Privacy Policy
Last updated: June 18, 2026
This Privacy Policy explains how GymAI (“we”, “us”) — a personal project operated by an individual developer — collects, uses, and protects your information when you use the GymAI app and website. We built GymAI to help you train: your training data is yours, and we aim to collect only what we need to provide the service.
Information we collect
- Account information — your email address and a password. Passwords are stored only in hashed form by our authentication provider; we never see your plaintext password.
- Training data — workouts, exercises, sets, reps, weights, personal records, routines, gym locations, body-weight entries, and any notes or workout history you log or import.
- Coaching conversations — the goals, constraints, and messages you send to the in-app AI coach.
- Limited technical data — basic diagnostic and request information (such as error logs) needed to operate and secure the service. The mobile app does not use third-party advertising or analytics tracking SDKs; the website uses privacy-friendly, cookieless analytics (Cloudflare Web Analytics).
Voice coaching using your microphone is planned for a future release. The current version of the app does not record or transmit audio. This policy will be updated before any audio feature is enabled.
How we use your information
- To provide core features — logging, analytics, AI coaching, and data import.
- To generate personalised coaching, workout suggestions, and insights from your own training data.
- To authenticate you and keep your account secure.
- To operate, maintain, secure, and improve the service.
AI processing & third-party processors
To deliver AI coaching and workout generation, the workout-related text and coaching messages you submit are sent to third-party AI providers for processing. We share only what is needed to deliver these features, we do not sell your data, and we do not permit these providers to use your personal data for their own independent purposes. The providers we rely on are:
- Supabase — authentication and database hosting (EU region).
- OpenAI and Anthropic — large-language-model processing of your workout descriptions and coaching messages to generate responses.
- Fly.io — application and server hosting.
- Cloudflare — website hosting and privacy-friendly analytics.
Each provider processes data on our behalf under its own terms and privacy policy.
Your rights and choices
- Access & correction — you can view and edit your profile and training data directly in the app.
- Account & data deletion — you can permanently delete your account and its data at any time from Profile → Delete account in the app. You may also request deletion by emailing us.
- Depending on where you live, you may have additional rights (such as data portability or the right to object). Contact us to exercise them.
Data retention
We retain your data while your account is active. When you delete your account, we delete your associated personal and training data, subject to limited legal or operational requirements. Backups and logs are rotated and expire over time.
Security
We use industry-standard measures — encryption in transit, hashed credentials, and access controls — to protect your data. No system is perfectly secure, but we work to protect your information.
Children
GymAI is not directed to children under 16, and we do not knowingly collect data from them. If you believe a child has provided us data, contact us and we will delete it.
Changes to this policy
We may update this policy as the product evolves. Material changes will be reflected here with an updated date, and where appropriate we will notify you in the app.
Contact
Questions about privacy or a data request? Email support@gymai.fitness.