Privacy Policy
Last updated: April 8, 2026
Gymilit (“we,” “our,” or “the app”) is a workout tracking and AI-powered program generation application. This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
1. Data Controller
Gymilit is operated independently. For privacy-related questions, contact us at privacy@gymilit.com.
2. Data We Collect
Account Information
- Email address (required for account creation)
- Display name (optional)
Profile Data
- Age, gender, weight, height, and unit preferences
- Training goals (e.g., muscle gain, fat loss, strength)
- Injuries and physical limitations (e.g., shoulder impingement, knee injury)
Workout Data
- Training programs (names, exercises, sets, reps, weights, rest periods, notes)
- Completed workout history (exercises performed, weights lifted, timestamps)
- Gym profiles (gym names and available equipment)
AI Generation Data
When you use AI program generation, your profile data (goals, injuries, equipment) is sent to our AI provider to create your workout program. We log the AI request parameters, generated output, token usage, and cost for quality monitoring.
Technical Data
- Error logs (error type, message, and app context for debugging)
- Rate limit records (request counts for abuse prevention)
- Device platform and app version (included in error reports)
Data Collected by Third Parties
- Supabase Auth: Authentication tokens, sign-in method, last sign-in timestamp
- Apple/Google: Payment and subscription data (processed by their payment systems, not stored by us)
- RevenueCat: Subscription status and purchase validation (we do not store payment card details)
3. How We Use Your Data
- App functionality: Storing your programs, tracking workouts, syncing across devices
- AI program generation: Sending your goals, injuries, and equipment context to generate personalized workout programs
- Account management: Authentication, subscription tier enforcement, account deletion
- Quality and reliability: Error logging for debugging, AI output monitoring for generation quality
- Abuse prevention: Rate limiting on API and authentication endpoints
We use anonymized analytics data (app events, website visits) to measure advertising performance and improve our marketing. We do not sell your personal data to third parties. Your workout data, health-adjacent data, and personal profile are never shared with advertisers.
4. Health-Adjacent Data
Your training goals, injuries, and physical limitations are health-adjacent information. While Gymilit is not a medical application, we treat this data with the care it requires. This data is:
- Encrypted at rest (both server-side and on your device via SQLCipher)
- Only shared with our AI provider when you initiate a program generation
- Deleted when you delete your account
- Never sold or shared with advertisers
5. Data Storage and Security
- Server: Your data is stored in Supabase (cloud database) with encryption at rest and row-level security policies ensuring users can only access their own data.
- Device: Your local database is encrypted using SQLCipher with a 256-bit key stored in your device's secure keychain/keystore.
- Transit: All data is transmitted over HTTPS/TLS.
6. Data Sharing
We share data only with service providers necessary to operate the app:
| Provider | Data Shared | Purpose |
|---|---|---|
| Anthropic (Claude AI) | Goals, injuries, equipment context | AI workout program generation |
| Supabase | All app data | Database hosting and authentication |
| RevenueCat | User ID, subscription events | Subscription management |
| Apple / Google | Payment information | App distribution and payment processing |
| Google (Firebase Analytics) | App events, screen views, device type | App usage analytics |
| Ad platforms (Meta, Google, TikTok) | Conversion events (sign-up, purchase), website visits | Advertising measurement and optimization |

We do not sell, rent, or trade your personal data.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account and workout data | Until you delete your account |
| Error logs | 90 days (automatically deleted) |
| AI generation logs | 180 days (automatically deleted) |
| Rate limit records | 24 hours (automatically deleted) |
| Shared program links | Until expiration date (set at share time) |

8. Your Rights
You have the following rights regarding your data:
- Access: Export all your data as a JSON file from the app (Profile > Export My Data).
- Rectification: Edit your profile, programs, and workout data directly in the app.
- Deletion: Delete your entire account and all associated data from Profile > Delete Account. This is permanent and cannot be undone.
- Portability: Your data export is provided in a standard JSON format that can be used independently of Gymilit.
- Objection: Contact privacy@gymilit.com to raise concerns about data processing.
Account deletion removes all your data from our servers and your device, including programs, workouts, gym profiles, error logs, and AI generation logs. Audit trail entries (admin action records) are anonymized rather than deleted, as required for compliance purposes.
9. Children's Data
Gymilit is not intended for users under 16 years of age. We do not knowingly collect data from children. If you believe a child has created an account, contact privacy@gymilit.com and we will delete it.
10. Cookies and Tracking
The Gymilit mobile app uses Firebase Analytics to collect anonymized usage data (app events, screen views). Our website (gymilit.com) uses cookies and tracking pixels from Google, Meta, and TikTok for advertising measurement. You can manage cookie preferences through your browser settings.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. If we make material changes, we will notify you through the app or via email. The “last updated” date at the top of this page indicates when the policy was last revised.
12. Contact
For privacy questions, data requests, or concerns:
Email: privacy@gymilit.com