Privacy Policy
Last updated: April 1, 2026
1. Data Controller
The data controller responsible for your personal data is:
- Name: [FULL NAME - TO BE FILLED IN]
- Registered Address: [REGISTERED OFFICE ADDRESS - TO BE FILLED IN]
- Tax ID / VAT: [P.IVA/CF - TO BE FILLED IN]
- Email: privacy@gymsweat.com
- Website: gymsweat.app
GymSweat has not appointed a Data Protection Officer (DPO) as it is not required under Art. 37 of the GDPR. For any questions or requests regarding your personal data, please contact us at privacy@gymsweat.com, which is the designated point of contact for all privacy-related matters.
2. Data We Collect
We collect the following categories of personal data when you use the GymSweat app and services:
Account Information
- Email address
- Display name
- Authentication provider data (Google, Apple, or email/password credentials)
- Profile photo (if provided)
Workout & Fitness Data
- Workout logs (exercises, sets, reps, weight, RPE, rest times)
- Workout templates and programs
- Workout schedules
- Personal records (PRs) and performance history
Body Metrics
- Body weight logs
- Injury logs
- Hydration logs
- Biometric data (height, body fat %, if provided during onboarding)
Device & Technical Information
- Device type, operating system, and app version
- IP address (for security and analytics)
- Crash reports and diagnostic data
Analytics Data
- App usage patterns (screens visited, features used, session duration)
- Performance metrics (load scores, ACWR (acute:chronic workload ratio), recovery scores)
3. Purpose of Data Processing
We process your personal data for the following purposes:
- App Functionality: To provide and maintain the core workout tracking, analytics, and coaching features.
- Account Management: To create and manage your user account, authenticate your identity, and sync your data across devices.
- Performance Improvement: To improve our algorithms (auto-regulation engine, strength classification, coaching insights) and user experience.
- Subscription Management: To process and manage your GymSweat Pro subscription, including billing and entitlements.
- Notifications: To send you relevant local notifications (e.g., hydration reminders) based on your preferences.
- Support: To respond to your inquiries and provide customer support.
4. Legal Basis for Processing
We process your personal data under the following legal bases as defined by the GDPR:
- Consent (Art. 6(1)(a)): For analytics tracking via PostHog, which is opt-in during onboarding. You may withdraw consent at any time from the app's settings.
- Contract Performance (Art. 6(1)(b)): To deliver the services you have signed up for, including workout tracking, data sync, and subscription features.
- Legitimate Interest (Art. 6(1)(f)): For security measures, fraud prevention, and improving our services.
5. Health-Related Data (Art. 9 GDPR)
GymSweat collects self-reported wellness and fitness data such as body weight, body fat percentage, RPE (Rate of Perceived Exertion), injury logs, and recovery scores. This data is entered voluntarily by you and is not derived from medical devices, clinical assessments, or healthcare providers.
While this data may relate to physical well-being, we treat it with the highest care. As a precautionary measure, we rely on your explicit consent (Art. 9(2)(a) GDPR) for processing this category of data, which you provide upon account registration. You may withdraw this consent at any time by deleting your account or contacting us at privacy@gymsweat.com.
6. Third-Party Data Processors
We share your data with the following third-party processors, each bound by its own data processing agreement:
- Firebase (Google Cloud): Authentication, Firestore database (cloud sync and backup), Cloud Storage (exercise images), Cloud Functions, and Crashlytics.
- RevenueCat: Subscription management and entitlement tracking.
- PostHog: Product analytics and event tracking (consent-based, EU-hosted instance).
- Apple / Google: In-app purchase processing and payment handling through their respective app stores.
- Paddle: Subscription billing for web purchases.
7. Data Retention
- Account data: Retained for as long as your account is active. Deleted upon account deletion request.
- Workout and fitness data: Retained for as long as your account is active. Fully erasable upon request.
- Analytics data: Anonymized after 12 months. Raw event data is purged on a rolling basis.
- Crash reports: Retained for 90 days for debugging purposes, then automatically deleted.
8. Your Rights (GDPR Art. 15–22)
As a data subject, you have the following rights under the GDPR:
- Right of Access (Art. 15): You may request a copy of all personal data we hold about you. Use the "Export My Data" feature in the app's Settings screen to download your data instantly in JSON format, or email privacy@gymsweat.com.
- Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete data. You can edit your profile directly in the app, or contact us at privacy@gymsweat.com.
- Right to Erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten"). Use the "Delete Account" option in the app's Settings, or email privacy@gymsweat.com.
- Right to Restriction (Art. 18): You may request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of your data or evaluate an objection). Contact us at privacy@gymsweat.com.
- Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format. Use the "Export My Data" feature in the app's Settings screen to download all your personal data in JSON format. You can also email privacy@gymsweat.com to request an export.
- Right to Object (Art. 21): You may object to processing based on legitimate interest. Contact us at privacy@gymsweat.com.
- Right Regarding Automated Decisions (Art. 22): GymSweat uses an AI-driven auto-regulation engine to generate training suggestions (e.g., readiness scores, load recommendations). These are informational aids and do not constitute decisions with legal or similarly significant effects. You may request human review of any automated output by contacting us.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. For analytics consent, toggle the switch in the app's Settings. For website cookies, click "Cookie Preferences" in the website footer.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. For users in Italy, this is the Garante per la Protezione dei Dati Personali (www.garanteprivacy.it).
9. Data Export & Deletion
Data Export (Art. 20)
You can export all your personal data at any time using the "Export My Data" button in the app's Settings screen. Your data will be provided in JSON format — a structured, commonly used, machine-readable format as required by GDPR Art. 20. You may also request a data export by emailing privacy@gymsweat.com.
Data Deletion (Art. 17)
You can delete your data in two ways:
- In-App: Navigate to Settings and use the "Delete Account" option. This triggers a full GDPR deletion process that removes all your data from both local storage (Drift/SQLite) and remote storage (Firestore).
- Email Request: Send a deletion request to privacy@gymsweat.com. We will process your request within 30 days.
If your request is particularly complex, we may extend the processing period by up to two additional months, in which case we will inform you within 30 days of receiving the request and explain the reason for the delay (Art. 12(3) GDPR).
Response Time
We will respond to all data rights requests without undue delay and within one month of receipt. For complex requests, this period may be extended by up to two further months with prior notification.
10. Cookies & Tracking
The GymSweat website uses PostHog for product analytics. PostHog is hosted in the EU and uses first-party cookies. Analytics tracking requires your explicit consent, provided via the cookie banner on first visit.
The GymSweat mobile app uses PostHog for event tracking. This is opt-in during the onboarding flow and can be disabled at any time in the app settings.
We do not use third-party advertising cookies. We do not sell your data to advertisers.
For a detailed list of all cookies used, their purpose, and duration, please see our Cookie Policy.
11. Cross-Border Data Transfers
Your data may be processed in the following regions:
- European Union: PostHog analytics (EU-hosted instance). No cross-border transfer.
- United States — Firebase/Google Cloud: Google LLC is a certified participant in the EU-U.S. Data Privacy Framework (DPF). Additionally, Standard Contractual Clauses (SCCs) approved by the European Commission are in place as a supplementary safeguard.
- United States — RevenueCat: Data transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission.
- United Kingdom / United States — Paddle: Paddle Payments Ltd is established in the UK with operations in the US. Transfers are governed by the UK-EU adequacy decision and SCCs where applicable.
12. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Local database encryption via SQLCipher (SQLite encryption at rest)
- Encryption keys stored in platform-secure storage (Keychain / KeyStore)
- TLS encryption for all data in transit
- Firebase Security Rules enforcing per-user data isolation
- Periodic security reviews and dependency audits
13. Children's Privacy
GymSweat is not intended for children under the age of 14, in accordance with Art. 8 of the GDPR and the Italian implementing legislation (D.lgs. 101/2018, which sets the age of digital consent at 14 in Italy). We do not knowingly collect personal data from children under this age. If you believe a child has provided us with personal data, please contact us at privacy@gymsweat.com and we will promptly delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, via in-app notification. The "last updated" date at the top of this page indicates when the policy was last revised.
15. Contact
For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:
- Email: privacy@gymsweat.com
- Website: gymsweat.app