Privacy Policy for Trackist

Effective Date: June 20, 2026

Trackist is committed to protecting your privacy. This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. It explains what data we collect, why we need it, and how you can control it.

1. Data Controller and Contact

The data controller is: Adrian Szabłowski, ul. Ludwika Zamenhofa 2/33, 33-300 Nowy Sącz, Poland, Tax ID (NIP): 7343649264, Business ID (REGON): 540236581.

Contact us:

For EU users: You may contact your local data protection authority. In Poland: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

2. Personal Data We Collect

When you use Trackist, we collect:

  • Account Information: display name, email address, password (encrypted at rest)
  • Authentication Data: your identifier from the sign-in method you choose — email and password, Apple ID (Sign in with Apple), or Google account (Sign in with Google)
  • User Preferences: weight unit (kg/lb), height unit (cm/in), language, and notification preferences
  • Workout Data: workout plans you create (plan name, description, days, exercises, sets, reps, and rest periods) and performance logs (per-set weight, reps, RPE 1–10, and optional notes) tied to the training date
  • Body Measurements: current and target weight, chest, waist, hips, left and right arm, left and right thigh, and left and right calf — only the fields you choose to enter
  • Fitness Profile: the details you provide so we can build your AI training plan — your primary goal, experience level, age, gender, available equipment, preferred training style, focus areas, and any injuries or movements you ask us to avoid
  • Feedback: any feedback or suggestion you voluntarily submit through the in-app feedback form
  • Push Notification Tokens: device push tokens used solely to send you workout reminders you've scheduled
  • Subscription Status: active/inactive entitlement state received from RevenueCat — we do not receive your payment details
  • Product Analytics: pseudonymous event data (e.g. app open, sign-up completed, paywall viewed, workout logged) and a small set of user properties (such as your training goal and experience level), sent to Amplitude on EU servers and linked to a random analytics identifier. Amplitude also derives an approximate (city-level) location from your IP address. We use this to understand how the app is used and to improve it — see section 4. We never send your workout logs, body measurements, or plan contents to Amplitude

We do not collect: profile photos or videos, progress photos, precise (GPS) location, microphone or audio data, contacts, credit card numbers (handled by the App Store / Play Store), or health data from Apple Health or Google Fit. The approximate location described above is inferred by our analytics provider from your IP address — the app never requests device location access.

Automatic Server Data: our hosting provider (Supabase) may automatically log IP addresses for security and fraud-prevention purposes. Logs are stored separately from your account data and retained according to Supabase's policy.

3. How We Use Your Data

We use your personal data to:

  • Provide the Trackist service — let you build and run workout plans, log workouts, and track measurements (legal basis: contract performance under GDPR Art. 6(1)(b); business purpose under CCPA)
  • Generate and adapt your AI training plans, suggest exercise alternatives, and produce your weekly recap based on your fitness profile and workout history (legal basis: contract performance under GDPR Art. 6(1)(b); business purpose under CCPA) — see section 18
  • Process subscription entitlements (legal basis: contract performance; business purpose)
  • Authenticate your account and keep it secure (legal basis: legitimate interest under GDPR Art. 6(1)(f))
  • Send workout reminders you've scheduled (legal basis: consent under GDPR Art. 6(1)(a); you can revoke notification permission in your device settings at any time)
  • Measure how people use Trackist via pseudonymous product analytics (Amplitude) to fix bugs and improve the app (legal basis: legitimate interest)
  • Respond to your support requests and feedback (legal basis: legitimate interest; business purpose)
  • Comply with legal obligations (legal basis: legal obligation under GDPR Art. 6(1)(c))

4. Data Sharing and Third Parties

We do not sell your personal data.

We share data only with the processors we strictly need to operate Trackist:

  • Supabase Inc. — authentication and database hosting in the EU region (Frankfurt, Germany). Stores your account, workout plans, logs, and measurements.
  • RevenueCat Inc. — subscription management for the iOS App Store and Google Play Store. We receive only your entitlement state and a customer identifier.
  • Apple Inc. — Sign in with Apple (if you choose it) and App Store payment processing.
  • Google LLC — Sign in with Google (if you choose it) and Google Play payment processing.
  • Anthropic PBC — the AI provider that generates and adjusts your training plans, suggests exercise swaps, and writes your weekly recap. We send your fitness profile and relevant workout history to Anthropic's API to produce these results; we do not send your name, email address, or contact details. Anthropic processes this data in the United States, does not use it to train its models, and retains it only briefly under its commercial terms. See section 18.
  • Amplitude, Inc. — pseudonymous product analytics, processed on Amplitude's EU servers. We send app usage events and a small set of user properties (such as your training goal and experience level); Amplitude also derives an approximate location from your IP address. We do not send workout logs, measurements, or plan contents to Amplitude.
  • Expo / EAS (Expo Application Services) — over-the-air app updates and push notification delivery through Apple Push Notification Service (iOS) and Firebase Cloud Messaging (Android).

All processors:

  • Process data only on our instructions
  • Are GDPR-compliant and have signed Data Processing Agreements (DPAs)
  • Use industry-standard security measures

Your data stays yours. Trackist is a private, single-player app — your workout logs, body measurements, and progress data are never shared with or made visible to other users.

International Transfers: Your data is stored on Supabase servers in the EU (Frankfurt) and pseudonymous analytics on Amplitude's EU servers. Any transfers outside the EU — e.g. AI processing by Anthropic in the United States, or RevenueCat and Apple / Google payment processors — are protected by Standard Contractual Clauses approved by the European Commission.

5. Data Retention

  • Account & Workout Data: kept for as long as your account exists. Deleted within 30 days after you request account deletion (see section below).
  • AI Processing Data: the fitness profile and workout history sent to Anthropic to generate your plans are retained by Anthropic only briefly under its commercial terms and are not used to train its models. The resulting plans live in your account and are deleted with it.
  • Product Analytics (Amplitude): keyed to a random analytics identifier rather than your account, and retained by Amplitude under its own retention policy. It is not used to re-identify you after your account is deleted.
  • Technical / Security Logs: 30 days from recording.
  • Billing Records (subscription transactions): 5 years — legal requirement under Polish and EU tax law. Held by Apple and Google, not by us.
  • Support Communications: 3 years from last contact.

Account Deletion: you can request permanent deletion from inside the app or from the /delete-account page. We confirm within 7 days and permanently delete your data within 30 days. Important: deleting your account does not cancel your App Store or Google Play subscription — you need to cancel that separately in your device's subscription settings.

6. Your Privacy Rights

For EU Users (GDPR Rights):

  • Right to access your personal data
  • Right to rectify inaccurate data
  • Right to erase your data ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

For California Users (CCPA Rights):

  • Right to know what personal data we collect, use, disclose, and sell
  • Right to delete personal data
  • Right to opt-out of the sale of personal data (note: we do not sell personal data)
  • Right to non-discrimination for exercising your rights

To exercise your rights: Contact us at hello@trackist.me. We will respond within 30 days (GDPR) or 45 days (CCPA).

7. Mobile App Permissions

Trackist only requests the permissions it actually needs:

  • Push Notifications (iOS / Android): used solely to deliver workout reminders you schedule inside the app. You can deny or revoke this permission at any time in your device settings — the rest of the app continues to work.

Trackist does not request access to your location, camera, microphone, photo library, contacts, calendar, or health data.

8. Cookies and Tracking Technologies

Trackist is a mobile app and does not use advertising cookies or third-party advertising SDKs. The only tracking we perform is pseudonymous product analytics (Amplitude) to understand how the app is used. Authentication tokens are stored locally on your device to keep you signed in.

9. Data Security

We implement industry-standard security measures:

  • Encrypted data transmission between the app and our servers (TLS 1.2+)
  • Secure data storage on SOC 2 Type II certified servers (AWS Frankfurt) through Supabase
  • Password hashing performed by Supabase Auth (bcrypt)
  • Row-Level Security policies so users can only access their own data
  • Regular security monitoring and automated backups

While we use best practices to protect your data, no system is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In case of a data breach:

  • We will investigate and assess the risk within 24 hours
  • Notify relevant authorities within 72 hours (as required by GDPR)
  • Notify affected users if there is a high risk to their rights
  • Take immediate steps to mitigate the breach and prevent future incidents
  • Cooperate fully with regulatory authorities

11. Sign in with Apple and Sign in with Google

Trackist supports three sign-in methods: email and password, Sign in with Apple, and Sign in with Google. All three are processed by Supabase Auth and stored the same way.

Sign in with Apple:

  • Apple may share your email (or a private relay email) and, on first sign-up, your name
  • You can manage what Apple shares from your Apple ID settings
  • Apple's privacy policy: apple.com/legal/privacy

Sign in with Google:

  • Google shares your email, name, and Google account identifier with Trackist
  • You can revoke Trackist's access from your Google account security settings
  • Google's privacy policy: policies.google.com/privacy

12. Subscription and Payments

Payment processing is handled by RevenueCat Inc.:

  • We do not store your credit card information
  • RevenueCat only provides us with subscription status and transaction identifiers
  • Actual payment processing is handled by Apple App Store (iOS) or Google Play Store (Android)
  • For payment details, see RevenueCat's privacy policy: https://www.revenuecat.com/privacy

13. Children's Privacy

Trackist is intended for adults 18 years or older. We do not knowingly collect data from children under 18 (or 16 in the EU). If you are a parent and believe your child has provided us with personal data, please contact us at hello@trackist.me and we will delete it immediately.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes:

  • We will notify you 30 days in advance via email or in-app notification
  • Minor changes will be posted in the app with an updated effective date
  • Continued use of the app after changes means you accept the updated policy

15. International Users

Trackist is available worldwide. Your data is stored in the EU (Frankfurt, Germany) regardless of where you are located. By using the app, you consent to the transfer and processing of your data in the EU under GDPR protections.

16. Do Not Sell My Personal Information (CCPA)

We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

17. Your Fitness Data

Your fitness data — workout plans, performance logs (sets, reps, weight, RPE, notes), and body measurements — belongs to you. We process it solely to provide you with the Trackist service, including generating and adapting your AI training plans through our AI provider (Anthropic). We never sell it, never use it for advertising, and never share individual workouts or measurements with other users.

You can request a full export of your data at any time by emailing hello@trackist.me. When you delete your account, all personal fitness data is permanently deleted within 30 days.

18. AI-Powered Features

Several Trackist features are powered by artificial intelligence provided by Anthropic PBC ("Anthropic"): generating your initial training plan, adjusting a training day, suggesting alternative exercises, and writing your weekly recap.

What we send: to produce these results, we send Anthropic's API only the information it needs — your fitness profile (goal, experience level, age, gender, body weight, available equipment, training style, focus areas, and any injuries or movements to avoid) and the relevant parts of your workout history. We do not send your name, email address, or other contact details.

How it is handled: Anthropic processes this data in the United States solely to generate the requested output. Under Anthropic's commercial terms, your data is not used to train its models and is retained only for a short period. International transfers are covered by Standard Contractual Clauses. See Anthropic's privacy policy: anthropic.com/legal/privacy.

Important: AI-generated plans and suggestions are produced automatically and may not be perfect. They are general fitness guidance, not medical advice — always train within your limits and consult a healthcare professional before starting a new program.

Contact Us

For privacy questions, concerns, or to exercise your rights:

Email: hello@trackist.me

Mailing Address:

Adrian Szabłowski

ul. Ludwika Zamenhofa 2/33

33-300 Nowy Sącz

Poland