Privacy Policy for Trackist

Effective Date: April 20, 2026

Trackist is committed to protecting your privacy. This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. It explains what data we collect, why we need it, and how you can control it.

1. Data Controller and Contact

The data controller is: Adrian Szabłowski, ul. Ludwika Zamenhofa 2/33, 33-300 Nowy Sącz, Poland, Tax ID (NIP): 7343649264, Business ID (REGON): 540236581.

Contact us:

For EU users: You may contact your local data protection authority. In Poland: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

2. Personal Data We Collect

When you use Trackist, we collect:

  • Account Information: display name, email address, password (encrypted at rest)
  • Authentication Data: your identifier from the sign-in method you choose — email and password, Apple ID (Sign in with Apple), or Google account (Sign in with Google)
  • User Preferences: weight unit (kg/lb), height unit (cm/in), language, and notification preferences
  • Workout Data: workout plans you create (plan name, description, days, exercises, sets, reps, and rest periods) and performance logs (per-set weight, reps, RPE 1–10, and optional notes) tied to the training date
  • Body Measurements: current and target weight, chest, waist, hips, left and right arm, left and right thigh, and left and right calf — only the fields you choose to enter
  • Shared Plans Data: when you publish a plan to the community leaderboard or share it with friends via an invite code, other users can see the plan's contents and your display name. Members who join your plan log their own workouts independently
  • Feedback: any feedback or suggestion you voluntarily submit through the in-app feedback form
  • Push Notification Tokens: device push tokens used solely to send you workout reminders you've scheduled
  • Subscription Status: active/inactive entitlement state received from RevenueCat — we do not receive your payment details
  • Product Analytics: anonymized event data (e.g. app open, sign-up completed, paywall viewed, workout logged) sent to Amplitude on EU servers. We use it in aggregate to improve the app — see section 4

We do not collect: profile photos or videos, progress photos, precise location, microphone or audio data, contacts, credit card numbers (handled by the App Store / Play Store), or health data from Apple Health or Google Fit.

Automatic Server Data: our hosting provider (Supabase) may automatically log IP addresses for security and fraud-prevention purposes. Logs are stored separately from your account data and retained according to Supabase's policy.

3. How We Use Your Data

We use your personal data to:

  • Provide the Trackist service — let you build and run workout plans, log workouts, track measurements, share plans with friends, and publish to the leaderboard (legal basis: contract performance under GDPR Art. 6(1)(b); business purpose under CCPA)
  • Process subscription entitlements (legal basis: contract performance; business purpose)
  • Authenticate your account and keep it secure (legal basis: legitimate interest under GDPR Art. 6(1)(f))
  • Send workout reminders you've scheduled (legal basis: consent under GDPR Art. 6(1)(a); you can revoke notification permission in your device settings at any time)
  • Measure how people use Trackist via anonymized product analytics (Amplitude) to fix bugs and improve the app (legal basis: legitimate interest)
  • Respond to your support requests and feedback (legal basis: legitimate interest; business purpose)
  • Comply with legal obligations (legal basis: legal obligation under GDPR Art. 6(1)(c))

4. Data Sharing and Third Parties

We do not sell your personal data.

We share data only with the processors we strictly need to operate Trackist:

  • Supabase Inc. — authentication and database hosting in the EU region (Frankfurt, Germany). Stores your account, workout plans, logs, and measurements.
  • RevenueCat Inc. — subscription management for the iOS App Store and Google Play Store. We receive only your entitlement state and a customer identifier.
  • Apple Inc. — Sign in with Apple (if you choose it) and App Store payment processing.
  • Google LLC — Sign in with Google (if you choose it) and Google Play payment processing.
  • Amplitude, Inc. — anonymized product analytics, processed on Amplitude's EU servers. We do not send workout data, measurements, or plan contents to Amplitude.
  • Expo / EAS (Expo Application Services) — over-the-air app updates and push notification delivery through Apple Push Notification Service (iOS) and Firebase Cloud Messaging (Android).

All processors:

  • Process data only on our instructions
  • Are GDPR-compliant and have signed Data Processing Agreements (DPAs)
  • Use industry-standard security measures

Community visibility. When you publish a workout plan to the leaderboard or share it with friends via an invite code, the plan's name, description, and exercise structure — along with your display name — become visible to other Trackist users. You can unshare or archive a plan at any time. Individual workout logs, measurements, and progress data are never shared with other users.

International Transfers: Your data is stored on Supabase servers in the EU (Frankfurt) and anonymized analytics on Amplitude's EU servers. Any transfers outside the EU (e.g. to RevenueCat or Apple / Google payment processors) are protected by Standard Contractual Clauses approved by the European Commission.

5. Data Retention

  • Account & Workout Data: kept for as long as your account exists. Deleted within 30 days after you request account deletion (see section below).
  • Shared / Published Plans: removed from the community leaderboard and friends' shared plans within the same 30-day window. Plans already imported by other users become their own independent copy.
  • Product Analytics (Amplitude): anonymized and retained in aggregate — it cannot be linked back to you after account deletion.
  • Technical / Security Logs: 30 days from recording.
  • Billing Records (subscription transactions): 5 years — legal requirement under Polish and EU tax law. Held by Apple and Google, not by us.
  • Support Communications: 3 years from last contact.

Account Deletion: you can request permanent deletion from inside the app or from the /delete-account page. We confirm within 7 days and permanently delete your data within 30 days. Important: deleting your account does not cancel your App Store or Google Play subscription — you need to cancel that separately in your device's subscription settings.

6. Your Privacy Rights

For EU Users (GDPR Rights):

  • Right to access your personal data
  • Right to rectify inaccurate data
  • Right to erase your data ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

For California Users (CCPA Rights):

  • Right to know what personal data we collect, use, disclose, and sell
  • Right to delete personal data
  • Right to opt-out of the sale of personal data (note: we do not sell personal data)
  • Right to non-discrimination for exercising your rights

To exercise your rights: Contact us at hello@trackist.me. We will respond within 30 days (GDPR) or 45 days (CCPA).

7. Mobile App Permissions

Trackist only requests the permissions it actually needs:

  • Push Notifications (iOS / Android): used solely to deliver workout reminders you schedule inside the app. You can deny or revoke this permission at any time in your device settings — the rest of the app continues to work.

Trackist does not request access to your location, camera, microphone, photo library, contacts, calendar, or health data.

8. Cookies and Tracking Technologies

Trackist is a mobile app and does not use advertising cookies or third-party advertising SDKs. The only tracking we perform is anonymized product analytics (Amplitude) to understand how the app is used. Authentication tokens are stored locally on your device to keep you signed in.

9. Data Security

We implement industry-standard security measures:

  • Encrypted data transmission between the app and our servers (TLS 1.2+)
  • Secure data storage on SOC 2 Type II certified servers (AWS Frankfurt) through Supabase
  • Password hashing performed by Supabase Auth (bcrypt)
  • Row-Level Security policies so users can only access their own data
  • Regular security monitoring and automated backups

While we use best practices to protect your data, no system is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In case of a data breach:

  • We will investigate and assess the risk within 24 hours
  • Notify relevant authorities within 72 hours (as required by GDPR)
  • Notify affected users if there is a high risk to their rights
  • Take immediate steps to mitigate the breach and prevent future incidents
  • Cooperate fully with regulatory authorities

11. Sign in with Apple and Sign in with Google

Trackist supports three sign-in methods: email and password, Sign in with Apple, and Sign in with Google. All three are processed by Supabase Auth and stored the same way.

Sign in with Apple:

  • Apple may share your email (or a private relay email) and, on first sign-up, your name
  • You can manage what Apple shares from your Apple ID settings
  • Apple's privacy policy: apple.com/legal/privacy

Sign in with Google:

  • Google shares your email, name, and Google account identifier with Trackist
  • You can revoke Trackist's access from your Google account security settings
  • Google's privacy policy: policies.google.com/privacy

12. Subscription and Payments

Payment processing is handled by RevenueCat Inc.:

  • We do not store your credit card information
  • RevenueCat only provides us with subscription status and transaction identifiers
  • Actual payment processing is handled by Apple App Store (iOS) or Google Play Store (Android)
  • For payment details, see RevenueCat's privacy policy: https://www.revenuecat.com/privacy

13. Children's Privacy

Trackist is intended for adults 18 years or older. We do not knowingly collect data from children under 18 (or 16 in the EU). If you are a parent and believe your child has provided us with personal data, please contact us at hello@trackist.me and we will delete it immediately.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes:

  • We will notify you 30 days in advance via email or in-app notification
  • Minor changes will be posted in the app with an updated effective date
  • Continued use of the app after changes means you accept the updated policy

15. International Users

Trackist is available worldwide. Your data is stored in the EU (Frankfurt, Germany) regardless of where you are located. By using the app, you consent to the transfer and processing of your data in the EU under GDPR protections.

16. Do Not Sell My Personal Information (CCPA)

We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

17. Your Fitness Data

Your fitness data — workout plans, performance logs (sets, reps, weight, RPE, notes), and body measurements — belongs to you. We process it solely to provide you with the Trackist service and to let you share plans with friends or publish them to the community leaderboard when you choose to. We never sell it, never use it for advertising, and never share individual workouts or measurements with other users.

You can request a full export of your data at any time by emailing hello@trackist.me. When you delete your account, all personal fitness data is permanently deleted within 30 days.

Contact Us

For privacy questions, concerns, or to exercise your rights:

Email: hello@trackist.me

Mailing Address:

Adrian Szabłowski

ul. Ludwika Zamenhofa 2/33

33-300 Nowy Sącz

Poland