Native app legal document
GymOptic Privacy Policy
Last updated: May 14, 2026
This policy explains what GymOptic processes, what stays on your device, what can be processed through account and sync features, and what rights and controls you have.
1. Data Controller
- GymOptic is operated by Christian H. in Denmark (EU).
- If you have questions about privacy, data handling, or your rights, contact: [email protected]
2. Data We Process
- Local profile and app-choice data: name or display name, 16+ confirmation, preferred rep range, onboarding choices, legal acknowledgements, Explicit Consent choice, and similar app settings stored on your device.
- Training and workflow data: workouts, sets, reps, load, timestamps, machine setup details, cardio logs, routines, Hybrid Race stations, Hybrid Race sessions, and related training history.
- Account-related data: email address, authentication records, account ID, sync-related identifiers, and supported synced workout or workflow data when you choose to create or link an account.
- Pro access data: Pro status, invite or promo code redemption records, entitlement metadata, access checks, rate-limit records, and related account-security events when you use Pro features.
- Feedback and support data: feedback type, message, optional reply email, platform, app version, and technical status needed to receive, review, and respond to feedback you choose to send.
- Local media and local-only private progress data: custom machine photos, race station photos, optional progress check-in photos, optional bodyweight entries, optional notes, and unfinished draft form data stored on your device.
- Some optional private progress features may involve data that could be sensitive from a privacy perspective, such as progress photos, bodyweight entries, and related training notes. GymOptic only enables these features after a separate Explicit Consent choice.
- Device feature data: notification permission status, scheduled local rest-timer alerts, and Wear OS companion messages if you use a compatible watch logger.
- Technical logs: our infrastructure providers may process limited technical logs, such as timestamps, IP address, device or app context, request metadata, or error logs, where needed for security, troubleshooting, abuse prevention, and service reliability.
3. Why We Use The Data
- To provide the core app features you request, including onboarding, training logs, cardio logging, Hybrid Race, reports, exports, imports, custom machines, routines, and account-linked sync features.
- To generate app features based on your own logged training data, such as Ghost suggestions, progress summaries, volume views, category briefings, session briefings, and other performance-oriented estimates.
- To operate server-verified Pro features, including checking entitlement status and returning Pro Ghost recommendations or category briefings when your account has access.
- To provide optional private progress and load-insight features on your device when you enable Explicit Consent.
- To receive and handle feedback or support messages you intentionally submit.
- To operate account security, prevent abuse, troubleshoot service issues, and maintain the stability of the app and cloud services.
4. Legal Bases
- Core app use and account or sync features: performance of the service you request.
- Optional private progress features: your separate Explicit Consent, including where this is needed for privacy-sensitive progress data such as progress photos, bodyweight entries, or related notes.
- Security, abuse prevention, troubleshooting, service reliability, feedback handling, and defending legal claims: legitimate interests.
- Legal compliance and dispute handling: legal obligation or legitimate interests where applicable.
- Under the GDPR, these may correspond to Article 6 legal bases such as contract or service performance, consent, legitimate interests, or legal obligation. Where optional private progress data is treated as special-category data, GymOptic relies on your separate Explicit Consent under Article 9.
5. Local Storage And Cloud Sync
- GymOptic is designed as a local-first app. Without a linked email account, the app stays in local mode.
- Cloud sync only applies when you use a linked email account and currently covers supported training and workflow data such as machines, workouts, sets, cardio logs, routines, Hybrid Race sessions, and the preferred rep range setting.
- When you use server-side Pro features, relevant account, machine, profile preference, and recent training context may be sent to GymOptic cloud functions so they can verify access and return Ghost recommendations or category briefings.
- Machine photos, race station photos, progress check-in photos, optional progress check-in bodyweight and notes, Explicit Consent state, and local drafts stay on your device and are not part of the standard synced workout dataset.
- Local-only private progress check-ins and their photos are not part of the standard cloud export dataset.
- When you intentionally create a local device export or full local backup, the export may include private progress check-in data such as bodyweight and notes, and a full local backup may also include local progress photo files when available.
- If you delete the app, clear app storage, or lose access to the device without a backup or sync, local data may be permanently lost.
6. Processors, Recipients, And Sharing
- We do not sell personal data, share it for cross-context behavioral advertising, or use advertising analytics inside the app.
- We currently use Supabase and related infrastructure providers to support authentication, cloud sync, Pro access checks, feedback intake, and server-side app features.
- Personal data may be processed by service providers acting on our instructions, such as hosting, authentication, storage, and support infrastructure providers.
- Export and sharing features let you intentionally share your own files, such as JSON, CSV, or PDF, through your device sharing options.
7. International Transfers
- Depending on the cloud providers, regions, and subprocessors involved, some personal data may be processed outside your country and, in some cases, outside the EU/EEA.
- Our current main cloud provider is Supabase, used for authentication, cloud sync, Pro checks, feedback intake, and server-side app features.
- Where personal data is transferred outside the EU/EEA, we rely on appropriate safeguards where required, such as contractual safeguards, provider data-processing terms, and applicable transfer mechanisms.
- If you want more information about the current cloud setup relevant to your account, contact us at [email protected].
8. Retention
- Local data remains on your device until you delete it, delete the app, clear app storage, or otherwise remove it from the device.
- Local-only private progress data can also be removed separately from the Account screen without deleting the rest of your account or normal training history.
- Cloud account data is kept while your account remains active, unless a longer retention period is required for legal, security, or dispute-handling reasons.
- If you delete your account in the app, GymOptic will delete or anonymize supported cloud account data and synced workout data, unless limited records need to be kept for legal, security, fraud-prevention, Pro or promo-code abuse-prevention, or dispute-handling reasons. These limited records may include pseudonymous identifiers such as hashed email or account identifiers.
- Feedback messages are kept for as long as reasonably needed to respond, troubleshoot, and improve the app, and may later be deleted or anonymized.
- If we introduce inactivity-based cloud deletion in the future, we intend to describe that policy clearly before relying on it.
9. Your Rights
- Subject to applicable law, you may have rights of access, rectification, erasure, restriction, objection, data portability, withdrawal of consent, and other privacy rights that apply where you live.
- Inside the app, you can already export local data, export cloud data, import supported files, edit local profile fields, manage Explicit Consent, delete local private progress data, and delete your account and data from the Account screen.
- You may also contact us at [email protected] to ask privacy-related questions or exercise rights that are not fully available in-app.
10. Required Vs Optional Data
- Some data is required for specific features. For example, a 16+ confirmation and acceptance of the Privacy Policy and Terms are required to use the app, and an email address is required if you want a linked cloud account.
- Explicit Consent is optional and is only required for certain private progress or private load-insight features.
- Notification permission is optional and is only needed for rest-timer alerts outside the active app screen.
- Pro access, promo code redemption, feedback submission, cloud sync, and Wear OS companion logging are optional feature paths that require the data needed for those paths to work.
- Other profile fields, such as training preferences and linked-account choices, are optional and can be adjusted later.
11. Automated Decision-Making
- GymOptic uses formulas and app logic to generate training-related estimates and suggestions from user-entered data, such as Ghost suggestions, training summaries, volume views, and similar product features.
- Some Pro outputs may be generated by server-side cloud functions after checking account entitlement.
- These outputs are product features for planning and visualization. They are not solely automated decisions that produce legal effects or similarly significant effects on you.
12. Wear OS Companion
- If you use the optional GymOptic Wear OS companion app, the watch app is only used as a workout logging remote for the phone app. It may display your active machine, planned set context, and simple log controls.
- Sets, reps, load, and related workout actions logged from the watch are sent to the GymOptic phone app and become part of your normal workout history.
- The Wear OS companion does not collect heart rate, sleep, recovery, calories, GPS, Samsung Health, Health Connect, HealthKit, or other wearable health sensor data.
- The watch app is a remote set logger, not a health sensor collector.
13. Children, Safety, And Scope
- GymOptic is intended for users aged 16 or older under the product rules of the app.
- GymOptic is designed as a training-log and performance-planning app. It is not intended to diagnose health conditions, provide medical treatment, or replace professional medical advice.
- Some profile and training data may still be personal and sensitive from a user perspective, which is one reason the app uses a local-first design for key profile fields.
14. Complaints And Contact
- If you are located in Denmark, the EU/EEA, or the UK and believe your data rights have been violated, you may contact us first at [email protected].
- You may also have the right to lodge a complaint with your local data protection authority. In Denmark, this is the Danish Data Protection Agency, Datatilsynet.