Last Updated: May 21, 2026 · Effective Date: May 21, 2026
This Privacy Policy describes how 3 Bonos Holdings LLC, doing business as Hexrep ("Hexrep," "we," "us," or "our"), collects, uses, discloses, and protects information about you when you use our mobile application, website at hexrep.com, and related services (collectively, the "Service").
By using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, do not use the Service.
1. Information We Collect
1.1 Information You Provide Directly
Account information:
Email address
Password (stored in hashed form using industry-standard cryptographic methods)
Display name and username (handle)
Optional: profile photo, bio, location
Workout and fitness data:
Exercises performed, sets, reps, weight, duration, rest periods
Custom exercises, programs, templates, and workout notes
Body metrics you choose to enter (bodyweight, measurements)
Personal records (PRs) and milestones
Journal and journey data:
Photos, notes, mood entries, goals, and milestones you record
Reflections, training observations, and other personal entries
Social content:
Posts you publish, comments, reactions
Users you follow or who follow you
Reports, blocks, and other interaction data
Communications:
Messages you send to our support team
Feedback, surveys, or other communications
1.2 Information Collected Automatically
Diagnostic and technical data:
Anonymous crash logs and error reports
App version, device type, and operating system version (attached to crash reports)
Approximate region (derived from IP address by our infrastructure providers; not precise location)
Performance metrics to identify and fix bugs
Subscription and purchase data:
Subscription status, purchase history, and entitlements (we receive this from Apple/Google; we do not see your full payment information)
1.3 Information We Do NOT Collect
We do not collect your contacts
We do not collect precise location data (GPS coordinates)
We do not collect cross-app tracking identifiers
We do not access your phone's microphone or camera except when you explicitly use them to add photos to the Service
We do not collect biometric identifiers beyond what you voluntarily enter (e.g., bodyweight)
2. How We Use Your Information
We use the information we collect to:
Provide and operate the Service — display your workouts, render the social feed, sync data across your devices, maintain your account
Compute insights — calculate personal records, training volume, milestones, and analytics for your personal use
Improve the Service — debug issues, fix bugs, understand which features are used, and develop new functionality
Communicate with you — respond to support requests, send service-related notifications, notify you of important updates
Enforce our policies — investigate reports of Terms of Service violations, protect against abuse and fraud
Comply with legal obligations — respond to lawful requests from authorities, enforce our agreements, protect our rights
3. How We Share Your Information
We do not sell your personal information. We do not run advertising. We do not share your information with data brokers.
We share information only in the following limited circumstances:
3.1 Service Providers
We work with carefully selected third-party providers who help us operate the Service. These providers process data on our behalf under contractual obligations to protect your information:
RevenueCat — subscription management and analytics
Apple App Store / Google Play Store — app distribution, in-app purchases
Anthropic — AI-powered features (e.g., training brief generation), where applicable; data sent for AI processing is governed by Anthropic's data policies and is not used to train models
Sentry — anonymous crash and error reporting
A current list of service providers is available upon request at contact@hexrep.com.
3.2 Other Users
Information you choose to make public or share with other users is visible according to your privacy settings:
Public profile (anyone with your handle): display name, handle, bio, profile photo, follower/following counts, lifetime training totals
Followers and followed users: posts you publish to the social feed, controllable per-content-type in Settings
Private by default: journal entries, photos, notes, moods, goals, milestones, body metrics, and detailed workout data unless you explicitly share them
3.3 Legal Compliance
We may disclose information when we believe in good faith that disclosure is necessary to:
Comply with applicable laws, regulations, legal process, or government requests
Enforce our Terms of Service or other policies
Protect the rights, property, or safety of Hexrep, our users, or the public
Detect, prevent, or address fraud, security, or technical issues
3.4 Business Transfers
If Hexrep is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
3.5 With Your Consent
We may share your information for other purposes with your explicit consent.
4. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
Account and workout data: retained while your account is active
Support communications: retained for up to 3 years to improve customer service and for legal record-keeping
Anonymous analytics: retained indefinitely in aggregated, non-identifiable form
Legal records: retained as required by applicable law
When you delete your account, we delete your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or dispute resolution). Backups containing deleted information are overwritten in our normal backup rotation cycle, typically within 90 days.
5. Your Rights and Choices
5.1 Access and Portability
You can access most of your information directly through the app. To request a complete export of your personal data in a portable format, contact us at contact@hexrep.com.
5.2 Correction
You can update your profile information, workout data, and most other content directly in the app. For corrections to information you cannot edit directly, contact us at contact@hexrep.com.
5.3 Deletion
You can delete your account at any time through Settings → Account → Delete Account. Deletion removes:
Your authentication record
Your profile (display name, handle, bio, photo)
All workouts, sets, exercises, and training data
All posts, reactions, comments, and reports
All follows and blocks
All journal entries, photos, notes, moods, goals, milestones
All uploaded media
Anonymized or aggregated data that cannot be linked back to you may be retained.
5.4 Marketing Communications
If we send marketing emails in the future, you can opt out via the unsubscribe link in any such email. Service-related communications (e.g., account security, subscription status) cannot be opted out of while you maintain an account.
5.5 Push Notifications
You can control push notifications through your device settings.
6. Rights Under State Privacy Laws (United States)
If you are a resident of California, Colorado, Connecticut, Utah, Virginia, or another state with comprehensive privacy legislation, you may have additional rights, including:
Right to know what personal information we collect, use, and disclose
Right to access your personal information
Right to delete your personal information
Right to correct inaccurate personal information
Right to data portability
Right to opt out of the sale or sharing of personal information (note: we do not sell or share personal information for cross-context behavioral advertising)
Right to non-discrimination for exercising these rights
Right to limit the use of sensitive personal information
To exercise these rights, contact us at contact@hexrep.com. We will respond within 45 days (or as required by applicable law). We may need to verify your identity before processing your request.
California Residents — Additional Disclosures
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of personal information collected: identifiers (email, username), commercial information (subscription data), internet activity (app usage), sensory data (workout photos if uploaded), professional information (none), inferences (training patterns), and health-adjacent information (workout and body metrics you provide)
Sources of collection: directly from you, automatically through your use of the Service, and from service providers
Business purposes for collection: service operation, support, safety and security, analytics
Categories of third parties: service providers listed in Section 3.1
We do not sell personal information.
We do not share personal information for cross-context behavioral advertising.
We do not knowingly collect or sell information of minors under 16.
You may designate an authorized agent to make requests on your behalf. We may require verification of the agent's authority.
7. Rights Under GDPR (European Users)
If you are located in the European Economic Area, United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent laws give you the following rights:
Right of access — obtain confirmation of whether we process your data and a copy of that data
Right to rectification — correct inaccurate or incomplete data
Right to erasure ("right to be forgotten")
Right to restrict processing — limit how we use your data
Right to data portability — receive your data in a structured, machine-readable format
Right to object to processing based on legitimate interests
Right to withdraw consent at any time where processing is based on consent
Right to lodge a complaint with your local data protection authority
Legal Basis for Processing
We process your personal data on the following legal bases:
Performance of a contract — to provide the Service you've signed up for
Legitimate interests — to improve the Service, prevent fraud, ensure security, debug and fix crashes
Legal obligation — to comply with applicable laws
Data Controller
3 Bonos Holdings LLC, 418 Broadway, Suite N, Albany, New York 12207, United States, is the data controller for personal data processed through the Service.
International Data Transfers
Your data may be transferred to and processed in the United States, where data protection laws may differ from those in your country. Where required, we implement appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.
8. Children's Privacy
Hexrep is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information promptly.
For users between 13 and 18 (or the age of majority in their jurisdiction), parental or guardian consent may be required under applicable law. Parents who believe their child under 13 has provided us with personal information should contact us at contact@hexrep.com.
For California residents under 16, we do not sell personal information without affirmative authorization. For users under 13, this requires parental consent; for users 13-15, this requires the user's affirmative consent.
9. Security
We implement industry-standard technical and organizational measures to protect your personal information, including:
Encryption of data in transit using TLS
Encryption of passwords using cryptographic hashing
Access controls limiting who can view personal data
Regular security reviews of our systems
Vendor security assessments for third-party service providers
However, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.
If we become aware of a data breach affecting your personal information, we will notify you and the appropriate authorities as required by applicable law.
10. Third-Party Services
The Service may include integrations with or links to third-party services, including:
Apple HealthKit / Google Health Connect — if you enable these integrations, you can read and write health and fitness data between Hexrep and the platform. Data exchanged is governed by your device's permissions and the respective platform's privacy policies. Data received from these platforms is processed locally on your device and only uploaded to Hexrep servers if you explicitly choose to log it.
Apple App Store / Google Play Store — for app distribution and in-app purchases
External links — the Service may contain links to third-party websites or services, which are governed by their own privacy policies
We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies.
11. Cookies and Similar Technologies
The Hexrep mobile app does not use cookies. The hexrep.com website may use essential cookies for functionality (e.g., maintaining your session if you sign in via web). We do not use advertising cookies or third-party tracking cookies.
12. Do Not Track
Some browsers offer a "Do Not Track" signal. Because there is no industry consensus on how to interpret these signals, the Service does not currently respond to them. However, we do not engage in cross-site tracking regardless of any such signal.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will:
Update the "Last Updated" date at the top of this policy
Notify you within the app via a banner or notification if changes are material
For significant changes affecting how we process your data, obtain your renewed consent where required by law
We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact Us
For privacy-related questions, concerns, or requests, please contact:
3 Bonos Holdings LLC d/b/a Hexrep
418 Broadway, Suite N
Albany, New York 12207
United States
Email: contact@hexrep.com
For users in the European Economic Area, you may also contact your local data protection authority.
15. Effective Date
This Privacy Policy is effective as of May 21, 2026, and replaces all previous privacy policies.