PRIVACY POLICY
Version v1.0 · Effective 2026-04-29 · Last updated 2026-04-29
Tillen is offline-first. Your training data lives on your phone. It only leaves your device if you sign in to Tillen Sync, save a backup to a destination you choose, or grant Health Connect permission. Each of those is described below.
What stays on your device
Your workouts, sets, templates, custom exercises, body measurements, and settings live in a local database on your phone. Your name, bodyweight, and unit preferences live in your phone's preferences store. Sensitive items, like the sync session token and any passphrase you choose for encrypted backups, are kept in the platform's secure keystore.
Uninstalling the app removes all of this from the device. Backup files you wrote to an external location stay where you put them.
Tillen Account
Signing in is optional. Tillen uses Google Sign-In. Google verifies your account and gives Tillen your verified email address and a stable Google account identifier. Nothing else from your Google account is read.
The Tillen server stores your email, the Google identifier, and the dates the account and provider link were created. A long random session token is generated at sign-in and stored in your phone's secure keystore. The token expires after 30 days of inactivity and is invalidated server-side when you sign out.
Tillen Sync
Tillen Sync is opt-in. When you sign in and sync is on, your training data is uploaded to the Tillen server over HTTPS so it stays consistent across your devices.
Sync data is stored on the Tillen server in a form Tillen can read. This is a deliberate trade-off: the server can run sync without you having to remember a separate encryption passphrase. If you would rather Tillen could not read your training data at rest, use the encrypted backup feature described below instead of Tillen Sync.
What sync uploads:
- Your workouts, including the sets, exercises, notes, and timestamps inside them.
- Templates you create.
- Custom exercises and custom measurement types you create or edit.
- Body measurements you log.
- Your app settings (name, bodyweight, units, plate setup, rest defaults, reminder preferences, accent color).
Built-in exercises and built-in measurement types are not uploaded. Tillen does not share, sell, or license sync data, does not use it for advertising, and does not train any model on it.
Encrypted backups
Encrypted backups are a separate feature from Tillen Sync. The app can write a single backup file containing your entire database to a destination you choose. The file is encrypted on your phone with a passphrase you set, using modern memory-hard key derivation and authenticated AES-256 encryption.
Your passphrase never leaves your phone. Tillen never sees it, your storage provider never sees it, and there is no recovery if you forget it. Choose something you can remember or store in a password manager.
You can write the backup to:
- A folder on your phone, picked through the system file picker.
- A folder in your Google Drive that Tillen alone can see (Tillen cannot access the rest of your Drive).
- iCloud Files (iOS).
- The app's private storage, kept on the device for local restore.
Storage providers only ever hold the encrypted file. Tillen never sees its contents once it is written.
Health Connect (Android only)
If you grant Tillen the Health Connect permissions, the app writes one workout session record and one active calories record to Health Connect every time you finish a workout. The calorie value is estimated locally from your bodyweight and the session duration.
Tillen never reads from Health Connect. The integration is write-only. You can revoke the permissions at any time in the Health Connect app, and Tillen will continue to work without them.
Permissions
On Android, Tillen asks for permission to send notifications (for rest timer alerts and weekly reminders), to vibrate the phone (for haptics on set completion and timer end), and to receive a system signal at boot (so scheduled reminders survive a reboot). The Health Connect write permissions are only requested if you turn the integration on.
On iOS, Tillen asks for camera and photo library access only when you tap the avatar to take or pick a profile photo.
What Tillen doesn't do
Tillen does not embed any analytics SDK, crash reporter, advertising library, fingerprinting library, or remote configuration service. There are no third-party trackers in the app or on this website.
The Tillen server is hosted on Cloudflare. Cloudflare's edge platform records standard HTTP request metadata (timestamps, IP, user-agent, status code) for security, abuse prevention, and uptime monitoring. Tillen does not run additional logging on top of that.
Sign-out and account deletion
Signing out of the app invalidates your session on the server, clears the sign-in state on your phone, and leaves your local training data intact so it is not lost from the device.
To permanently delete your account, open Settings, tap Account, and use Delete account. The dialog asks you to type the word DELETE to confirm. On confirm, your account record and every row of synced data tied to it are removed from the server in a single operation. Your local workout history on the device is kept; you can keep using Tillen offline or sign in again later with a different account.
If you cannot reach the in-app setting, email [email protected] from the address linked to the account and we will run the deletion server-side.
Children
Tillen is not directed at children under 13. If you believe a child has provided personal information to us, please contact us so we can remove it.
Contact
Questions or data requests: [email protected].
Changes to this policy
The "Last updated" date at the top of this page moves whenever the policy changes. Material changes are summarized here.