Privacy Policy
Version v2026-05-19. Effective 2026-05-19.
1. Who we are
Plifto ("we", "us") operates the Plifto web and mobile applications. For privacy-related questions contact privacy@plifto.com.
2. What we collect
- Account information: email address, password hash (we never store passwords in clear text), display name, and chosen username.
- Profile information: any optional fields you add (e.g. claimed lifter record, privacy preferences, radar preferences).
- Operational and diagnostic information: IP address, user agent, request timestamps, and limited diagnostic information from your browser or app. This information is used to operate the Service, prevent abuse, and diagnose issues. It is recorded in routine server logs and rotated as described in Section 9.
- Authentication tokens: session cookies issued by our authentication provider so you stay logged in.
- Consent records: every time you accept the Terms of Service and Privacy Policy, we store a consent event containing your user ID, the version and a cryptographic hash of each document you accepted, the date and time of acceptance, your browser's user-agent string, and an opaque one-way hash of your authentication session ID. We do not store your IP address in consent records. The session ID hash cannot be reversed to recover your session token; it exists only to link a consent event to a specific authenticated session for evidentiary purposes.
We also receive data from third parties on your behalf:
- OpenPowerlifting — historical meet results, including names, weight classes, attempts, and totals. See Section 3 for the upstream license and our use of that data.
- LiftingCast — live attempt-by-attempt data during active meets via public CouchDB feeds. The same upstream framing applies (see Section 3).
- Federations — when you submit a verification request, we may receive corroborating information directly from the relevant federation (e.g. USAPL, IPF) to confirm a claim.
3. Public competition records (OpenPowerlifting and LiftingCast)
The Service mirrors publicly available powerlifting competition results. Records are imported from the OpenPowerlifting dataset and, during active meets, from public CouchDB feeds operated by LiftingCast. The original sources are not under our control and publish this information as part of competitive sports records.
OpenPowerlifting attribution. The OpenPowerlifting dataset is released under CC0 / public domain. As suggested by the project: this page uses data from the OpenPowerlifting project, https://www.openpowerlifting.org. You may download a copy of the data at https://gitlab.com/openpowerlifting/opl-data.
As a result, real names and competition results may appear on per-lifter profile pages (for example, /lifter/[id]) whether or not the corresponding lifter has signed up for an account.
Opt-out path. If you are a lifter, or the parent or guardian of a lifter, and you would like a profile page removed, redacted, or corrected, email privacy@plifto.com. Because these records are derived from publicly available competition results, we honor good-faith, first-person (or guardian) requests with minimal friction: tell us, in your own words, which profile and the meets or federation it covers so we can confirm we are acting on the correct record. We do not require government identification or uploaded documents; we may ask brief follow-up questions to confirm a request is genuine and made by you or on your behalf. Removals are reversible and audit-logged, so a request made in error or in bad faith can be corrected. Where we offer a higher-assurance feature (such as a verified-athlete badge), we use a dedicated third-party identity service rather than collecting identity documents ourselves. We respond within 30 days, or sooner where applicable law requires. Removing a profile from Plifto does not remove the record at its original source (for example, OpenPowerlifting or the relevant federation).
4. Legal basis (EEA / UK)
For users in the European Economic Area or the United Kingdom, our legal bases for processing are:
- Consent — for creating an account, accepting these documents, and any future optional features (e.g. email digests).
- Legitimate interest — for operating the Service, preventing fraud and abuse, displaying public competition records that are already published by federations and event organizers, and retaining consent records as evidence of agreement to these documents. You may object at any time via privacy@plifto.com.
- Contractual necessity — for providing the features you request (e.g. claiming a profile, following another lifter).
5. How we use information
- To create and authenticate your account.
- To display the Service to you and to other users (public profile pages, competition history, leaderboards).
- To prevent abuse, fraud, and impersonation.
- To respond to support requests, opt-out requests, and legal obligations.
- To communicate service-essential information (e.g. security notices, material changes to these documents).
- To maintain a defensible record that you accepted the Terms of Service and Privacy Policy at a specific point in time.
We do not sell your personal information. We do not run third-party advertising during the closed beta.
6. Third-party processors
We use the following service providers to operate Plifto. Each processes only the data necessary for its function:
- Fly.io — application hosting (United States).
- Neon — managed Postgres database (United States).
- Vercel — frontend hosting and edge delivery (global edge network).
- Better Auth — authentication library (runs in our infrastructure, no third-party transfer of credentials).
- Cloudflare R2 — encrypted archive of raw upstream data sources.
We will update this list when we add analytics, push notifications, or other processors. Material additions trigger a version bump of this Policy and re-acceptance.
7. Cookies
We use a single cookie for authentication. It stores a session token and is required for the Service to function. We do not use advertising or third-party tracking cookies during the closed beta.
8. International transfers
Our infrastructure is hosted in the United States. By using the Service from outside the United States, you understand that your data is transferred to and processed in the United States and other jurisdictions where our processors operate. Where applicable law requires additional safeguards (such as Standard Contractual Clauses), we will put them in place before transferring data.
9. Retention
- Account data: kept while your account is active and for up to 90 days after deletion (during which the deletion can be reversed by signing back in). After 90 days the account is permanently removed. You may also request immediate permanent deletion at any time.
- Public competition records: kept for as long as they remain in the upstream source. Opt-out requests remove the record from Plifto regardless of upstream state.
- Consent records: retained for the lifetime of your account. After hard deletion of your account, we anonymize the consent record by removing your user ID, user-agent string, and session ID hash, retaining only the date, version, and cryptographic hash of each document. This anonymized record is kept indefinitely as part of our aggregate compliance trail and contains no information that identifies you.
- Operational and diagnostic logs: kept for up to 90 days, then rotated.
10. Your rights
Depending on where you live, you may have the right to access, correct, delete, restrict, or object to processing of your personal information, and to data portability. Send any such request to privacy@plifto.com. We respond within 30 days, or sooner where applicable law requires, and will not retaliate for exercising these rights.
Right to immediate erasure. Under GDPR Article 17 (and equivalent laws in other jurisdictions), you have the right to request immediate erasure of your personal data without waiting out the 90-day soft-delete window. Use the "Delete immediately" option during account deletion, or contact privacy@plifto.com.
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect and to direct us not to sell it (we do not sell personal information). EEA and UK residents have rights under the GDPR/UK GDPR and may lodge a complaint with their local supervisory authority.
11. Children under 13
The Service is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you are under 13, please do not create an account or submit any information. If we learn we have collected personal information from a child under 13, we delete it promptly. Parents who believe their child has provided personal information to us can contact privacy@plifto.com for removal.
12. Security
Passwords are stored as one-way hashes. Communications are encrypted in transit (TLS). We restrict internal access to personal information to a need-to-know basis. No system is perfectly secure; if we become aware of a breach affecting your information, we will notify you in accordance with applicable law.
13. Changes to this Policy
We may update this Policy from time to time.
Material changes — such as new categories of data collected, new third-party processors handling personal data, changes to retention periods, or changes to your rights — increment the version number and require explicit re-acceptance. Active users see a full-screen prompt at next sign-in and must accept, sign out, or delete their account before continuing to use the Service.
Non-material changes — such as typographical fixes, formatting, or contact-information updates — also increment the version number but show a soft banner inviting review. Continued use after the effective date of a non-material change constitutes acceptance.
We may also email active users about material changes (per CAN-SPAM and applicable laws). Each acceptance is recorded as a consent event with the version, document hash, timestamp, user-agent, and session ID hash described in Section 2.
14. Contact
Privacy questions and opt-out requests: privacy@plifto.com.