Privacy Policy

Last updated: 31 March 2026

1. Introduction

MoveFirst ("we", "us", "our") is operated by an individual sole trader based in Australia. We operate the MoveFirst mobile application (the "App"), which helps users build healthier habits by gating access to distracting apps behind real physical activity.

This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using MoveFirst, you agree to the collection and use of information as described in this policy.

2. Information We Collect

2.1 Account Information

When you sign in with Apple, we receive your Apple-provided user identifier, and optionally your name and email address if you choose to share them. We use Supabase Auth to manage your session securely.

Your email address, if provided, is used only for account recovery and important service communications. We will never sell your email or use it for marketing without your consent.

2.2 Health and Fitness Data (Apple HealthKit)

With your explicit permission, we read workout data from Apple HealthKit. The specific data types we access include:

  • Workout type (e.g. running, cycling, strength training)
  • Workout duration
  • Calories burned
  • Start and end timestamps
  • Source app metadata (which app or device recorded the workout)

We do NOT access:

  • Heart rate samples
  • GPS or location data
  • Sleep data
  • Nutrition or dietary data
  • Body measurements
  • Any other HealthKit data types beyond workout summaries listed above

Only workout summary data (type, duration, calories, timestamps) is transmitted to our servers for reward calculation. Raw health samples never leave your device.

2.3 Screen Time Data (FamilyControls)

We use Apple's Screen Time APIs (FamilyControls, ManagedSettings, DeviceActivity) to enable app blocking functionality that you configure.

Your app selection (which apps you choose to block) is stored as an opaque, randomised token generated by iOS. We cannot see which specific apps you selected, how often you use them, or your app usage duration. We only know that a selection exists.

All app blocking decisions are processed entirely on your device. We do not collect, transmit, or store any data about your specific app usage patterns.

2.4 Workout Source Detection

We read the source metadata of workouts stored in Apple HealthKit to identify which fitness apps and devices contributed your workout data (e.g. Strava, Garmin Connect, Nike Run Club, Apple Watch). This allows us to show you which apps are contributing workouts and to provide quick-start links to your favourite fitness apps.

We do not have direct integrations with Strava, Garmin, or any other third-party fitness platform. We do not connect to their APIs, store their credentials, or access your accounts on those services. All workout data is read exclusively through Apple HealthKit.

2.5 Workout and Reward Data

We store workout event records (activity type, duration, timestamps, source) to calculate and award screen time rewards. We maintain a reward ledger tracking screen time earned and screen time spent. We also store daily streak and goal completion data.

2.6 Device and Technical Information

We collect limited technical information including:

  • Device platform (iOS)
  • App version
  • Timezone (for correct daily boundary calculations)
  • Anonymous analytics events (via PostHog) for product improvement, such as screen views, feature usage, and error rates
  • Error reports and crash diagnostics (via Sentry) to identify and fix bugs

We do not use analytics data for advertising, and we do not sell technical data to third parties.

3. How We Use Your Information

We use the information we collect to:

  • Calculate screen time rewards based on your completed workouts
  • Maintain your reward balance, streak count, and daily progress
  • Manage app blocking preferences on your device
  • Sync workout data between your device and our server for accurate reward tracking
  • Prevent duplicate reward credits when the same workout appears from multiple sources
  • Provide fitness insights and activity history
  • Send optional daily reminders and notifications (with your permission)
  • Improve the App through anonymous, aggregated analytics

4. How We Protect Your Information

  • All data transmitted between your device and our servers uses TLS encryption (HTTPS)
  • Database access is controlled by Row Level Security (RLS), meaning you can only access your own data
  • Our database uses encryption at rest
  • No raw health samples (heart rate, GPS, etc.) ever leave your device
  • We follow the principle of data minimisation: we request only the minimum data and API scopes needed for App functionality

5. Apple HealthKit Data Compliance

We comply with Apple's App Store Review Guidelines (Section 27) and HealthKit documentation requirements:

  • HealthKit data is not stored in iCloud, CloudKit, or any Apple-managed cloud storage
  • HealthKit data is never shared with third parties for advertising, marketing, or data brokerage purposes
  • HealthKit data is transmitted only over encrypted (HTTPS/TLS) connections
  • We read only the HealthKit data types strictly necessary for reward calculation
  • HealthKit data is used solely to provide the core service of converting workouts into screen time rewards

6. Third-Party Services

MoveFirst uses the following third-party services to operate the App:

  • Supabase— Backend infrastructure including database, authentication, and serverless functions. Data is stored in Supabase's cloud infrastructure with encryption at rest.
  • Apple — Sign in with Apple for authentication, HealthKit for workout data, and FamilyControls / ManagedSettings / DeviceActivity for screen time management.
  • PostHog — Anonymous product analytics to help us understand how the App is used and identify areas for improvement.
  • Sentry — Error reporting and crash diagnostics to help us identify and fix bugs.

Each of these services has their own privacy policy governing their handling of data.

7. Data Retention and Deletion

Your workout and reward data is retained for as long as your account is active. You can delete your account at any time from the App's settings.

Account deletion permanently removes all your data from our servers, including: account information, workout records, reward ledger entries, preferences, and streak history. This action cannot be undone.

8. Children's Privacy

MoveFirst is intended for users aged 18 and older. We do not knowingly collect personal information from children under 18. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at hello@movefirst.co.

9. Your Rights

You have the right to:

  • Access your data through the App's settings and insights screens
  • Delete your account and all associated data at any time
  • Revoke HealthKit permissions through iOS Settings > Privacy & Security > Health
  • Revoke Screen Time permissions through iOS Settings
  • Disable analytics collection through the App's settings

If you are located in the European Economic Area (EEA), you may also have additional rights under the General Data Protection Regulation (GDPR), including the right to data portability and the right to lodge a complaint with a supervisory authority. If you are located in Australia, the Australian Privacy Principles (APPs) under the Privacy Act 1988 may also apply. Please contact us if you wish to exercise any of these rights.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes through the App or via email if you have provided one. Continued use of MoveFirst after changes constitutes acceptance of the updated policy.

11. Contact Us

For privacy-related questions or requests, contact us at: hello@movefirst.co