OFO Labs

Privacy Policy for GymWell

Last Updated: March 1, 2026

1. Data Controller

The data controller responsible for processing personal data under GDPR and German BDSG is:

Faruk Orman
24105 Kiel, Germany
Email: ofolabs@gmail.com

No Data Protection Officer is required as fewer than 20 persons engage in automated data processing.

2. Overview of Data Processing

Contractual necessity (Art. 6(1)(b)): We process the following data because it is necessary to provide the service:

  • Account data (email address, username, user ID) for account creation and authentication
  • Authentication data (email and hashed password, or OAuth tokens via Google/Apple) for secure sign-in
  • Body measurements (weight, body fat %, and 16 body measurements including neck, shoulder, chest, waist, hip, biceps, forearm, wrist, thigh, calf, and more) for progress tracking as core app functionality
  • Workout data (workout logs with date and duration, exercise sets with weight, reps, RPE, and rest time, programs, and routines) for workout tracking as core app functionality
  • Derived data (total volume, workout streaks, progress analytics, estimated 1RM) for progress visualization as core app functionality

Legitimate interest (Art. 6(1)(f)): We process exercise requests (exercise name and description, user-submitted) for improving the exercise library; and technical data (IP address via Supabase server logs) for security and abuse prevention.

3. Detailed Processing Activities

3.1 Account Registration & Authentication

An account is required to use GymWell. You can sign in via:

  • Email/Password: Your email and a securely hashed password are stored by Supabase Auth. We never store passwords in plain text.
  • Google Sign-In: We receive your email address and basic profile info via OAuth2. We do not receive or store your Google password.
  • Apple Sign-In: We receive your email address (or a private relay address if you choose to hide it) via OAuth2. We do not receive or store your Apple password.

3.2 Body Measurements

You may voluntarily enter body measurement data including weight, body fat percentage, and 16 individual body measurements. This data is stored in your account on Supabase and is used solely to display your progress within the app.

3.3 Workout Tracking

When you log workouts, the app stores workout sessions (date and duration), exercise sets (weight, repetitions, RPE rating, rest time), and your custom programs and routines. The app calculates derived analytics (total volume, streaks, estimated 1RM) for your personal use.

3.4 Exercise Requests

If you submit a request for a new exercise to be added to the library, we collect the exercise name and description. These are stored to improve the app's exercise library and are not linked to personal data beyond your user ID.

3.5 Data We Do NOT Collect

GymWell does not collect or access:

  • Location data or GPS information
  • Photos, camera, or photo library
  • Health data from Apple HealthKit or any health framework
  • Contacts or address book
  • Device identifiers for advertising purposes
  • Browsing history or data from other apps

GymWell does not use analytics SDKs, crash reporting SDKs, advertising networks, or social features.

4. Third-Party Service Providers (Data Processors)

Data Processing Agreements (DPAs) are in place per Art. 28 GDPR:

Supabase (Supabase, Inc., USA) provides the cloud database and authentication, receiving account data, body measurements, workout data, and exercise requests.

Google Sign-In (Google LLC, USA) handles OAuth authentication only, receiving your email address and basic profile info once, during sign-in.

Apple Sign-In (Apple Inc., USA) handles OAuth authentication only, receiving your email address or private relay address once, during sign-in.

Apple App Store (Apple Inc., USA) handles app distribution and the in-app review mechanism. Standard App Store data is processed per Apple's privacy policy.

5. International Data Transfers

Transfers to USA-based providers are safeguarded by:

EU-US Data Privacy Framework (DPF): Google and Apple are certified under the European Commission adequacy decision (July 10, 2023, Commission Implementing Decision (EU) 2023/1795) per Art. 45 GDPR.

Standard Contractual Clauses (SCCs): For Supabase, we rely on SCCs per Art. 46(2)(c) GDPR as adopted by Commission Implementing Decision (EU) 2021/914.

Contact ofolabs@gmail.com for specific transfer safeguard details.

6. Cookies & Local Storage

GymWell is a native iOS application. The app manages state through native app storage mechanisms (UserDefaults, Core Data, or equivalent), not browser cookies or localStorage.

Per § 25 TTDSG, native app storage used for core functionality (caching workout data, storing authentication tokens, remembering user preferences) is strictly necessary for the service explicitly requested by the user and is exempt from consent requirements under § 25(2) TTDSG.

No advertising, analytics, or tracking storage is used.

7. Provision of Personal Data

Email address and account data are a contractual requirement necessary for service use. Without this data, account creation and service provision are impossible. Body measurements, workout data, and exercise requests are voluntary but required for the respective app features to function.

8. Data Subject Rights

Under GDPR and BDSG, you have:

  • Right of access (Art. 15 GDPR, § 34 BDSG) — obtain a copy of your personal data and processing information
  • Right to rectification (Art. 16 GDPR) — correct inaccurate data through the app (edit username, measurements, workout data)
  • Right to erasure (Art. 17 GDPR, § 35 BDSG) — delete your account and all associated data directly within the app (cascade deletion of all workout logs, measurements, programs, routines, and exercise requests)
  • Right to restriction (Art. 18 GDPR) — restrict processing in certain circumstances
  • Right to data portability (Art. 20 GDPR) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21 GDPR, § 36 BDSG) — object to legitimate interest processing (exercise requests) anytime; we cease unless demonstrating compelling grounds
  • Right to withdraw consent (Art. 7(3) GDPR) — withdraw anytime without affecting prior processing lawfulness

Contact ofolabs@gmail.com to exercise these rights. We respond within one month per Art. 12(3) GDPR. This period may be extended by two further months for complex requests; we will notify you of any extension within the first month.

9. Automated Decision-Making

No automated decision-making or profiling producing legal effects or significantly affecting you occurs per Art. 22 GDPR. Derived analytics (volume calculations, streak tracking, estimated 1RM) are computed for your personal informational use only and do not produce legal or similarly significant effects.

10. Right to Lodge a Complaint

You may lodge a complaint with a data protection supervisory authority per Art. 77 GDPR. The competent authority for Kiel, Schleswig-Holstein is:

Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98, 24103 Kiel, Germany
Website: https://www.datenschutzzentrum.de

You may also contact supervisory authorities in your EU member state of habitual residence, work, or alleged infringement location.

11. Data Retention

  • Account data (email, username, user ID) — retained until you delete your account (contractual necessity)
  • Body measurements — retained until you delete your account (contractual necessity)
  • Workout data (logs, sets, programs, routines) — retained until you delete your account (contractual necessity)
  • Exercise requests — retained indefinitely to improve the exercise library; removable upon request (legitimate interest)
  • Authentication tokens — session duration, auto-refreshed (contractual necessity)
  • Tax-relevant records (if applicable) — 6 years after account deletion (legal obligation — § 147 AO, § 257 HGB, German tax/commercial law)

When you delete your account, all associated personal data is permanently removed from Supabase.

12. Children's Privacy

GymWell is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware a child under 16 has provided personal data, we promptly delete it per Art. 8 GDPR and § 25 TTDSG. If you are a parent or guardian and believe your child has provided us with personal data, contact ofolabs@gmail.com.

13. Security Measures

Appropriate technical and organizational measures per Art. 32 GDPR:

  • All data transmitted between the app and Supabase is encrypted using TLS/HTTPS
  • Passwords are securely hashed by Supabase Auth and never stored in plain text
  • Authentication tokens are used for secure session management
  • Row-level security (RLS) policies in Supabase ensure users can only access their own data
  • Account deletion permanently removes all associated data from the database

14. Changes to This Policy

This privacy policy may be updated to reflect changes in our practices or in the law. The "Last updated" date indicates the most recent revision. For significant changes, we make reasonable efforts to notify users through the App Store update notes. We encourage you to review this policy periodically.

15. Contact

For privacy inquiries or exercising data subject rights:

Faruk Orman
24105 Kiel, Germany
Email: ofolabs@gmail.com