Privacy Policy – Wrkout

1. Introduction

Welcome to Wrkout. We ("Wrkout," "we," "our," or "us") are committed to protecting your privacy and ensuring transparency about how we collect, use, and protect your personal information.

This Privacy Policy explains:

• What data we collect and why
• How we use your data
• How we protect your data
• Your rights regarding your data
• How to contact us about privacy concerns

By using Wrkout, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

We do not sell your personal data.

2. Data Controller Information

Data Controller:
Wrkout
Email: privacy@wrkout.app
Website: https://www.wrkout.io

For users in the European Economic Area (EEA), we act as the data controller for your personal information.

3. Data We Collect

3.1 Account & Profile Information

Collected when you create an account or update your profile:

• Email address (required for account creation)
• First name and last name
• Profile image (optional, user-uploaded)
• User role (client or trainer)
• Trainer–client relationship status
• App preferences (weight unit, notifications, feature toggles, marketing preferences)

Purpose:

• Account authentication and security
• Personalization of app experience
• Enabling trainer–client functionality
• Communication with you about your account

3.2 Workout & Activity Data

Collected when you log workouts or activities:

• Workouts created, started, and completed
• Exercise selections and order
• Sets, repetitions, and weights lifted
• Rest periods and timing
• Rate of Perceived Exertion (RPE) scores
• Cardio sessions (distance, duration, pace, calories)
• Personal records and progress history
• Workout notes and comments
• Timestamps (created, updated, completed)
• Workout templates created by you

Purpose: Core app functionality, progress tracking, statistics, personal record tracking, workout template creation, strength progression analysis.

Note: This data is considered health-related information under GDPR and requires explicit consent.

3.3 Media Uploads

Collected when you upload media:

• Exercise images (for custom exercises)
• Exercise videos (for custom exercises)
• Profile images

Storage: Media is stored securely in Cloudflare R2 with access controlled via presigned URLs.

3.4 Messaging Data

For in-app messaging between users and trainers, we store message content, sender/receiver IDs, timestamps, read/unread status, and attachments.

Messages are only visible to participants and are not used for analytics or marketing.

3.5 Authentication & Security Data

We collect authentication tokens, session metadata, device identifiers, and IP addresses for security and fraud prevention.

4. Analytics & Monitoring

4.1 Google Analytics for Firebase

We use Google Analytics to understand how the app is used. Data collected may include app usage events, device type, OS version, app version, and approximate location (country-level). We do NOT collect message content, detailed workout data, or sensitive personal data via analytics.

You can opt out of analytics tracking in app settings. Analytics data is retained according to Google Analytics policies (typically 14 months).

4.2 Sentry (Error Tracking)

We use Sentry to monitor app stability and detect crashes. Data collected includes error logs, stack traces, app version, OS version, device model, and anonymous session identifiers.

Error logs are retained for 90 days, then automatically deleted.

5. Third-Party Services & Data Sharing

We use the following third-party services to operate and improve Wrkout:

• Cloud Storage (Cloudflare R2): Secure storage of user-uploaded media
• Payment Processing (Stripe): Process subscription payments (we do not store payment card details)
• Email Services (SendGrid): Send transactional emails
• Push Notifications (Firebase): Send push notifications (requires separate opt-in)
• Analytics (Google Analytics): App usage analytics (with your consent)
• Error Tracking (Sentry): App stability monitoring

All providers are subject to their own privacy and security obligations and are used strictly to operate and improve the app.

We do NOT sell your data to third parties or share it with advertisers.

6. What We Do NOT Collect

We do not collect:

• Precise GPS location data
• Contacts or address book information
• SMS or call logs
• Payment card details (handled by third-party payment providers)
• Background audio or video
• Biometric data (used only for device authentication, not collected by us)
• Health data from HealthKit or other health apps (unless explicitly shared by you)
• Browsing history or web activity outside the app

7. How We Use Your Data

We use the information we collect to:

• Core Functionality: Create and manage your account, authenticate your identity, provide workout tracking, enable trainer–client relationships, process payments, send transactional emails
• Personalization: Customize your app experience, display workout history and progress, show relevant exercises
• Product Improvement: Analyze app usage patterns (with your consent), identify and fix bugs, improve performance, develop new features
• Communication: Send important account notifications, respond to support requests, send marketing communications (only with your consent)
• Security & Legal: Prevent fraud and abuse, comply with legal obligations, enforce terms of service, protect user safety

8. Data Storage & Security

We implement appropriate technical and organizational measures to protect your personal data:

• Technical Measures: Encryption in transit (HTTPS/TLS) and at rest, secure authentication protocols (JWT tokens), regular security audits, access controls and role-based permissions, secure password storage (hashed, never plain text)
• Organizational Measures: Limited access to personal data, employee training on data protection, incident response procedures, regular security reviews

In the event of a data breach, we will notify affected users within 72 hours (as required by GDPR) and take immediate steps to contain and remediate the breach.

9. Data Retention

• Active accounts: Data is retained while your account is active
• Deleted accounts: Upon account deletion, personal data is removed or anonymized within 30 days
• Analytics data: Retained according to Google Analytics policies (typically 14 months)
• Error logs: Retained for 90 days, then automatically deleted
• Legal & Compliance: Some data may be retained temporarily for legal obligations, security, fraud prevention, dispute resolution, or backup purposes

10. Your Rights (GDPR & CCPA)

You have the right to:

• Right to Access: View your data in the app or request a copy via the data export feature
• Right to Rectification: Correct inaccurate or incomplete data
• Right to Erasure: Request deletion of your account and personal data
• Right to Restrict Processing: Restrict how we process your data in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format (JSON export available)
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time for data processing that requires consent
• Right to Lodge a Complaint: Lodge a complaint with a data protection authority if you believe we have violated your privacy rights

California Privacy Rights (CCPA): If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know, delete, and opt-out of the sale of personal information (we do not sell data).

How to exercise your rights: Use features in app settings, use the "Export Data" feature, or contact us at privacy@wrkout.app

11. Children's Privacy

Wrkout is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@wrkout.app. We will delete the child's information upon verification.

12. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States and European Economic Area. We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) and service provider agreements.

You have the right to know where your data is processed and to request information about transfer safeguards. Contact privacy@wrkout.app for more information.

13. Marketing Communications

Marketing communications require your explicit consent. You can opt in during registration or later in app settings.

If you opt in, you may receive:

• Workout tips and training advice
• New feature announcements
• Exercise tutorials and guides
• Motivational content
• Special offers and promotions (for trainers)
• App updates and improvements

Frequency: Maximum 2-4 emails per month. We will never spam you with excessive messages.

You can unsubscribe at any time by clicking "Unsubscribe" in any marketing email, updating preferences in app settings, or contacting support. Even if you opt out of marketing, you'll still receive important account notifications, security alerts, service updates, and transactional messages.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, new features or services, legal or regulatory requirements, or user feedback.

We will notify you of material changes by posting the updated policy on our website, updating the "Last Updated" date, sending an email notification (for significant changes), or showing an in-app notification (for major changes).

Your continued use of Wrkout after changes are posted constitutes acceptance of the updated policy. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.

15. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

• Privacy Inquiries: privacy@wrkout.app
• Data Protection Officer (EU): dpo@wrkout.app
• General Support: support@wrkout.app

We aim to respond to privacy inquiries within 30 days, as required by GDPR.

16. Acceptance

By using Wrkout, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with any part of this policy, please do not use our services.