Privacy Policy

Last updated: June 16, 2025

This policy applies globally and is designed to comply with the Kenya Data Protection Act 2019, EU/UK GDPR, California CCPA/CPRA, Brazil LGPD, South Africa POPIA, Canada PIPEDA, Singapore/Thailand PDPA, Nigeria NDPA 2023, and other applicable privacy laws worldwide.

1. Who we are (Data Controller)

GymApp is operated from Kenya. We are the data controller and data processor for all personal data collected through this platform.

Controller: GymApp

Country: Kenya

Contact: peternjorogeirungu76@gmail.com

2. What data we collect

Account data

Email address, hashed password (never stored in plain text), display name if provided.

Gym & membership data

Gym associations, membership tier, check-in timestamps, staff or trainer role assignments.

Workout data

Exercises, sets, reps, and session history you choose to log.

Billing data

Subscription status and Paystack payment reference IDs. We never store full card numbers — payments are handled entirely by Paystack.

Device data

A random device ID generated on your device for offline sync. We do not collect location, hardware identifiers, or sensor data.

Usage data

Basic usage logs (page views, errors) for service reliability. No behavioural profiling or cross-site tracking.

3. Legal basis for processing

We rely on the following lawful bases (required under GDPR, Kenya DPA, LGPD, POPIA, and equivalent laws):

Contract— processing your account data, sync, and gym membership to deliver the service you signed up for.
Consent— email marketing or optional analytics, where you have explicitly opted in.
Legitimate interest— fraud prevention, security monitoring, and service improvement.
Legal obligation— retaining transaction records as required by applicable law.

4. Who we share your data with

Supabase (USA)
Our database and authentication provider. Data is stored on servers in their cloud. Supabase is SOC 2 Type II certified. Transfers are covered by Standard Contractual Clauses (SCCs) for EU/UK users.
Paystack (Nigeria/USA)
Processes payments. Subject to their own privacy policy. We only share the minimum data required to complete a transaction.
Gym owners and admins
If you join a gym through GymApp, that gym's admin can see your name, email, and check-in history for their gym only.

We do not sell, rent, or trade your personal data to any third party. Ever.

5. International data transfers

Your data may be stored and processed outside your country. When transferring data internationally we use:

EU Standard Contractual Clauses (SCCs) for transfers involving EEA data
UK International Data Transfer Agreements (IDTAs) for UK data
We rely on Supabase's data processing agreements which cover these requirements

6. How long we keep your data

Account data — retained while your account is active.
Workout data — retained until you delete it or close your account.
Billing records — retained for 7 years as required by Kenyan tax law.
Deleted accounts — personal data removed within 30 days of deletion request.

7. Your rights

Depending on your country, you have some or all of the following rights:

Access:Request a copy of all personal data we hold about you.

Rectification:Correct inaccurate or incomplete data.

Erasure / Right to be forgotten:Request deletion of your account and data.

Data portability:Receive your data in a machine-readable format (JSON/CSV).

Objection:Object to processing based on legitimate interest.

Restriction:Request we limit processing while a dispute is resolved.

Withdraw consent:Where processing is consent-based, withdraw it at any time.

Non-discrimination (CCPA):California residents will not be denied service for exercising privacy rights.

Lodge a complaint:You may complain to your local data protection authority.

To exercise any right, email peternjorogeirungu76@gmail.com. We will respond within 30 days (or 45 days for complex requests).

8. Cookies

We use only essential session cookies required for authentication. We do not use advertising cookies or third-party tracking pixels. You can disable cookies in your browser settings, but the app will not function without session cookies.

9. Children's data

GymApp is not directed at children under 16 (or 13 in the USA). We do not knowingly collect data from children. If you believe a child has created an account, contact us immediately and we will delete it.

10. Security

Passwords hashed with bcrypt — never stored in plain text.
All data transmitted over HTTPS/TLS.
Row Level Security (RLS) enforced at the database layer — users can only access their own data.
Supabase is SOC 2 Type II certified.
We review security practices regularly.

11. Data breach notification

In the event of a data breach that affects your personal data, we will notify you and relevant regulators within 72 hours of becoming aware, as required by GDPR and equivalent laws.

12. California residents (CCPA/CPRA)

California residents have additional rights under the CCPA/CPRA:

Right to know what personal information is collected and how it is used.
Right to delete personal information.
Right to opt out of the sale or sharing of personal information — we do not sell or share your data.
Right to correct inaccurate personal information.
Right to limit use of sensitive personal information.

To submit a CCPA request, email peternjorogeirungu76@gmail.com.

13. Changes to this policy

We may update this policy. For material changes, we will notify you by email or in-app notice at least 14 days before the change takes effect. Continued use after that date constitutes acceptance.

14. Applicable regulators

Depending on your location, you may have the right to complain to your local data protection authority, including:

Kenya — Office of the Data Protection Commissioner (ODPC)
EU/EEA — your local EU supervisory authority
UK — Information Commissioner's Office (ICO)
South Africa — Information Regulator
Nigeria — Nigeria Data Protection Commission (NDPC)
Brazil — Autoridade Nacional de Proteção de Dados (ANPD)
Canada — Office of the Privacy Commissioner of Canada

GymApp