Privacy Notice for GymPal

Last updated: May 1, 2026

1. Controller & Contact

Controller: VitaApps S.R.L., Bucharest, Romania
Email: support@vitaapps.dev
Data Protection Contact: privacy@vitaapps.dev

2. Scope of This Notice

This Privacy Notice applies to the GymPal mobile application ("GymPal" or "the App"). GymPal is an AI-powered fitness app that generates personalized workout plans, tracks exercises, runs camera-based challenges using on-device pose detection, and offers premium subscriptions. Unlike some of our other apps, GymPal does require an account and stores certain data in the cloud to provide its features.

If we make material changes to this Notice, we will inform you inside the App or via our website.

3. What Data We Collect

3.1 Account Data

To use GymPal you must create an account. You may sign up with email/password, Google Sign-In, or Sign in with Apple. We collect:

  • Email address
  • Display name (where provided by Google / Apple)
  • Profile photo (where provided by Google / Apple, optional)
  • Authentication identifiers (managed by Firebase Authentication)

3.2 Profile & Fitness Data

During onboarding and inside the App you provide fitness information that we store in your user profile (Cloud Firestore):

  • Gender, age, height, current weight, goal weight
  • Fitness level, activity level, primary goals, motivation
  • Health conditions / injuries (optional)
  • Available equipment
  • Preferred workout frequency and days
  • Body measurements you choose to log
  • Generated workout and nutrition plans
  • Exercise sessions, completed challenges, daily duties, meals

Health-related fields (e.g. "back pain", "diabetes") are special category data under GDPR Art. 9. We process them only with your explicit consent (given by completing onboarding) and only to generate your workout plan and warn you about unsafe exercises.

3.3 AI Plan Generation (OpenAI)

When you generate or regenerate a workout plan, we send a structured prompt containing your profile data (age, gender, height, weight, goals, fitness level, equipment, health issues, frequency) to OpenAI. OpenAI returns a structured plan we save back to your profile. We do not send your name, email, photos, or any identifier that would let OpenAI tie the prompt back to you.

OpenAI is contractually bound by their API data usage policy not to use API data to train their models.

3.4 Camera & Pose Detection (On-Device)

Live exercise challenges (push-ups, squats, plank) use Google ML Kit Pose Detection running entirely on your device. The camera feed is processed locally to count repetitions and validate form. Frames are not uploaded, stored, or transmitted anywhere. Only the resulting score / rep count / duration is saved to your challenge record.

3.5 Subscription Data

Premium subscriptions are processed by Apple App Store and Google Play and managed via RevenueCat. We receive (and store) the type of subscription (weekly / yearly), purchase and renewal dates, store identifiers, and refund events. We never see your full payment data — Apple / Google handle that.

3.6 Influencer Referral Codes

If you enter a creator's referral code in the paywall, we store the attribution (which influencer's code you used) so the creator can be compensated for the referral. We never share your identity with the creator — they only see anonymized aggregate statistics and a hashed identifier.

3.7 Push Notifications (Firebase Cloud Messaging)

With your permission, we store an FCM device token on your user document so we can send push notifications about challenges and workout reminders. You can disable notifications at any time in your device settings.

3.8 Analytics & Crash Reports

We use Firebase Analytics and Firebase Crashlytics to understand how the App is used and to diagnose crashes. These tools collect:

  • App version, OS version, device model, language, region
  • Custom events (e.g. plan generated, challenge completed)
  • Crash logs and stack traces
  • A pseudonymous Firebase user identifier (linked to your account)

We do not share this data with advertising networks. The App contains no third-party advertising or tracking SDKs.

3.9 Activity Tracking

We record a "last seen" timestamp on your profile so we can compute aggregate engagement metrics (Daily / Weekly / Monthly Active Users) for our internal dashboard. These metrics are aggregated and never used to identify you to third parties.

4. Purpose & Legal Basis (GDPR)

  • Account & profile management — performance of contract (Art. 6 §1 b GDPR).
  • Health-related onboarding fields — your explicit consent (Art. 9 §2 a GDPR).
  • AI plan generation — performance of contract.
  • Subscription processing — performance of contract.
  • Crash & error reports — legitimate interests (Art. 6 §1 f GDPR — ensuring app quality).
  • Analytics — legitimate interests, with the option to opt out via your device settings.
  • Push notifications — your consent (granted via the system permission dialog).

5. Data Sharing

We do not sell or rent personal data. We share data only with:

  • Google Firebase (Authentication, Firestore, Cloud Storage, Cloud Functions, Cloud Messaging, Analytics, Crashlytics) — our primary backend, processing data on our behalf under a GDPR-compliant Data Processing Agreement.
  • OpenAI — receives anonymized profile prompts to generate workout plans.
  • RevenueCat — manages subscription state on our behalf.
  • Apple / Google — process subscription payments under their own privacy policies.

6. International Data Transfers

Some of our processors (Google, OpenAI, RevenueCat) may process data in the United States. They use Standard Contractual Clauses or other approved transfer mechanisms to provide GDPR-equivalent protection.

7. Data Retention

  • Account & profile data: retained while your account is active. You can delete your account from inside the App, which erases your profile, plans, exercises, challenges, body measurements, and the association between your account and any active subscription.
  • Subscription / referral records: retained for as long as legally required (typically 7 years for tax records).
  • Crash reports: retained by Firebase for the period necessary to analyze and fix issues.
  • Camera frames: never stored — only frame-by-frame on-device analysis.

8. Your Rights

Under GDPR you have the right to:

  • Access the data we hold about you
  • Correct inaccurate data
  • Delete your account and data ("right to be forgotten")
  • Export your data (data portability)
  • Withdraw consent (e.g. for analytics)
  • Object to processing based on legitimate interests
  • Lodge a complaint with your local supervisory authority

For privacy inquiries: privacy@vitaapps.dev

9. Children's Privacy

GymPal is not directed at children under 16. We do not knowingly collect personal data from children. If we become aware that a child's personal data was inadvertently processed, we will delete it.

10. Security

We apply industry-standard security measures:

  • Encrypted transport (HTTPS / TLS) for all communication
  • Encrypted at-rest storage (Firebase managed encryption)
  • Cloud Functions run server-side with strict, authenticated access rules
  • Camera frames stay on-device — no transmission of biometric or video data
  • Operational separation between the GymPal mobile app and our internal admin dashboard, on different Firebase projects

However, no system can guarantee absolute protection.

11. Automated Decision-Making

AI-generated workout plans are recommendations only. They do not produce legal effects or significant decisions about you. You can always regenerate, edit, or ignore the plan.

12. Third-Party Links

The App may link to external websites (e.g. App Store, support pages). These sites operate independently and have their own privacy notices.

13. Contact & Updates

Email: privacy@vitaapps.dev
Company: VitaApps S.R.L., Bucharest, Romania

We may update this Privacy Notice when needed. The latest version will always be available through the App or our website.