
Privacy Policy

Last updated: May 18, 2026

1. Introduction

Gymia ("we", "our", or "us") operates the Gymia mobile application (GymiaFit on Google Play and the App Store) and the gymia.fit website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

Data controller: Gymia, based in Italy. Contact: support@gymia.fit.

2. Information We Collect

Information you provide

  • Account: email address, password (hashed, never stored in plaintext), display name
  • Profile: optional profile photo, bio, gym membership
  • Health & fitness data: workout logs, sets/reps/weight, body measurements (weight, body fat, circumferences), meal logs, fitness goals, experience level
  • Media: exercise videos and photos you upload (used for AI exercise recognition and progress tracking)
  • Social: squad messages, posts, comments, challenge participations
  • Support: contents of any support request you send us

Information collected automatically

  • Device information: model, OS version, language, timezone
  • App identifiers: install ID, push notification token
  • Usage data: features used, session duration, in-app actions
  • Crash logs and performance data (via Sentry)

Information we do NOT collect

  • Precise location (GPS) — we do not track location
  • Contacts, SMS, calendar, or microphone (except when you explicitly record an exercise video)
  • Credit card or banking details — payments are processed entirely by Stripe (see Section 5)

3. How We Use Your Information

  • Provide and personalize workout, nutrition, and challenge features
  • Run AI exercise recognition on videos you upload
  • Compute your rank, leaderboard position, and progress
  • Enable squad chat, posts, and social features
  • Send push notifications (workouts, challenges, squad activity) — you can disable them per channel in app settings or device settings
  • Process payments for Premium subscriptions and shop orders (via Stripe)
  • Detect crashes, fix bugs, improve performance
  • Respond to your support requests
  • Comply with legal obligations

Legal bases (GDPR): performance of contract (Art. 6(1)(b) for account, workout, payment features), consent (Art. 6(1)(a) for optional notifications and analytics, Art. 9(2)(a) for health data), legitimate interests (Art. 6(1)(f) for security, crash reporting, fraud prevention), legal obligation (Art. 6(1)(c) for tax records).

4. Health & Fitness Data

Gymia processes health and fitness data (workouts, body measurements, meal logs) under Article 9(2)(a) GDPR — with your explicit consent given at account creation. You may withdraw consent at any time by deleting your account (see Section 8). We do not share health data with third-party advertisers or data brokers.

AI exercise recognition is performed by our gym-tracker service. Videos are stored encrypted on our infrastructure and are not used to train third-party models.

5. Third-Party Services

We share limited data with the following processors, each under a Data Processing Agreement:

Stripe (Ireland) — payments

Processes subscription and shop payments. Receives: email, name, billing address, payment method (handled directly between you and Stripe; we never see card numbers). stripe.com/privacy

Sentry (USA) — crash reporting

Receives: anonymized crash stack traces, device model, OS version, app version, install ID. Personal data is scrubbed before transmission. sentry.io/privacy

Google (USA) — Sign-In, Push, Play Services

Sign in with Google (email, name, profile photo if you authorize), Firebase Cloud Messaging for push notifications (device token only), Google Play Services. policies.google.com/privacy

Apple (USA) — Sign-In, Push, App Store

Sign in with Apple (email or relay address, name), Apple Push Notification service, App Store. apple.com/legal/privacy

Hetzner (Germany / Finland) — hosting & storage

All Gymia servers, databases, and uploaded media are hosted in Hetzner data centers within the EU. hetzner.com/legal/privacy-policy

Skimlinks (United Kingdom) — affiliate link tracking

Used on the gymia.fit website and on outbound product links from the GymiaFit mobile app shop. When you click a product recommendation that links to a partner merchant, Skimlinks may automatically add an affiliate tracking parameter so we can earn a small commission if you purchase. Skimlinks receives: the merchant URL clicked, your IP address, browser or device user-agent, and a tracking cookie or click ID. No personal account data (email, name, health data) is shared. skimlinks.com/privacy

International transfers: Stripe, Sentry, Google, Apple, and Skimlinks may process data in the USA / UK. Transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on the UK adequacy decision for Skimlinks.

6. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account deletion.
  • Workout, meal, and progress data: same as account.
  • Payment records: retained 10 years to comply with Italian tax law.
  • Crash logs: retained 90 days by Sentry, then automatically purged.
  • Support tickets: retained 2 years after resolution.
  • Backups: encrypted backups may persist up to 35 days after deletion before being overwritten.

7. Data Sharing

We do not sell or rent your personal data. We share data only:

  • With your consent: When you post in a squad, comment publicly, or join a leaderboard, your display name and selected data become visible to other members of that scope.
  • With your gym (white-label tenants only): If you joined via a partner gym, that gym's administrators can see your workout history and ranking within their gym only.
  • Service providers: The processors listed in Section 5.
  • Legal requirements: When required by law, court order, or to protect rights, property, or safety.

8. Account Deletion

You can delete your Gymia account at any time:

  • In the app: Profile → Settings → Account → Delete account. Confirm with your password.
  • By email: Send a deletion request from your registered email to support@gymia.fit. We respond within 30 days.
  • Web: gymia.fit/account/delete

Deletion is irreversible. Your account, profile, workout history, squad memberships, posts, and uploaded media are permanently removed within 30 days. Payment records are retained as required by tax law (Section 6).

9. Cookies and Tracking Technologies (website only)

The gymia.fit website uses limited cookies. The Gymia mobile app does not use cookies but uses local storage and secure storage for authentication tokens.

Cookies we use on the website

Essential Cookies

Necessary for the website to function. Cannot be switched off.

  • gymia-cookie-consent — Stores your cookie consent preferences (browser local storage)
  • Next.js framework cookies — Required for application functionality

Analytics Cookies (Optional)

We may use analytics tools to understand visitor interaction. Currently: none active. Will be added only with your consent.

Third-Party Services

  • Google Fonts — Loads web fonts

Managing cookies

  • Use the cookie consent banner to accept or decline
  • Clear browser cookies through browser settings
  • Enable "Do Not Track" in your browser

10. Data Security

We implement industry-standard security measures:

  • TLS 1.2+ encryption for all data in transit
  • At-rest encryption for databases and object storage
  • Passwords hashed with bcrypt; never stored in plaintext
  • Access tokens stored in device secure storage (Keychain on iOS, Keystore on Android)
  • Role-based access control with audit logs
  • Regular security reviews and dependency updates

No system is 100% secure. In the event of a personal data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours, in accordance with Article 33 GDPR.

11. Your Rights (GDPR)

If you are in the European Economic Area, you have the following rights under the GDPR:

  • Access (Art. 15): obtain a copy of your personal data
  • Rectification (Art. 16): correct inaccurate data
  • Erasure (Art. 17): request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18): limit how we process your data
  • Portability (Art. 20): receive your data in a machine-readable format
  • Object (Art. 21): object to processing based on legitimate interests
  • Withdraw consent (Art. 7(3)): at any time, without affecting prior processing
  • Lodge a complaint: with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, garanteprivacy.it) or your local supervisory authority

To exercise any of these rights, contact support@gymia.fit. We respond within 30 days.

12. Children's Privacy

Gymia is not intended for users under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@gymia.fit and we will delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. You will be notified of material changes via the app and email at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

14. Contact

For privacy questions or to exercise your rights:

Email: support@gymia.fit

Postal: please request the postal address by email for formal correspondence.