Privacy Policy
Effective date: June 11, 2026 · Last updated: June 11, 2026
GymVision ("we", "us", "our") is an AI-powered fitness app for iOS, built by a Belgian team and operated from Montreal, Canada. We act as the data controller for the personal data described in this policy. The policy covers the GymVision iOS app and the gymvision.app website. It explains what we collect, why we collect it, who can access it, how long we keep it, and the rights and choices you have.
The short version: your data is used to run the app and personalize your training, we do not sell it, we do not show third-party ads, and your Apple Health data is never used for advertising. For anything in this policy, you can reach us at contact@gymvision.app.
1. Information We Collect
Account information. When you sign in with Apple, Google, or email, we receive your email address and, depending on the provider, your name. We create an account identifier that links your data to you. If you use Sign in with Apple's private relay, we only see the relay address.
Fitness profile. During onboarding you can share your age group, gender, weight, fitness level, goals, injuries, and weekly training schedule. We use this to personalize the workouts the app generates. Everything is editable in the app at any time.
Workout activity. The workouts you generate, import, or save, the exercises, sets, reps, and weights you log, your workout streak, and the recovery state of your muscle groups.
Health data. With your explicit permission, steps, active calories, body weight, and workouts from Apple Health. This is a special category of data and is covered in detail in section 6.
Gym scans. The photos and videos you capture in the app to detect gym equipment, and the resulting equipment list. Covered in section 5.
Gyms and spaces. The gyms you create or save: name, address and coordinates of the gym, and its equipment. Spaces you mark as public are visible to other users on the map, and workouts you share to a public space display your profile picture.
Location. With your permission, your device location, used on the device to center the gym map and show gyms near you. We do not store your device location on our servers.
Purchase information. Your subscription status, product, and transaction history. Payments are processed entirely by Apple. We never see or store your payment card details.
Device and usage data. Device model, iOS version, app version, language, the screens you visit, and the features you use (for example that a workout was generated, started, or completed). Like any internet service, the servers that respond to the app's requests also see your IP address.
Advertising identifier. Only if you allow tracking when iOS asks (App Tracking Transparency), your device's advertising identifier (IDFA), used solely to measure our own ad campaigns.
Communications. Messages you send through the support form or by email, and feature requests and votes you post on our feedback board.
Website. The gymvision.app website sets no cookies. We measure visits with Vercel's privacy-friendly, cookieless analytics, which gives us aggregate statistics such as page views, countries, and referrers, and cannot identify you. If you use the support form, the name, email, and message you enter are transmitted to us by our form provider.
2. How We Collect Information
- Directly from you: your onboarding answers, the training you log, the scans you capture, the gyms you create, and the messages you send us.
- Automatically: device and usage data collected by the app as you use it.
- From third parties: your name and email from Apple or Google when you sign in with them, health data from Apple Health with your permission, and purchase receipts from Apple to validate your subscription.
3. How We Use Your Information
- To provide the service: create and sync your account, generate workouts adapted to your profile, your equipment, and your recovery, track your training history and streak, and show your health stats.
- To run AI features: analyze your gym scans into equipment lists and build personalized workout plans (section 5).
- To manage purchases: activate your subscription, restore it across devices, and enforce free-tier limits.
- To improve the app: understand which features are used, where users get stuck, and which changes help, using product analytics.
- To measure our advertising: attribute app installs to our own ad campaigns, only with your tracking consent.
- To support you: answer your messages and act on your feature requests.
- To keep the service safe: prevent abuse, secure accounts, and debug failures.
- To comply with the law: respond to lawful requests and meet our legal obligations.
We do not sell your personal information, we do not show third-party ads in the app, and we do not use your data for purposes other than those listed here without telling you first.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area and the UK, every use of your data rests on a legal basis:
- Performance of a contract: providing your account, workout generation and history, syncing, sharing, and subscription management.
- Explicit consent: reading and writing Apple Health data, which is health data under Article 9 of the GDPR. You give this consent through the iOS Health permission screens and can withdraw it there at any time.
- Consent: device location, camera access for scans, notifications, and ad tracking. Each is requested separately by iOS and can be withdrawn at any time in Settings without affecting the rest of the app.
- Legitimate interests: product analytics to improve the app, fraud and abuse prevention, and service security. You can object at any time (section 12).
- Legal obligation: record keeping and responding to lawful requests.
5. AI Processing
Gym scans. When you scan a gym, the video or photos you capture are uploaded to Google and analyzed by the Gemini model to detect equipment. Google deletes the uploaded media automatically within about 48 hours. We keep only the resulting equipment list. Please avoid filming other people when you scan.
Workout generation. When you generate a workout, your fitness profile (such as goals, fitness level, and injuries) and the equipment available to you are processed by Anthropic's Claude models to build your plan. When you import a workout from a shared video link, the video is analyzed the same way as a scan.
No training on your data. These providers process your data only to deliver the feature. Under our API agreements, neither Google nor Anthropic uses your content to train their models.
6. Apple Health Data
With your explicit permission, GymVision reads your steps, active calories, body weight, and workouts from Apple Health, and writes the workouts you complete and the weight entries you add back to it. This data is synced to your GymVision account so your stats appear correctly across reinstalls and devices.
We treat health data with the strictest rules in this policy:
- It is never used for advertising, marketing, or any form of profiling beyond the fitness features you see in the app.
- It is never sold and never shared with data brokers, advertisers, or analytics providers.
- It is disclosed to no one except the infrastructure that stores it encrypted on our behalf.
- You can revoke access at any time in the iOS Settings app under Health, and the app keeps working without it.
7. Who We Share Data With
We use a small number of service providers to run GymVision. Each receives only the data it needs for its role, under a data processing agreement:
- Supabase (backend hosting): stores our database, accounts, and authentication.
- Apple: Sign in with Apple, payments and subscriptions, Apple Health, and push notifications.
- Google: Sign in with Google, and gym scan analysis with the Gemini model.
- Anthropic (AI provider): workout generation with the Claude models.
- RevenueCat (subscriptions): validates purchase receipts and tracks subscription status.
- PostHog (analytics): receives usage events tied to your account identifier, hosted in the United States.
- TikTok (ad attribution): receives app events to measure our ad campaigns, and your advertising identifier only if you allowed tracking.
- WishKit (feedback board): hosts the feature requests and votes you submit.
- Mapbox (maps): serves map tiles and receives the standard network requests needed to load them, including your IP address.
- iCloud: stores a small free-tier usage counter in your private iCloud key-value storage, which we cannot read outside your devices.
- Vercel (website only): hosts gymvision.app and provides cookieless, aggregate visit statistics.
- FormSubmit (website only): relays support form submissions to our inbox.
Beyond these providers, we disclose personal data only if required by law, to protect our rights or our users, or as part of a business transfer such as a merger or acquisition, in which case this policy continues to apply to your data.
Public content. Workouts and spaces you share via a link are visible to anyone who has the link. Spaces you mark as public are visible to all users on the map.
8. Cookies and Tracking
On the website: gymvision.app sets no cookies at all. Visits are measured with Vercel's cookieless, privacy-friendly analytics: aggregate counts only, no advertising trackers, no cross-site tracking, nothing that identifies you.
In the app: there are no cookies, but two kinds of identifiers exist. Our analytics uses your account identifier to understand feature usage. Ad attribution uses your device advertising identifier only if you allow tracking when iOS shows the App Tracking Transparency prompt. If you decline, the identifier is never shared and attribution falls back to Apple's privacy-preserving framework, which gives us aggregate numbers without identifying you.
You can change your tracking choice at any time in iOS Settings under Privacy & Security, then Tracking.
9. International Data Transfers
We operate from Canada, which benefits from a European Commission adequacy decision, so data of EEA users handled by us in Canada keeps an equivalent level of protection. Some of our providers, including PostHog, RevenueCat, and Anthropic, process data in the United States and other countries. Where personal data leaves the EEA, the transfer is protected by recognized safeguards: an adequacy decision such as the EU-US Data Privacy Framework where the provider is certified, or the European Commission's Standard Contractual Clauses, in each case under the provider's data processing agreement.
10. Data Retention
We keep data only as long as it serves you:
- Account, profile, workouts, logs, spaces: for the life of your account, deleted when you delete it.
- Apple Health cache: for the life of your account; revoking Health access stops new data from syncing.
- Gym scan media: deleted by Google within about 48 hours of upload. Only the detected equipment list is kept.
- Analytics events: kept only as long as needed to understand product usage, then deleted or aggregated.
- Support messages: as long as needed to resolve your request and for a reasonable period after.
- Purchase records: as long as required for accounting and tax obligations.
- Backups: deleted data may persist in encrypted backups for a short period before being purged on rotation.
11. Deleting Your Account
You can delete your account directly in the app from your profile, no email required. Deletion permanently removes your profile, workouts, exercise logs, health data cache, and private spaces from our database. Public gyms you contributed remain on the map for other users but are no longer linked to you. Data the app wrote to Apple Health stays on your device, under your control in the Health app. The free-tier counter in your private iCloud storage is yours and can be removed by deleting the app's iCloud data.
12. Your Rights
Wherever you live, we extend these rights to you. If you are in the EEA or the UK, they are guaranteed by the GDPR:
- Access: ask for a copy of the personal data we hold about you.
- Rectification: correct inaccurate data. Most of your data is directly editable in the app.
- Erasure: delete your data. The fastest path is in-app account deletion (section 11).
- Portability: receive your data in a structured, machine-readable format.
- Restriction and objection: limit or object to specific processing, including analytics based on legitimate interests.
- Withdraw consent: at any time, for Health, location, camera, notifications, or tracking, via iOS Settings, without affecting prior processing.
To exercise any of these rights, email contact@gymvision.app from the address linked to your account. We respond within 30 days. We never discriminate against you for exercising your rights.
If you are in the EEA, you can also lodge a complaint with the data protection authority of your country, for example the Belgian Data Protection Authority if you are in Belgium.
Canadian residents. We comply with PIPEDA and, in Quebec, with the Act respecting the protection of personal information in the private sector (Law 25). You have the rights to access and correct your personal information, and you can address concerns to us first and to the Office of the Privacy Commissioner of Canada or, in Quebec, the Commission d'accès à l'information.
California residents. Under the CCPA/CPRA you have the rights to know, access, correct, delete, and port your personal information, and to opt out of its sale or sharing. We do not sell personal information. The only data flow that could qualify as "sharing" for cross-context advertising is the advertising identifier sent to TikTok with your tracking consent; you can opt out by declining or revoking tracking in iOS Settings. We do not knowingly process sensitive personal information for purposes requiring a right to limit.
13. Security
Your data is encrypted in transit and at rest. Access to our database is restricted by row-level security, so each account can only reach its own data. Authentication is handled by established identity providers, internal access to production systems is limited, and our API credentials are scoped to the minimum needed. If a breach ever affects your personal data, we will notify you and the relevant authority as required by law. No system is perfectly secure, but we design for the failure modes that matter.
14. Children's Privacy
GymVision is not intended for anyone under 16, and we do not knowingly collect personal data from children under 16. If you believe a child has created an account, contact us at contact@gymvision.app and we will delete it promptly.
15. Changes to This Policy
We may update this policy as the app evolves. Changes are posted on this page with the date above updated. For material changes, such as a new category of data or a new purpose, we will notify you in the app before the change takes effect, and where the law requires it we will ask for your consent.
16. Additional Provisions
- No sale of data. We have never sold personal data and have no plans to.
- Third-party links. The app and website may link to external sites and services, such as exercise videos or our providers' policies. Their privacy practices are their own.
- Governing law. This policy is governed by the laws of the Province of Quebec and the federal laws of Canada applicable in it, without prejudice to the protections your local law gives you.
17. Contact
For any question about this policy or your data, including privacy rights requests: contact@gymvision.app. We aim to answer every email, and privacy requests are answered within 30 days.