Gymbers

Privacy Policy

Effective Date: August 30, 2025
Last Updated: March 31, 2026

1. Introduction

Gymbers ("Gymbers", "we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal data when you access or use our website (the "Website"), mobile applications for iOS and Android (the "App"), and any associated services (collectively, the "Services").

By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use the Services.

2. Data Controller

The data controller responsible for processing your personal data is:

Gymbers
Operated by the founder in an individual capacity
Flintsbacher Str. 3, 80686 Munich, Germany
Email: contact@gymbers.com

3. Data We Collect

We collect different categories of data depending on how you interact with our Services.

3.1 Account and Authentication Data

  • Email address
  • OAuth identity data when signing in with Google or Apple (provider-specific identifiers, name, and email as shared by the provider)
  • Authentication and session tokens

3.2 Profile Data

  • First name and last name
  • Profile picture
  • Date of birth, gender, and height
  • Fitness preferences (fitness goal, experience level, workout frequency, equipment access, training style, activity level)
  • Unit preference (metric or imperial)

3.3 Fitness and Workout Data

  • Workout sessions (exercises performed, sets, repetitions, weights, duration, notes, timestamps)
  • Exercise progress data (estimated one-rep max, personal records, volume history)
  • Custom exercises and workout program templates
  • Body measurements (weight, body fat percentage, neck, chest, waist, hip, and thigh measurements)

3.4 Nutrition Data

  • Food diary entries (food names, calories, macronutrients, meal categories)
  • Nutrition targets (daily calorie and macronutrient goals)
  • Barcode scans (product barcodes are sent to third-party nutrition databases for food identification; no personal data is included in these lookups)

3.5 Health Platform Data

When you choose to connect Apple Health (iOS) or Google Health Connect (Android), Gymbers accesses specific health data categories. See Section 6 for full details.

3.6 Payment and Purchase Data

  • Subscription status and purchase history (managed by RevenueCat and the respective app store)
  • Marketplace transaction references and VAT information for creator program purchases (processed by Stripe)
  • Gymbers does not store payment card details. All payment processing is handled by third-party providers (Apple, Google, Stripe).

3.7 Analytics and Technical Data

  • Product usage events and feature interactions (collected via PostHog, only when you opt in)
  • Error logs and crash reports (collected via Sentry, without personally identifiable information)
  • Device information (operating system, app version, device model)
  • IP address (used for rate limiting and security purposes)

3.8 Contact Form Data

  • Name, email address, and message content submitted through our Website contact form
  • This data is forwarded to us via email and is not stored in our database

3.9 Push Notification Data

  • Device push notification tokens
  • Notification preferences and opt-in status

4. How We Use Your Data

We use the data collected for the following purposes:

  • To provide, operate, and maintain the Services
  • To create and manage your account, including authentication and profile management
  • To process subscriptions, purchases, and transactions
  • To synchronize your fitness data with health platforms (Apple Health, Google Health Connect) when you enable this feature
  • To look up nutrition information from third-party food databases when you scan barcodes or search for foods
  • To operate the marketplace for creator-published workout programs
  • To send push notifications such as workout reminders and service-related communications (with your consent)
  • To analyze usage patterns and improve the performance and reliability of the Services (when you opt in to analytics)
  • To detect, investigate, and prevent errors, fraud, and abuse
  • To respond to your inquiries submitted via the contact form
  • To comply with legal obligations

5. Legal Bases for Processing

We process your personal data under the following legal bases pursuant to the General Data Protection Regulation (GDPR):

  • Performance of a contract (Art. 6(1)(b)) — to provide you with the Services, including account management, workout tracking, nutrition logging, subscriptions, and marketplace transactions.
  • Legitimate interests (Art. 6(1)(f)) — to maintain and improve the Services, ensure security, detect fraud, and conduct error monitoring.
  • Legal obligations (Art. 6(1)(c)) — to comply with applicable laws, including accounting, tax, and consumer protection requirements.
  • Consent (Art. 6(1)(a)) — where required, such as for analytics data collection, push notifications, and optional features.
  • Explicit consent (Art. 9(2)(a)) — for processing health data through Apple Health or Google Health Connect integrations, which constitutes special category data under the GDPR.

6. Health Data

When you choose to connect a health platform (Apple Health on iOS or Google Health Connect on Android), Gymbers accesses the following health data categories:

Data Gymbers writes to the health platform:

  • Workout summaries (activity type, duration, calories burned)
  • Body weight measurements
  • Body fat percentage measurements
  • Daily nutrition totals (calories, protein, carbohydrates, fat)

Data Gymbers reads from the health platform:

  • Body weight measurements (for bidirectional sync)

How health data is handled:

  • Health data is used solely to keep your fitness data in sync between Gymbers and your device's health platform.
  • Gymbers does not sell, share, or transfer health data to third parties for any purpose, including advertising or data brokerage.
  • Health data is stored locally on your device in an encrypted database and in your encrypted Gymbers cloud account.
  • Health data is not used for purposes unrelated to health and fitness functionality within Gymbers.

You can disconnect the health platform integration at any time from the Health section in Gymbers Settings. Disconnecting stops all future data syncing. Data already synced to the health platform remains in the health platform and can be managed through its settings. Data imported into Gymbers from the health platform remains in your Gymbers account until you delete it or delete your account.

7. Analytics and Tracking

Product Analytics (PostHog)

We use PostHog for product analytics and feature management. PostHog is hosted in the European Union. Analytics collection is disabled by default and is only activated when you explicitly opt in through the App settings. You can opt out at any time, which immediately stops the collection of usage events. When opted out, no analytics data is sent to PostHog.

Error Monitoring (Sentry)

We use Sentry for error tracking and crash reporting to maintain the reliability of the App. Sentry is configured to not collect personally identifiable information. Error reports include technical context such as device type, operating system version, and app version, but do not include your name, email, or personal content.

Website

Our Website does not use tracking cookies or third-party analytics scripts. Strict Content Security Policy headers prevent the loading of external tracking scripts.

8. Data Sharing and Processors

We share your data with trusted third-party service providers who process data on our behalf. We do not sell your personal data to any third party.

Provider                Purpose                                                         Region
Supabase                Database, authentication, file storage                          EU
Vercel                  Website hosting and deployment                                  US / EU
Cloudflare              CDN, DNS, object storage, edge compute                          Global
PostHog                 Product analytics (opt-in only)                                 EU
Sentry                  Error tracking and crash reporting                              US
RevenueCat              In-app purchase and subscription management                     US
Expo                    Push notification delivery and app updates                      US
Resend                  Transactional email delivery (contact form)                     US
Upstash                 Rate limiting (temporary IP-based throttling)                   EU
Apple                   Authentication, HealthKit integration, App Store payments       US
Google                  Authentication, Health Connect integration, Play Store payments US
Stripe                  Marketplace payment processing                                  US
USDA / Open Food Facts  Nutrition data lookup (no personal data transmitted)            US / Global

These providers process data in accordance with their own privacy policies and applicable data protection laws. Where required, appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place.

9. Disclosure of Personal Data

Legal Requirements

Gymbers may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order, regulatory investigation, or government agency request).

Business Transfers

If Gymbers is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

Protection of Rights

Gymbers may disclose your personal data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of Gymbers
  • Prevent or investigate possible wrongdoing in connection with the Services
  • Protect the personal safety of users of the Services or the public

10. International Data Transfers

Your primary data is stored in the European Union (Supabase, AWS EU Central region). Some of our service providers process data in the United States or other countries outside the EU/EEA.

Where personal data is transferred outside the EU/EEA, we ensure an adequate level of protection through mechanisms such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission (e.g., the EU-U.S. Data Privacy Framework, where applicable)
  • Contractual commitments from service providers to maintain equivalent data protection standards

11. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this policy or as required by law.

  • Account deletion: When you delete your account, all associated personal data — including your profile, workout history, nutrition data, body measurements, exercises, programs, and notification tokens — is permanently deleted.
  • Unverified accounts: Accounts that remain unverified (email not confirmed) are automatically deleted after 24 hours.
  • Body measurements: When you delete a body measurement in the App, it is soft-deleted (marked as removed) and excluded from all views and calculations. Soft-deleted records are permanently removed upon account deletion.
  • Marketplace records: Published program snapshots and purchase records are retained as an immutable audit trail for legal and accounting purposes.
  • Transaction references: Limited transaction and payment references may be retained after account deletion to comply with statutory accounting and tax obligations.
  • Contact form messages: Messages sent via the contact form are retained in our email system and are not stored in any database.

12. Data Security

We implement appropriate technical and organizational measures to protect your personal data. These include:

  • Encryption at rest: The local database on your device is encrypted using SQLCipher (AES-256 encryption).
  • Secure key storage: Encryption keys are stored in platform-level secure storage (Apple Keychain on iOS, Android Keystore on Android).
  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS.
  • Row-level security: Database access is enforced through row-level security policies, ensuring that each user can only access their own data.
  • Content Security Policy: Our Website enforces strict Content Security Policy headers that restrict which scripts may load and execute, mitigating cross-site scripting and unauthorized script execution.
  • Rate limiting: Public endpoints are rate-limited to prevent abuse.
  • Minimal data collection: Error monitoring (Sentry) is configured to not collect personally identifiable information, and analytics (PostHog) is disabled by default.

However, no system is completely secure, and we cannot guarantee absolute protection. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours of becoming aware of it and inform affected users without undue delay, as required by the GDPR.

13. Your Rights

Under the GDPR and applicable data protection laws, you have the following rights:

  • Right of access (Art. 15) — to request a copy of your personal data.
  • Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — to request deletion of your personal data.
  • Right to restriction of processing (Art. 18) — to limit how we process your data in certain circumstances.
  • Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, and machine-readable format, or to request that it be transferred to another controller.
  • Right to object (Art. 21) — to object to processing carried out on the basis of legitimate interests.
  • Right to withdraw consent (Art. 7(3)) — to withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — to file a complaint with your local supervisory authority. For users in Bavaria, Germany, the competent authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA).

To exercise any of these rights, please contact us at contact@gymbers.com. We will respond to your request within 30 days.

14. Children's Privacy

The Services are intended for users aged 18 and older. Gymbers does not knowingly collect personal data from individuals under the age of 18. If we become aware that data has been collected from a minor, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at contact@gymbers.com.

15. Links to Other Websites

Our Services may contain links to third-party websites and services that are not operated by us, including app stores, health platforms, payment providers, and community platforms. If you follow a link to any third-party site, please note that the site has its own privacy policy.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.

16. Changes to This Privacy Policy

Gymbers reserves the right to modify or update this Privacy Policy at any time. We will update the "Last Updated" date at the top of this page. For material changes, we will notify users through the App or via email. Continued use of the Services after such changes constitutes acceptance of the revised policy.

17. Contact Information

For any privacy-related questions, data subject requests, or concerns, please contact us at:

Gymbers
Flintsbacher Str. 3, 80686 Munich, Germany
Email: contact@gymbers.com