Privacy Policy

Last updated: 5 May 2026

1. Information We Collect

We collect information you provide directly when you create an account and use GymCrew:

• Account data: name, email address, username, birth year.
• Workout data: sets, reps, weights, RPE, exercise selection, workout dates and notes.
• Profile content: profile picture (optional), bio, achievements.
• Wellness data (premium): sleep hours, soreness ratings, body measurements, grip strength, when you choose to log them.
• Authentication: if you sign in with Google, we receive your Google email and Google account ID.
• Subscription data: via RevenueCat — purchase events, entitlement state, product identifiers. We do NOT receive your credit card number; payments are handled by Google Play.
• Usage data: app interactions, screen views, crash reports (via Sentry), device model and OS version, for analytics and reliability.

2. How We Use Your Information

We use your information to:

• Operate and improve GymCrew.
• Provide personalised features (leaderboards, friend activity, challenges, achievements).
• Send notifications you have opted into (workout streak reminders, friend activity, achievements).
• Manage your subscription and billing entitlement.
• Detect bugs, prevent abuse, and comply with legal obligations.

3. Data Sharing

We do not sell your personal data. We share data only with infrastructure providers necessary to operate the service:

• Railway (EU region) — hosting our backend and PostgreSQL database.
• Cloudflare R2 — profile photo storage.
• RevenueCat — subscription state management.
• Google Play Billing — payment processing for subscriptions.
• Sentry — crash and error reporting.
• Google — only if you sign in with Google OAuth.

Workout data marked as public is visible to other users you have not blocked. You can mark any workout as private at any time from the workout detail screen.

4. Your Rights (GDPR)

If you are in the European Economic Area, you have the right to:

• Access your data.
• Rectify inaccurate data.
• Request erasure ("right to be forgotten").
• Restrict or object to processing.
• Data portability (receive your data in a machine-readable format).

To exercise these rights, email [email protected]. You can also delete your account directly from the app — see Delete account.

5. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days. Anonymised aggregate statistics (e.g. total workouts logged across all users) may be retained but cannot be linked back to you.

6. Children

GymCrew is not intended for children under 13. We do not knowingly collect data from children under 13. If you believe a child has provided us data, contact us at [email protected] and we will delete it promptly.

7. Security

We use industry-standard measures to protect your data: bcrypt for password hashing, HTTPS for all communications, JWT tokens with short expiry plus refresh-token rotation, Redis-based rate limiting on authentication endpoints, and signed RevenueCat webhooks.

8. Changes

We may update this policy. We will notify you via the app when material changes occur. The "Last updated" date at the top of this page reflects the most recent revision.

9. Contact

For privacy questions or concerns, email [email protected].