CragMate Privacy Policy
Effective: 2026-06-29 · Version: 1.0
Scope
This policy covers two things:
- This website, cragmate.com — live today. Its data processing is limited to cookieless, aggregate analytics and is described in This website.
- The CragMate iOS and watchOS app — currently in development and not yet available on TestFlight or the App Store. The sections after "This website" describe how the app will handle your data once it ships, so you can review them before you ever install it.
Where a section applies to only one of the two, it says so.
The short version
CragMate has no backend server and no user accounts. Your climbing data lives on your devices — iPhone and Apple Watch — and nowhere else. The only data that leaves your device is:
- Session summaries sent to your paired Apple Watch (and back) via Apple's WatchConnectivity protocol, device-to-device only.
- Workout data written to Apple Health, if you grant that permission.
- A small set of anonymous, aggregate usage signals sent to TelemetryDeck so we can understand how the app is used without knowing who you are.
Separately, the cragmate.com website sets no cookies and uses only cookieless, aggregate analytics — see This website.
If you are looking for the GDPR section, it is under Your rights.
This website
This section describes the data processing that happens today, on the cragmate.com marketing website. (Everything after it describes the CragMate app, which is not yet released — see Scope.)
Cookies and device storage
This website sets no cookies and stores nothing on your device — no cookies, no
localStorage, no sessionStorage, no device fingerprinting, and no advertising or
tracking pixels. Because nothing is written to or read from your device, the ePrivacy
("cookie law") consent requirement is not triggered, and the site deliberately shows
no cookie-consent banner — there is nothing to consent to.
Website analytics
The site uses TelemetryDeck (TelemetryDeck GmbH, Germany — see Third parties) to understand aggregate visitor activity. When a page loads, the following is sent:
| Signal | Data sent |
|---|---|
| web_page_view | the page path you viewed (e.g. /privacy) and the host of the site that referred you (e.g. google.com), if any |
| web_cta_click | an identifier for the button or link you clicked (e.g. footer_privacy) |
The TelemetryDeck SDK attaches a per-page-load random session ID (it is not stored and
not reused on your next visit) and a single constant value, web-anonymous, that is
identical for every visitor. The site does not assign you a persistent identifier.
As with any request to any website, TelemetryDeck's server receives the IP address
inherent in the network connection; per TelemetryDeck's policy that IP is used
transiently and is not stored in raw form.
What this means: the website cannot identify you, follow you across visits, or build a profile of you. It counts page views and clicks in aggregate.
Legal basis (GDPR Art. 6(1)(f) — legitimate interests): we rely on our legitimate interest in understanding, at an aggregate level, how the site is used and which pages are useful. Because the analytics are cookieless and do not single you out, the impact on you is minimal. You can object to this processing at any time — see Your rights.
What we collect
The sections from here through Retention describe the CragMate app, which is still in development and not yet released. They tell you, in advance, how the app will handle your data once it ships.
CragMate stores the following data locally on your device using Apple's SwiftData
framework. This data resides inside the iOS/watchOS shared App Group container
(group.com.climbr.shared) and is never uploaded to any server operated by CragMate.
Local profile (User record)
When you first launch the app, CragMate generates a random UUID as your local user ID. No sign-in, no account, no email address is required or collected. The profile record stored on-device includes:
- Local user ID (randomly-generated UUID, created on first launch)
- Display name (defaults to "Anonymous Climber"; you can change it)
- Grade scale preferences per climbing discipline (e.g., V-scale for bouldering, French sport for lead)
- Preferred measurement units (metric or imperial)
- Experience level (beginner / intermediate / advanced)
- Primary climbing style preference
- Timestamps for record creation and last update
Fields that exist in the data model but are NOT collected or used in the current anonymous-only version: email address (stored as empty string), first name, last name, profile image URL, authentication provider.
Climbing sessions
Each recorded session stores:
- Session start and end timestamps
- Location label (a text string you enter — not GPS coordinates)
- Session type (indoor bouldering, outdoor sport, trad, etc.)
- Optional goal and notes text (free-form, entered by you)
- Active calories burned and total calories (sourced from Apple Health if permission granted, otherwise 0)
- Average and peak heart rate (sourced from Apple Watch if connected)
- Heart rate timeline — a time-series of (timestamp, bpm) pairs for the session, stored as JSON in an external data file on your device
- Resting heart rate, heart rate variability (HRV), step count, floors climbed, recovery heart rate (all sourced from Apple Health, if granted)
- Total distance (if applicable; estimated flag stored)
- HealthKit Workout UUID (a reference to the corresponding workout saved in Apple Health)
- Source device tag ("iPhone" or "Apple Watch")
- Creation and update timestamps
Individual climb attempts
Each attempt logged within a session stores:
- Optional route name (free-form text you enter)
- Grade (selected from your grade scale)
- Outcome (attempt, send, flash, onsight)
- Relative effort (easy, medium, hard)
- Tags (movement style labels you select, e.g., "crimpy", "overhang")
- Optional notes (free-form text)
- Start and end timestamps for the attempt
- Sort order within the session
App preferences stored in UserDefaults / shared container
- Grade scale selections (persisted as strings)
- Feature flags (e.g.,
analyticsOptIn) — see Third parties
What leaves your device
1. Apple Watch sync (WatchConnectivity)
If you have an Apple Watch with the CragMate watch app installed, the following data travels between your iPhone and Apple Watch using Apple's WatchConnectivity framework. This is a direct device-to-device channel — it does not pass through Apple's servers and it does not go to CragMate's servers (CragMate has no servers).
Data synced between iPhone and Apple Watch:
- Full session records (all fields listed in "Climbing sessions" above)
- Full attempt records (all fields listed in "Individual climb attempts" above)
- User profile (grade scale preferences, display name, units)
- Sync control messages (acknowledgments, conflict signals)
For large payloads (sessions exceeding approximately 60 KB — typically sessions with dense heart rate timelines), the data is written to a temporary file in the App Group container and transferred via WatchConnectivity's file transfer channel. The temporary file is read and then deleted on the receiving device.
2. Apple Health (HealthKit)
CragMate requests HealthKit permission to read and write the following data types. Permission is optional; the app works without HealthKit, but heart rate metrics and calorie data will not be available.
Data CragMate reads from Apple Health:
| Category | Types | |---|---| | Characteristics | Date of birth, biological sex | | Body measurements | Height, body mass, body mass index | | Heart & cardio | Heart rate (during workout), resting heart rate, walking heart rate average, heart rate variability (HRV/SDNN), VO2 max, blood oxygen saturation | | Activity | Active energy burned, basal energy burned, step count, flights climbed, walking/running distance, Apple exercise time | | Workouts | Workout records |
Data CragMate writes to Apple Health:
| Type | What is written | |---|---| | Workout record | A climbing workout entry (start time, end time, activity type) | | Active energy burned | Calories burned during the climbing session | | Heart rate | Heart rate samples collected during the session |
This data is written to Apple Health on your device. CragMate cannot see this data after it is written — it lives in Apple's HealthKit store under your control. You can review and delete it at any time in the Health app.
The profile data read from Apple Health (date of birth, height, weight, etc.) is used only to populate your on-device profile display. It is not stored persistently in CragMate's own database.
3. TelemetryDeck anonymous analytics
CragMate uses TelemetryDeck (TelemetryDeck GmbH, Germany — see Third parties) to collect anonymous usage signals. This helps us understand how the app is used without knowing who you are.
What TelemetryDeck receives:
| Event | Parameters sent |
|---|---|
| app_launched | platform (value: "iOS" or "watchOS") |
| user_created | (none) — fires once, on first launch |
| workout_session_recorded | duration_seconds (integer), attempt_count (integer), session_type (string, e.g. "boulderIndoor") |
| workout_session_details_opened | session_id (the local UUID of the session) |
In addition to the parameters above, TelemetryDeck's SDK automatically attaches standard signals that TelemetryDeck documents as anonymized and non-identifying: app version, OS version, device model class, and a hashed, rotating user identifier derived from your anonymous local user ID. Refer to TelemetryDeck's own privacy policy for the complete list of SDK-level signals.
A note on session_id: the session_id sent in workout_session_details_opened
is a UUID generated locally on your device when the session is created. It is not
linked to your name, email, or any external account. However, it is a stable identifier
that, in combination with other signals, could theoretically be used to track usage
patterns over time.
Analytics opt-in status (planned app): in the app builds to date, analytics are enabled by default and an in-app toggle to disable them (a Privacy Settings screen) is a planned feature that has not yet shipped. We will finalise the in-app consent and opt-out model before the app is released.
What TelemetryDeck explicitly does NOT receive:
- Your display name, route names, or any free-text notes
- Your HealthKit data (heart rate, weight, age, etc.)
- Your climbing grades or individual attempt outcomes
- Your location
- Any persistent device identifier (no IDFA, no IDFV)
What does NOT leave your device
The following data stays on your iPhone and Apple Watch and is never transmitted to CragMate or any third party (other than Apple Health writes, which Apple controls):
- Your display name and climbing preferences
- Your session notes and route names
- Your individual climb attempts, grades, tags, and outcomes
- Your heart rate timeline (the per-second BPM log stored in the external data file)
- Your HealthKit profile data (date of birth, height, weight)
- Your local user ID (the UUID that identifies you within the app)
CragMate has no backend server. There is no CragMate cloud, no remote database, and
no sync service operated by CragMate. SwiftData persistence is configured with
cloudKitDatabase: .none, which means iCloud sync is explicitly disabled.
Third parties
Apple (HealthKit)
CragMate integrates with Apple HealthKit to read workout metrics and write workout records. Apple operates the HealthKit data store on your device under Apple's own privacy policy (https://www.apple.com/legal/privacy/). CragMate does not control how Apple handles your health data.
Apple (WatchConnectivity)
Session sync between iPhone and Apple Watch uses Apple's WatchConnectivity framework. This is a peer-to-peer channel between your devices. Apple's servers do not relay the payload content — the transmission goes directly between your iPhone and Watch when they are within Bluetooth or Wi-Fi range of each other, or through Apple's relay infrastructure when they are not (in which case the content is encrypted end-to-end).
TelemetryDeck GmbH
TelemetryDeck is a privacy-focused analytics service headquartered in Germany and therefore subject to GDPR. According to TelemetryDeck's documentation, signals are processed in a way that makes individual users unidentifiable: user identifiers are hashed with a rotating salt, and raw signals are not stored — only aggregated counts are. CragMate uses TelemetryDeck to understand aggregate usage patterns (how often sessions are recorded, which session types are used, etc.).
TelemetryDeck is also the analytics provider for the cragmate.com website — see This website.
TelemetryDeck's privacy policy: https://telemetrydeck.com/privacy/ TelemetryDeck's EU data processing: TelemetryDeck GmbH is established in the EU (Germany) and processes data within the EU.
No other third parties
CragMate does not integrate with advertising networks, social platforms, crash reporting services (such as Firebase Crashlytics or Sentry), or any other third-party SDK beyond TelemetryDeck and the Apple platform frameworks listed above.
Your rights
Access
All data CragMate holds about you is stored on your own device. You can view your sessions, attempts, and profile at any time within the app.
Export
You can export your session data from the Session Details screen. CragMate supports export in JSON and CSV formats. The exported file includes the full session record and all individual climb attempts. You control where you send the exported file — CragMate does not receive a copy.
Deletion
You can delete individual sessions from within the app. Deleting a session also deletes all climb attempts associated with it (cascade delete). Deleting the app from your device removes the SwiftData store and all locally-stored data.
If a climbing session was saved to Apple Health, deleting it in CragMate does not automatically remove the corresponding workout from Apple Health. You can delete it separately in the Health app.
GDPR rights (EU/EEA/UK users)
If you are located in the European Union, the European Economic Area, or the United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or the UK GDPR:
Right of access (Article 15 GDPR): You have the right to obtain confirmation of whether CragMate processes personal data about you, and if so, access to that data. Because all CragMate data is stored on your device, you can exercise this right directly in the app at any time. If you want a formal confirmation in writing, contact us at privacy@cragmate.com.
Right to erasure (Article 17 GDPR, "right to be forgotten"): You have the right to request deletion of your personal data. You can exercise this right directly by deleting sessions within the app or uninstalling the app. To request deletion of the anonymous analytics signals sent to TelemetryDeck, contact us at privacy@cragmate.com and we will forward the request to TelemetryDeck. Because TelemetryDeck hashes and aggregates signals, individual-level deletion may not be technically possible once aggregation has occurred.
Right to rectification (Article 16 GDPR): You can edit your profile and session data directly in the app.
Right to data portability (Article 20 GDPR): You can export your data in JSON or CSV format as described above.
Right to object (Article 21 GDPR): Our website analytics rely on our legitimate interests (Art. 6(1)(f)), so you have the right to object to them — contact us at privacy@cragmate.com. The app's analytics consent model will be finalised before the app is released (see "Analytics opt-in status" above).
Right to restrict processing (Article 18 GDPR): You have the right to request restriction of processing. Contact us at privacy@cragmate.com.
Supervisory authority: If you believe your rights have not been respected, you have the right to lodge a complaint with your local data protection authority.
Retention
Your data stays on your device for as long as you keep the app installed. CragMate does not operate a retention schedule because we do not hold your data — you do.
- Session and attempt data: retained until you delete individual sessions or uninstall the app.
- User profile: retained until you uninstall the app.
- Apple Health data written by CragMate: retained in Apple Health until you delete it there.
- TelemetryDeck analytics (website and, later, app): TelemetryDeck's documented retention period applies; refer to TelemetryDeck's privacy policy (https://telemetrydeck.com/privacy/) for details.
Changes to this policy
If we update this privacy policy, we will update the "Effective" date at the top of this document; the current version is always the one published at cragmate.com/privacy. Because the website has no accounts and collects no contact details, we cannot notify website visitors individually — please check this page for the latest version. Once the CragMate app is released, significant changes will also be surfaced in the app.
Contact
For privacy inquiries, data access requests, or erasure requests:
Email: privacy@cragmate.com
Alexander answers personally. For general questions, you can also reach us at hello@cragmate.com.
Who we are (Data Controller)
Under GDPR Article 13/14, the "data controller" is the party responsible for deciding how your data is processed. For CragMate, the controller is:
- Name: Alexander Batalov
- Legal status: Natural person (individual developer)
- Country of establishment: Luxembourg
- Governing law: Luxembourg — the General Data Protection Regulation (GDPR) as supplemented by the Luxembourg Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of the GDPR.
- Contact: privacy@cragmate.com
- Supervisory authority: Commission nationale pour la protection des données (CNPD), Luxembourg — https://cnpd.public.lu/. If you believe your rights have not been respected, you may lodge a complaint with the CNPD or with the data protection authority of your own EU/EEA country of residence.
CragMate is developed by Alexander Batalov. This policy covers the cragmate.com website (live today) and the forthcoming CragMate iOS and watchOS apps (in development, not yet released).