Privacy Policy

Scope

This policy covers:

• The GymBeat mobile app on iOS and Android (the "App")
• The gymbeat.app marketing website (the "Website")
• Any subdomains and supporting services we operate

The App and the Website share the same team, but data collected on each surface is processed separately. Visiting the Website does not give us access to your App account, and vice versa, unless you choose to sign in on the Website.

Cookies & Tracking Technologies

The Website uses cookies and similar local-storage technologies. The mobile App does not use cookies in the traditional web sense — it uses native device storage for sessions and settings.

2.1 Necessary (Always On)

These are required for the Website to function and cannot be disabled:

• `NEXT_LOCALE` cookie — remembers your language preference (EN or RO)
• `gymbeat_cookie_consent` localStorage entry — remembers your cookie choices so we don't ask on every visit

2.2 Analytics (Opt-In)

With your consent, we use Meta Pixel to measure how visitors find and use the Website. This helps us improve content, evaluate campaigns, and track app-install conversions.

• Meta Pixel ID: `1480741470088030`
• Cookies set: `_fbp`, `_fbc` (advertising/measurement cookies from facebook.net)
• What it tracks: page views, button clicks on app-store links, app-install conversions
• Data goes to: Meta Platforms, Inc.
• Privacy policy: facebook.com/about/privacy

Analytics cookies are only active after you give consent. If you do not consent, no Meta Pixel script is loaded.

2.3 Managing Your Cookie Choices

You can change your preferences at any time using the button below.

You can also clear cookies directly from your browser. Note: clearing browser storage resets your stored consent, so the banner will reappear on your next visit.

2.4 Cookie Retention

• `NEXT_LOCALE` — 1 year
• `gymbeat_cookie_consent` — 1 year
• Meta Pixel cookies (`_fbp`, `_fbc`) — up to 90 days (set by Meta)

Aggregated analytics data is retained by Meta according to their policy; our own derived reports are deleted after 13 months.

Information We Collect (App)

3.1 Account Information

When you create an account, we collect:

• Email address
• Name (first and last)
• Authentication credentials (securely managed by Clerk)

3.2 Profile Information

To provide personalized fitness recommendations, we collect:

• Height and weight
• Age and date of birth
• Gender
• Profile photo (optional)
• Fitness goals (weight loss, muscle gain, maintenance)
• Activity level

3.3 Health & Fitness Data

We collect and store:

• Weight history and progress tracking
• Body measurements
• TDEE (Total Daily Energy Expenditure) calculations
• Calorie and macro recommendations
• Nutrition logs (meals, foods, calories, macros)
• Custom foods and saved meals you create
• Barcode scan data for food lookup

3.4 Health Platform Data (Optional)

If you choose to connect Apple HealthKit (iOS) or Google Health Connect (Android), we may read and/or write:

• Steps and distance
• Active calories burned
• Heart rate data
• Sleep analysis
• Weight (read and write-back to health platform)

Health platform connections are entirely optional. Data is only accessed while you use the app and with your explicit permission. You can disconnect at any time from Settings.

3.5 Location Information

We collect location data to show nearby gyms and calculate distances:

• Precise GPS location (only while using the app — "When In Use" permission)
• Approximate location via IP address (if GPS is unavailable)

Location data is stored temporarily in memory only and is cleared when you close the app. We do NOT track your location in the background or store it permanently.

3.6 Camera Access

We request camera access to scan food barcodes and analyze meal photos for nutrition tracking:

• Camera is only activated when you open the scanner or food photo flow
• Barcode images are processed locally on your device
• Meal photos for AI analysis are uploaded to our servers (see Section 3.11)
• You can revoke camera permission at any time in device settings

3.7 Subscription & Payment Information

If you subscribe to GymBeat PRO, we collect:

• Subscription status (active, expired, cancelled, trial)
• Subscription plan type (monthly or annual)
• Purchase dates and expiration dates
• Anonymous transaction identifiers from the App Store or Play Store

We do NOT collect or store your payment card details, billing address, or any financial account information. All payment processing is handled entirely by Apple or Google through their respective app stores.

3.8 Usage Information

We collect:

• Gyms you've favorited
• App preferences (theme, units)
• App usage data (features accessed, errors encountered)

3.9 Sponsored Content Interactions

When you interact with sponsored content in the app, we collect:

• Click tracking (whether you tapped on sponsored content)
• Anonymized, aggregated analytics (e.g., total views, click-through rates)

3.10 AI Coach Data

When you use the AI Coach feature, we collect and process:

• Workout history (exercises, sets, reps, weights, duration)
• Exercise performance and progression data
• Training structure preferences (split type, frequency)
• Coach suggestion interactions (accepted, dismissed, modified)

This data is sent to OpenAI for analysis and used to generate personalized progression recommendations and coaching insights — see Section 5.6 for details.

3.11 Food Photo Analysis

When you use the food photo scanner, we collect and process:

• Photos of meals you submit for analysis
• AI-generated estimates of foods, portions, and macros
• Your edits and corrections to those estimates

Meal photos are sent to OpenAI's vision model for analysis. No personal identifiers (name, email) are attached to the image payload. Photos are retained on our servers for 30 days and then automatically deleted; the structured estimates and your corrections remain part of your nutrition log.

Information We Collect (Website)

When you visit gymbeat.app, the following may be collected:

• Standard server logs (IP address, browser, OS, referring URL, pages visited) — kept for 30 days for security and debugging
• Language preference (`NEXT_LOCALE` cookie)
• With analytics consent only: page views, button clicks, app-install conversions via Meta Pixel

The Website has no contact form or newsletter signup. The only data we actively collect from you is your cookie consent choice itself.

How We Use Your Information

We use your information to:

• Create and manage your account
• Provide personalized fitness recommendations (TDEE, calorie targets)
• Show nearby gyms based on your location
• Track your fitness progress over time
• Generate AI-powered workout coaching, progression analysis, and meal estimates
• Improve app and website performance
• Send important service updates (e.g., policy changes)
• Display relevant sponsored content from partners
• Measure sponsored-content and marketing performance (aggregated analytics)
• Comply with legal obligations

Third-Party Services

We use the following third-party services to operate GymBeat:

6.1 Clerk (Authentication)

• Manages user authentication and login
• Stores email addresses and authentication credentials
• Privacy Policy: clerk.com/privacy

6.2 Convex (Database & Storage)

• Stores your profile data, fitness data, photos, and meal estimates
• Provides real-time data synchronization
• Privacy Policy: convex.dev/privacy

6.3 ipapi.co (IP Geolocation)

• Provides approximate location when GPS is unavailable
• Privacy Policy: ipapi.co/privacy

6.4 Expo (Mobile Framework)

• Provides mobile development infrastructure
• Handles app updates and notifications
• Privacy Policy: expo.dev/privacy

6.5 OpenFoodFacts (Food Database)

• Provides food nutrition information from barcode scans and searches
• Open-source, community-driven food database
• Privacy Policy: openfoodfacts.org/privacy

6.6 OpenAI (Moderation & AI Features)

• Screens text content (posts, reviews, chat messages) for harmful material
• Powers AI Coach: analyzes workout data to generate progression suggestions
• Powers food photo scanner: analyzes meal images to estimate foods and macros
• Only workout/meal data is sent — no personal identifiers (name, email)
• OpenAI does not use API inputs for model training
• Privacy Policy: openai.com/privacy

6.7 Sightengine (Image Moderation)

• Screens images for objectionable content
• Profile photos, post photos, and gym/equipment photos are analyzed
• Privacy Policy: sightengine.com/privacy

6.8 Apple HealthKit (iOS — Optional)

• Reads health data (steps, calories, heart rate, sleep) with your permission
• Writes weight data back to Apple Health when you log weight
• Data is accessed only while using the app and never sent to third parties
• Privacy Policy: apple.com/privacy

6.9 Google Health Connect (Android — Optional)

• Reads health data (steps, calories, heart rate, sleep) with your permission
• Writes weight data back to Health Connect when you log weight
• Privacy Policy: policies.google.com/privacy

6.10 RevenueCat (Subscription Management)

• Manages subscription status, entitlements, and purchase verification
• Receives anonymous user identifiers and purchase receipts from Apple/Google
• Does NOT receive your name, email, or any personal health data
• Privacy Policy: revenuecat.com/privacy

6.11 Vercel (Website Hosting)

• Hosts the gymbeat.app website
• Processes standard server logs (IP, user agent, request path) as part of hosting
• Privacy Policy: vercel.com/legal/privacy-policy

6.12 Meta (Website Analytics — Opt-In Only)

• Receives event data via Meta Pixel only after you consent to analytics cookies
• Used for marketing campaign attribution and app-install measurement
• Privacy Policy: facebook.com/about/privacy

Data Sharing and Disclosure

We do NOT sell your personal information to third parties. We may share information only in these circumstances:

• With the service providers listed in Section 6
• If required by law or to protect our rights
• In connection with a merger, acquisition, or sale of assets (you will be notified)

We do NOT share your fitness data, weight history, or personal information with gyms or fitness facilities.

Sponsored content partners receive only aggregated, anonymized performance data (e.g., total impressions and click-through rates). They never receive your personal information, fitness data, or health data.

Data Security

We implement industry-standard security measures to protect your data:

• Encrypted data transmission (HTTPS/TLS)
• Secure authentication via Clerk
• Regular security updates
• Limited employee access to personal data

However, no method of transmission over the internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

Data Retention

We retain your information for as long as your account is active or as needed to provide services.

• Account data: retained until you delete your account
• Meal photos: automatically deleted 30 days after upload
• Website server logs: 30 days
• Location data: cleared automatically when you close the app (session only)
• Cookies: see Section 2.4
• Deleted-account data: removed within 30 days of the deletion request

Your Privacy Rights

You have the right to:

• Access your personal data
• Correct inaccurate data (via Edit Profile)
• Delete your account and data
• Revoke location, camera, and health-platform permissions at any time
• Withdraw cookie consent at any time (see Section 2.3)
• Export your data (contact us)

10.1 How to Delete Your Data

You can delete your account and all associated data using any of these methods:

• In the App: Go to Profile → Settings → Delete Account
• By Email: Send a deletion request to support@gymbeat.app
• Via Social Login: If you signed up with Google, you can also use their "Remove App" features, then contact us to complete the deletion

When you delete your account:

• All your data is permanently removed within 30 days
• This includes: profile info, workouts, posts, photos, fitness history, meal logs, and all associated content
• Health platform connections and any synced health data are removed
• Your authentication account (Clerk) is also deleted
• Data previously written to Apple Health or Google Health Connect remains on your device and must be managed through those platforms
• This action cannot be undone

For EU users (GDPR): You have additional rights including data portability and the right to object to processing.

For California users (CCPA): You have the right to know what personal information is collected and request deletion.

Children's Privacy

GymBeat is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

Users aged 13-17 should use the app with parental guidance, especially when sharing health and fitness information.

International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Updating the "Last Updated" date
• Sending a notification through the app
• Sending an email to your registered address

Your continued use of the app or website after changes become effective constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, contact us:

Your Consent

By using GymBeat — the App or the Website — you consent to this Privacy Policy and agree to its terms.