OnSet

OnSet Mobile Application

Privacy Policy

Effective Date: April 28, 2026

Last Updated: April 28, 2026

OnSet ("we," "our," or "us") operates the OnSet mobile application (the "App"). This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the rights and choices available to you. By accessing or using the App, you agree to the practices described in this policy.

OnSet serves two distinct audiences: (1) facility operators and administrators ("Facilities") who subscribe to the platform and control how it is used within their organization, and (2) individual staff members, route setters, and other personnel ("End Users") who access the App through a Facility account. This policy addresses both relationships. If you are an End User, please also refer to your Facility's own privacy policy, as your Facility acts as the data controller for the operational data you generate within the App.

If you do not agree with this policy, please discontinue use of the App and contact us to request deletion of your data.

1. Information We Collect

a. Account Information

  • Full name, if provided during registration
  • Email address
  • Authentication credentials, managed and encrypted by Supabase; we never store raw passwords

b. Facility Operational Data (Processed on Behalf of Your Facility)

The following data is generated and controlled by your Facility. OnSet processes it on the Facility's behalf as a data processor, under the Facility's instructions:

  • Climb logs, route data, setter assignments, notes, and grading information
  • Wall and inventory records, scheduling data, and route lifecycle information
  • Role assignments, permissions, and team structures within your facility
  • Any other operational content entered into the platform by you or your Facility

Because your Facility controls this data, requests to access, correct, or delete it should be directed to your Facility administrator first. OnSet will assist the Facility in fulfilling such requests as required.

c. Device & Technical Data

  • Device type, model, and operating system version
  • App version and session data
  • IP address and general location, at country or region level only
  • Crash reports, error logs, and performance diagnostics collected via Sentry

d. Push Notification Data

  • Device push tokens, used solely to deliver notifications
  • Notification preferences and interaction data, such as whether a notification was opened

e. Information We Do NOT Collect

We do not collect precise GPS location, financial or payment information, government ID numbers, biometric data, health information, or contacts from your device.

f. Data Minimization

OnSet collects only the minimum personal data necessary to provide the App's features. We do not require users to provide personal information beyond what is needed for the App to function. We periodically review what data we collect and delete or stop collecting data that is no longer necessary.

2. How We Use Your Information

We process your data only for the following purposes and do not use it for any other purpose without your consent:

  • Provide, operate, and maintain the OnSet platform
  • Create and manage user accounts, roles, and permissions
  • Enable real-time collaboration among facility staff and setters
  • Send push notifications related to assignments, route updates, or system activity
  • Monitor app performance, diagnose bugs, and fix crashes via Sentry
  • Improve features and user experience based on aggregated, anonymized usage patterns
  • Respond to your support inquiries and communications
  • Comply with applicable legal obligations

Legal basis for users in jurisdictions requiring this disclosure: We process your data on the basis of (i) contractual necessity to provide the service, (ii) legitimate interests in improving and securing the App, and (iii) your consent where required.

3. How We Share Your Information

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We share information only in the following limited circumstances:

a. Service Providers

Supabase provides secure cloud database infrastructure and authentication services. Data is stored in encrypted form. See: https://supabase.com/privacy

Sentry provides error monitoring and crash diagnostics. Error data may include device info and anonymized stack traces. See: https://sentry.io/privacy/

Apple Push Notification Service (APNs) is used to deliver push notifications to your device. Only device push tokens are shared, solely for routing notifications. Message content is never disclosed to Apple beyond what is required for delivery.

We require all third-party service providers who receive your personal data to provide the same or equivalent level of protection as described in this Privacy Policy and as required by applicable law. We contractually prohibit our service providers from using your data for purposes other than those specified in our agreements with them.

b. Within Your Facility

Certain profile information, such as your name and role, is visible to other authorized users within your facility or organization on the App. You consent to this by joining a facility workspace.

c. To Your Facility Administrator (as Data Controller)

If you access OnSet through a Facility account, your Facility is the data controller for the operational data you generate, including climb logs, setter records, scheduling, and related activity. OnSet processes this data on the Facility's behalf and may share it with or make it accessible to your Facility's administrators as part of normal platform operation. The Facility is responsible for its own data practices with respect to its staff.

d. Legal Requirements

We may disclose your information if required by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or ensure the safety of users or the public.

e. Business Transfers

If OnSet is involved in a merger, acquisition, or asset sale, your information may be transferred as part of that transaction. We will notify you via email or prominent in-app notice before your data becomes subject to a different privacy policy.

f. With Your Consent

We may share your data with additional third parties when you explicitly authorize us to do so.

3b. Facility Administrators: OnSet's Role as Data Processor

When a gym, climbing facility, or other organization ("Facility") subscribes to OnSet and grants its staff access to the App, OnSet acts as a "data processor" for that Facility. The Facility is the "data controller" for operational data generated by its staff within the platform.

What This Means for End Users

If you use OnSet through your employer or a facility you work for:

  • Your Facility, not OnSet, is primarily responsible for how your operational data is managed, retained, and disclosed
  • Your Facility administrator has access to data you enter into the platform as part of normal operations
  • Questions about how your Facility handles your data should be directed to your Facility administrator or your Facility's own privacy policy
  • OnSet will process your data only as instructed by your Facility, except where we are independently required by law to act otherwise

What OnSet Controls Independently

Separate from Facility operational data, OnSet acts as an independent data controller for:

  • Account credentials and authentication data, including your email and login
  • Device and technical data collected for app performance and diagnostics via Sentry
  • Push notification tokens and preferences
  • Support communications you send directly to OnSet

For this independently controlled data, the rights and obligations described throughout this Privacy Policy apply directly between you and OnSet.

Data Processing Agreements

OnSet enters into Data Processing Agreements (DPAs) with Facilities that require them, including those subject to GDPR or other applicable data protection laws. These agreements govern OnSet's obligations as a processor, including security standards, sub-processor disclosures (Supabase, Sentry, APNs), and breach notification timelines. Facility administrators may request a copy of OnSet's standard DPA by contacting billy@onsetops.com.

4. Data Storage and Security

  • Data is stored in secure cloud infrastructure provided by Supabase, using AES-256 encryption at rest and TLS 1.2+ in transit
  • Access to production systems is restricted to authorized personnel only, using role-based access controls
  • We conduct periodic reviews of our security practices and promptly address identified vulnerabilities
  • In the event of a data breach that affects your personal information, we will notify you in accordance with applicable law

Important: While we implement industry-standard safeguards, no system is completely immune to risk. You are responsible for maintaining the confidentiality of your account credentials.

5. Data Retention

We retain your personal data for as long as necessary to:

  • Provide the App and its features
  • Maintain your account and its history
  • Comply with legal, tax, and regulatory obligations
  • Resolve disputes and enforce our agreements

When you request account deletion, we will delete or anonymize your personal data within 30 days, except where retention is required by law. Aggregated, anonymized data, which cannot identify you, may be retained indefinitely for analytics purposes.

For Facility operational data, including climb logs, setter assignments, and route records, retention is governed by the Facility's instructions and any applicable Data Processing Agreement. End Users seeking deletion of operational data should contact their Facility administrator. OnSet will fulfill deletion requests from Facilities within 30 days of instruction.

5b. Aggregated and Anonymized Data

OnSet may derive aggregated, anonymized data from the information processed through the platform, for example, overall usage patterns, feature adoption trends, or general platform performance metrics. This data is stripped of all personally identifying information and cannot reasonably be used to identify any individual user or Facility.

We use this anonymized data to:

  • Improve the OnSet platform and develop new features
  • Understand how the App is used across our customer base
  • Generate internal benchmarks and product analytics

Aggregated and anonymized data is not subject to deletion requests, as it does not constitute personal data. It may be retained indefinitely. We do not sell or share anonymized data with third parties for advertising purposes. If we ever share it externally, for example in published product research, it will be presented only in aggregate form that cannot identify any individual or Facility.

6. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your account and associated personal data
  • Portability: Request your data in a machine-readable format
  • Objection / Restriction: Object to or request restriction of certain processing activities
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at billy@onsetops.com.

We will respond to verifiable requests within 30 days, or as required by applicable law. We do not charge a fee for reasonable requests. We may require identity verification before fulfilling requests.

Important: If you access OnSet through a Facility account, some rights, particularly access, correction, and deletion of operational data, must be exercised through your Facility administrator, as the Facility is the data controller for that data. OnSet will redirect requests accordingly and assist Facilities in fulfilling them.

California residents: Please see the California Privacy Rights section for additional rights under the CCPA/CPRA.

EEA/UK residents: Please see the EEA/UK Privacy Rights section for additional rights under GDPR.

7. Push Notifications

OnSet uses push notifications to alert you to assignment updates, route changes, and other facility activity. Notifications are delivered via Apple Push Notification Service (APNs) on iOS.

Your Consent Is Required First

We will never send you push notifications without your explicit prior consent. When you first launch the App, iOS will present a system permission prompt asking whether you allow OnSet to send notifications. We only begin sending notifications if you tap "Allow." We do not send notifications to users who have declined or not yet responded to this prompt.

What We Send

  • Assignment notifications, for example when you have been assigned a new route to set
  • Route and wall update alerts relevant to your facility
  • System and account activity relevant to your role

We do not send marketing, promotional, or advertising push notifications. OnSet notifications are limited strictly to operational activity directly relevant to your role and facility. No promotional content will ever be sent via push notification without your separate, explicit opt-in consent obtained through in-app consent language, which we currently do not use and have no plans to implement.

Revoking Consent

You may withdraw your consent and disable notifications at any time through:

  • Your device's system Settings > Notifications > OnSet
  • Notification preferences within the OnSet app settings

Revoking notification consent will not affect your ability to use any core features of the App. If you later re-enable notifications, you will resume receiving them.

8. Children's Privacy

OnSet is intended for use by adults and professional facility staff. The App is not directed to children under the age of 13, or 16 in certain jurisdictions. We do not knowingly collect personal data from children.

If you believe we have inadvertently collected information from a child, please contact us immediately at billy@onsetops.com and we will delete that information promptly.

9. Third-Party Services and Links

The App integrates with the following third-party services, each governed by its own privacy policy:

  • Supabase: supabase.com/privacy
  • Sentry: sentry.io/privacy/
  • Apple Push Notification Service (APNs): apple.com/legal/privacy/

We are not responsible for the privacy practices of these third parties. We encourage you to review their policies. We perform due diligence when selecting service providers to ensure they meet appropriate data protection standards.

10. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

  • Post the updated policy in the App with a new effective date
  • Send you an in-app notification or email, where required by law, at least 30 days before changes take effect

We will provide advance notice of material changes before they take effect. Your continued use of the App after that notice period does not waive any rights you hold under applicable law. If you do not agree to the updated policy, you may discontinue use of the App and request deletion of your data by contacting us at billy@onsetops.com.

11. International Data Transfers

OnSet is operated from the United States. If you access the App from outside the United States, your data may be transferred to and processed in the United States or other countries where our service providers operate. These countries may have different data protection laws than your country.

Where required by law, for example transfers from the EEA or UK, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses (SCCs) to safeguard your data.

14. Tracking Technologies, SDKs, and Persistent Identifiers

The App uses the following third-party SDKs and tools that may collect or use persistent identifiers for the purposes described below. We do not use any tracking technologies for advertising or cross-app tracking.

Sentry (Error Monitoring)

Sentry may assign a persistent device-level identifier to correlate crash reports and error logs across sessions. This identifier is used solely for diagnostic purposes: to group related errors and understand how crashes affect specific devices. It is not used for advertising, profiling, or shared with advertising networks.

  • Data collected: device identifiers, OS version, app version, stack traces, session context
  • Purpose: crash diagnostics and performance monitoring only
  • Retention: governed by Sentry's data retention policy at sentry.io/privacy/

Apple Push Notification Service (APNs)

APNs assigns a push token to your device when you grant notification permissions. This token is stored on our servers solely to route notifications to your device and is not used for tracking or advertising.

Apple App Privacy Label Disclosure

In accordance with Apple's App Privacy requirements, our App Privacy nutrition label on the App Store discloses all data types collected and their purposes. The categories disclosed in this policy are consistent with that label. If you observe any discrepancy, please contact us immediately.

We do not use any analytics SDKs, advertising SDKs, or fingerprinting technologies beyond what is described above.

Privacy Manifest (PrivacyInfo.xcprivacy)

In compliance with Apple's privacy manifest requirements, effective Spring 2024, OnSet includes a PrivacyInfo.xcprivacy file in the app bundle. This machine-readable file declares all APIs that could be used for device fingerprinting, the approved reasons for their use, and all data types collected by the App and its third-party SDKs. The declarations in this manifest are consistent with the disclosures in this Privacy Policy and the App Privacy label on the App Store.

Artificial Intelligence

OnSet does not currently use third-party artificial intelligence (AI) services to process your personal data. We do not send user data to any external AI providers such as OpenAI, Google Gemini, Anthropic, or similar services. If this practice ever changes, we will update this policy, notify you in advance, and obtain any required consent before your data is shared with an AI service, in accordance with Apple App Store Guideline 5.1.2(i).

15. Do Not Track

Some browsers and mobile operating systems include a "Do Not Track" (DNT) feature that signals your preference not to be tracked across websites and apps. Because there is no universally accepted standard for how apps must respond to DNT signals, OnSet does not currently alter its data practices in response to DNT signals.

However, we want to be clear: we do not engage in cross-app tracking, behavioral advertising, or the sale of your data regardless of DNT status. If industry standards for DNT compliance are established, we will evaluate and adopt them accordingly.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Know: The right to know what personal information we collect, use, disclose, and sell
  • Delete: The right to request deletion of your personal information
  • Correct: The right to correct inaccurate personal information
  • Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising
  • Limit Use of Sensitive Information: We do not collect sensitive personal information as defined by the CPRA
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To submit a CCPA request, contact: billy@onsetops.com. You may designate an authorized agent to submit requests on your behalf with written authorization.

17. EEA / UK Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area or the United Kingdom, the following additional information applies:

  • Data Controller: OnSet is the data controller for the personal data you provide
  • Legal Bases: We process your data based on contract performance, legitimate interests, legal obligation, or your consent
  • Data Protection Officer: If required, contact us at billy@onsetops.com
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority

To submit a GDPR data subject request, contact: billy@onsetops.com. We will respond within the timeframes required under applicable law.

18. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

OnSet Support
Email: billy@onsetops.com
Mailing Address: ONSET OPERATIONS LLC, 3817 Evanston Ave N, Seattle, WA 98103

We aim to respond to all inquiries within 5 business days. For verified data subject requests under CCPA or GDPR, we will respond within the legally required timeframe.

19. Accessing This Privacy Policy

This Privacy Policy is available in the following locations:

  • Within the App: navigate to Settings > Privacy Policy
  • App Store listing: linked in the OnSet App Store product page metadata
  • Online: available at /privacy-policy

This policy is written in plain English and is available in English. If you require this policy in another language or an accessible format, please contact us at billy@onsetops.com.

This document was prepared for App Store and Google Play compliance. It is not legal advice. Consult a qualified attorney to ensure compliance with laws applicable to your jurisdiction.

ContactBack to site