Privacy Policy — Golf Elbow Oracle

Effective date: 2026-05-11 · App: Golf Elbow Oracle · Publisher: Erwan Alliaume

1. Summary

Golf Elbow Oracle (“the app”, “we”) is a self-management tool for golfer’s-elbow rehab. We collect the minimum data needed to run the app on your device and to calibrate your daily plan. We do not sell, rent, or share your data with advertisers. We do not run ads. We do not track you across other apps.

We use:

Anonymous Firebase Authentication so your data is tied to your install, not to your name or email.
Cloud Firestore to back up your stiffness logs, session logs, and progression state.
Google Play Billing + RevenueCat to manage subscriptions.
Firebase Crashlytics + Performance to detect crashes and slow startups.

You can delete all your data at any time from inside the app (Settings → Privacy → Delete my data).

2. Data we collect

2.1 Health and fitness data (sensitive)

We treat the following as sensitive health data and store it only in your private account:

Self-reported morning stiffness (a 0–10 score that you log daily, then bucketed for analytics).
Self-reported pain ratings logged after each exercise (Same/better, Slightly worse, Much worse).
Session completion logs — which exercises you completed, on what date, at what hole level.
Round log entries — when you played golf and how it felt.
Optional profile fields — club specs, clinician contact (only if you choose to enter them).

2.2 Account data

Anonymous authentication identifier — a random identifier generated on first launch. It is not linked to your real-world identity. Signing out abandons the identifier; a new one is minted on the next sign-in.

2.3 Subscription data

Purchase status and entitlement via Google Play Billing and RevenueCat. We do not see or store your card or payment information — Google handles that end-to-end.

2.4 Diagnostic data

Crash reports — stack traces, device model, OS version, app version. Stripped of any personal payload.
Performance metrics — startup duration, screen render times.
Per-install diagnostic identifier used for crash attribution. Not the Advertising ID; we have removed the AD_ID permission.

2.5 What we do NOT collect

We do not collect your name, email, phone number, address, or any government ID.
We do not collect precise or coarse location.
We do not access your camera, microphone, contacts, calendar, photos, files, or messages.
We do not access the Advertising ID and we do not run ads.
We do not track you across other apps or websites.

3. How your data is used

Purpose	Data used
Run the app on your device	All of the above
Calibrate today’s plan from yesterday’s stiffness	Self-reported stiffness, pain, session logs
Sync between your installs	Account data
Manage your subscription	Google Play purchase token, subscription entitlement
Diagnose crashes and slowness	Crash stack traces, performance traces, install identifier, device/OS version

We do not use your health data for advertising. We do not use it for training third-party AI models. We do not sell it.

4. Data sharing and processors

We share data only with the following processors, and only for the purposes listed:

Processor	Purpose	Data shared
Google Firebase (Authentication, Firestore, Crashlytics, Performance)	Backend, crash reporting	Anonymous identifier, session/morning logs, crash diagnostics
RevenueCat	Subscription management	Anonymous identifier, purchase status
Google Play Billing	Payment processing	Handled by Google; the app does not see card data

We do not share data with any other third party. We have no advertising partners.

5. Data retention

Account data and logs: retained until you delete them (in-app: Settings → Privacy → Delete my data) or close your account.
Crash logs: retained 90 days.
Performance traces: retained 90 days.
Subscription receipts: retained as long as legally required by tax law.

After deletion we keep no more than what is needed to comply with legal obligations (e.g. payment records).

6. Your rights

Depending on where you live, you may have rights under GDPR (EU/UK), CCPA/CPRA (California), LGPD (Brazil), and similar laws:

Access — see what data we hold about your install.
Deletion — erase your data.
Correction — fix inaccurate entries.
Portability — get a copy in a machine-readable format.
Withdraw consent — stop optional data collection at any time.

You can delete all your data immediately, without any request, from Settings → Privacy → Delete my data inside the app.

7. Children under 13

Golf Elbow Oracle is not designed for or directed at children under 13. The Play Store target audience is set to 18 and older. The app’s clinical framing, language, and feature set are aimed at adult recreational golfers.

We do not knowingly collect personal information from children under 13.

If a child between 13 and 18 uses the app under parental supervision, all of the protections in this policy apply, and we collect no additional data from teen users beyond what is documented above.

8. Security and data protection

Security procedures are in place to protect the confidentiality of your data, and we use encryption to protect your information:

Encryption in transit. All network traffic between the app and our processors uses TLS 1.2+ (HTTPS). Your data is encrypted whenever it leaves your device.
Encryption at rest. Data stored with our processors (authentication state, Firestore documents, crash logs, subscription records) is encrypted at rest by the underlying infrastructure (AES-256 on Google Cloud).
Per-user access controls. Database security rules require request.auth.uid == userId on every read and write — your data is not visible to other users, and we apply the principle of least privilege internally.
Data minimization. We do not store personally identifying information at signup. Anonymous authentication is the default. The smaller the dataset, the smaller the breach surface.
No payment data. Card and payment-method data is handled entirely by Google Play. The app never sees, transmits, or stores it.
No advertising identifiers. The AD_ID permission is explicitly removed from the manifest; we cannot build an ad profile of you even if we wanted to.
Operational practices. Access to production data is limited, secrets are stored in a managed secrets manager (not in source code), and dependencies are kept current to address known vulnerabilities.
Limited use of sensitive data. Health data is used only to deliver and improve in-app features visible to you (your plan, your trends, your scorecard). It is never transferred to third parties except as required to operate the listed processors, never used for advertising, and never sold.

No system is perfectly secure. If we ever experience a breach affecting your data, we will notify affected users within 72 hours, as required by GDPR Article 33, with details of the data involved and the steps you can take to protect yourself.

9. International transfers

Our processors are operated in the United States. By using the app you consent to the transfer of your data to the US under their respective Standard Contractual Clauses with the EU Commission.

10. Permissions used (Android)

Permission	Why
`INTERNET`	Sync logs to our backend
`VIBRATE`	Haptic feedback during workouts
`FOREGROUND_SERVICE` / `FOREGROUND_SERVICE_MEDIA_PLAYBACK`	Keep the metronome timer running while the screen is locked
`MODIFY_AUDIO_SETTINGS`	Tempo metronome audio
`SYSTEM_ALERT_WINDOW`	Optional overlay for guided timer (requested only if you opt in)
`com.android.vending.BILLING`	Subscription purchases via Google Play
(removed) `com.google.android.gms.permission.AD_ID`	We do not collect the advertising ID

We do not request location, camera, microphone, contacts, calendar, photos, or background body-sensor permissions.

11. Changes to this policy

We will update this page when our practices change. The “Effective date” at the top will reflect the most recent change. Material changes will be announced in-app on first launch after the update.

This policy is provided as a privacy notice for an educational self-management app. Golf Elbow Oracle is not a medical device and does not provide medical advice. Always consult a qualified clinician for medical concerns.