GYMMI — Privacy Policy
Last updated: March 21, 2026
Version: 1.0
This Privacy Policy describes how GYMMI (“Company”, “we”, “us”, “our”) collects, uses, shares, and protects your personal information when you use our mobile application (“App”, “Service”).
By using the Service, you consent to the collection and use of your information as described in this Privacy Policy.
1. Data Controller
Company: GYMMI
Email: privacy@gymmi.coach
Address: [Company Address — to be completed]
For data protection inquiries, contact us at the email above.
2. Information We Collect
2.1 Account Information
- Email address
- First and last name
- Username
- Date of birth
2.2 Health and Fitness Data (Sensitive Data)
- Body weight, height, gender, age
- Fitness level and training experience
- Injuries and movement restrictions
- Daily check-in data: sleep quality, energy level, stress level, muscle soreness, mood
- Workout history: exercises performed, weights, repetitions, sets, duration
- Personal records (1RM estimates)
- Muscle recovery data
- Perceived workout difficulty
2.3 Preferences
- Fitness goal (hypertrophy, strength, etc.)
- Training schedule (days per week, session duration)
- Equipment available
- Muscle priorities
- Cardio preferences
- Coach notes (free-text training preferences)
2.4 Subscription Information
- Subscription status (free/Pro)
- Subscription expiration date
2.5 Technical Data
- Device type and operating system
- App version
- Anonymized usage analytics
We do NOT collect: precise location, contacts, photos (except optional avatar), browsing history, financial information (payments handled by Apple/Google), or biometric identifiers.
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Create and manage your account | Email, name, username | Contract performance |
| Generate AI training plans | Profile, health data, training history, check-ins | Explicit consent |
| Provide post-workout feedback | Workout data, exercise performance | Explicit consent |
| Adjust training sessions based on readiness | Check-in data, training history | Explicit consent |
| Track fitness progress and personal records | Workout data, body measurements | Contract performance |
| Send transactional emails (welcome, account) | Email, first name | Contract performance |
| Process subscriptions | User ID, subscription status | Contract performance |
| Improve the Service | Anonymized, aggregated analytics | Legitimate interest |
4. How We Share Your Information
We do NOT sell your personal information. We share data only with the following service providers who process data on our behalf:
| Provider | Data Shared | Purpose | Location |
|---|---|---|---|
| OpenAI | Profile data (age, weight, gender, level, injuries, goals), training history, check-in scores. NO email, name, or username is sent. | AI plan generation, feedback, and session adjustments | United States |
| Supabase | All account and user data | Database hosting and authentication | United States |
| Resend | Email address, first name | Transactional emails | United States |
| RevenueCat | Anonymous user ID, subscription events | Subscription management | United States |
| Apple / Google | Payment information (handled directly by platform) | Subscription billing | United States |
Each provider is bound by their respective data processing agreements and privacy policies.
5. International Data Transfers
Your data is stored and processed in the United States. If you are located outside the United States (including the European Economic Area or Mexico), your data will be transferred internationally.
These transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework (where applicable)
- Data Processing Agreements with each service provider
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Training and workout data | Until you delete your account |
| Check-in data | Until you delete your account |
| AI coaching logs (telemetry) | 90 days, then permanently deleted |
| Anonymized analytics | Indefinite (not linked to your identity) |
After account deletion, all personal data is permanently removed from our systems within 30 days. Backups are purged within 90 days.
7. Your Rights
Depending on your location, you may have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Access | View all personal data we hold | App Settings > Profile, or email us |
| Rectification | Correct inaccurate data | App Settings > Profile |
| Erasure | Delete all your data permanently | App Settings > Delete Account |
| Portability | Receive your data in a machine-readable format | Email us |
| Withdraw Consent | Revoke consent for health data processing | Email us (note: this may limit Service functionality) |
| Restriction | Restrict certain processing activities | Email us |
| Objection | Object to processing based on legitimate interest | Email us |
| Complaint | Lodge a complaint with a data protection authority | INAI (Mexico), or your local DPA |
To exercise any right, contact us at privacy@gymmi.coach. We will respond within 20 business days (Mexico) or 30 days (GDPR).
8. Health Data — Special Protections
Health and fitness data is classified as sensitive personal data under Mexican law (LFPDPPP) and special category data under GDPR.
8.1 We collect health data ONLY with your explicit consent, obtained when you:
- Accept these terms during registration
- Accept the Health Disclaimer during onboarding
- Voluntarily input health information in your profile and check-ins
8.2 You may withdraw consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.3 Health data sent to OpenAI for AI processing is:
- Stripped of identifying information (no email, name, or username)
- Not used by OpenAI for model training (per OpenAI’s API data usage policy)
- Processed solely to generate your training plan response
9. Data Security
We implement technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted via TLS/HTTPS
- Encryption at rest: Local storage encrypted with MMKV (key stored in OS keychain)
- Database security: Row Level Security (RLS) policies ensure users can only access their own data
- Authentication: Supabase JWT-based authentication
- Access control: Column-level restrictions prevent unauthorized modifications
- Rate limiting: API rate limits prevent abuse
- Security audits: Regular code security reviews
No system is 100% secure. In the event of a data breach affecting your personal information, we will notify you and relevant authorities within 72 hours as required by applicable law.
10. Children’s Privacy
The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18.
If we become aware that we have collected data from a child under 18 without parental consent, we will delete that information immediately. If you believe we have collected data from a minor, contact us at privacy@gymmi.coach.
11. Third-Party Links
The Service may contain links to third-party websites or services (e.g., Apple Health, exercise reference sites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via:
- Email notification to your registered address
- In-app notification
The “Last updated” date at the top will be revised. Continued use of the Service after changes constitutes acceptance.
13. Contact Us
For privacy-related questions, requests, or complaints:
Email: privacy@gymmi.coach
Address: [Company Address — to be completed]
For users in Mexico, you may also contact the INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) at www.inai.org.mx.
By using GYMMI, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your personal data as described herein.