Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

2. Data We Collect

2.1 Information You Provide

We collect information you voluntarily provide when using our Service:

• Account Information: Name, email address, password, profile picture
• Profile Information: Business name, credentials, specializations, biography
• Payment Information: Payment method details (processed by Paddle)
• Content: Training programs, workouts, exercises, client notes
• Communications: Messages, support tickets, feedback

2.2 Information Collected Automatically

We automatically collect certain information when you use the Service:

• Device Information: Device type, operating system, browser type
• Usage Data: Pages visited, features used, time spent, clicks
• Log Data: IP address, access times, referring URLs
• Location Data: General location based on IP address (country/region)

2.3 Information From Third Parties

We may receive information from:

• Payment Processor (Paddle): Transaction details, billing information
• Analytics Providers: Aggregated usage statistics
• Authentication Providers: If you sign in with Google, Apple, or other providers

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Service Delivery

• Providing and maintaining the Service
• Processing your transactions and subscriptions
• Managing your account and preferences
• Enabling features and functionality
• Delivering your content to your clients

3.2 Communication

• Sending transactional emails (account confirmations, password resets)
• Providing customer support
• Sending important service announcements
• Marketing communications (with your consent)

3.3 Improvement & Analytics

• Analyzing usage patterns to improve the Service
• Developing new features and functionality
• Conducting research and analysis
• Monitoring and preventing technical issues

3.4 Security & Compliance

• Protecting against fraud and abuse
• Ensuring platform security
• Complying with legal obligations
• Enforcing our Terms of Service

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

4.1 Contract Performance

Processing necessary to fulfill our contract with you, including:

• Providing access to the Service
• Processing payments
• Managing your account

4.2 Legitimate Interests

Processing based on our legitimate business interests:

• Improving and optimizing the Service
• Preventing fraud and ensuring security
• Marketing our services to existing customers

4.3 Consent

Processing based on your explicit consent:

• Marketing communications
• Optional analytics and personalization
• Cookies (non-essential)

4.4 Legal Obligations

Processing required to comply with legal requirements:

• Tax and accounting records
• Responding to legal requests
• Regulatory compliance

5. Data Sharing & Third Parties

We may share your personal data with:

5.1 Service Providers

• Paddle: Payment processing and subscription management
• Cloud Hosting: Data storage and computing services
• Email Services: Transactional and marketing emails
• Analytics: Usage analysis and reporting
• Customer Support: Help desk and support tools

5.2 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity.

5.3 Legal Requirements

We may disclose your data if required by law or in response to valid legal requests from public authorities.

5.4 With Your Consent

We may share your data with other third parties when you have given us explicit consent to do so.

6. Data Retention

We retain your personal data for as long as necessary to:

• Provide the Service to you
• Comply with legal obligations (typically 5-7 years for financial records)
• Resolve disputes and enforce our agreements
• Maintain security and prevent fraud

After account deletion or subscription cancellation:

• Active data is retained for 30 days to allow recovery
• Backups are retained for up to 90 days
• Legal/financial records are retained as required by law
• Anonymized analytics data may be retained indefinitely

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

7.1 Access

You have the right to request a copy of the personal data we hold about you.

7.2 Rectification

You have the right to request correction of inaccurate or incomplete personal data.

7.3 Erasure

You have the right to request deletion of your personal data in certain circumstances.

7.4 Data Portability

You have the right to receive your personal data in a structured, machine-readable format.

7.5 Restriction

You have the right to request restriction of processing of your personal data.

7.6 Objection

You have the right to object to processing based on legitimate interests or for direct marketing.

7.7 Withdraw Consent

Where processing is based on consent, you have the right to withdraw your consent at any time.

7.8 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@gymcraft.app. We will respond to your request within 30 days.

7.9 Complaints

If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority.

8. Cookies & Tracking

8.1 What Are Cookies

Cookies are small text files stored on your device that help us provide and improve the Service.

8.2 Types of Cookies We Use

• Essential Cookies: Required for the Service to function (authentication, security)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use the Service
• Marketing Cookies: Used to deliver relevant advertisements (with consent)

8.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect the functionality of the Service.

8.4 Do Not Track

We currently do not respond to "Do Not Track" browser signals. We may update this policy as industry standards evolve.

9. Data Security

We implement comprehensive security measures to protect your personal data:

9.1 Technical Measures

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication and access controls
• Regular security audits and penetration testing
• Intrusion detection and prevention systems
• Regular software updates and security patches

9.2 Organizational Measures

• Employee training on data protection
• Access restricted on a need-to-know basis
• Incident response procedures
• Regular security reviews

9.3 Data Breach Response

In the event of a data breach that poses a risk to your rights, we will notify you and relevant authorities as required by law, typically within 72 hours of becoming aware of the breach.

10. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States.

When we transfer data internationally, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses approved by relevant authorities
• Adequacy decisions where applicable
• Other lawful transfer mechanisms

11. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately.

12. Policy Changes

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page
• Sending you an email notification
• Displaying a notice in the Service

We encourage you to review this policy periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: