Privacy Policy
Last updated:
1. Introduction
JCODE, publisher of the WorkoutGen application, takes your personal data protection very seriously. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what your rights are.
This policy complies with the General Data Protection Regulation (GDPR) and applicable US privacy laws including CCPA and state privacy regulations.
Data Controller:
JCODE
25 rue de Ponthieu, 75008 Paris, France
SIREN: 911 451 615
Email: support@workoutgen.app
2. Data Collected
2.1 Account Information
When you save your program, we collect:
- Email address: for login, communication, and password recovery
- Password: hashed with scrypt and never stored in plain text
- Program saved date
2.2 Workout Data
To generate personalized programs, we collect:
- Fitness goal: muscle gain, fat burning, endurance, etc.
- Experience level: beginner, intermediate, advanced
- Available equipment: gym, bodyweight, dumbbells, etc.
- Desired training frequency: number of sessions per week
- Exercise preferences: favorite exercises or exercises to avoid
- Training history: completed sessions, per-set logs (weight, reps, rest time), personal records (estimated 1RM), volume per muscle group, weight measurements, session feedback
2.3 Payment Data
Payments are exclusively processed by Lemon Squeezy, LLC (our Merchant of Record). Lemon Squeezy handles payment processing, tax collection, refunds and chargebacks, and payment-related compliance such as PCI. We never store your banking information on our servers.
Lemon Squeezy collects and processes:
- Credit card number, expiration date, CVV
- Billing name and address
- Transaction details (amount, date, currency)
We receive limited billing and subscription metadata from Lemon Squeezy to operate the service, such as subscription status, plan, renewal or end dates, Lemon Squeezy customer and subscription IDs, payment processor, portal links, and transaction references. We may also retain the billing email linked to the subscription for support, reconciliation, and account recovery. We never receive or store full card details.
2.4 Technical Data
We collect:
- Device type: web browser or installed PWA (iOS, Android, desktop)
- App version
- Operating system version
- Language preference
- Error logs (to fix bugs)
We do not use precise geolocation or mobile advertising identifiers (IDFA/AAID) for tracking. Certain technical identifiers (including IP) may be processed transiently for security, fraud prevention, and routing, then minimized or deleted according to retention rules.
2.5 Fitness Condition Data
To generate personalized programs, we collect with your explicit consent:
- Weight: to adapt exercise intensity
- Height: to calculate training parameters
- Age: to adjust program difficulty
- Gender: to customize exercise selection
- Body type: to optimize training strategy
- Training goal: to select appropriate program
3. How We Use Your Data
3.1 Service Provision
- Save your program and manage your access
- Generate personalized workout programs with AI
- Track your progress and training history
- Sync data across your devices
Legal basis: Contract performance (Terms of Service).
3.2 Communication
- Send transactional emails (account confirmation, password reset)
- Notify about subscription status (renewal reminders, payment failure)
- Provide customer support
Legal basis: Contract performance and legitimate interest.
3.3 Payment Processing
- Process subscription payments via Lemon Squeezy
- Generate invoices
- Manage refunds
Legal basis: Contract performance and legal obligation (tax records: 10 years).
3.4 Service Improvement
- Analyze usage data (via PostHog with consent, or anonymously without)
- Identify and fix bugs
- Develop new features based on user needs
Legal basis: Consent for identified analytics. Legitimate interest applies only to aggregate statistics generated from anonymous memory-only analytics events and non-personal campaign parameters.
4. Third-Party Service Providers
We share your data with these trusted partners who help us provide the service:
4.1 Infrastructure
- Cloudflare, Inc. (US-incorporated): full application hosting on Cloudflare Workers (Smart Placement), primary database on Cloudflare D1 (SQLite on Cloudflare's network), R2 object storage in EU jurisdiction (exercise media), KV cache, Durable Objects (per-user data restricted to EU jurisdiction; distributed locks and account lockout use Western Europe placement hints), Workers Rate Limit, Cloudflare Pages (landing site), DNS, DDoS protection, CDN, country detection via Cloudflare network signals.
- Cloudflare Turnstile (CAPTCHA): bot and abuse protection when saving a program, resetting a password, and requesting an email OTP. Processes minimal browser signals only, no cookies, no fingerprinting.
- Resend (Plus Five Five, Inc., US): transactional emails (account confirmation, email OTP, password reset, retention notices). Transfers covered by Standard Contractual Clauses.
- Bunny.net (BunnyWay d.o.o., Slovenia, EU): image CDN for the marketing landing site only. No authenticated user data is processed.
- Strapi (Strapi SAS, France, EU): headless CMS hosting blog content on the marketing landing site only. No authenticated user data is processed.
A Data Processing Agreement (Cloudflare Standard DPA v4.3) is signed between JCODE and Cloudflare, Inc., dated 2026-05-10, including the EU Standard Contractual Clauses (SCCs) for transfers to non-adequate countries.
4.2 Payment
- Lemon Squeezy, LLC: Merchant of Record, payment processing, tax handling, invoicing, PCI-DSS compliant
For details on how Lemon Squeezy processes your data, see Lemon Squeezy's Privacy Policy.
4.3 Analytics
- PostHog (eu.posthog.com, EU region): consent-based identified analytics, or anonymous memory-only analytics with no persistent PostHog storage for aggregate statistics.
International Transfers: Your primary database (Cloudflare D1) and object storage (Cloudflare R2 with EU jurisdiction) operate on Cloudflare's edge network; transfers between Cloudflare regions are covered by Cloudflare's Data Processing Addendum and the Standard Contractual Clauses (SCCs). Cloudflare itself, Lemon Squeezy and Resend are US-incorporated and may process data outside the European Economic Area; in all cases we rely on GDPR transfer safeguards (SCCs and/or adequacy decisions).
5. Data Sharing
We never sell your personal data to third parties.
We may share data only in these cases:
- With your consent: if you explicitly authorize it
- Legal obligation: court order, regulatory request
- Service providers: listed in section 4 above
- Business transfer: in case of merger, acquisition, or asset sale (you will be notified)
6. Use of Data for AI Improvement
With your explicit consent, to improve the quality of generated programs for all users, we may use aggregated and anonymized workout data to refine the rules and heuristics that power our AI features (e.g. exercise clustering, plateau detection, load progression). The AI Coach report (WorkoutGen Max) is generated locally by WorkoutGen from aggregated tracker signals - no personal data is shared with third-party LLM providers.
Safeguards:
- No direct identifiers (name, email) are used in this AI-improvement workflow.
- Data is pseudonymized (random identifier)
- Only workout data (goal, level, equipment, progress)
- No medical diagnosis or treatment data is processed.
- EU-restricted storage for per-user data and R2 objects; global edge processing covered by Cloudflare's DPA and SCCs
- You can opt out via support@workoutgen.app
Legal basis: Explicit consent (opt-in via Settings > Privacy). You can withdraw your consent at any time.
7. Data Retention
- Active account: data retained while account is active
- Deleted account: data deleted within 30 days (except legal obligations)
- Invoices: 10 years (tax law requirement). Security audit log (account deletion, email change, subscription cancellation events with hashed identifiers): 3 years.
- Analytics logs: 12 months maximum
- Inactive accounts: 1 year of inactivity → email warning → deletion after 30 days
- Unverified accounts: deleted automatically after 90 days if the email address is not verified.
8. Data Security
We implement industry-standard security measures:
Technical Measures
- Encryption: HTTPS/TLS for data in transit, AES-256 for data at rest (via infrastructure providers)
- Authentication: passwords hashed with scrypt; email OTP (one-time passcodes) hashed before storage; account lockout after 10 failed attempts within a 15-minute window.
- Access control: principle of least privilege
- Monitoring and abuse prevention: automated rate limiting (Cloudflare Workers Rate Limit and Durable Objects), account lockout after 10 failed sign-ins within 15 minutes, bot protection via Cloudflare Turnstile when saving a program, resetting a password, and requesting an email OTP, automated intrusion detection.
Organizational Measures
- Regular security audits
- Staff training on data protection
- Incident response plan
In case of a personal data breach, we notify the competent supervisory authority within legal deadlines (GDPR Art. 33). If the breach is likely to result in a high risk to your rights and freedoms, we will inform you without undue delay (GDPR Art. 34).
9. Your Privacy Rights
Under GDPR and US privacy laws (CCPA, state laws), you have the following rights:
Right to Access
Request a copy of all personal data we hold about you.
Right to Correction
Correct your personal data directly in the app (Settings > Account) or contact us.
Right to Deletion
Delete your account anytime (Settings > Delete Account). All data will be erased within 30 days, except legal obligations (invoices: 10 years).
Right to Object
Object to processing your data for analytics or AI training.
Right to Portability
Download your data in structured format (JSON for the full account export, CSV for weight tracking history) to transfer elsewhere.
Right to Restriction
Request temporary freeze of data processing during a dispute.
Right to Withdraw Consent
Where processing is based on your consent (analytics, AI training improvements), you can withdraw it at any time in Settings > Privacy. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right to Opt-Out (CCPA)
California residents can opt out of data "sales" (we don't sell data, but you can request deletion).
To exercise your rights:
Email: support@workoutgen.app
Response time: 30 days maximum
ID verification may be required for security
File a complaint:
EU residents: your national data protection authority or the CNIL (cnil.fr)
US residents: State Attorney General or FTC (ftc.gov)
10. Cookies and Trackers
WorkoutGen uses minimal cookies and respects your privacy choices:
Strictly Necessary Cookies (no consent required)
- User session: to stay logged in (session cookie tied to a server-side session record stored in our database)
- Interface preferences: dark/light theme, language
Analytics (consent-based)
- PostHog: With your consent, we use analytics cookies and local storage for identified usage analysis. Without consent, analytics stays anonymous with memory-only PostHog storage: no PostHog cookie or localStorage identifier is persisted. Events are used for aggregate statistics, retained for a limited period, and are not used for advertising.
On first visit, a consent banner lets you accept or reject non-essential analytics cookies. Your choice is stored locally and can be changed at any time in Settings > Privacy.
11. Children's Privacy
WorkoutGen is not intended for users below the digital consent age in their country: 15 in France (under French GDPR implementation), 16 in countries that retained the GDPR default, and 13 in the United States (COPPA) and the United Kingdom. We do not knowingly collect data from children below these thresholds.
If we discover that a child's data was collected without parental consent, we will delete it immediately.
Users aged 15-17 must have parental or guardian consent before saving their program.
12. "Do Not Track" Signals
Some browsers offer "Do Not Track" (DNT) signals. WorkoutGen does not currently respond to DNT signals, but we minimize tracking by default (no ads, no third-party trackers).
13. Policy Updates
We may update this Privacy Policy to reflect legal changes or new features. We will notify you of significant changes via email or in-app notification.
Last modified date is displayed at the top of this page.
14. Contact and DPO
For any questions about data protection:
Email: support@workoutgen.app
Phone: +33 7 84 07 11 53
Mailing address: JCODE, 25 rue de Ponthieu, 75008 Paris, France
Data Protection Officer (DPO): Jean-Baptiste Thery (same email)
EU Supervisory Authority (CNIL):
Commission Nationale de l'Informatique et des Libertés
3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Tel: +33 1 53 73 22 22
Website: www.cnil.fr