Privacy Policy

Last Updated: February 25, 2026

1. Data Controller

The entity responsible for processing your data:

2. Data Categories & Purpose

A. Account Information (Art. 6.1.b / 6.1.f)
  • Data: Email address, username, hashed password, temporary verification tokens.
  • Purpose: Account creation, secure login, password reset, identity verification, and protecting the system against automated bots (Security & Integrity).
  • Legal Basis: Performance of Contract (6.1.b) and Legitimate Interest (6.1.f) for security and fraud prevention.
B. Training & Performance Data (Art. 6.1.b)
  • Data: Workout logs (sets, reps), Training Capacity Profile (e.g., "High Frequency"), Equipment Configuration (e.g., Seat Height), and Algorithmic Preferences (Rep Targets, Inactivity thresholds).
  • Purpose: To visualize training volume, track consistency, and estimate workload capacity based on mathematical formulas (Iron Engine).
  • Clarification: GymOptic does not process physiological, medical, or biometric health data (e.g., heart rate, blood pressure, or body composition measurements). All metrics and workload thresholds are derived strictly from the exercise logs you enter and do not infer physiological state.
  • Rest & Mobility Tools: Features such as "Sleep Audio", "Cool Down", or "Focus Breath" are mechanical pacing tools (timers/audio players). Using these features does NOT collect data about your sleep quality, stress levels, or recovery status.
  • Legal Basis: Performance of Contract.
C. Local Device Data
  • Data: Photos of gym equipment and Caffeine Tracking logs.
  • Storage: Only on your device via IndexedDB / LocalStorage (Local Vault).
  • Control: You have full control; clearing your browser data or using the in-app flush buttons deletes this data permanently.

Note: This data is never uploaded to our servers.

Non-Health Inference Clause

GymOptic does not analyze, infer, predict, or assess the user’s physical or mental health, fitness level, recovery state, injury risk, or medical condition. All visualizations represent abstract training load derived solely from user-entered workout logs and are not indicators of health or physiological status.

Visual indicators of intra-workout state (e.g., Prime, Active, Depleted) are strictly mathematical counters based on the number of sets logged in a given session. They are NOT biological, physiological, or medical measurements of the user's actual energy levels.

3. Retention & Cookies

Retention: Data is kept only as long as your account is active. Deleting your account deletes all server data permanently; no residual copies remain on our servers beyond necessary brief disaster recovery windows, except where specific retention is required by applicable law (e.g., security logs or legal obligations).

To adhere to the principle of Storage Limitation (GDPR Art. 5), we enforce auto-deletion for inactive data:

  • Ghost Accounts (30 Days): Unverified or empty accounts with no activity for 30 days are deleted.
  • Inactive Accounts (24 Months): Accounts with no logins for 2 years are permanently purged.

The "No Cookie Banner" Protocol: You may have noticed the absence of an annoying "Accept Cookies" popup. This is intentional. Because we use ZERO tracking pixels, analytics scripts, or advertising cookies, we are not legally required to annoy you with one. We only use a single, strictly necessary session cookie to keep you logged in. Just log in and lift.

4. Security Measures (Art. 32)

  • Encryption in Transit: HTTPS/TLS 1.3 for all communication.
  • Password Hashing: All passwords hashed with bcrypt.
  • Session Security: CSRF protection and secure session handling.

5. Your Rights

  • Access & Portability: Export your data as JSON/CSV via Settings.
  • Other Rights: Right to Rectification, Restriction of Processing, and Objection to Processing.
  • Right to Erasure: Permanently delete your account instantly.

6. Data Processors

Data Processing Agreements (DPAs) are in place with all sub-processors in accordance with GDPR Art. 28.

  • Cloudflare: Security and DNS (Standard DPA).
  • Spaceship / SMTP Provider: Email services for account verification.
  • No CDNs: We do not use external Content Delivery Networks for fonts, scripts, or styles. All frontend assets are self-hosted to prevent IP leakage to third parties like Google.

7. Complaints

If you believe your rights are violated, you may lodge a complaint with the Danish Data Protection Agency (Datatilsynet).

© 2025-2026 GymOptic. All rights reserved.