Privacy Policy
Last updated: 2026-03-14
1. Data Controller
The data controller for GymSweat is:
- Name: Filippo Machnich
- VAT number (P.IVA): 01409080320
- Address: Via Domus Civica 14, Trieste (TS), Italy
- Email: filippomachnich@gmail.com
For any questions about how we handle your personal data, please contact us at the email address above.
2. Data We Collect and Why
We process only the data strictly necessary to provide and improve the GymSweat service. The subsections below summarise each category, its purpose, and its legal basis under the EU General Data Protection Regulation (GDPR).
2.1 Identity Data
Examples: email address, display name, profile photo URL.
Purpose: account creation, authentication, user support.
Legal basis: Art. 6(1)(b) GDPR — performance of the contract (providing the service you signed up for).
2.2 Workout Data
Examples: workout logs, workout templates, exercise names, sets, reps, weights, workout schedule.
Purpose: core service functionality — recording, tracking, and analysing your training.
Legal basis: Art. 6(1)(b) GDPR — contract performance.
2.3 Health & Wellbeing Data
Examples: injury logs, body weight logs, hydration logs.
Purpose: tracking your physical wellbeing as part of the fitness service.
Legal basis: Art. 6(1)(b) GDPR — contract performance, combined with Art. 9(2)(a) GDPR — your explicit consent to the processing of special-category (health-related) data. You provide this consent during onboarding, and you may withdraw it at any time (see Section 6).
2.4 Coach–Athlete Shared Data
Examples: workout data you choose to share with a coach via the GymSweat Coach platform.
Purpose: enabling your coach to monitor your training and provide guidance.
Legal basis: Art. 6(1)(a) GDPR — your consent. You control which data categories a coach can see through granular permissions in the app. You may revoke coach access at any time.
2.5 Analytics Data
Examples: anonymised usage events, screen views, crash reports (collected via PostHog).
Purpose: understanding how the app is used so we can improve it.
Legal basis: Art. 6(1)(a) GDPR — your consent, requested during onboarding. You may opt out at any time in Settings.
3. Sub-Processors and International Transfers
We use the following third-party sub-processors to operate GymSweat. Where data is transferred outside the European Economic Area (EEA), we rely on the EU Standard Contractual Clauses (SCCs) or an adequacy decision to ensure an equivalent level of protection.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Firebase (Google LLC) | Authentication, Firestore cloud database, Cloud Functions | USA / EU | SCCs + supplementary measures |
| Firebase Analytics (Google LLC) | Usage analytics, screen views, event tracking | USA (with EU processing) | SCCs + supplementary measures |
| Firebase Crashlytics (Google LLC) | Crash diagnostics and stability monitoring | USA | SCCs + supplementary measures |
| AppsFlyer (AppsFlyer Ltd.) | Mobile attribution and install analytics | EU / USA | SCCs |
| RevenueCat, Inc. | Mobile subscription management (iOS & Android) | USA | SCCs |
| PostHog, Inc. | Product analytics (with consent) | EU / USA | EU hosting preferred; SCCs for US fallback |
| Paddle.com Market Ltd | Web subscription payments (Merchant of Record) | UK / EU | UK adequacy decision; SCCs where applicable |
Data processed by each sub-processor
- Firebase Analytics: device info, app usage patterns, user properties.
- Firebase Crashlytics: crash logs, stack traces, device model, OS version.
- AppsFlyer: device ID, advertising ID, IP address, app install and event data.
A full, up-to-date list of sub-processors is available upon request by emailing filippomachnich@gmail.com.
4. Data Retention
- Identity data: retained for as long as your account is active. Deleted upon account deletion.
- Workout data: retained for as long as your account is active. Deleted upon account deletion.
- Health & wellbeing data: retained for as long as your account is active. Upon account deletion, this data is erased within 30 days from all systems, including backups.
- Analytics data: anonymised and aggregated; individual-level data is deleted within 90 days of collection.
- Payment records: retained for the legally required period (typically 10 years under Italian tax law) even after account deletion.
5. Your Rights Under GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain a copy of all personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") (Art. 17) — request the deletion of your data (see Section 8 for how).
- Right to restriction of processing (Art. 18) — ask us to temporarily stop processing your data in certain situations.
- Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, email us at filippomachnich@gmail.com. We will respond within 30 days.
6. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In Italy, the competent authority is:
Garante per la protezione dei dati personali
Website: www.garanteprivacy.it
Email: garante@gpdp.it
You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
7. Health and Physical Activity Disclaimer
Use of GymSweat and any physical activity undertaken in relation to it is at your sole risk. GymSweat does not provide medical advice. Always consult a physician before starting any workout program.
All metrics displayed in the app — including but not limited to estimated one-rep max, load scores, training readiness, acute-to-chronic workload ratio, and coaching suggestions — are informational only and do not constitute medical advice, diagnosis, or treatment.
8. How to Delete Your Data
You can delete your account and all associated data directly from the app:
- Open Settings.
- Tap Account.
- Tap Delete account.
This will permanently erase all your data from our local database and from our cloud servers (Firebase). Health data may take up to 30 days to be purged from all backup systems. Alternatively, you can email filippomachnich@gmail.com to request deletion.
9. Coach Platform and Data Sharing
GymSweat offers a B2B2C coaching platform that allows certified fitness coaches to view and interact with athlete data. Here is what you need to know:
- Your data is shared with a coach only when you accept a coach invitation and grant permission.
- Granular permissions: you choose which data categories your coach can access (e.g., workout logs, body weight, injuries). You can change or revoke these permissions at any time from the app.
- Coaches provide general fitness guidance only — they do not provide medical advice or treatment.
- Coach access is revocable: disconnect from a coach at any time via Settings, and they will immediately lose access to your data.
Note: Athena (menstrual cycle tracking) is a separate application and its data is never shared with GymSweat or with coaches on the GymSweat platform.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you via in-app notification or email at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know — what personal information is collected, used, shared, or sold.
- Right to delete — request the deletion of your personal information.
- Right to opt out — opt out of the "sale" or "sharing" of your personal information.
- Right to non-discrimination — receive equal service and pricing regardless of exercising your privacy rights.
GymSweat does not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising purposes.
To exercise your CCPA rights, contact us at filippomachnich@gmail.com. We will respond within 45 days of receiving your verifiable request.