← GymRhythm Support

GymRhythm Privacy Policy

Effective date: 2026-06-05

1. Introduction

Hi, and thanks for using GymRhythm. This Privacy Policy explains what data we collect when you use the GymRhythm iOS app and any related services (we'll just call all of it "GymRhythm" or "the app" from here on), why we collect it, who we share it with, and what rights you have over it.

We've tried to keep this readable. If anything is unclear, email us at riccardo.mewis@gmail.com and we'll explain.

2. Data Controller

GymRhythm is built and operated by an individual sole developer:

For the purposes of the EU General Data Protection Regulation (GDPR), Nikolas Mewis is the "data controller" for your personal data. For users in California, the equivalent term is "business."

3. What information we collect

We try to collect as little as possible. Here's what we do collect, grouped by category.

Account and identity

When you create an account, we need a way to recognize you next time you open the app. We use Firebase Authentication for this, and you can sign in with an email and password, Google, or Apple. If you sign in with Apple, we also store a one-time authorization code in your device's Keychain so we can fully revoke the Apple sign-in if you ever delete your account.

Profile and fitness data

These are the things you tell us about yourself during onboarding or later in your profile. They power your personalized stats, your weekly goal, and your progress over time. You can change or clear most of this from the Profile screen.

Most profile fields beyond name and basic sign-in details are optional — see Section 5a for what's required vs. optional.

Location data

GymRhythm's main differentiator is automatic workout detection: when you walk into your gym, we want the app to notice and log it for you. To do that, we let you save one or more gym locations and we use a small geofence around each one. We do not record a trail of where you go.

We only ask for "Always" location access after you've decided to use the auto-detection feature, and you can change this any time in iOS Settings. If you deny location access, the app still works — you'll just need to log workouts manually.

Workout activity

Every time you complete a workout (whether automatically or manually), we save a record of it so you can see your history and streaks.

Subscription and purchase data

If you subscribe to GymRhythm Premium, we work with RevenueCat to validate your subscription with Apple and remember your entitlement across devices.

Apple processes the actual payment. We never see your card details.

App usage and diagnostics (only if you opt in)

These two categories are off by default. You'll see a consent question during onboarding, and you can change your answer any time in Settings.

If you turn on Product analytics, we collect:

If you turn on Crash reporting, we collect:

Both are gated by your consent toggle and stop collecting the moment you turn them off.

Anonymous onboarding metrics. When you first set up GymRhythm, we collect anonymous funnel events — which onboarding step you're on, how long you spent on it, and which category you selected (e.g., "tiktok" as a source, "general fitness" as a goal). These events are NOT linked to any user account or identifier — they're stripped of your user ID, email, name, weight, height, and birth date. They exist only to help us understand where the onboarding flow loses people so we can fix it. You can opt out anytime via Profile → Data & Privacy → Anonymous onboarding metrics.

Promo code attribution. If you redeem a promo code, we record the code itself as a user attribute (the string you entered, not your name). This lets us measure which marketing campaigns are working without identifying individual users. The attribute is anonymous if you have not opted into analytics; once you opt in, it ties to your Firebase Analytics user identifier for cohort reporting.

Your feedback

If you submit a suggestion through the in-app Feedback screen, we store it so we can read it and act on it.

You can delete your own suggestions from the Feedback screen.

Notification preferences

So we send you the right amount of nudges and not more.

4. How we use your information

We use your data for the following purposes:

Analytics and crash reporting are off by default. You choose whether to enable them, and you can change your mind any time in Settings.

5. Legal basis under GDPR

If you're in the EU, the European Economic Area (EEA), or the UK, GDPR requires us to tell you the legal basis we rely on for each purpose. Here's the breakdown:

5a. Is providing this data required?

Article 13(2)(e) GDPR requires us to tell you whether providing your data is mandatory and what happens if you don't. Here's the plain-English version:

6. Third parties we share data with

We use a small number of third-party "sub-processors" to run the app. They process data on our behalf, under contract, for the purposes listed above.

Authentication

ProviderWhat they do for usWhat data they receivePrivacy policy
Firebase Authentication (Google)Creates and manages your account, handles sign-in and password recoveryEmail, password hash, display name, authentication tokenspolicies.google.com/privacy
Google Sign-In SDKLets you sign in with your Google accountGoogle account email, ID token, access token (used only to exchange for a Firebase credential)policies.google.com/privacy
Sign in with AppleLets you sign in with your Apple accountAn anonymized Apple user ID, an authorization code (stored locally in the Keychain for account-deletion revocation), and your email only if you choose to share itapple.com/privacy

Cloud storage

ProviderWhat they do for usWhat data they receivePrivacy policy
Cloud Firestore (Google)Stores your account data in the cloud so it syncs across devicesAll user data: profile (name, weight, height, birthdate, gender, goals), saved gym locations, workout sessions, routines, XP claims, metrics history, consistency history, feedback submissions, and your location-permission statuspolicies.google.com/privacy

Product analytics (only if you opt in)

ProviderWhat they do for usWhat data they receivePrivacy policy
Firebase Analytics (Google)Helps us understand which features get used so we can prioritize improvementsScreen views, custom events, user properties (level, premium status, weekly goal, gender, goal type, acquisition source, age group, streak) and session duration — only when analytics consent is onpolicies.google.com/privacy

Crash reporting (only if you opt in)

ProviderWhat they do for usWhat data they receivePrivacy policy
Firebase Crashlytics (Google)Captures crashes and non-fatal errors so we can fix themStack traces, breadcrumbs, custom crash keys that mirror your user properties (level, premium status, weekly goal, age group, gender, goal type, acquisition source), app version, device model — only when crash-reporting consent is on. Because these keys are tied to your account, this data is linked to you.policies.google.com/privacy

App integrity

ProviderWhat they do for usWhat data they receivePrivacy policy
Firebase App Check (Google)Confirms requests to our backend come from a genuine copy of the app, not a bot or tampered buildAn attestation token (DeviceCheck on iOS 13, App Attest on iOS 14+, or a debug token in development)policies.google.com/privacy

Subscriptions

ProviderWhat they do for usWhat data they receivePrivacy policy
RevenueCatValidates your Premium subscription with Apple, restores purchases on new devices, and tracks entitlementsYour Firebase Auth user ID (as the RevenueCat app user ID), subscription purchase data, entitlements, subscription dates, and transaction historyrevenuecat.com/privacy

Maps

ProviderWhat they do for usWhat data they receivePrivacy policy
MapKit and Apple MapsPowers gym search, geocoding, reverse geocoding, and the map display when you pick a gymYour search queries (gym names), your current location, and coordinates for reverse geocodingapple.com/privacy

We do not sell your personal information, and we do not share it with advertisers.

7. International data transfers

Some of our sub-processors (notably Firebase/Google, Apple, and RevenueCat) process data on servers located in the United States and other countries outside the EU/EEA.

Where data is transferred outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs) and any additional safeguards our sub-processors have put in place (for example, Google's and Apple's published Data Processing Addenda). If you'd like more detail on a specific transfer, email us.

8. How long we keep your data

You don't need to email us to delete your data — the in-app button does it for you. But you can email us as a backup if anything goes wrong.

9. Your rights

If you're in the EU/EEA or UK (GDPR)

You have the right to:

If you're in California (California Consumer Privacy Act / California Privacy Rights Act, "CCPA/CPRA")

You have the right to know what we collect, to delete it, to correct it, and to not be discriminated against for exercising these rights.

We do not sell your personal information. We do not "share" it for cross-context behavioral advertising. There is no "Do Not Sell or Share My Personal Information" link because there's nothing to opt out of.

How to exercise your rights

We'll respond within 30 days.

10. Security

We take reasonable steps to protect your data:

No system is 100% secure, and we won't pretend otherwise. If a breach affects your data, we'll notify you and the relevant authorities in line with our GDPR obligations.

11. Children

GymRhythm is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please email riccardo.mewis@gmail.com and we'll delete it.

12. Cookies and tracking technologies

We keep this simple:

13. Automated decision-making and profiling

GymRhythm does not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

The cohort segmentation described in Section 3 (used for product analytics if you have opted in, and mirrored into crash keys if you have opted in to crash reporting) is used only to inform product improvements and bug fixes. It does not determine pricing, entitlements, access to features, or any other outcome that produces legal or similarly significant effects on you.

14. Changes to this policy

We may update this policy from time to time. When we do, we'll update the "Effective date" at the top.

If the changes are material (for example, a new sub-processor, a new category of data, or a new purpose), we'll notify you in-app before the changes take effect.

15. Contact

Questions, requests, or complaints about this policy or your data?

Email: riccardo.mewis@gmail.com

We read everything and we'll get back to you.