Privacy Policy
This Privacy Policy describes how GYMMI, a commercial brand operated by Luis Alonso Martinez Garcia, an individual with business activity (persona física con actividad empresarial) under the laws of the United Mexican States (hereinafter “GYMMI”, “we”, “us”, “our”, or “the Data Controller”), collects, uses, shares, and protects your personal information when you use our mobile application (“App”, “Service”).
This Notice is issued in compliance with Mexico’s Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), its Regulations, and the Privacy Notice Guidelines.
By using the Service, you consent to the collection and use of your information as described in this Privacy Policy.
1. Data Controller
Data Controller: Luis Alonso Martinez Garcia, an individual with business activity, operating under the commercial brand “GYMMI”.
Email: privacy@gymmi.coach
Address: Morelia, Michoacán, Mexico
For data protection inquiries, contact us at the email above.
2. Information We Collect
2.1 Account Information
- Email address.
- First and last name.
- Username.
- Date of birth.
2.2 Health and Fitness Data (Sensitive Data)
- Body weight, height, gender, age.
- Fitness level and training experience.
- Injuries and movement restrictions.
- Daily check-in data: sleep quality, energy level, stress level, muscle soreness, mood.
- Workout history: exercises performed, weights, repetitions, sets, duration.
- Personal records (1RM estimates).
- Muscle recovery data.
- Perceived workout difficulty.
2.3 Preferences
- Fitness goal (hypertrophy, strength, etc.).
- Training schedule (days per week, session duration).
- Equipment available.
- Muscle priorities.
- Cardio preferences.
- Coach notes (free-text training preferences).
2.4 Subscription Information
- Pro subscription status (active, in trial, or cancelled).
- Subscription expiration date.
2.5 Technical Data
- Device type and operating system.
- App version.
- Anonymized usage analytics.
2.6 Cookies and Tracking Technologies
The mobile app does NOT use cookies (cookies are a web technology that does not apply to native apps).
The GYMMI website (gymmi.coach) uses Vercel Web Analytics and Vercel Speed Insights only. These services are cookieless by design — they do not set cookies, do not store IP addresses, and do not identify individual visitors. As a result, no cookie consent banner is required under GDPR / ePrivacy / LFPDPPP.
We do NOT use third-party advertising cookies, behavioral tracking pixels, retargeting tags, or session replay tools.
We do NOT collect: precise location, contacts, photos (except optional avatar), browsing history, financial information (payments handled by Apple/Google), or biometric identifiers.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Email, name, username | Contract performance |
| Generate AI training plans | Profile, health data, training history, check-ins | Explicit consent |
| Provide post-workout feedback | Workout data, exercise performance | Explicit consent |
| Adjust training sessions based on readiness | Check-in data, training history | Explicit consent |
| Track fitness progress and personal records | Workout data, body measurements | Contract performance |
| Send transactional emails (welcome, account) | Email, first name | Contract performance |
| Process subscriptions | User ID, subscription status | Contract performance |
| Improve the Service | Anonymized, aggregated analytics | Legitimate interest |
4. How We Share Your Information
We do NOT sell your personal information. We share data only with the following service providers who process data on our behalf:
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| OpenAI | Profile data (age, weight, gender, level, injuries, goals), training history, check-in scores. NO email, name, or username is sent. | AI plan generation, feedback, and session adjustments | United States |
| Supabase | All account and user data | Database hosting and authentication | United States |
| Railway | All account and user data routed through our API | Backend API hosting | United States |
| Vercel | Web traffic (anonymous analytics, performance metrics) | Website and legal pages hosting | United States |
| Sentry | User ID, technical events, application errors, execution traces | Error monitoring and application stability | United States |
| Expo (EAS) | Device identifiers, push notification tokens, crash reports | App distribution, OTA updates, and notifications | United States |
| Resend | Email address, first name | Transactional emails | United States |
| RevenueCat | Anonymous user ID, subscription events | Subscription management | United States |
| Apple / Google | Payment information (handled directly by platform) | Subscription billing | United States |
Each provider is bound by their respective data processing agreements and privacy policies. International transfers are based on your express consent when using the Service, in accordance with article 37 of the LFPDPPP.
5. International Data Transfers
Your data is stored and processed in the United States by the providers listed in section 4. By accepting this Privacy Policy, you give your express consent to such international transfer.
Transfers are protected through:
- Data processing agreements with each service provider.
- Contractual commitments from providers to maintain equivalent security measures.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Training and workout data | Until you delete your account |
| Check-in data | Until you delete your account |
| AI coaching logs (telemetry) | 90 days, then permanently deleted |
| Anonymized analytics | Indefinite (not linked to your identity) |
After account deletion, all personal data is permanently removed from our systems within 30 days. Backups are purged within 90 days.
7. Your Rights (ARCO Rights)
Under the LFPDPPP, you have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access | View all personal data we hold | App Settings > Profile, or email us |
| Rectification | Correct inaccurate data | App Settings > Profile |
| Cancellation | Delete all your data permanently | App Settings > Delete Account |
| Opposition | Object to the processing of your data | Email us |
| Portability | Receive your data in a machine-readable format | Email us |
| Withdraw Consent | Revoke consent for health data processing | Email us (note: this may limit Service functionality) |
| Complaint | Lodge a complaint with a data protection authority | INAI (www.inai.org.mx) |
To exercise any right, contact us at privacy@gymmi.coach. We will respond within 20 business days as required by the LFPDPPP, and implement the response within 15 business days thereafter.
8. Health Data — Special Protections
Health and fitness data is classified as sensitive personal data under the LFPDPPP (article 3, fraction VI) and requires express, written consent.
8.1 We collect health data ONLY with your express consent, obtained when you:
- Accept the Terms and Conditions during registration.
- Accept the Health Disclaimer during onboarding.
- Voluntarily input health information in your profile and check-ins.
8.2 You may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.3 Health data sent to OpenAI for AI processing is:
- Stripped of identifying information (no email, name, or username).
- Not used by OpenAI for model training (per OpenAI’s API data usage policy).
- Processed solely to generate your training plan response.
9. Data Security
We implement technical, administrative, and physical measures to protect your data:
- Encryption in transit: All data transmitted via TLS/HTTPS.
- Encryption at rest: Local storage encrypted with MMKV (key stored in OS keychain).
- Database security: Row Level Security (RLS) policies ensure users can only access their own data.
- Authentication: Supabase JWT-based authentication.
- Access control: Column-level restrictions prevent unauthorized modifications.
- Rate limiting: API rate limits prevent abuse.
- Security audits: Regular code security reviews.
No system is 100% secure. In the event of a security breach that significantly affects your patrimonial or moral rights, we will notify you without delay and notify the relevant authorities as required by article 20 of the LFPDPPP.
10. Children’s Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.
If we become aware that we have collected data from a child under 18 without parental or legal guardian consent, we will delete that information immediately. If you believe we have collected data from a minor, contact us at privacy@gymmi.coach.
11. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Apple Health, exercise reference sites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email notification to your registered address.
- In-app notification.
The “Last updated” date at the top will be revised. Continued use of the Service after changes constitutes acceptance.
13. California Privacy Rights (CCPA / CPRA)
This section applies to residents of California, USA, and supplements the rights described elsewhere in this Policy. We provide it in compliance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).
13.1 Categories of Personal Information We Collect
In the past 12 months we have collected the following CCPA categories of personal information:
| CCPA Category | Examples Collected by GYMMI |
|---|---|
| A. Identifiers | Email address, first and last name, username, account ID |
| B. Customer records | Account information |
| D. Commercial information | Subscription status, purchase history |
| F. Internet activity | Anonymized usage analytics, device type, app version |
| K. Inferences | Fitness level and training preferences derived from your profile |
| Sensitive PI | Health and fitness data: body weight, height, age, gender, injuries, daily check-ins (sleep, energy, stress, mood, muscle soreness), training history |
13.2 Sources of Personal Information
- Directly from you (during signup, onboarding, and daily use).
- Automatically from your device (technical data).
- From Apple/Google (subscription events only).
13.3 Purposes for Collection
See Section 3 of this Policy. We collect personal information only to provide the Service.
13.4 Sale and Sharing of Personal Information
We do NOT sell your personal information. We do NOT share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months and have no plans to do so.
13.5 Use of Sensitive Personal Information
We use sensitive personal information (health and fitness data) only for the purposes disclosed in Section 3 and as authorized by you. We do not use sensitive personal information to infer characteristics about you beyond what is necessary to generate your training plan.
13.6 Your California Rights
As a California resident you have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Delete personal information we hold about you (subject to legal exceptions).
- Correct inaccurate personal information.
- Opt out of sale or sharing of personal information (we do not sell or share personal information, so this right is honored automatically without any request).
- Limit the use of sensitive personal information to disclosed business purposes.
- Non-discrimination for exercising your rights.
13.7 How to Exercise Your Rights
- In-app: Settings → Delete Account deletes all your data.
- Email: send a request to privacy@gymmi.coach with subject "CCPA Request". Identify yourself by the email address on your account. We will respond within 45 days as required by CCPA.
- Authorized agent: you may designate an authorized agent in writing to act on your behalf. We will require verification of your identity and the agent's authority.
13.8 Minors Under 16
We do not knowingly collect personal information from minors under 18. We do not sell or share personal information about any user — including minors — under any circumstances.
13.9 California "Shine the Light" Disclosure
California Civil Code §1798.83 permits California residents to request once per year a list of third parties to which we have disclosed personal information for direct-marketing purposes. GYMMI does not share personal information with third parties for their direct-marketing purposes.
13.10 Retention
We retain personal information only as long as necessary for the purposes described in Section 6 of this Policy.
13.11 Updates to This Section
We will update this section to reflect changes in California law or our practices. The "Last updated" date at the top of this Policy will be revised accordingly.
14. Contact Us
For privacy-related questions, requests, or complaints:
Data Controller: Luis Alonso Martinez Garcia (individual with business activity)
Email: privacy@gymmi.coach
Address: Morelia, Michoacán, Mexico
You may also contact the National Institute for Transparency, Access to Information and Personal Data Protection (INAI) at www.inai.org.mx.
For users in California, see Section 13 for your CCPA/CPRA rights.
By using GYMMI, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein.