Privacy Policy

Last updated: June 5, 2026

1. Introduction

Gymacetamol ("we", "our", or "us") operates the Gymacetamol workout tracking application. This Privacy Policy explains how we collect, use, and protect your personal information when you use our service.

By using Gymacetamol, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our service.

2. Data We Collect

We collect the following types of information:

  • Account Information: Email address (provided via email login or Google OAuth)
  • Workout Data: Exercise names, weights, repetitions, sets, tempo, form quality, session notes, and workout history
  • Usage Data: Information about how you use the app, including pages visited and features used
  • Device Information: Browser type, device type, and operating system
  • Subscription and Purchase Information: Subscription tier, purchase history, and entitlement status (mobile app only). Payment card details are never seen or stored by us; they are handled directly by Apple, Google, or Stripe.
  • Crash and Diagnostic Data: Crash reports and technical diagnostic information (mobile app only) used to identify and fix bugs.

3. How We Use Your Data

We use your information to:

  • Provide and maintain the workout tracking service
  • Track your workout progress and calculate statistics
  • Authenticate your account and ensure security
  • Improve and optimize the application
  • Diagnose crashes and maintain app stability
  • Manage subscriptions and entitlements
  • Send service-related communications (if necessary)
  • Process payments for premium features

4. Legal Bases for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we rely on the following legal bases for processing your personal data:

  • Performance of a Contract (Art. 6(1)(b)): Processing your account information and workout data is necessary to provide you with the workout tracking service you signed up for, including authentication, data storage, and progress tracking.
  • Legitimate Interest (Art. 6(1)(f)): We process usage data and device information through PostHog (web) for product analytics, and we collect crash reports and diagnostic data through Sentry (mobile) to detect and fix bugs. We have assessed that this interest does not override your rights: we do not record session replays, and crash reports are not linked to your identity (we do not send Sentry your account ID, email, name, or IP address). Crash reporting is active for all users and is not part of the analytics consent choice.
  • Consent (Art. 6(1)(a)): On the web, we obtain your consent for non-essential cookies and analytics via our cookie consent banner. In the mobile app, users in the European Economic Area, the United Kingdom, and Switzerland are shown an in-app consent screen on first launch before any product analytics (Firebase Analytics) is collected. You may withdraw consent at any time, on the web via cookie preferences and in the mobile app via Settings → Privacy choices.
  • Legal Obligation (Art. 6(1)(c)): We may process and retain certain data where required by law, such as for tax or accounting purposes related to premium subscriptions.

5. Third-Party Services

We use the following third-party services across our web and mobile apps:

Used by both web and mobile

  • Supabase (Supabase, Inc.): Authentication and database hosting (PostgreSQL).
  • Google OAuth: Optional sign-in method.

Web app

  • Vercel (Vercel Inc.): Application hosting.
  • PostHog (PostHog Inc., EU Cloud): Product analytics to understand how users interact with the website (page views, feature usage, aggregated workout statistics). We do not record sessions or capture personally identifiable information through PostHog.
  • Stripe (Stripe, Inc.): Payment processing for web subscriptions. Stripe handles all card data; we never see or store payment card details.

Mobile app

  • Firebase Analytics (Google LLC): Product analytics on mobile only. Collected only with your consent in the EEA, UK, and Switzerland. On Android, Firebase Analytics may read the Google Advertising ID (AD_ID) once consent is granted. On iOS, no advertising identifier (IDFA) is read. See "Mobile Platform Identifiers" below for details.
  • Sentry (Functional Software, Inc., dba Sentry): Crash and error reporting on mobile only, used to detect and fix bugs. When the app crashes or hits an unexpected error, Sentry receives the technical stack trace, your device model and operating-system version, the app version, and a short trail of recent in-app diagnostic events (for example, which screen you were on). Crash reports are not linked to your identity: we do not send Sentry your account ID, email, name, or IP address.
  • Firebase Remote Config (Google LLC): Server-side feature flags used to roll out and disable features. No personal data is sent to Remote Config.
  • RevenueCat (RevenueCat, Inc.): Subscription receipt validation and entitlement management for mobile in-app purchases. RevenueCat receives the purchase token from the App Store or Play Store and your app-instance identifier so we can confirm your Pro status across devices and so the "Restore Purchases" button in Settings can recover your subscription on a new device.
  • Meta (Meta Platforms, Inc.), planned: when we begin running ads on Facebook and Instagram, Meta will act as an install-attribution processor on our behalf, receiving the minimum signal needed for measurement (event name, app-instance identifier, and hashed identifiers where you have consented) to confirm whether your install came from one of our ads. The current app version does not include the Meta SDK and sends no data to Meta. See "Advertising Attribution" below.
  • Apple App Store and Google Play: Mobile in-app purchases are processed by Apple and Google. Card data is handled entirely by Apple or Google; we receive only the resulting subscription status.

These services have their own privacy policies. We recommend reviewing them.

6. Mobile Platform Identifiers

When you use the Gymacetamol mobile app, the following platform identifiers may be processed in addition to the data described elsewhere in this policy:

  • IDFA (Apple Advertising Identifier): the current iOS app does not read the IDFA and does not show an App Tracking Transparency prompt. If we introduce ad-install attribution in a future update, iOS will request ATT permission first, and the IDFA would be read only if you grant it.
  • AD_ID (Google Advertising ID): collected only on Android, subject to your device-level "Ads" settings and, in the EEA and UK, your in-app consent choice. Currently read by Firebase Analytics for product analytics; if we introduce ad-install attribution in a future update, it would also be used to measure whether you installed after seeing one of our ads.
  • App-instance identifier (Firebase): a random identifier generated by Firebase Analytics on first launch. Used to count distinct app installs and group events into sessions. We do not associate this identifier with your name, email, or other contact information.

You can reset IDFA and AD_ID from your device privacy settings at any time (the exact path varies by OS version; look for "Tracking" on iOS and "Ads" on Android). Resetting breaks the link between your prior installs and the new identifier.

7. Advertising Attribution

We do not currently run ads or perform ad-install attribution, and the current app version sends no data to Meta. If, in the future, you reach Gymacetamol through one of our ads on Meta platforms (Facebook, Instagram), Meta will act as a data processor on our behalf to confirm whether the install came from one of our ads. The signal Meta receives is limited to what is necessary for measurement (event name, app-instance identifier, and hashed identifiers where you have consented). We do not sell or share your data with advertising networks for purposes unrelated to measuring our own ads.

Meta's use of this data is governed by Meta's data processing addendum and Meta's own privacy policy. We do not use this data to build profiles about you for marketing inside the Gymacetamol app.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. Our third-party service providers, including Supabase, Vercel, PostHog, Stripe, Google (Firebase Analytics, Remote Config), Sentry, and RevenueCat (and, once ad attribution is introduced in a future update, Meta Platforms), operate servers in the United States.

Where data is transferred outside the EEA, we ensure appropriate safeguards are in place in accordance with GDPR Article 46. Our service providers rely on Standard Contractual Clauses (SCCs) approved by the European Commission to protect your data during international transfers. These contractual commitments require the recipient to protect your data to the same standard as the GDPR.

Additionally, PostHog is configured to use their EU Cloud instance (eu.i.posthog.com), meaning analytics data is processed within the European Union.

9. Data Retention

We retain your personal data for as long as your account is active. When you delete your account, we remove your personal data from our servers without undue delay. Limited records may be retained where required by law (for example, anonymized records of any promotional offers you have redeemed, kept for accounting and tax compliance) or held by the third-party services listed below.

Per-category retention for the third-party services we use:

Category | Retention
Account and workout data | While your account is active, removed without undue delay after account deletion
Firebase Analytics events | 14 months (Firebase default)
Sentry crash reports | 30 days
RevenueCat subscription records | Lifetime of your account, plus 6 years for tax purposes
Meta attribution records | Up to 2 years once ad attribution is active (Meta's retention policy). No data is sent to Meta in the current app version.

10. Your Rights (GDPR/CCPA)

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Delete your account and all associated data.
    To delete your account, sign in and visit this page.
  • Portability: Request your data in a portable format
  • Opt-out: Opt out of marketing communications or data sales (we do not sell your data)
  • Restriction: Request that we limit the processing of your data
  • Object: Object to our processing of your data based on legitimate interests

To exercise any of these rights, please contact us at info@gymacetamol.com.

Account deletion (mobile app): You can delete your Gymacetamol account from inside the app at Settings → Account Management → Delete Account. Deleting your account:

  • Removes your profile data, training history, and measurements from our servers without undue delay.
  • Disconnects your account from Firebase Analytics. Any anonymous usage events tied to your installation are retained by Google according to Firebase's standard retention period (see the table above).
  • Does not cancel your active subscription. To cancel a subscription, use Apple's "Subscriptions" settings or the Play Store's "Subscriptions" page. Cancelling stops future renewals but does not refund the current period.

Refund policy: We offer a full refund within 14 days of any annual subscription purchase or renewal, and within 7 days of any monthly subscription purchase or renewal. Email info@gymacetamol.com from the email address on your account within that window and we will process the refund through the App Store or the Play Store. After that window, refunds are at Apple's or Google's discretion.

If you cannot access the in-app deletion path (for example, you have lost access to your sign-in method), email us at the address above and we will process the deletion within 30 days.

Right to Lodge a Complaint: If you are located in the European Economic Area and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local Data Protection Authority (DPA). A list of EU Data Protection Authorities can be found on the European Data Protection Board website.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the Internet is 100% secure.

12. Cookies, Local Storage, and Mobile Storage

Web: We use essential cookies for authentication and session management. We also use local storage for analytics (PostHog) to understand how you use our service. You can configure your browser to refuse cookies or clear local storage, but this may affect functionality.

Mobile app: The mobile app does not use cookies. Account session tokens are stored in encrypted on-device storage (Android Keystore / iOS Keychain). Subscription state is cached locally and synchronized with RevenueCat. Your consent choice for analytics (in the EEA, UK, and Switzerland) is stored on your device and can be changed at any time via Settings → Privacy choices.

13. Children's Privacy

Gymacetamol is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us, and we will remove it without undue delay.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the service after a change takes effect constitutes your acceptance of the updated policy.

15. Contact Us

If you have any questions about this Privacy Policy, please contact us at: info@gymacetamol.com