Effective date: 2026-06-05
Hi, and thanks for using GymRhythm. This Privacy Policy explains what data we collect when you use the GymRhythm iOS app and any related services (we'll just call all of it "GymRhythm" or "the app" from here on), why we collect it, who we share it with, and what rights you have over it.
We've tried to keep this readable. If anything is unclear, email us at riccardo.mewis@gmail.com and we'll explain.
GymRhythm is built and operated by an individual sole developer:
For the purposes of the EU General Data Protection Regulation (GDPR), Nikolas Mewis is the "data controller" for your personal data. For users in California, the equivalent term is "business."
We try to collect as little as possible. Here's what we do collect, grouped by category.
When you create an account, we need a way to recognize you next time you open the app. We use Firebase Authentication for this, and you can sign in with an email and password, Google, or Apple. If you sign in with Apple, we also store a one-time authorization code in your device's Keychain so we can fully revoke the Apple sign-in if you ever delete your account.
These are the things you tell us about yourself during onboarding or later in your profile. They power your personalized stats, your weekly goal, and your progress over time. You can change or clear most of this from the Profile screen.
Most profile fields beyond name and basic sign-in details are optional — see Section 5a for what's required vs. optional.
GymRhythm's main differentiator is automatic workout detection: when you walk into your gym, we want the app to notice and log it for you. To do that, we let you save one or more gym locations and we use a small geofence around each one. We do not record a trail of where you go.
We only ask for "Always" location access after you've decided to use the auto-detection feature, and you can change this any time in iOS Settings. If you deny location access, the app still works — you'll just need to log workouts manually.
Every time you complete a workout (whether automatically or manually), we save a record of it so you can see your history and streaks.
If you subscribe to GymRhythm Premium, we work with RevenueCat to validate your subscription with Apple and remember your entitlement across devices.
Apple processes the actual payment. We never see your card details.
These two categories are off by default. You'll see a consent question during onboarding, and you can change your answer any time in Settings.
If you turn on Product analytics, we collect:
If you turn on Crash reporting, we collect:
Both are gated by your consent toggle and stop collecting the moment you turn them off.
Anonymous onboarding metrics. When you first set up GymRhythm, we collect anonymous funnel events — which onboarding step you're on, how long you spent on it, and which category you selected (e.g., "tiktok" as a source, "general fitness" as a goal). These events are NOT linked to any user account or identifier — they're stripped of your user ID, email, name, weight, height, and birth date. They exist only to help us understand where the onboarding flow loses people so we can fix it. You can opt out anytime via Profile → Data & Privacy → Anonymous onboarding metrics.
Promo code attribution. If you redeem a promo code, we record the code itself as a user attribute (the string you entered, not your name). This lets us measure which marketing campaigns are working without identifying individual users. The attribute is anonymous if you have not opted into analytics; once you opt in, it ties to your Firebase Analytics user identifier for cohort reporting.
If you submit a suggestion through the in-app Feedback screen, we store it so we can read it and act on it.
You can delete your own suggestions from the Feedback screen.
So we send you the right amount of nudges and not more.
We use your data for the following purposes:
Analytics and crash reporting are off by default. You choose whether to enable them, and you can change your mind any time in Settings.
If you're in the EU, the European Economic Area (EEA), or the UK, GDPR requires us to tell you the legal basis we rely on for each purpose. Here's the breakdown:
Article 13(2)(e) GDPR requires us to tell you whether providing your data is mandatory and what happens if you don't. Here's the plain-English version:
We use a small number of third-party "sub-processors" to run the app. They process data on our behalf, under contract, for the purposes listed above.
| Provider | What they do for us | What data they receive | Privacy policy |
|---|---|---|---|
| Firebase Authentication (Google) | Creates and manages your account, handles sign-in and password recovery | Email, password hash, display name, authentication tokens | policies.google.com/privacy |
| Google Sign-In SDK | Lets you sign in with your Google account | Google account email, ID token, access token (used only to exchange for a Firebase credential) | policies.google.com/privacy |
| Sign in with Apple | Lets you sign in with your Apple account | An anonymized Apple user ID, an authorization code (stored locally in the Keychain for account-deletion revocation), and your email only if you choose to share it | apple.com/privacy |
| Provider | What they do for us | What data they receive | Privacy policy |
|---|---|---|---|
| Cloud Firestore (Google) | Stores your account data in the cloud so it syncs across devices | All user data: profile (name, weight, height, birthdate, gender, goals), saved gym locations, workout sessions, routines, XP claims, metrics history, consistency history, feedback submissions, and your location-permission status | policies.google.com/privacy |
| Provider | What they do for us | What data they receive | Privacy policy |
|---|---|---|---|
| Firebase Analytics (Google) | Helps us understand which features get used so we can prioritize improvements | Screen views, custom events, user properties (level, premium status, weekly goal, gender, goal type, acquisition source, age group, streak) and session duration — only when analytics consent is on | policies.google.com/privacy |
| Provider | What they do for us | What data they receive | Privacy policy |
|---|---|---|---|
| Firebase Crashlytics (Google) | Captures crashes and non-fatal errors so we can fix them | Stack traces, breadcrumbs, custom crash keys that mirror your user properties (level, premium status, weekly goal, age group, gender, goal type, acquisition source), app version, device model — only when crash-reporting consent is on. Because these keys are tied to your account, this data is linked to you. | policies.google.com/privacy |
| Provider | What they do for us | What data they receive | Privacy policy |
|---|---|---|---|
| Firebase App Check (Google) | Confirms requests to our backend come from a genuine copy of the app, not a bot or tampered build | An attestation token (DeviceCheck on iOS 13, App Attest on iOS 14+, or a debug token in development) | policies.google.com/privacy |
| Provider | What they do for us | What data they receive | Privacy policy |
|---|---|---|---|
| RevenueCat | Validates your Premium subscription with Apple, restores purchases on new devices, and tracks entitlements | Your Firebase Auth user ID (as the RevenueCat app user ID), subscription purchase data, entitlements, subscription dates, and transaction history | revenuecat.com/privacy |
| Provider | What they do for us | What data they receive | Privacy policy |
|---|---|---|---|
| MapKit and Apple Maps | Powers gym search, geocoding, reverse geocoding, and the map display when you pick a gym | Your search queries (gym names), your current location, and coordinates for reverse geocoding | apple.com/privacy |
We do not sell your personal information, and we do not share it with advertisers.
Some of our sub-processors (notably Firebase/Google, Apple, and RevenueCat) process data on servers located in the United States and other countries outside the EU/EEA.
Where data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and any additional safeguards our sub-processors have put in place (for example, Google's and Apple's published Data Processing Addenda). If you'd like more detail on a specific transfer, email us.
You don't need to email us to delete your data — the in-app button does it for you. But you can email us as a backup if anything goes wrong.
You have the right to:
You have the right to know what we collect, to delete it, to correct it, and to not be discriminated against for exercising these rights.
We do not sell your personal information. We do not "share" it for cross-context behavioral advertising. There is no "Do Not Sell or Share My Personal Information" link because there's nothing to opt out of.
We'll respond within 30 days.
We take reasonable steps to protect your data:
No system is 100% secure, and we won't pretend otherwise. If a breach affects your data, we'll notify you and the relevant authorities in line with our GDPR obligations.
GymRhythm is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please email riccardo.mewis@gmail.com and we'll delete it.
We keep this simple:
GymRhythm does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.
The cohort segmentation described in Section 3 (used for product analytics if you have opted in, and mirrored into crash keys if you have opted in to crash reporting) is used only to inform product improvements and bug fixes. It does not determine pricing, entitlements, access to features, or any other outcome that produces legal or similarly significant effects on you.
We may update this policy from time to time. When we do, we'll update the "Effective date" at the top.
If the changes are material (for example, a new sub-processor, a new category of data, or a new purpose), we'll notify you in-app before the changes take effect.
Questions, requests, or complaints about this policy or your data?
Email: riccardo.mewis@gmail.com
We read everything and we'll get back to you.