GymTempo
EN

Privacy

Privacy Policy

What data GymTempo collects, why we collect it, who we share it with, and what your rights are under GDPR.

Last updated: May 16, 2026

1. Introduction

Alex Antoniuk, the operator of GymTempo, takes your personal data protection seriously. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what your rights are.

This policy is intended to comply with the General Data Protection Regulation (GDPR).

Data Controller:

Alex Antoniuk, Email: [email protected]

2. Data Collected

2.1 Account Information

When you create an account, we collect:

  • Email address: for login, communication, and account recovery.
  • Authentication identifiers: a Supabase user ID, and — if you choose “Sign in with Google” — your Google account identifier (Google sub, email, profile name).
  • Account creation date.

We do not store passwords. Authentication is handled either by a magic link sent to your email, or by Google OAuth.

2.2 Workout Data

To run the app, we store the workouts you enter:

  • Routines and exercise lists.
  • Sets, reps, weights, and any per-set notes.
  • Timestamps of your sessions.
  • Training history and progress.

2.3 Technical Data

We collect:

  • Device type (iOS, Android, web).
  • App version.
  • Operating system version.
  • Language preference.
  • Error logs and crash reports (to fix bugs).

We do not use precise geolocation or mobile advertising identifiers (IDFA/AAID) for tracking. Certain technical identifiers (including IP address) may be processed transiently for security, abuse prevention, and routing, then deleted according to the retention rules below.

2.4 Payment Data

GymTempo is free. We do not process payments and do not collect any payment data.

3. How We Use Your Data

3.1 Service Provision

  • Create and manage your account.
  • Store and display your workouts across your devices.
  • Track your progress and training history.

Legal basis: contract performance.

3.2 Communication

  • Send transactional emails (account confirmation, magic-link login).
  • Provide support when you contact us.

Legal basis: contract performance and legitimate interest.

3.3 Service Improvement

  • Identify and fix bugs through crash and error reports.
  • Measure aggregate traffic to understand which parts of the app are used.

Legal basis: legitimate interest for crash reports and aggregate analytics. Consent where required by law.

4. Third-Party Service Providers

We share your data only with the trusted providers we need to operate the service:

4.1 Infrastructure

  • Supabase, Inc. — database, authentication and file storage, hosted in the EU.
  • Hostinger International Ltd. — hosting of the website gymtempo.app (EU-based).
  • Google LLC — “Sign in with Google” authentication, only if you choose it. Based in the US; transfers protected by EU Standard Contractual Clauses.

4.2 Error Tracking

  • Sentry (Functional Software, Inc.): crash and error reports, so we can fix bugs.

4.3 Analytics

  • Google Analytics (Google LLC, US): aggregate website and app traffic statistics. Transfers protected by EU Standard Contractual Clauses.

International transfers: some providers above are based in the United States. In all such cases we rely on GDPR transfer safeguards (Standard Contractual Clauses and/or adequacy decisions).

5. Data Sharing

We never sell your personal data to third parties.

We may share data only in these cases:

  • With your consent: if you explicitly authorise it.
  • Legal obligation: in response to a valid court order or regulatory request.
  • Service providers: those listed in section 4 above.
  • Business transfer: in case of acquisition or asset sale (you will be notified).

6. Data Retention

  • Active account: data is retained while your account is active.
  • Deleted account: data is removed within 30 days of your request, except where retention is required by law.
  • Crash and error reports: up to 90 days.
  • Server access logs: up to 30 days.
  • Analytics data: up to 14 months.
  • Inactive accounts: after 12 months of inactivity we may send an email warning and then delete the account 30 days later.

7. Data Security

We implement reasonable technical and organisational security measures:

Technical Measures

  • Encryption: HTTPS/TLS for data in transit, encryption at rest as provided by Supabase.
  • No passwords stored: authentication is via magic link or Google OAuth.
  • Access control: principle of least privilege; row-level security in Supabase isolates each user’s data.
  • Monitoring: error and crash reporting through Sentry.

Organisational Measures

  • Regular dependency updates.
  • Incident response handled directly by the operator.

In case of a personal data breach we will notify the competent supervisory authority within legal deadlines (GDPR Art. 33). If the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay (GDPR Art. 34).

8. Your Privacy Rights

Under GDPR you have the following rights:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Correct your personal data directly in the app or by contacting us.

Right to Deletion

Delete your account at any time by contacting us. All data will be removed within 30 days, except where retention is required by law.

Right to Object

Object to processing of your data for analytics or error reporting.

Right to Portability

Request your data in a structured, machine-readable format to transfer elsewhere.

Right to Restriction

Request a temporary freeze of data processing during a dispute.

To exercise your rights:

  • Email: [email protected]
  • Response time: 30 days maximum.
  • ID verification may be required for security.

9. Cookies and Trackers

GymTempo uses minimal cookies and respects your privacy choices:

  • Session token: to keep you logged in.
  • Interface preferences: theme (dark/light), language.
  • Google Analytics: with your consent, Google Analytics may set cookies to measure aggregate usage. You can refuse or withdraw consent at any time.

10. Children’s Privacy

GymTempo is not intended for users under 16 years old. We do not knowingly collect data from children under 16.

If we discover that a child’s data was collected without parental consent, we will delete it immediately.

11. “Do Not Track” Signals

Some browsers offer a “Do Not Track” (DNT) signal. GymTempo does not currently respond to DNT signals, but we minimise tracking by default — no ads, no third-party trackers other than the providers listed in section 4.

12. Policy Updates

We may update this Privacy Policy to reflect legal changes or new features. We will notify you of significant changes by email or via an in-app notification.

The last modified date is displayed at the top of this page.

13. Contact

For any question about data protection: