Gymmit Privacy Policy

1. Overview

This Privacy Policy explains how Gymmit collects, uses, stores, shares, and protects personal data when you use the Gymmit mobile applications, backend services, messaging features, subscription features, support channels, and related services (collectively, the "Service").

Gymmit is operated by Michael Nguetsa.

Gymmit is designed for adults who want to discover workout partners, communicate with training partners, schedule workouts, and manage related account activity.

2. Data Gymmit Collects

Depending on how you use the Service, Gymmit may collect the following categories of data.

Account and identity data

• phone number in E.164 format;
• phone-verification metadata, including verification timing and challenge history needed to operate secure sign-in;
• display name;
• age;
• account id and membership status;
• account creation, refresh-session, and sign-in metadata.

Profile and onboarding data

• city area and normalized place identifiers;
• preferred language;
• bio and profile details;
• current level, desired partner level, competition status, training experience, session frequency, training goals, favorite exercises, workout style, partner preference, social preference, unit system, and strength-related profile inputs;
• primary gym, additional gym selections, travel distance, schedule windows, and workout availability settings.

User content

• profile photo and optional gym or training photo;
• direct messages and conversation metadata;
• workout scheduling content and updates;
• support or feedback messages you send to Gymmit.

Safety and moderation data

• blocks, reports, and related moderation inputs;
• abuse-prevention and rate-limiting signals;
• fraud, policy-enforcement, and trust-and-safety records;
• review notes needed to respond to user reports and safety concerns.

Device and technical data

• IP address and network metadata;
• device token data used for push notifications;
• app, session, and request metadata;
• request identifiers, operational logs, error logs, and diagnostic information.

Billing and entitlement data

• subscription or membership status;
• entitlement state and related provider identifiers;
• App Store or billing-provider purchase metadata needed to validate access;
• reward and redemption history;
• points and workout-related ledger events.

Location-adjacent data

Gymmit currently uses user-selected city and gym information. Gymmit does not rely on continuous background device location tracking as part of the core product flow described here.

Photos and device permissions

Gymmit may ask for access to photos when you choose to upload a profile photo or gym/training photo. Gymmit uses the selected image only for the upload and related app display. You can revoke photo permissions in your device settings.

Push notifications

Gymmit may ask for permission to send push notifications. Notifications may include account, onboarding, workout reminder, buddy, request, chat, reward, membership, and safety-related updates. You can revoke notification permission in your device settings at any time.

3. How Gymmit Uses Personal Data

Gymmit uses personal data to:

• create and secure your account;
• verify phone-based sign-in;
• personalize onboarding and maintain your profile;
• match you with relevant workout partners;
• show discovery candidates and buddy relationships;
• enable messaging, workout scheduling, points, rewards, and membership features;
• deliver push notifications and service communications;
• process and validate subscription entitlements;
• provide account deletion, data export, support, and privacy-rights workflows;
• detect, investigate, prevent, and respond to abuse, fraud, spam, account misuse, or safety issues;
• operate, troubleshoot, secure, and improve the Service;
• comply with legal obligations and enforce the Terms of Service.

4. Legal Bases

Where GDPR or similar laws apply, Gymmit generally processes personal data on one or more of the following bases:

• performance of a contract with you, such as operating your account, matching, messaging, workout, and membership features;
• legitimate interests, such as product security, abuse prevention, service reliability, moderation, and improving core app operations;
• consent, where required by law or platform rules, including permission-based access such as push notifications or photo selection;
• compliance with legal obligations.

5. How Data Is Shared

Gymmit does not sell your personal data for money.

Gymmit may share data in the following circumstances.

With other users

Other users may see profile data needed for the product experience, such as your display name, age, city-level profile details, profile images, training preferences, buddy or workout context, availability signals, and messages you send.

With service providers

Gymmit may use service providers for infrastructure and product operations, such as:

• cloud hosting and managed databases;
• object storage for app media;
• phone verification services;
• push-notification delivery;
• mapping, city search, or place search;
• subscription and entitlement processing;
• support, security, logging, moderation, and operational tooling.

These providers process data on Gymmit's behalf or as independent controllers depending on the service and legal context. Gymmit expects service providers that process user data for Gymmit to provide the same or equivalent protection required by this Privacy Policy, applicable law, and platform rules.

For legal and safety reasons

Gymmit may disclose data where reasonably necessary to:

• comply with law, regulation, legal process, or lawful requests;
• protect users, Gymmit personnel, or the public;
• investigate fraud, abuse, harassment, or security incidents; or
• enforce rights, contracts, or policies.

Business transfers

If Gymmit is involved in a merger, acquisition, financing, reorganization, sale of assets, or similar transaction, personal data may be transferred as part of that transaction, subject to applicable law.

6. Third-Party Services Used by the App

Based on the current product and infrastructure, Gymmit may rely on third parties such as:

• Google Cloud services for hosting, storage, managed databases, and operational infrastructure;
• Twilio for phone verification when enabled;
• Google Places-related services for city and gym search when enabled;
• RevenueCat and app-store billing providers for subscriptions and entitlements;
• Expo services for push notification token and delivery infrastructure.

The specific service mix may change over time as the product evolves.

7. Data Retention

Gymmit keeps personal data only as long as reasonably necessary for the purposes described in this Privacy Policy, including service delivery, security, compliance, dispute handling, safety review, fraud prevention, and enforcement.

Current retention periods and targets include:

• active account, profile, onboarding, photo, buddy, points, reward, and membership data is generally kept while your account remains open, unless you delete it earlier or Gymmit no longer needs it for the Service;
• uploaded profile and gym photos are deleted from active storage when you remove the photo or delete your account, subject to backup and operational limits;
• refresh-session records expire after 30 days and may be deleted earlier when you sign out, delete your account, or Gymmit revokes the session for security reasons;
• workout records are pruned from active app storage after they are more than 30 days past their scheduled end time;
• conversations connected to removed, blocked, or reported buddy relationships are pruned from active app storage after one year of inactivity;
• anti-abuse and rate-limit event records are normally retained for 14 days;
• push-notification device tokens are kept while needed to deliver notifications to your account or until they are revoked, replaced, invalidated, or your account is deleted;
• push-notification jobs and delivery records are kept while needed for delivery, troubleshooting, deduplication, and operational reliability;
• billing and entitlement records are kept while needed to validate subscriptions, restore purchases, handle disputes, satisfy app-store or billing-provider requirements, and meet legal or accounting obligations;
• support, safety, moderation, report, security, and audit records may be kept longer where needed to investigate abuse, enforce policies, resolve disputes, comply with law, or protect users and the Service.

When data is no longer reasonably needed, Gymmit will delete it, de-identify it, or retain it only where law requires.

8. Account Deletion

Gymmit supports in-app account deletion. When you delete your account, Gymmit is designed to remove the profile row and dependent app data, including uploaded profile media, subject to technical limitations, legal obligations, fraud-prevention needs, dispute preservation, unresolved safety reviews, or backup retention windows.

Backup copies and security logs may persist for a limited time before being overwritten or deleted.

9. Consent and Permission Controls

You can withdraw or change certain permissions through your device settings, including push notifications and photo access.

You can stop using the Service, sign out, export account data where available, or request account deletion through in-app controls. If you need help with privacy rights, deletion, export, or consent-related questions, contact Gymmit using the contact details below.

Withdrawing permission may limit some features. For example, disabling push notifications may prevent reminder alerts, and disabling photo access may prevent photo uploads.

10. Your Rights

Depending on your location, you may have rights such as:

• access to your personal data;
• correction of inaccurate data;
• deletion of personal data;
• restriction of processing;
• objection to certain processing;
• data portability;
• withdrawal of consent where processing is based on consent;
• complaint to a competent supervisory authority.

Gymmit includes account deletion and account export capabilities in the app flow. Additional requests may be handled through the contact method below.

11. International Transfers

Gymmit and its providers may process personal data in countries other than your own. Where required, Gymmit will rely on appropriate safeguards for international transfers under applicable law.

12. Security

Gymmit uses administrative, technical, and organizational measures intended to protect personal data, such as authentication controls, access restrictions, secret management, logging, managed infrastructure, and abuse-prevention controls.

No service can guarantee absolute security. You should also protect your device, authentication access, and account session.

13. Children's Privacy

Gymmit is intended only for adults aged 18 and over. Gymmit does not intentionally offer the Service to children.

14. Changes to This Policy

Gymmit may update this Privacy Policy from time to time. When changes are material, Gymmit may provide notice through the app or by another appropriate method.

15. Contact

Gymmit is operated by Michael Nguetsa. For privacy questions, user rights requests, account deletion help, safety concerns, or support requests, contact Gymmit through https://michael-nguetsa.com/contact-2/