Privacy Policy – Wrkout
Last Updated: July 2026
Effective Date: July 2026
1. Introduction
Welcome to Wrkout. We ("Wrkout," "we," "our," or "us") are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal information.
This Privacy Policy explains:
- What data we collect and why
- How we use your data
- How we protect your data
- Your rights regarding your data
- How to contact us about privacy concerns
By using Wrkout, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.
We do not sell your personal data.
2. Data Controller Information
Data Controller:
Wrkout
Email: privacy@wrkout.app
Website: https://www.wrkout.io
For users in the European Economic Area (EEA), we act as the data controller for your personal information.
3. Data We Collect
3.1 Account & Profile Information
Collected when you create an account or update your profile:
- Email address (required for account creation)
- First name and last name
- Profile image (optional, user-uploaded)
- User role (client or trainer)
- Trainer–client relationship status
- App preferences (weight unit, notifications, feature toggles, marketing preferences)
Purpose:
- Account authentication and security
- Personalization of app experience
- Enabling trainer–client functionality
- Communication with you about your account
3.2 Workout & Activity Data
Collected when you log workouts or activities:
- Workouts created, started, and completed
- Exercise selections and order
- Sets, repetitions, and weights lifted
- Rest periods and timing
- Rate of Perceived Exertion (RPE) scores
- Cardio sessions (distance, duration, pace, calories)
- Personal records and progress history
- Workout notes and comments
- Timestamps (created, updated, completed)
- Workout templates created by you
Purpose: Core app functionality, progress tracking, statistics, personal record tracking, workout template creation, strength progression analysis.
Note: This data is considered health-related information under GDPR and requires explicit consent.
3.3 Media Uploads
Collected when you upload media:
- Exercise images (for custom exercises)
- Exercise videos (for custom exercises)
- Profile images
Storage: Media is stored securely in Cloudflare R2 with access controlled via presigned URLs.
3.4 Messaging Data
For in-app messaging between users and trainers, we store message content, sender/receiver IDs, timestamps, read/unread status, and attachments.
Messages are only visible to participants and are not used for analytics or marketing.
3.5 Authentication & Security Data
We collect authentication tokens, session metadata, device identifiers, and IP addresses for security and fraud prevention.
3.6 Marketing Attribution & Advertising Identifiers
When you reach our websites (wrkout.io or the trainer portal) from an advertisement, campaign, or referral link, we capture and store the following on a first-touch basis in your browser's local storage, so we can measure which campaigns lead to trainer sign-ups:
- Ad-click identifiers — Google Click ID (gclid) and Meta Click ID (fbclid)
- Campaign parameters — UTM source, medium, campaign, content, and term
- Meta advertising cookies (_fbp, _fbc) — only present if a Meta pixel is installed
- The Google Analytics client identifier (read from the _ga cookie)
- The referring page address (referrer)
Storage & purpose: These identifiers are stored locally in your browser and are transmitted to our servers only when you start a trainer trial or proceed to checkout. We use them solely to attribute paid trainer conversions to the marketing that produced them. They are never stored alongside, or linked to, your workout or health data, and we do not use them to build advertising profiles about you.
Note: This data is shared with advertising platforms only where you have granted advertising/analytics consent — see section 4.4. Where you decline, none of it leaves our systems for advertising purposes.
4. Analytics & Monitoring
4.1 Google Analytics for Firebase
We use Google Analytics to understand how the app is used. Data collected may include app usage events, device type, OS version, app version, and approximate location (country-level). We do NOT collect message content, detailed workout data, or sensitive personal data via analytics.
You can opt out of analytics tracking in app settings. Analytics data is retained according to Google Analytics policies (typically 14 months).
4.2 Sentry (Error Tracking)
We use Sentry to monitor app stability and detect crashes. Data collected includes error logs, stack traces, app version, OS version, device model, and anonymous session identifiers.
Error logs are retained for 90 days, then automatically deleted.
4.3 Website Analytics (wrkout.io)
On this website we use Google Analytics to understand how visitors use the site so we can improve it. It sets cookies and only loads after you accept via our cookie banner — if you reject, it is not loaded and no analytics cookies are set. You can change your choice at any time using the "Cookie settings" control.
4.4 Advertising & Conversion Measurement (Meta & Google)
To measure the effectiveness of our advertising and import paid trainer conversions back into our ad campaigns, we share a limited set of conversion data with Meta (Facebook) and Google through their server-side measurement interfaces (the Meta Conversions API and the Google Analytics Measurement Protocol). For a trainer conversion this may include:
- A one-way hashed (SHA-256) version of your email address — never your email address in readable form
- The advertising identifiers and campaign parameters described in section 3.6 (for example gclid, _fbp, _fbc)
- The conversion event (trial started, subscription activated, or canceled) and its value and currency
Consent-gated: This sharing happens on our servers and only where you have granted advertising/analytics consent. If you have not consented, no conversion data is sent to Meta or Google. Our legal basis for this processing is your consent (GDPR Art. 6(1)(a)), which you may withdraw at any time via the "Cookie settings" control. We share this data to measure our own advertising only — we do not sell your personal data.
5. Third-Party Services & Data Sharing
We use the following third-party services to operate and improve Wrkout:
- Cloud Storage (Cloudflare R2): Secure storage of user-uploaded media
- Payment Processing (Stripe): Process subscription payments (we do not store payment card details)
- Email Services (SendGrid): Send transactional emails
- Push Notifications (Firebase): Send push notifications (requires separate opt-in)
- Analytics (Google Analytics): App and website usage analytics (with your consent)
- Advertising & Conversion Measurement (Meta, Google): Server-side sharing of a hashed email address plus campaign identifiers to measure ad conversions — only with your consent (see section 4.4)
- Error Tracking (Sentry): App stability monitoring
All providers are subject to their own privacy and security obligations and are used strictly to operate, improve, and measure the reach of our services.
We do not sell your personal data. The only information we share with advertising platforms is the limited, consent-gated conversion-measurement data described in section 4.4 — used to measure our own advertising, never to enable others to advertise to you based on data we provide.
6. What We Do NOT Collect
We do not collect:
- Precise GPS location data
- Contacts or address book information
- SMS or call logs
- Payment card details (handled by third-party payment providers)
- Background audio or video
- Biometric data (used only for device authentication, not collected by us)
- Health data from HealthKit or other health apps (unless explicitly shared by you)
- Browsing history or web activity outside the app
7. How We Use Your Data
We use the information we collect to:
- Core Functionality: Create and manage your account, authenticate your identity, provide workout tracking, enable trainer–client relationships, process payments, send transactional emails
- Personalization: Customize your app experience, display workout history and progress, show relevant exercises
- Product Improvement: Analyze app usage patterns (with your consent), identify and fix bugs, improve performance, develop new features
- Communication: Send important account notifications, respond to support requests, send marketing communications (only with your consent)
- Advertising Measurement: Measure the effectiveness of our advertising and attribute paid sign-ups to the campaigns that drove them (only with your consent — see section 4.4)
- Security & Legal: Prevent fraud and abuse, comply with legal obligations, enforce terms of service, protect user safety
8. Data Storage & Security
We implement appropriate technical and organizational measures to protect your personal data:
- Technical Measures: Encryption in transit (HTTPS/TLS) and at rest, secure authentication protocols (JWT tokens), regular security audits, access controls and role-based permissions, secure password storage (hashed, never plain text)
- Organizational Measures: Limited access to personal data, employee training on data protection, incident response procedures, regular security reviews
In the event of a data breach, we will notify affected users within 72 hours (as required by GDPR) and take immediate steps to contain and remediate the breach.
9. Data Retention
- Active accounts: Data is retained while your account is active
- Deleted accounts: Upon account deletion, personal data is removed or anonymized within 30 days
- Analytics data: Retained according to Google Analytics policies (typically 14 months)
- Error logs: Retained for 90 days, then automatically deleted
- Legal & Compliance: Some data may be retained temporarily for legal obligations, security, fraud prevention, dispute resolution, or backup purposes
10. Your Rights (GDPR & CCPA)
You have the right to:
- Right to Access: View your data in the app or request a copy via the data export feature
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your account and personal data
- Right to Restrict Processing: Restrict how we process your data in certain circumstances
- Right to Data Portability: Receive your data in a structured, machine-readable format (JSON export available)
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent at any time for data processing that requires consent
- Right to Lodge a Complaint: Lodge a complaint with a data protection authority if you believe we have violated your privacy rights
California Privacy Rights (CCPA/CPRA): If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know, delete, and opt out. We do not sell your personal information for money. Our consent-gated sharing of conversion-measurement data with Meta and Google (section 4.4) may qualify as "sharing for cross-context behavioral advertising" under California law — you can opt out (or decline in the first place) at any time using the "Cookie settings" control, which withholds this data from those platforms.
How to exercise your rights: Use features in app settings, use the "Export Data" feature, or contact us at privacy@wrkout.app
11. Children's Privacy
Wrkout is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@wrkout.app. We will delete the child's information upon verification.
12. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence, including the United States and European Economic Area. We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) and service provider agreements.
You have the right to know where your data is processed and to request information about transfer safeguards. Contact privacy@wrkout.app for more information.
13. Marketing Communications
Marketing communications require your explicit consent. You can opt in during registration or later in app settings.
If you opt in, you may receive:
- Workout tips and training advice
- New feature announcements
- Exercise tutorials and guides
- Motivational content
- Special offers and promotions (for trainers)
- App updates and improvements
Frequency: Maximum 2-4 emails per month. We will never spam you with excessive messages.
You can unsubscribe at any time by clicking "Unsubscribe" in any marketing email, updating preferences in app settings, or contacting support. Even if you opt out of marketing, you'll still receive important account notifications, security alerts, service updates, and transactional messages.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, new features or services, legal or regulatory requirements, or user feedback.
We will notify you of material changes by posting the updated policy on our website, updating the "Last Updated" date, sending an email notification (for significant changes), or showing an in-app notification (for major changes).
Your continued use of Wrkout after changes are posted constitutes acceptance of the updated policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
15. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or your personal data:
- Privacy Inquiries: privacy@wrkout.app
- Data Protection Officer (EU): dpo@wrkout.app
- General Support: support@wrkout.app
We aim to respond to privacy inquiries within 30 days, as required by GDPR.
16. Acceptance
By using Wrkout, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with any part of this policy, please do not use our services.
Last Updated: July 2026
Effective Date: July 2026
For the most current version of this Privacy Policy, please visit: https://www.wrkout.io/privacy-policy