Data usage disclosure

Detailed MBGlobal app and website data usage

This page provides a practical, implementation-level description of how MBGlobal data flows through the Android app, API, admin tooling, and website. It is intended to support policy transparency and app-store compliance.

Updated: March 5, 2026 Platform: MBStreak Android + mbgobal.fit services Policy contact: support@mbgobal.fit

1) MBGlobal data map (high level)

Collected directly from users

Account data: email, password, display name.
Profile data: goals, timezone, profile visibility preferences.
Workout data: activity type, duration, optional distance, optional notes.
Social participation data: group joins, challenge joins, challenge requests.

Generated by system processing

Points, streak values, leaderboard ranking, completion percentages.
Workout-derived calorie and goal-met summaries.
API health and route telemetry metrics (latency, status code, route key).
Rate-limit counters and security event traces.

2) Android app data handling

Authentication and session

App submits email/password for login or registration over HTTPS.
API returns access and refresh tokens for authenticated use.
Session tokens are stored on device in encrypted preferences where supported.
Token refresh and logout flows revoke or rotate refresh credentials.

Feature data

Workout submission sends activity fields and notes to the API for daily records.
Profile updates send goal, timezone, and visibility settings to API endpoints.
Groups/challenges endpoints return user-facing list, progress, and ranking payloads.
Cached API payloads are stored locally to support offline/temporary outage behavior.

Optional location access

Fine/coarse location permission is requested only for GPS Assist interactions.
GPS Assist reads last known location to populate in-app form fields.
Current workout sync payloads are driven by workout fields and do not include a dedicated location key.

3) API and backend processing details

Security and identity controls

Password hashes are stored server-side, not raw passwords.
Refresh tokens are persisted as SHA-256 hashes.
JWT access tokens contain expiry and issuer validation claims.
Authentication endpoints enforce request throttling/rate limiting.

Operational reliability data

API request metrics store route key, method, status, and latency.
Rate-limit records store action key, scope key, window, and request count.
Request processing captures request ID and client IP for traceability and defense.
Error logs may include technical traces needed for incident remediation.

4) Website data usage

Website sessions use secure HTTP-only cookies for state and anti-CSRF protection.
Contact form workflow stores inquiry content and abuse-protection metadata.
Contact submissions are validated, rate-limited, and event-logged for fraud defense.
Public pages consume API data for challenge and leaderboard transparency.

5) Google Play style disclosure summary

Personal info

Email and display name are used for account creation, authentication, and community display features.

Health and fitness related inputs

Workout activity records are user-submitted to provide streak, progress, and challenge calculations.

App activity and diagnostics

Operational telemetry and rate-limit metrics are used to secure and maintain service quality.

Approximate/precise location

Location permission is optional and only used for explicit GPS Assist behavior initiated by users.

MBGlobal does not use ad SDKs for cross-app ad profiling.
MBGlobal does not sell personal data.
Data may be shared inside the platform for challenge/group functionality and public leaderboard features.

6) User controls and support

Update profile and notification settings from within the app.
Disable location permission in Android settings at any time.
Request account data access, correction, or deletion by emailing support@mbgobal.fit.
Use in-app legal links (Privacy, Terms, Data Usage) to review latest policy text at any time.