout progression, cycles completed and rank.
This data is stored in our backend infrastructure (see Section 5). Because height, weight and date of birth relate to your physical condition, we treat them with the safeguards described in Section 12.
3.3 Usage and analytics data
We operate a first-party analytics system — we do not use third-party advertising or analytics SDKs in the App. Analytics events are buffered on your device and sent in batches to our own backend. Currently these events are limited to the onboarding and paywall funnel (screens viewed, quiz steps completed, sign-in attempts, paywall interactions).
Before you create an account, events are associated with a random installation identifier (“anon_id”) generated on your device. If you then create an account, we link (“stitch”) the anonymous event history of that installation to your user account, so that your pre-registration activity is attributed to you. If you never create an account, those events remain associated only with the random installation identifier.
3.4 Purchase and subscription data
Subscriptions are purchased through the App Store and billed by Apple. We never receive or store your card number or full payment details. We receive subscription status metadata (product purchased, trial status, renewal, expiration, country and currency of the storefront) through Apple and our subscription-management provider RevenueCat, in order to activate your entitlements and measure aggregate business performance.
3.5 Diagnostics (crash data)
If the App crashes or encounters an error, technical diagnostic information (device model, operating-system version, App version, stack traces and related technical state) is sent to our error-monitoring provider Sentry. We use this data solely to identify and fix defects. Crash data is not used for advertising or profiling.
3.6 Device and technical data
- Push token — if you enable notifications, the device token issued by Apple (APNs) or Google (FCM) needed to deliver them;
- IP address — processed transiently by our backend for rate-limiting, abuse prevention and security (limits are applied per installation identifier and per IP);
- Basic device and OS information necessary for the App to function and for diagnostics.
3.7 Website data
The Website offers email forms (founding-access requests, training-diagnostic results and the Android waitlist). If you submit one, we collect your email address and the context of your request in order to respond, deliver what you asked for, and — where you have agreed — send you related updates. See Section 13 regarding cookies and web analytics.
4. Purposes and Legal Bases
We process your data under the lawful bases recognized by Chilean Law No. 19.628 and Law No. 21.719 on the protection of personal data, which correspond substantially to the bases in Article 6 GDPR:
| Data category | Purpose | Legal basis |
|---|---|---|
| Account data (§3.1) | Create and secure your account; authenticate you | Performance of a contract |
| Profile & training data (§3.2) | Calibrate and deliver your training program; track progression and ranks | Performance of a contract; your explicit consent for health-adjacent data (§12) |
| Usage & analytics data (§3.3) | Understand and improve onboarding and conversion; fix funnel issues | Legitimate interest (improving the Service) |
| Purchase data (§3.4) | Activate your subscription entitlements; measure business performance; comply with tax/accounting duties | Performance of a contract; legal obligation |
| Diagnostics (§3.5) | Detect, reproduce and fix crashes and errors | Legitimate interest (stability and quality) |
| Device & technical data (§3.6) | Deliver push notifications; prevent abuse; secure the Service | Consent (push); legitimate interest (security) |
| Website emails (§3.7) | Respond to your request; send updates you signed up for | Consent (revocable at any time) |
5. Third-Party Processors and Recipients
We share personal data only with the service providers strictly necessary to operate the Service, acting on our behalf and under contractual data-protection commitments:
| Provider | Role | Data involved | Location |
|---|---|---|---|
| Supabase, Inc. | Backend infrastructure: database, authentication, edge functions | Account, profile, training and analytics data | United States |
| RevenueCat, Inc. | Subscription management and metrics | Subscription status metadata, app user identifier | United States |
| Functional Software, Inc. (Sentry) | Crash and error monitoring | Diagnostic data only (§3.5) | United States |
| Apple Inc. | Sign in with Apple, App Store billing, push delivery (APNs) | Sign-in identifier, purchase data, push token | United States |
| Google LLC | Google Sign-In; push delivery (FCM) for the future Android version | Sign-in identifier, push token | United States |
International transfers. Because these providers are hosted in the United States, your data is transferred outside Chile (and, if you are in the EEA/UK, outside your jurisdiction). We put in place contractual safeguards with each provider — including data-processing agreements with standard contractual protections — so that your data receives a level of protection consistent with this Policy and applicable law.
We may also disclose data if required by law, court order or competent authority, or to protect our legal rights. We do not sell personal data and do not share it with data brokers or advertisers (see Section 14).
6. Data Retention
- Account, profile and training data — kept while your account is active, and deleted or irreversibly anonymized within 30 days after account deletion (§8);
- Analytics events — kept for up to 24 months, after which they are deleted or aggregated;
- Crash data — retained per our error-monitoring provider's rolling window (typically 90 days);
- Subscription/transaction records — retained as long as required by tax, accounting and consumer-protection law;
- Website emails — kept until the purpose is fulfilled or you unsubscribe, whichever comes first.
7. Your Rights
Under Chilean law (Law No. 19.628 and, as of its entry into force, Law No. 21.719) you have the rights of access, rectification, cancellation (erasure), opposition, and portability of your personal data, as well as the right to withdraw consent at any time without affecting prior processing.
If you are in the European Economic Area or the United Kingdom, you have the equivalent rights under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection, and the right not to be subject to solely automated decisions producing legal effects — which we do not perform).
If you are a California resident, you have the rights under the CCPA/CPRA to know, access, correct and delete personal information, and the right to opt out of “sale” or “sharing” — noting that we do not sell or share personal information as those terms are defined by that law, and we do not use or disclose sensitive personal information for purposes other than providing the Service.
To exercise any right, email support@evxtactical.com from the address associated with your account. We will respond within the legal deadline. You also have the right to file a complaint with the Chilean Agencia de Protección de Datos Personales (once operational under Law No. 21.719) or with your local supervisory authority.
8. Account Deletion
You can delete your account at any time directly in the App (Settings → Account → Delete account) or by emailing support@evxtactical.com. Deletion removes your account, profile, training history and linked analytics identity from our systems within 30 days. We may retain only what the law requires us to keep (e.g., transaction records for tax purposes) and data already irreversibly anonymized. Deleting your account does not cancel an active App Store subscription — cancel it in your device Settings (see the Terms of Use).
9. Security
We apply technical and organizational measures appropriate to the risk: encryption of data in transit (TLS), encryption at rest on our infrastructure providers, row-level access controls in our database, least-privilege internal access, and rate-limiting to prevent abuse. No system is 100% secure; if a personal-data breach occurs that creates a risk to your rights, we will notify you and the competent authority as required by applicable law.
10. Children
The Service is intended for adults and is restricted to users 18 years of age or older. It is not directed at children, and we do not knowingly collect data from anyone under 18. If we learn that we have collected personal data from a minor, we will delete it promptly. If you believe a minor has provided us data, contact support@evxtactical.com.
11. Push Notifications
Push notifications (e.g., mission reminders) are strictly opt-in: they are only sent if you accept the operating-system permission prompt. You can disable them at any time in your device Settings. Declining notifications does not affect the rest of the App.
12. Sensitive Data (Health-Adjacent)
Your height, weight, date of birth and training records relate to your physical condition and may qualify as sensitive or health-related data under applicable law, including Chilean Law No. 21.719. Accordingly:
- We collect them only with your explicit consent, given during onboarding, and you may decline (some features will then be limited);
- We use them solely to calibrate and deliver your training program — never for advertising, and we never disclose them to third parties other than the processors in Section 5;
- The App does not access Apple HealthKit, Google Fit / Health Connect, or any other health platform on your device;
- This data is not medical data, and nothing in the Service constitutes medical advice, diagnosis or treatment (see the medical disclaimer in the Terms of Use).
13. Cookies and Web Analytics
The Website currently uses no advertising cookies and no third-party tracking cookies. We may in the future deploy a web-analytics tool (such as Google Analytics) to measure aggregate Website traffic; if we do, we will update this section, disclose the provider, and — where required — request your consent through a cookie notice before any non-essential cookies are set.
14. No Sale of Data, No Third-Party Advertising
We do not sell, rent or trade your personal data. The App contains no third-party advertising SDKs and does not track you across other companies' apps or websites — which is why the App does not display Apple's App Tracking Transparency prompt: there is no tracking to authorize.
15. Changes to This Policy
We may update this Policy as the Service or the law evolves. The “Last updated” date at the top governs. For material changes we will give you reasonable prior notice in the App or by email. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Contact
EVX Labs SpA — Santiago, Chile
Email: support@evxtactical.com
This Policy is published in English and Spanish. In case of any conflict, the English version prevails (see the Terms of Use).