Privacy Policy (app)

The protection of the user's personal data is important to us. This privacy policy outlines which data we collect, how we process it, and the rights the user has concerning their data. This privacy policy is provided in accordance with the General Data Protection Regulation (GDPR).

Data controller

The data controller and data protection officer responsible under data protection law is:

Bastian Raschke
(contact information is available in the imprint)

User Account

The user can freely choose whether to use the app solely locally or to create an account to synchronize their user and workout session data to our servers, so that they can use the app on multiple devices and their progress is automatically saved. Additionally, their progress (collected points) and their chosen name are shown on a publicly available leaderboard. This part of the privacy policy applies only to the latter case.

Hosting

We utilize hosting services to provide the infrastructure for this feature. To this end, we have entered into a data processing agreement with the following data processor:

netcup GmbH
Daimlerstr. 25
76185 Karlsruhe

This legally required contract under data protection law ensures that the processor handles users' personal data exclusively in accordance with our instructions and in compliance with the GDPR.

Data collected and purpose of use

In the context of using this feature, we transfer, process and store the following data:

  • Email address is stored in plain text for identification purposes.
  • Password is stored in hashed form for authentication purposes.
  • Displayed public name is stored in plain text to be able to synchronize between multiple devices and to show on the leaderboard.
  • Workout session data is stored in plain text to be able to synchronize between multiple devices and to (partially) show on the leaderboard. This data includes the duration of the user's exercise sessions, collected game achievements, and the number of pauses taken during the workout.
  • IP address (pseudonymized) for brute force protection: To protect against unauthorized access and attacks, we process the IP address in a pseudonymized form, which does not allow conclusions to be drawn about the user's identity.
  • Server logs for protection against attacks and misuse, diagnosing and resolving technical issues, and analyzing the performance and stability of our infrastructure. These logs contain timestamps, request URLs, user-agent identification, status indicating whether the request was successful, and the size of the transferred data. IP addresses are not explicitly stored.

Legal basis

The processing of the user's data is based on Article 6(1)(b) of the GDPR, as the processing is necessary for the performance of the contract regarding the use of the desired server synchronization feature, and on Article 6(1)(f) of the GDPR due to our legitimate interest in the security and stability of our infrastructure.

Data recipients and storage within the EU

The data is exclusively transmitted to our server, which is operated in Vienna, Austria.

No transfer of personal data to third-party countries outside the EU takes place.

Data transfer security

All data is encrypted during transmission between the user's device and our servers.

Storage duration

The collected data is stored only for as long as necessary to fulfill the contractual purpose or as long as there are legal retention obligations. Data processed as part of the server synchronization feature is stored until the user requests the deletion of the user account. After the termination of the contractual relationship and the expiration of any legal retention periods, the data will be deleted.

Server logs are typically stored for 7 days unless further retention is required to analyze attacks or misuse or to preserve evidence. In such cases, the data may be partially or fully exempt from deletion until the incident is fully resolved.

User rights

The user has the right to:

  • Request information about the data stored with us (Art. 15 GDPR).
  • Request the correction of incorrect or incomplete data (Art. 16 GDPR).
  • Request the deletion of stored data, provided there are no legal retention obligations (Art. 17 GDPR).
  • Request the restriction of the processing of their data (Art. 18 GDPR).
  • Object to the processing of their data (Art. 21 GDPR).
  • Request data portability (Art. 20 GDPR).

Mixpanel

We use the analytics service Mixpanel in our app, a service of Mixpanel Inc., 405 Howard Street, Floor 2, San Francisco, CA 94105, USA (hereinafter referred to as "Mixpanel"). Mixpanel helps us analyze user behavior in the app. This is done solely to better tailor the app to the needs of our users (e.g., to prioritize popular and unpopular features in the app's development) or to quickly resolve problems.

Data collected and purpose of use

The following data is transferred, processed and stored by Mixpanel:

  • Event data (so-called "Events"): e.g., interactions within the app, click behavior
  • User profile data (so-called "User data"): e.g., user ID
  • IP address to determine approximate location of the user
  • Version information: e.g., app version, SDK version
  • Device information: e.g., operating system, device model, unique device identifiers
  • Error reports and performance data: e.g., details of crashes

The complete privacy policy for Mixpanel can be found here.

Legal basis

The processing of the user's data is based on Article 6(1)(f) of the GDPR, due to our legitimate interest in the ability to understand the user's needs and provide high-quality service tailored to the user to maintain our business.

Data recipients and storage within the EU

The collected data is transmitted to Mixpanel. As part of Mixpanel's EU Data Residency Program, user data is processed and stored exclusively within the European Union. Mixpanel is committed to complying with the requirements of the GDPR and taking appropriate security measures to ensure the confidentiality and security of user data.

No transfer of personal data to third-party countries outside the EU takes place.

Data transfer security

All data is encrypted during transmission between the user's device and Mixpanel's servers.

Storage duration

Collected event data is stored for a maximum period of 60 months. After this period, the event data is automatically deleted, making it impossible to link the data to the affected user.

Collected user profile data is stored until the user requests the deletion of the user account. After the termination of the contractual relationship and the expiration of any legal retention periods, the data will be deleted.

User rights

The user has the right to:

  • Receive information about the processed personal data (Art. 15 GDPR).
  • Request the correction of incorrect or incomplete data (Art. 16 GDPR).
  • Request the deletion of stored data, provided there are no legal retention obligations (Art. 17 GDPR).
  • Request the restriction of the processing of their data (Art. 18 GDPR).
  • Revoke their consent to the processing of their data at any time (Art. 7 (3) GDPR).
  • Submit a complaint to a supervisory authority if they believe that the processing of their data violates the GDPR (Art. 77 GDPR).

RevenueCat

We use the in-app purchases platform RevenueCat in our app, a service of RevenueCat Inc., 1032 E BRANDON BLVD #3003 BRANDON, Florida, FL 33511, USA (hereinafter referred to as "RevenueCat"). RevenueCat helps us manage subscriptions in the app.

Data collected and purpose of use

The following data is transferred, processed and stored by RevenueCat:

  • Transaction information to provide in-app purchase functionality: e.g., Apple receipt file, device push token
  • IP address to provide secure in-app purchase functionality
  • Version information: e.g., app version, SDK version
  • Device information: e.g., operating system, device model, unique device identifiers, current carrier
  • Locale information: e.g., locale, country, time zone
  • Time the user last used the app

The complete privacy policy for RevenueCat can be found here.

Legal basis

The processing of the user's data is based on Article 6(1)(f) of the GDPR, due to our legitimate interest in the ability to provide in-app purchases to the user to maintain our business.

Data recipients and storage outside the EU

The collected data is transmitted to RevenueCat. The user data is processed and stored in Amazon Web Services ("AWS") data centers in the USA. This is permissible, as RevenueCat complies with EU and UK data-protection laws.

Data transfer security

All data is encrypted during transmission between the user's device and RevenueCat's servers.

Storage duration

The collected data is stored only for as long as necessary to fulfill the contractual purpose or as long as there are legal retention obligations. The data is stored until the user requests the deletion of the user account. After the termination of the contractual relationship and the expiration of any legal retention periods, the data will be deleted.

User rights

The user has the right to:

  • Request information about the data stored with us (Art. 15 GDPR).
  • Request the correction of incorrect or incomplete data (Art. 16 GDPR).
  • Request the deletion of stored data, provided there are no legal retention obligations (Art. 17 GDPR).
  • Request the restriction of the processing of their data (Art. 18 GDPR).
  • Object to the processing of their data (Art. 21 GDPR).
  • Request data portability (Art. 20 GDPR).

App permissions

The following permissions are required by the app:

Camera access

This permission is required to analyze whether the user performs the workout exercise with correct posture. All video data is processed exclusively on the user's device and is neither transmitted nor stored externally.

Changes to the privacy policy

We reserve the right to update this privacy policy to reflect changes in our services or legal requirements. The user will be informed of significant changes in the way we process personal data through a notification in the app.

Continuing to use the app after 30 days from the notification will be considered acceptance of the amended privacy policy.

If the user does not agree to the amended privacy policy, they are required to terminate their account within this period. After this period, and in the case of non-acceptance, all data will be deleted, and access to the service will be permanently terminated.

Contact

If you have any questions or concerns about data protection, you can contact us at any time:

(contact information is available in the imprint)

Effective Date: 2025-12-17