
Privacy Policy

Last updated:

1. Introduction

JCODE, publisher of the WorkoutGen application, takes your personal data protection very seriously. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what your rights are.

This policy complies with the General Data Protection Regulation (GDPR) and applicable US privacy laws including CCPA and state privacy regulations.

Data Controller:

JCODE

25 rue de Ponthieu, 75008 Paris, France

SIREN: 911 451 615

Email: support@workoutgen.app

2. Data Collected

2.1 Account Information

When you create an account, we collect:

  • Email address: for login, communication, and password recovery
  • Password: encrypted and never stored in plain text
  • Account creation date

2.2 Workout Data

To generate personalized programs, we collect:

  • Fitness goal: muscle gain, fat burning, endurance, etc.
  • Experience level: beginner, intermediate, advanced
  • Available equipment: gym, bodyweight, dumbbells, etc.
  • Desired training frequency: number of sessions per week
  • Exercise preferences: favorite exercises or exercises to avoid
  • Training history: completed sessions, progress

2.3 Payment Data

Payments are exclusively processed by Lemon Squeezy, LLC (our Merchant of Record). Lemon Squeezy handles payment processing, tax collection, refunds and chargebacks, and payment-related compliance such as PCI. We never store your banking information on our servers.

Lemon Squeezy collects and processes:

  • Credit card number, expiration date, CVV
  • Billing name and address
  • Transaction details (amount, date, currency)

We receive limited billing and subscription metadata from Lemon Squeezy to operate the service, such as subscription status, plan, renewal or end dates, Lemon Squeezy customer and subscription IDs, payment processor, portal links, and transaction references. We may also retain the billing email linked to the subscription for support, reconciliation, and account recovery. We never receive or store full card details.

2.4 Technical Data

We collect:

  • Device type: iOS, Android, Web
  • App version
  • Operating system version
  • Language preference
  • Error logs (to fix bugs)

We do not use precise geolocation or mobile advertising identifiers (IDFA/AAID) for tracking. Certain technical identifiers (including IP) may be processed transiently for security, fraud prevention, and routing, then minimized or deleted according to retention rules.

2.5 Fitness Condition Data

To generate personalized programs, we collect with your explicit consent:

  • Weight: to adapt exercise intensity
  • Height: to calculate training parameters
  • Age: to adjust program difficulty
  • Gender: to customize exercise selection
  • Body type: to optimize training strategy
  • Training goal: to select appropriate program

3. How We Use Your Data

3.1 Service Provision

  • Create and manage your account
  • Generate personalized workout programs with AI
  • Track your progress and training history
  • Sync data across your devices

Legal basis: Contract performance (Terms of Service).

3.2 Communication

  • Send transactional emails (account confirmation, password reset)
  • Notify about subscription status (renewal reminders, payment failure)
  • Provide customer support

Legal basis: Contract performance and legitimate interest.

3.3 Payment Processing

  • Process subscription payments via Lemon Squeezy
  • Generate invoices
  • Manage refunds

Legal basis: Contract performance and legal obligation (tax records: 10 years).

3.4 Service Improvement

  • Analyze usage data (via PostHog with consent, or anonymously without)
  • Identify and fix bugs
  • Develop new features based on user needs

Legal basis: Consent for identified analytics. Legitimate interest applies only to aggregate statistics generated from limited pseudonymized technical signals in cookieless mode.

4. Third-Party Service Providers

We share your data with these trusted partners who help us provide the service:

4.1 Infrastructure

  • Fly.io, Inc. (US): backend API hosting across multiple regions (Frankfurt DE, Virginia US, Singapore, São Paulo BR)
  • Cloudflare, Inc. (US, EU operations): web-app PWA hosting (my.workoutgen.app), DNS, DDoS protection, CDN, Turnstile CAPTCHA, and R2 object storage (temporary PDF generation with 24h TTL)
  • Bunny.net (BunnyWay d.o.o., Slovenia, EU): exercise video hosting and CDN for static assets
  • Resend (Plus Five Five, Inc., US): transactional emails (account confirmation, password reset)
  • ipapi.co (US): IP geolocation for checkout country pre-fill
  • Turso (Chiselstrike Inc., US, primary database in Ireland, EU): SQLite database with local read replicas synced to each API server region
  • Upstash, Inc. (US): Redis-based distributed rate limiting

4.2 Payment

  • Lemon Squeezy, LLC: Merchant of Record, payment processing, tax handling, invoicing, PCI-DSS compliant

For details on how Lemon Squeezy processes your data, see Lemon Squeezy's Privacy Policy.

4.3 Analytics

  • PostHog (EU hosting): consent-based identified analytics, or cookieless analytics using limited pseudonymized technical signals for aggregate statistics.

International Transfers: Our infrastructure operates across multiple regions (EU, US, Singapore, Brazil). User data is replicated outside the EEA to provide low-latency access from each server region. Providers such as Fly.io, Turso, Lemon Squeezy, Resend, and Upstash may process data outside the EEA. In all cases we apply GDPR transfer safeguards (Standard Contractual Clauses - SCCs and/or adequacy decisions).

5. Data Sharing

We never sell your personal data to third parties.

We may share data only in these cases:

  • With your consent: if you explicitly authorize it
  • Legal obligation: court order, regulatory request
  • Service providers: listed in section 4 above
  • Business transfer: in case of merger, acquisition, or asset sale (you will be notified)

6. Use of Data for AI Improvement

To improve the quality of generated programs for all users, we may use anonymized workout data to train and refine our AI models.

Safeguards:

  • No direct identifiers (name, email) are used in this AI-improvement workflow.
  • Data is pseudonymized (random identifier)
  • Only workout data is used (goal, level, equipment, progress)
  • No medical diagnosis or treatment data is processed.
  • Secure hosting in Europe (Fly.io, EU - Frankfurt, Germany)
  • You can opt out via support@workoutgen.app

Legal basis: Explicit consent (opt-in via Settings > Privacy). You can withdraw your consent at any time.

7. Data Retention

  • Active account: data retained while account is active
  • Deleted account: data deleted within 30 days (except where legal obligations apply)
  • Invoices: 10 years (tax law requirement)
  • Analytics logs: 12 months maximum
  • Inactive accounts: 1 year of inactivity → email warning → deletion after 30 days

8. Data Security

We implement industry-standard security measures:

Technical Measures

  • Encryption: HTTPS/TLS for data in transit, AES-256 for data at rest (via infrastructure providers)
  • Passwords: hashed with scrypt (never stored in plain text)
  • Access control: principle of least privilege
  • Monitoring: automated intrusion detection

Organizational Measures

  • Regular security audits
  • Staff training on data protection
  • Incident response plan

In case of a personal data breach, we notify the competent supervisory authority within legal deadlines (GDPR Art. 33). If the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay (GDPR Art. 34).

9. Your Privacy Rights

Under GDPR and US privacy laws (CCPA, state laws), you have the following rights:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Correct your personal data directly in the app (Settings > Account) or contact us.

Right to Deletion

Delete your account anytime (Settings > Delete Account). All data will be erased within 30 days, except data retained under legal obligations (invoices: 10 years).

Right to Object

Object to the processing of your data for analytics or AI training.

Right to Portability

Download your data in a structured format (JSON) to transfer elsewhere.

Right to Restriction

Request a temporary freeze of data processing during a dispute.

Right to Opt-Out (CCPA)

California residents can opt out of data "sales" (we don't sell data, but you can request deletion).

To exercise your rights:
Email: support@workoutgen.app
Response time: 30 days maximum
ID verification may be required for security

File a complaint:
EU residents: your national data protection authority or the CNIL (cnil.fr)
US residents: State Attorney General or FTC (ftc.gov)

10. Cookies and Trackers

WorkoutGen uses minimal cookies and respects your privacy choices:

Strictly Necessary Cookies (no consent required)

  • User session: to stay logged in (JWT token)
  • Interface preferences: dark/light theme, language

Analytics (consent-based)

  • PostHog: With your consent, we use analytics cookies for identified usage analysis. Without consent, analytics runs in cookieless mode with pseudonymized technical signals. These signals are used for aggregate statistics, retained for a limited period, and are not used for advertising.

You can manage your privacy preferences in Settings > Privacy at any time.

11. Children's Privacy

WorkoutGen is not intended for users under 15 years old. We do not knowingly collect data from minors.

If we discover that a child's data was collected without parental consent, we will delete it immediately.

Users aged 15-17 must have parental or guardian consent before creating an account.

12. "Do Not Track" Signals

Some browsers offer "Do Not Track" (DNT) signals. WorkoutGen does not currently respond to DNT signals, but we minimize tracking by default (no ads, no third-party trackers).

13. Policy Updates

We may update this Privacy Policy to reflect legal changes or new features. We will notify you of significant changes via email or in-app notification.

Last modified date is displayed at the top of this page.

14. Contact and DPO

For any questions about data protection:

Email: support@workoutgen.app

Phone: +33 7 84 07 11 53

Mailing address: JCODE, 25 rue de Ponthieu, 75008 Paris, France

Data Protection Officer (DPO): Jean-Baptiste Thery (same email)

EU Supervisory Authority (CNIL):

Commission Nationale de l'Informatique et des Libertés

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

Tel: +33 1 53 73 22 22

Website: www.cnil.fr