Privacy Policy
Last updated: April 14, 2026
This Privacy Policy describes how GainLogger ("we," "us," or "our") collects, uses, and shares your personal information when you use our mobile application and website (collectively, the "Services").
1. What Information Do We Collect?
Personal information you provide to us
We collect personal information that you voluntarily provide when you register for an account, use our Services, or contact us. This includes:
- Account information: name (optional), email address, and password
- Profile preferences: weight unit (kg/lb), first day of week, timezone
- Fitness data: workout sessions, exercise logs, workout templates, progress records, and personal records. This data may be considered health-related information under certain privacy laws.
- Apple Watch & HealthKit data: if you use the GainLogger Apple Watch companion app, we collect real-time heart rate readings and calories burned from Apple HealthKit during your workout sessions. This data is associated with individual sets and sessions to provide training intensity insights. HealthKit access requires your explicit permission and can be revoked at any time in your device’s Settings > Privacy & Security > Health. We do not read or access any other HealthKit data categories beyond heart rate and active energy burned.
- Photos: you may optionally take or select photos for exercise variants using your device camera or photo library. These images are uploaded and stored on our servers.
- Push notification tokens: if you opt in to push notifications, we store a device token to deliver notifications
Information received from third parties
We may receive limited personal information from third parties in connection with your use of our Services, including:
- Social login providers (Google, Apple): If you choose to register or log in using Google Sign-In or Apple Sign-In, we receive your name and email address from the respective provider to create or link your account.
- Subscription management (RevenueCat): We receive purchase and subscription status data (product ID, expiration date, platform) from RevenueCat to manage your subscription tier.
Information automatically collected
- Timezone data: We store your device's timezone setting (e.g., "Europe/Berlin") to ensure dates, streaks, and workout history display correctly. This does not reveal your precise geographic location. We do not request GPS or location permissions.
- Server logs: Our backend servers automatically log request metadata including your IP address, request timestamps, HTTP method, URL path, and response status codes. These logs are used for security monitoring, debugging, and maintaining service reliability. Logs are not shared with third parties.
- Crash & error reporting (Sentry): Our mobile app uses Sentry, a crash reporting and error monitoring service hosted in the EU (Germany), to detect and diagnose technical issues. Sentry automatically collects crash reports, error logs, device information (model, OS version), and app navigation breadcrumbs. Sentry may also collect your IP address and user ID to help us correlate errors with affected accounts. For more information, see Sentry's privacy policy.
- Website analytics (Google Analytics): Our website uses Google Analytics 4 to collect anonymized usage data such as page views, referral sources, device and browser type, and approximate geographic region. Google Analytics uses cookies to distinguish unique users. This data helps us understand how visitors interact with our website and improve our content. No personally identifiable information is sent to Google Analytics. This applies to the website only, not the mobile app.
Sensitive information
Your fitness and workout data, including heart rate and calorie data collected via Apple HealthKit, may be considered health-related information under certain privacy regulations (including GDPR’s “special categories of data” and HIPAA). We process this data only to provide and improve our Services. We will never sell, share for advertising, or use your HealthKit data for purposes unrelated to the Services.
Device storage
- Mobile application: Our mobile app stores your authentication token and cached data locally on your device using platform-native storage (AsyncStorage). We do not use cookies in the mobile app.
- Apple Watch: The GainLogger companion app stores cached workout templates and a session authentication token locally on your Apple Watch to enable independent operation when your iPhone is not nearby. This data is stored in watchOS-native storage and is protected by your device passcode.
- Website: Our website uses the following storage mechanisms:
- localStorage (
cookie-consent): stores your cookie consent preference. Persistent until cleared.
- Google Analytics cookies (
_ga, _ga_*): set only after you accept the cookie consent banner. Used to distinguish unique visitors. Expire after 2 years (_ga) and 24 hours (_ga_*).
- We do not use advertising cookies or tracking cookies for ad targeting.
Information we do NOT collect
- We do not request GPS, microphone, or contacts permissions. We access Apple HealthKit only for heart rate and active energy data during workouts, with your explicit consent.
- We request camera and photo library access only when you choose to attach a photo to an exercise variant. This permission is optional and can be denied without affecting core functionality.
- We do not use advertising SDKs or ad tracking
- We do not use third-party analytics or advertising SDKs in the mobile app (no Firebase Analytics, no ad networks)
- We do not sell or share your data with data brokers
2. How Do We Process Your Information?
We process your personal information for the following purposes:
- Account management: to create and manage your user account, authenticate your identity, and maintain your profile settings
- Providing the Services: to store, display, and sync your workout data, templates, progress, and personal records across your devices including Apple Watch
- Health & fitness insights: to display heart rate and calorie data captured from Apple HealthKit during your workouts, and to evaluate progression rules that help you track when to increase weight or adjust your training
- Communications: to send you email verification codes, password reset emails, and push notifications (when opted in)
- Subscription management: to verify your subscription status and provide access to premium features
- Security and fraud prevention: to monitor for suspicious activity, enforce our terms, and protect our users
- Service improvement: to maintain, debug, and improve the reliability and performance of our Services
- Crash reporting and diagnostics: to automatically detect, report, and diagnose crashes and errors in the mobile app to improve stability
Legal bases (GDPR): We process your data based on (a) your consent (e.g., opting in to notifications), (b) performance of a contract (providing the Services you signed up for), and (c) our legitimate interests (security, service improvement).
3. When and With Whom Do We Share Your Information?
We may share your data with the following categories of third-party service providers who help us operate our Services:
| Service | Data Shared | Purpose |
|---|
| Supabase (database hosting, EU region) | All account and workout data, exercise photos | Database infrastructure and storage |
| RevenueCat | User ID, subscription/purchase status, platform | In-app purchase and subscription management |
| Resend | Email address | Sending email verification codes and password reset emails |
| Expo Push Notifications | Push notification tokens, notification content | Delivering push notifications to your device |
| Sentry (EU datacenter, Germany) | Crash reports, error logs, device info, IP address, user ID | Crash reporting and error monitoring |
| Google Analytics (website only) | Anonymized usage data (page views, device/browser info, approximate location) | Website traffic analysis and audience insights |
| Google (Sign-In only) | Authentication tokens | Account authentication via Google Sign-In |
| Apple (Sign-In only) | Authentication tokens | Account authentication via Apple Sign-In |
| Apple HealthKit (on-device only) | Heart rate samples, active energy burned (read-only) | Capturing workout intensity metrics during active sessions on Apple Watch. This data is read from HealthKit on your device and transmitted to our servers as part of your workout session data. We do not write data back to HealthKit. |
We do not sell your personal information to any third party.
We use Google Analytics on our website for anonymized traffic analysis only. We do not use advertising networks, data brokers, or analytics platforms that share your data for ad targeting or profiling purposes.
Social features
If you use social features (template sharing, user search), your name and public ID may be visible to other users. Your email address is never exposed to other users.
4. International Data Transfers
Our primary database is hosted in the EU (Supabase, eu-central-1) and crash reporting data is processed in the EU (Sentry, Germany). However, some service providers are based in the United States, which means your personal data may be transferred to and processed in the US:
| Service | Location | Safeguards |
|---|
| Supabase | EU (eu-central-1) | Data remains in EU |
| Sentry | EU (Germany) | Data remains in EU |
| RevenueCat | United States | Standard Contractual Clauses |
| Resend | United States | Standard Contractual Clauses |
| Expo Push Notifications | United States | Standard Contractual Clauses |
| Google (Sign-In, Analytics) | United States | EU-US Data Privacy Framework |
| Apple (Sign-In) | United States | Standard Contractual Clauses |
Where personal data is transferred outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.
5. How Do We Handle Your Social Logins?
We provide you with the option to register or log in using your existing Google or Apple account. If you choose to register this way, we receive your name and email address from the provider to create your account. We do not receive or store your social account password. We do not support Facebook, X (Twitter), or other social media logins.
The profile information we receive may vary depending on the provider and your privacy settings with that provider. We use this information only for authentication and account creation.
Google API Limited Use Disclosure: Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. How Long Do We Keep Your Information?
We retain your personal information for as long as your account is active. Specific retention periods:
- Account data (profile, workout history, templates, records): retained until you delete your account
- Email verification codes: automatically expire after 15 minutes
- Password reset codes: automatically expire after 1 hour
- Push notification tokens: retained until your device unregisters or you delete your account
- Server logs: retained for operational purposes and periodically rotated
- Exercise photos: retained until you remove the photo or delete your account
- HealthKit data (heart rate, calories): stored as part of your workout session data and retained until you delete the session or your account. Revoking HealthKit permissions prevents future collection but does not delete previously collected data from our servers—to remove it, delete the associated workout sessions or your account.
- Apple Watch cached data: workout templates and authentication tokens cached on the Watch are cleared when you log out or delete your account from the mobile app
- Crash reports (Sentry): retained by Sentry for 90 days (default retention period)
When you delete your account, all associated data is permanently removed from our systems, including workout history, templates, progress records, exercise photos, and push notification tokens.
Please note that third-party service providers (such as RevenueCat for subscription management, Apple App Store, or Google Play Store) may retain purchase and transaction records in accordance with their own privacy policies and applicable law.
7. How Do We Keep Your Information Safe?
We implement appropriate technical and organizational measures to protect your personal information, including:
- HTTPS/TLS encryption for all data in transit
- Password hashing using industry-standard algorithms (passwords are never stored in plain text)
- Row-Level Security (RLS) policies in our database ensuring users can only access their own data
- JWT-based authentication with 30-day token expiry
- Database hosted in the EU (eu-central-1) with Supabase
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
8. What Are Your Privacy Rights?
EU/EEA residents (GDPR)
If you are located in the EU/EEA, you have the following rights:
- Access: request a copy of your personal data
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your data (you can delete your account in the app's Account tab)
- Restriction: request that we limit processing of your data
- Portability: request your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests
- Withdraw consent: where processing is based on consent, you may withdraw at any time
California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Non-discrimination for exercising your privacy rights
Categories of personal information collected (US state laws)
| Category | Collected | Examples |
|---|
| A. Identifiers | YES | Email address, name, user ID, public ID |
| B. California Customer Records | YES | Name, email address |
| C. Protected classifications | NO | |
| D. Commercial information | YES | Subscription status, purchase history (via RevenueCat) |
| F. Internet activity | YES | Server logs (IP address, request metadata) |
| K. Inferences | NO | |
Do Not Track
Some browsers include a Do Not Track (DNT) setting. No uniform standard for DNT has been finalized, so we do not currently respond to DNT signals. If a standard is adopted, we will update this policy accordingly.
Exercising your rights
To exercise any of these rights, you can:
- Delete your account directly from the Account tab in the app
- Email us at the contact address below
9. Do We Collect Information from Minors?
We do not knowingly collect data from or market to children under 16 years of age. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us.
10. Do We Make Updates to This Policy?
We may update this Privacy Policy from time to time. The updated version will be indicated by the "Last updated" date at the top of this page. We encourage you to review this Privacy Policy periodically. If we make material changes, we will notify you through the app or by email.
11. How Can You Contact Us?
If you have questions or comments about this Privacy Policy, you may email us at:
support@gainlogger.app