Gymary Privacy Policy

Effective Date: May 2026 | Last Updated: May 2026
Version 2.0

Gymary ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Gymary mobile application and website (collectively, the "Services").

Gymary serves users in multiple jurisdictions, including the United States, Spain, and Latin American countries. This Policy is designed to comply with the applicable laws in each of these regions, including the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Washington My Health My Data Act, the Colombian Ley 1581 de 2012, the Brazilian Lei Geral de Proteção de Dados (LGPD), and other applicable privacy laws.

By using the Services, you acknowledge that you have read and understood this Privacy Policy.

1. Data Controller / Identity of the Controller

Gymary is the data controller responsible for your personal information.

For users in the European Union and Spain, Gymary acts as data controller within the meaning of Article 4(7) of the GDPR. For California residents, Gymary is the "business" as defined under the CCPA/CPRA.

2. Information We Collect

2.1 Personal Information You Provide

  • Authentication Information: Email address, or details from third-party login providers (Google, Apple) used to sign in and create your account.
  • User Profile: Name, profile picture, gender, date of birth, activity level, and primary fitness goals (e.g., "Lose weight", "Gain muscle").

2.2 Health and Fitness Data (Sensitive Data)

The following categories constitute sensitive personal information and are afforded heightened protection under applicable law:

  • Exercise Data: Workout logs, routines, exercise names, sets, reps, weights, lifetime performance history, and tags.
  • Nutrition Data: Meal logs, calorie and macronutrient records, food descriptions, and food photos you submit for automatic recognition.
  • Body Metrics and Biometrics: Body weight, height, body fat percentage, muscle mass percentage, water percentage, target weight goals, and measurement notes.
  • Body Measurements: Any measurements you manually record (e.g., waist, arms, chest).

2.3 AI Coach Interactions

We collect messages, text prompts, meal logging descriptions, routine requests, and conversational history exchanged with our AI Coach feature. This data is used to provide personalised insights, nutritional tracking, and workout generation.

2.4 Device and Technical Information

  • Device model and operating system version.
  • App crash logs and performance data.
  • Advertising IDs (Google Advertising ID / IDFA) — only collected after obtaining your explicit consent where required by law (e.g., via Apple's App Tracking Transparency framework on iOS).

2.5 Information We Do Not Collect

We do not collect precise real-time GPS location, payment card details (processed entirely by app stores or payment processors), or any biometric identifiers used for authentication (e.g., fingerprint or face data).

3. Legal Bases for Processing (GDPR / Spain / LATAM)

For users in the EU, Spain, and jurisdictions requiring a legal basis for data processing, we rely on the following:

  • Performance of a Contract (Article 6(1)(b) GDPR): Processing necessary to provide the Services you have requested, including account creation, workout and nutrition tracking, and AI Coach features.
  • Legitimate Interests (Article 6(1)(f) GDPR): App performance monitoring, crash analysis, fraud prevention, and service improvement, where not overridden by your interests or fundamental rights.
  • Consent (Article 6(1)(a) GDPR): Processing of health data and biometrics under Article 9(2)(a) GDPR; use of advertising IDs for ad personalisation; and any non-essential analytics or marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Compliance with Legal Obligations (Article 6(1)(c) GDPR): Where required by applicable law.

4. How We Use Your Information

4.1 Service Provision

  • Creating and managing your account.
  • Syncing your workout and nutrition data across devices.
  • Tracking your progress and providing analytics, charts, and 1RM estimates.
  • Providing the AI Coach feature, meal recognition, and routine generation.

4.2 Advertising (Free Tier)

For users on the free tier, we display advertisements via Google AdMob. AdMob may use advertising IDs to personalise ads. On iOS, we will request your permission via the App Tracking Transparency (ATT) prompt before accessing your IDFA. If you decline, only non-personalised ads will be displayed. You may opt out of personalised advertising at any time in your device settings.

4.3 App Improvement

We analyse aggregated, de-identified performance data and crash logs to improve the app's functionality and fix bugs. We do not use your health data for this purpose without your explicit consent.

4.4 Legal Compliance

We may process your information to comply with applicable legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service.

5. Third-Party Services and Data Sharing

We do not sell your personal information. We share data only with the following categories of trusted service providers, under contractual obligations to protect your data:

5.1 Infrastructure and Authentication

Supabase: Backend database and authentication provider. Your personal data and workout/nutrition logs are stored on Supabase servers. Supabase is SOC 2 compliant.
Privacy Policy: https://supabase.com/privacy

5.2 AI Processing

Third-Party AI Providers: Meal photos, text prompts, and AI Coach conversations are transmitted to third-party AI interfaces for processing. Data is processed temporarily to deliver AI functionality and is not retained by providers for training purposes under our agreements. We will update this section with specific provider names as these relationships are formalised.

5.3 Advertising

Google AdMob: Displays advertisements to free-tier users. AdMob may process advertising IDs.
Google Privacy Policy: https://policies.google.com/privacy

5.4 Payment Processing

Apple App Store / Google Play: All subscription payments are processed by the respective app stores. We do not collect or store payment card details. We receive only a confirmation of purchase status and subscription tier.

5.5 Legal and Safety Disclosures

We may disclose your information to law enforcement or government authorities if required by law, court order, or to protect the rights, safety, or property of Gymary or its users.

6. US-Specific Rights and Disclosures

6.1 California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, used, disclosed, or sold about you in the past 12 months.
  • Right to Delete: Request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: Request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale/Sharing: Although we do not sell personal information for money, the use of advertising IDs for personalised advertising may qualify as "sharing" under CPRA. You may opt out by using the "Do Not Sell or Share My Personal Information" option in the app settings or by contacting us.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information (including health and biometric data) to purposes strictly necessary to provide the Services. To exercise this right, contact us at gymary.app@gmail.com.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

To submit a verifiable consumer request, contact us at gymary.app@gmail.com. We will respond within 45 days; we may extend this period by an additional 45 days where reasonably necessary with prior notice.

6.2 Washington State Residents (My Health My Data Act)

We collect "consumer health data" as defined by the Washington My Health My Data Act, including workout data, body metrics, and nutrition logs. Washington residents have the following additional rights:

  • Right to confirm whether we collect, share, or sell your consumer health data.
  • Right to withdraw consent to our collection or sharing of your consumer health data.
  • Right to have your consumer health data deleted.

We obtain your affirmative consent before collecting sensitive health data. To exercise your rights, contact gymary.app@gmail.com.

6.3 Other US State Residents

Residents of Colorado, Connecticut, Virginia, Texas, Nevada, and other states with applicable privacy laws may have similar rights regarding access, correction, deletion, and opt-out of targeted advertising. To exercise these rights, contact us at gymary.app@gmail.com.

7. EU / Spain Specific Rights (GDPR / LOPDGDD)

If you are located in the European Union or Spain, you have the following rights under the GDPR and the Spanish Organic Law 3/2018 (LOPDGDD):

  • Right of Access (Article 15 GDPR): Obtain a copy of your personal data.
  • Right to Rectification (Article 16 GDPR): Correct inaccurate or incomplete data. You can update most information directly within the App.
  • Right to Erasure (Article 17 GDPR): Request deletion of your data ("right to be forgotten"), subject to legal obligations.
  • Right to Restriction of Processing (Article 18 GDPR): Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Article 20 GDPR): Receive your data in a structured, commonly used, machine-readable format.
  • Right to Object (Article 21 GDPR): Object to processing based on legitimate interests, including for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with your national supervisory authority. In Spain: Agencia Española de Protección de Datos (AEPD), www.aepd.es. In the EU: the supervisory authority of your Member State.

We will respond to rights requests within 30 days (extendable by two months for complex requests, with notice).

8. Latin America Specific Rights

8.1 Brazil (LGPD)

Brazilian users have rights under Lei 13.709/2018 (LGPD) including access, correction, deletion, portability, information about sharing, and objection to processing. Legal basis for processing health data is consent (Article 11, II, "a" LGPD). Contact gymary.app@gmail.com to exercise your rights.

8.2 Colombia (Ley 1581 de 2012)

Colombian users have rights to know, update, rectify, and suppress their personal data under Ley Estatutaria 1581 de 2012. Health data is considered sensitive data under Colombian law and is processed only with your explicit authorisation. Contact gymary.app@gmail.com.

8.3 Mexico (LFPDPPP)

Mexican users have ARCO rights (Access, Rectification, Cancellation, and Opposition) under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares. Contact gymary.app@gmail.com with your request.

8.4 Argentina (Ley 25.326)

Argentine users have rights of access, rectification, update, and suppression of personal data under Ley 25.326. Gymary is registered as required under applicable Argentine law. Contact gymary.app@gmail.com.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our infrastructure providers are located. For transfers from the EU/EEA to third countries, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission, or other appropriate safeguards as required by Article 46 GDPR. For further information on safeguards in place, contact gymary.app@gmail.com.

10. Children's Privacy

Gymary is not intended for use by individuals under the age of 13 (or 16 in the EU/Spain per Article 8 GDPR and Spanish LOPDGDD). We do not knowingly collect personal information from children below the applicable age threshold. Because we collect date of birth at registration, we use this information to block registration by individuals below the minimum age.

If you are a parent or guardian and believe your child has created an account, please contact us at gymary.app@gmail.com and we will promptly delete the account and associated data.

For users aged 13–17 (or 13–15 in Spain), we apply additional protections and will not use their data for advertising purposes without parental consent.

11. Data Retention

We retain your personal information for as long as your account is active. Specific retention periods:

  • Account and profile data: Retained until account deletion, plus up to 30 days for backup clearance.
  • Workout and nutrition logs: Retained for the duration of your account.
  • AI Coach conversation history: Retained for up to 12 months from date of conversation, then deleted.
  • Crash logs and performance data: Retained for up to 90 days.
  • Advertising IDs: Retained until you withdraw consent or reset your advertising ID.

You may request account deletion at any time at https://gymary.fit/delete-account or by contacting gymary.app@gmail.com. Upon deletion, we will remove your personal data within 30 days, except where retention is required by law.

12. Security

We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data transmission (TLS), secure cloud infrastructure (Supabase), and access controls. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

13. Do Not Sell or Share My Personal Information

We do not sell your personal information for monetary consideration. However, sharing your advertising ID with Google AdMob for personalised advertising may constitute "sharing" under California CPRA. To opt out:

  • iOS: Decline the ATT prompt when first launching the app, or go to Settings > Privacy > Tracking.
  • Android: Go to Settings > Google > Ads > Opt out of Ads Personalisation.

Contact us: gymary.app@gmail.com with subject line "Do Not Sell or Share My Information".

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the revised Policy on this page, updating the "Last Updated" date, and, where required by law, providing notice via the app or email. Your continued use of the Services after the effective date constitutes acceptance of the updated Policy. If you do not agree to the changes, you should discontinue use and request account deletion.

15. Contact Us

For any questions, requests, or complaints regarding this Privacy Policy or our data practices:

For EU/Spain users, if you are not satisfied with our response, you have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.