Maxxd Legal

Effective Date: April 7, 2026
Company: Wave State, LLC (“Wave State”, “we”, “us”, or “our”)
Address: 2033 San Elijo Ave #1011, Cardiff, CA 92007, USA
Contact: support@wavestate.co

This Privacy Policy explains how we collect, use, disclose, and protect information about users of the Maxxd mobile application (the “App” or “Service”).

By using the App, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.

Note: This Policy includes principles from applicable privacy laws (including the California Consumer Privacy Act (CCPA/CPRA) and the EU/UK General Data Protection Regulation (GDPR)). You should have a qualified attorney review for specific compliance needs.

1. Scope

This Privacy Policy applies to information we collect:

Through the Maxxd mobile application
Through related services and communications
Through our support channels

It does not apply to third-party websites, services, or applications, even if accessed through the App.

2. Information We Collect

We collect the following categories of information:

2.1 Account and Profile Information

Name, email address, and password
Mobile phone number (required for account creation and identity verification; also stored as a searchable property in our analytics platform for internal account lookup and support purposes)
Optional profile details such as gender, date of birth, height, weight, fitness goals, and preferences

2.2 Health, Fitness, and Usage Data

Workout history, sets, reps, weights, exercise performance
Nutrition data including foods logged, calories, macronutrients, and notes
Progress metrics such as weight changes, body measurements, and optional progress photos

Some of this data may qualify as “sensitive personal information” under applicable laws.

2.3 Camera and Photo Data for AI Scanning

When you use our AI scanning features, we collect:

Photos captured using your device camera
Photos you choose to upload from your device
Metadata associated with images (where available)

These images are used to:

Detect and identify food items
Estimate calories and nutritional content
Improve our AI models and recognition systems

Image Processing: Photos may be processed on our secure servers. When we use them to improve recognition systems, we de-identify or pseudonymize the images whenever feasible.

You can revoke camera or photo access at any time through your device settings.

2.4 Apple Health Integration (HealthKit)

With your explicit permission, Maxxd may read and/or write certain data through Apple Health (HealthKit), such as:

Steps, distance, and active minutes
Heart rate data
Workouts and exercise sessions
Weight and body composition metrics
Sleep duration and related data

This data is used only to:

Personalize workouts, nutrition insights, and recovery recommendations
Display analytics, charts, and trends
Award points, streaks, and achievements

We do not use HealthKit data for advertising, and we do not sell HealthKit data.

You can enable or revoke permissions at any time via your device settings.

2.5 Device and Technical Information

We may automatically collect:

Device identifiers (device ID, OS version, app version)
IP address and approximate location (derived from IP)
Log data including feature interactions, usage times, crash reports, and diagnostics

2.6 Cookies and Similar Technologies

We may use cookies, SDKs, or similar technologies in web-based components to:

Remember your preferences
Analyze usage and performance
Improve the App

Where required by law, we will request consent before using these technologies.

2.7 Support and Communications

If you contact us, we collect:

Your email address
The content of your messages
Attachments you send
Support and feedback records

3. How We Use Your Information

3.1 To Provide and Maintain the App

Create and manage user accounts
Deliver core features such as workout planning, nutrition logging, and AI scanning
Sync and display your progress across devices

3.2 To Operate Our AI and Analytics

Process images and data to estimate calorie and nutrient values
Improve recognition accuracy, algorithms, and overall app performance
Develop new features and functionalities
Analyze usage patterns, feature engagement, and onboarding effectiveness using third-party analytics platforms. Your activity in the App is associated with a pseudonymous account identifier. Your phone number is stored as a property on your analytics profile for internal account lookup and support purposes. Certain onboarding responses (such as fitness goals, experience level, and dietary preferences) and usage data (such as meal logging activity and workout engagement) are also sent to our analytics provider to help us improve the App.

3.3 To Personalize Your Experience

Generate tailored workout recommendations
Adjust training volume, difficulty, or nutrition targets
Provide suggestions and insights based on your goals and behaviors

3.4 To Communicate With You

Respond to messages and provide customer support
Send administrative notifications (account security alerts, policy updates)
Provide optional feature updates or relevant notices
Send SMS messages for account verification and promotional communications (see Section 3.7)

3.5 For Security and Fraud Prevention

Detect, investigate, and prevent unauthorized access
Protect users and Wave State from fraudulent or malicious activity

3.6 For Legal Compliance

Comply with legal obligations
Enforce our Terms of Service
Respond to lawful requests from authorities

3.7 SMS and Text Messaging

When you provide your mobile phone number during account creation, we may use it to send you text messages for the following purposes:

Verification and security: One-time passcodes (OTP) for account verification, login authentication, and security alerts.
Promotional messages: Occasional marketing or re-engagement messages about Maxxd features, offers, or updates (up to 4 messages per month).

By providing your phone number and creating an account, you consent to receiving these text messages. Message and data rates may apply. Message frequency varies but will not exceed 4 promotional messages per month. Verification messages are sent only when triggered by an account action.

You can opt out of promotional messages at any time by replying STOP to any message. Opting out of promotional messages will not affect verification or security messages. For help, reply HELP or contact support@wavestate.co.

We do not sell, rent, or share your mobile phone number or SMS consent with third parties or affiliates for their own marketing or promotional purposes.

Carriers are not liable for delayed or undelivered messages. Compatible carriers include but are not limited to major US carriers. Check with your carrier for details on your text messaging plan.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the EEA or UK, we process your personal data under one or more of the following legal bases:

Contract: To provide and maintain the Service, including creating your account, delivering workouts and nutrition plans, and processing your data to operate core features.
Consent: For processing health-related data (including nutrition logs and fitness metrics shared with analytics providers), image scanning, HealthKit integration, and certain communications. You may withdraw consent at any time, though this may limit functionality.
Legitimate Interests: To improve and secure the App, analyze usage patterns, and optimize the user experience — provided these interests are not overridden by your rights. This includes using a pseudonymous account identifier for product analytics and storing your phone number as a searchable property for internal support. We have conducted a balancing assessment for this use.
Legal Obligation: To comply with applicable laws.

GDPR Controller Statement. For users in the EEA and UK, Wave State, LLC is the data controller for your personal data. PostHog, Inc. acts as a data processor on our behalf for analytics data, under a Data Processing Agreement that includes Standard Contractual Clauses for international transfers.

We do not sell your personal information for money. We do not sell, rent, or share your mobile phone number or SMS consent information with third parties or affiliates for their marketing or promotional purposes.

We may share information as follows:

5.1 Service Providers

We use third-party vendors to help operate and improve the App, including:

Cloud hosting and storage for secure data infrastructure
Analytics — We use PostHog, a product analytics platform, to understand how users interact with the App. Your activity is tracked using a pseudonymous account identifier. PostHog also receives your phone number (as a searchable property for internal lookup), onboarding responses (such as fitness goals, experience level, dietary style, and date of birth), and usage data (such as meal logging details, workout engagement, and feature interactions). PostHog processes this data on our behalf under a Data Processing Agreement. For more information, see PostHog’s privacy policy at https://posthog.com/privacy.
Crash reporting and diagnostics
Payment processing (via app stores)
Email delivery and communication
SMS delivery (for verification codes and promotional messages)

These providers are contractually required to protect your information and may only use it as we instruct.

5.2 AI and Model Infrastructure Partners

When using external infrastructure for model training:

We de-identify or pseudonymize data whenever feasible
Partners are required to protect data through contractual safeguards

5.3 Legal and Safety Disclosures

We may disclose information if necessary to:

Comply with legal obligations
Protect any person’s safety
Defend the rights or property of Wave State

5.4 Business Transfers

If Wave State undergoes a merger, acquisition, financing, or sale of assets, your information may be transferred subject to continued protection under this Policy.

5.5 Aggregated and De-Identified Data

We may use or share data that cannot reasonably identify you for analytics, research, or lawful business purposes.

6. Data Retention

We retain your information for as long as reasonably necessary to:

Provide and maintain the App
Comply with legal obligations
Resolve disputes
Enforce our agreements

Analytics data. Usage events and associated identifiers stored in our analytics platform (PostHog) are retained for up to 24 months from the date of collection. After this period, events are deleted or anonymized. If you request account deletion, we will also delete your identifiable analytics data from PostHog within 30 days of processing your request.

Some data may remain in encrypted backups for a limited time after deletion.

7. Your Choices and Control

7.1 Camera and Photo Permissions

You may revoke camera or photo access at any time in device settings.
Disabling these permissions prevents use of certain AI scanning features.

7.2 Account and Profile Information

You may update or delete certain account information within the App.
For full account deletion requests, contact support@wavestate.co. Upon processing your request, we will delete your account data from our servers and remove your identifiable data from our analytics platform (PostHog), including your phone number and any associated event history. Some data may persist in encrypted backups for a limited period.

7.3 Marketing Communications

You may opt out of marketing emails using unsubscribe links or by contacting us.
You may opt out of promotional SMS messages at any time by replying STOP to any message.
Opting out of promotional SMS does not affect transactional messages such as verification codes and security alerts.
We may still send non-marketing administrative messages.

8. Your Privacy Rights

8.1 California Residents (CCPA/CPRA)

You may have the right to:

Request disclosure of personal information collected
Request access or deletion
Request correction of inaccurate information
Limit the use of sensitive personal information
Not be discriminated against for exercising your rights

We do not “sell” or “share” personal information for cross-context behavioral advertising.

Submit requests to support@wavestate.co.

You may have the right to:

Access your personal data
Request correction or deletion
Restrict or object to processing
Request data portability
Withdraw consent

You may lodge a complaint with your local supervisory authority.

8.3 Other Regions

We will honor privacy rights provided under your local laws where required.

9. Children’s Privacy

The App is not intended for children under 13.
We do not knowingly collect personal information from children under 13.
If you believe we collected data from a child under 13, contact support@wavestate.co.

10. Security

We use reasonable technical and organizational safeguards to protect your information.
However, no system can be guaranteed 100% secure.
You are responsible for maintaining the confidentiality of your login credentials.

11. International Data Transfers

Your information may be transferred to and processed in the United States or other jurisdictions with different data protection laws.

Where required, we implement appropriate safeguards such as standard contractual clauses.

12. Automated Decision-Making and Profiling

Maxxd uses algorithms and AI to:

Provide workout and nutrition recommendations
Estimate calories and macronutrients
Adjust difficulty and schedule insights

These systems are intended to assist, not replace, personal judgment.

Recommendations may not always be accurate or appropriate for every user.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.
If changes are material, we will update the Effective Date and may provide in-app or email notice.
Continued use of the App indicates acceptance of any updated Policy.

14. Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, contact:

Wave State, LLC
2033 San Elijo Ave #1011
Cardiff, CA 92007
USA
Email: support@wavestate.co