Privacy Policy — Notta GYM

Kemmelby ("we", "us", "our") operates the Notta GYM mobile application and website (nottagym.app). This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR) and Finnish data protection laws.

1. Data Controller

Kemmelby
Finland
Contact: hello@nottagym.app

2. Data We Collect

Account Data

Email address (required for registration)
Name (optional)
Password (stored as a bcrypt hash, never in plain text)

Workout & Fitness Data

Workout logs (exercises, sets, reps, weights, duration)
Exercise progress and personal records
Program preferences (fitness goal, experience level, equipment)

Technical Data

Device type and operating system
App version
Anonymous usage analytics (via PostHog)

Subscription Data

Subscription status and tier (managed by RevenueCat)
We do not store or process payment card details

3. How We Use Your Data

To provide and maintain the Notta GYM service
To track your workout progress and calculate progressive overload
To match you with suitable training programs
To generate AI-powered workout insights (Pro subscribers only)
To display relevant advertisements (free tier only)
To send transactional emails (verification, password reset)
To improve our service through anonymous usage analytics

4. Legal Basis for Processing

Contract performance: Processing your workout data and account information to provide the service you signed up for.
Legitimate interest: Anonymous analytics to improve the service.
Consent: Personalized advertising (you may opt out via GDPR consent dialog).

5. Third-Party Services

We share data with the following processors, all of which maintain GDPR compliance:

Vercel (hosting) — USA, EU Standard Contractual Clauses
Neon (database) — USA, SOC 2 compliant
Resend (email) — transactional emails only
PostHog (analytics) — EU-hosted instance, anonymized data
Google AdMob (advertising) — free tier users only, GDPR consent obtained
RevenueCat (subscriptions) — subscription status management
Apple App Store / Google Play — process subscription purchases and enforce platform billing; subject to Apple's and Google's own privacy policies
OpenAI (AI insights) — workout data sent for analysis, no personal identifiers

6. Data Retention

Account data: retained while your account is active
Workout data: retained while your account is active
Analytics data: anonymized, retained for 12 months
Upon account deletion: all personal data is permanently deleted within 30 days

7. Your Rights (GDPR)

You have the right to:

Access your personal data
Rectify inaccurate data
Erase your data ("right to be forgotten")
Restrict processing of your data
Port your data to another service
Object to processing based on legitimate interest
Withdraw consent for advertising at any time

To exercise any of these rights, contact us at hello@nottagym.app.

8. Cookies

Our website uses:

Essential cookies: Authentication session tokens (required for the service to function)
Analytics cookies: PostHog analytics (opt-in via consent banner)

You can manage cookie preferences via the consent banner shown on your first visit.

9. Children's Privacy

Notta GYM is not intended for children under 16. We do not knowingly collect data from children under 16. If you believe a child has provided us with personal data, contact us at hello@nottagym.app.

10. Changes to This Policy

We may update this policy from time to time. We will notify users of material changes via email or in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact

For privacy-related questions or to exercise your GDPR rights:
Email: hello@nottagym.app

If you are unsatisfied with our response, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).