GymBroTools App Privacy Policy
Last updated:
1. Introduction and Scope
GymBroTools is a mobile fitness application available worldwide. This Privacy Policy describes how GymBroTools collects, uses, and protects users' personal data. The app is developed and operated by a single independent developer (not a company) and is committed to safeguarding all users' privacy.
IMPORTANT: the app is intended for users aged 13 and over. Use of the app by children under 13 is not permitted.
This notice applies to all services offered through the GymBroTools app.
2. Minors
Children under 13: GymBroTools is not intended for children under 13 and we do not intentionally collect personal data from children under this age. If a parent or guardian believes that a child under 13 has provided personal data through the app, please contact us immediately at [email protected] to request its deletion.
Users aged 13 to 17: minors (13-17 years old) may use the app. Parental or guardian supervision is recommended to help ensure responsible use of the application.
3. Types of Data Collected
We do not collect personally identifiable data except what is strictly necessary for the operation of the app. In particular, GymBroTools collects the following categories of data:
User-provided data: information that the user voluntarily enters, such as registration data (e.g., email or username) and workout details (sets, repetitions, weights lifted). This data is used to create the account and allow the user to save and review their workouts. Information entered remains private, visible only to the user and not shared with other users or third parties beyond what is described in this policy. Important: GymBroTools does not require or collect any "sensitive" personal or biological data such as photos, GPS location, contacts, or other data not necessary to use the app, with the exception of health and fitness data that the user may optionally share through the Apple Health (HealthKit) or Health Connect integration described in Section 4 below.
Technical usage data (telemetry): the app uses Microsoft Application Insights to automatically collect anonymous technical data about app usage and operation. This information includes error logs, performance metrics, device data (such as model and operating system), and general technical events (e.g., a screen load or an API call). This telemetry does not contain personally identifiable data: names, emails, addresses, or users' personal content are not recorded. We have configured telemetry to exclude potentially identifiable information (e.g., full URLs, email addresses, user IDs) and to collect only data useful to ensure the app's stability and security. Application Insights is always active to monitor the application's status and is configured with limited sampling (in production) to minimize the amount of data collected.
4. Health and Fitness Data
GymBroTools offers an optional integration with Apple Health (HealthKit) on iOS and Health Connect on Android, allowing users to synchronize health and physical activity data between GymBroTools and their device's health platform. This integration is entirely optional and requires the user's explicit consent, granted through the operating system's native permission dialog.
Data we may read from the device's health platform: body weight, height, body fat percentage, and lean body mass. This data may originate from other devices or apps (e.g., smart scales) connected to the health platform.
Data we may write to the device's health platform: body weight, height, body fat percentage, lean body mass, BMI (Body Mass Index), BMR (Basal Metabolic Rate), and waist circumference; workout sessions including exercise type, duration, calories burned, distance, and heart rate where available.
Purposes of health data processing: health data is used exclusively to (a) import body measurements from external devices (e.g., smart scales) to consolidate them in the user's fitness profile within GymBroTools; (b) export workouts and body measurements recorded in the app to the device's health platform so they are available to the user in a centralized location; and (c) calculate derived metrics such as BMI, FFMI (Fat-Free Mass Index), and waist-to-height ratio.
Legal basis (GDPR Art. 9): health data constitutes a "special category" of personal data under Art. 9 of the GDPR. The legal basis for processing this data is the user's explicit consent (Art. 9(2)(a) GDPR), obtained through the operating system's native permission dialog (Apple Health permission screen on iOS; Health Connect permission screen on Android). Permissions are granular: the user may authorize or deny access to each individual data type independently. Only the minimum data types necessary to provide the fitness integration features are requested, in accordance with the principle of data minimization.
Storage and sharing: health data synchronized via Apple Health or Health Connect is transmitted to GymBroTools servers as part of the user's body measurements, protected by authentication and encryption in transit (HTTPS). Health data is not sold to third parties, shared with third parties for advertising or marketing purposes, used for profiling, or used for any purpose other than the app functionalities described above.
User control: health data synchronization is disabled by default. The user may enable or disable it at any time from the app's Settings. On iOS, Apple Health permissions can be managed from Settings > Health > Data Access & Devices. On Android, the user can revoke Health Connect permissions directly from the device settings (Settings > Health Connect > App permissions). Upon revocation, GymBroTools will no longer read or write health data. Deletion of the user's account entails the removal of all data from GymBroTools servers; data previously written to Apple Health or Health Connect remains under the user's control on their own device.
Platform compliance: GymBroTools complies with Apple's HealthKit usage guidelines and Google's Health Connect developer policies. Health data is processed in accordance with the GDPR, applicable health data protection laws, and the platform-specific requirements for apps that access health data.
5. Purposes of Processing
We process the collected data for the following purposes, in line with the principles of lawfulness and data minimization:
Providing the service and app features: we use user-provided data (e.g., account and workout data) to let the user register, access their profile, save exercises, and view statistics. This processing is essential for GymBroTools to function and to provide the requested features (e.g., syncing workouts across devices in an offline-first mode).
Improving stability, security, and performance: technical data collected via Application Insights is used exclusively to monitor the app's health, identify bugs, prevent crashes, analyze performance, and ensure the service's security. This information helps us fix errors, optimize the infrastructure, and ensure the app works reliably across different devices.
Support communications: contact data (such as the email provided during registration) may be used for service communications strictly related to the app, for example to respond to support requests or to send important notices about app operation. GymBroTools does not send promotional newsletters or unsolicited marketing communications.
Please note that data is never used for commercial profiling, third-party advertising, or automated decisions that produce legal effects on the user. All processing is limited to the purposes described above.
6. Legal Basis for Processing
We process users' personal data only when there is a legal basis under applicable law (EU Regulation 2016/679 "GDPR" and equivalent laws in other jurisdictions). In relation to the purposes above, the legal bases are:
Performance of a contract or pre-contractual measures: for data provided directly by the user (such as account and workout data), processing is necessary to provide the requested service. When a user creates an account and uses GymBroTools, an implicit contractual relationship is established: their data is processed to enable use of the app and its features (Art. 6(1)(b) GDPR). Without this data we could not provide registration, exercise saving, and other key app features.
Legitimate interest: processing of technical telemetry data via Application Insights is based on the developer's legitimate interest (Art. 6(1)(f) GDPR). That interest consists in ensuring the service's stability, security, and continuous improvement, benefiting both the developer and users. We have assessed that this processing, limited to anonymous technical data, does not harm users' rights and freedoms (also thanks to the absence of personally identifiable information). In any case, the app requires acceptance of the Terms and this Privacy Policy on installation, so users are made aware of this basic telemetry. Users have the right to object for reasons related to their particular situation (see the Users' Rights section), bearing in mind that telemetry is fundamental to preventing malfunctions and protecting data.
In addition to these main bases, GymBroTools may process personal data to comply with applicable legal obligations (Art. 6(1)(c) GDPR) or to protect vital interests of users or others (rare cases, Art. 6(1)(d)), although in practice these circumstances do not arise in ordinary app use.
7. Processing Methods and Data Retention
We process users' personal data primarily in electronic and automated form, adopting appropriate security measures to prevent unauthorized access, disclosure, or alteration of data. Data is stored on secure servers (e.g., Microsoft Azure cloud infrastructure) and protected using encryption and access controls. The sole developer of GymBroTools is the only person with direct access to data for app operations and handles such data in strict confidence. No other staff or third parties access personal data, except for the external services mentioned (Microsoft), which act as technical providers as described.
We retain data only for as long as necessary to achieve the purposes for which it was collected, after which we delete it or anonymize it. Below are specific retention periods for each data type:
Account data and workout data: information provided by the user (e.g., registration email, username, saved sets/reps/weights) is retained for as long as the account remains active. In practice, this data remains stored while the user continues to use the app and keeps their account active, so they can access their workout history. The user can always edit or delete individual data (e.g., remove a workout) directly from the app. They may also request deletion of their entire account at any time (see Users' Rights): in that case all personal data associated with the account will be permanently deleted from our systems within a short technical timeframe. Limited data may be kept beyond deletion only in aggregated or anonymous form, or to comply with legal obligations (e.g., security logs), but not in a way that identifies the user.
Technical telemetry data (Application Insights): data collected automatically about errors and performance via Application Insights is retained for a maximum of 90 days. This retention limit is aligned with the platform's standard settings and serves to keep recent history for analysis and debugging without retaining information longer than necessary. After about 90 days, older logs and telemetry are automatically deleted or overwritten. In any case, because the data is anonymous, it is not possible to trace these entries back to a specific user, and deletion occurs in accordance with Microsoft Azure Application Insights' retention policies.
Data transfers abroad: personal data collected by GymBroTools may be transferred to and processed in countries outside the European Economic Area (EEA), in particular where servers of the cloud providers used — such as Microsoft Azure — are located. In such cases, we ensure that appropriate safeguards are in place, such as the use of EU Commission-approved Standard Contractual Clauses or other legal tools provided by applicable law, to guarantee a level of protection equivalent to that required under the GDPR.
At the end of the periods indicated above, data is securely deleted or irreversibly anonymized (so that it can no longer be associated with a user). Remember that users can always request early deletion of their personal data, and GymBroTools will comply within the time limits set by law (see Users' Rights).
8. Users' Rights
GymBroTools users, as data subjects, enjoy a number of rights regarding personal data protection. In particular, users may at any time exercise the following rights:
Right of access: the right to obtain confirmation as to whether or not personal data concerning them is being processed and, if so, to access such data together with information on purposes, categories of data processed, recipients, retention period, and the other rights listed here. In practice, users can request a copy of their data held by us and information on how we use it.
Right to rectification: the right to obtain the correction of inaccurate personal data concerning them and to have incomplete data completed. Users can correct their data directly in the app where possible (e.g., account details) or by contacting us for updates.
Right to erasure ("right to be forgotten"): the right to obtain deletion of personal data concerning them when it is no longer necessary for the purposes for which it was collected or when consent is withdrawn (where processing is based on consent), subject to legal obligations that may require retention. In practice, users can request deletion of their account and associated personal data; following the request, the data will be permanently erased from our systems within a short technical timeframe.
Right to restriction of processing: the right to obtain restriction of processing of personal data in specific circumstances (e.g., when accuracy is contested or processing is unlawful and the user, instead of erasure, requests restriction).
Right to data portability: the right to receive the personal data concerning them, which they have provided to us, in a structured, commonly used, and machine-readable format and to transmit those data to another controller where technically feasible and where processing is based on consent or contract.
Right to object: the right to object, on grounds relating to their particular situation, to processing based on legitimate interest (such as technical telemetry via Application Insights).
Right to lodge a complaint: if users believe that their data is being processed in violation of data protection law, they have the right to lodge a complaint with the competent supervisory authority. For users in the European Union, the lead authority is the Italian Data Protection Authority (or another competent local authority based on the user's country of residence). We nevertheless invite users to contact us first with any questions or requests so we can resolve the issue amicably.
GymBroTools does not sell, and does not intend to sell, users' personal data as defined by the California Consumer Privacy Act (CCPA). California users can exercise their rights by writing to [email protected].
To exercise their rights, users can contact us at any time at [email protected]. Requests will be fulfilled within the time limits set by law (normally within 30 days, extendable for complex requests) and at no cost to the user, unless requests are manifestly unfounded or excessive.
9. Data Security and Protection
The security of our users' data is a priority. We have implemented appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. In particular:
All communications between the GymBroTools app and the server take place over HTTPS, ensuring that transmitted data (such as authentication credentials or workout updates) is encrypted in transit and cannot be intercepted by third parties.
Users' data (including account and exercise data) is stored on secure cloud servers provided by Microsoft Azure. These servers benefit from Microsoft's advanced security measures, such as encryption at rest, firewalls, intrusion prevention systems, and continuous vulnerability monitoring. Only the authorized developer can access these systems, and solely for app maintenance and operations.
Authentication credentials and other sensitive information are handled securely. GymBroTools integrates Microsoft Entra ID (Azure AD) for authentication: this means the app does not store passwords in plain text in its databases, relying on Microsoft for secure access management (e.g., via OIDC/PKCE tokens). Any authentication tokens are stored securely on the user's device and are not accessible to other apps.
We have configured telemetry services to minimize collected data and we anonymize any potentially personal information. For example, Application Insights does not use cookies in the app (being a mobile app) and automatically removes potential references to personal identifiers in logs.
10. Data Controller and Contact
The data controller for the GymBroTools app is Marco Crupi, an independent developer, who can be contacted at [email protected] for any requests regarding privacy and personal data protection.
11. Changes and Updates to this Privacy Policy
This Privacy Policy may be subject to changes and updates over time, including due to regulatory changes, technological developments, or updates to the app's features. In the event of material changes, we will inform users through in-app notifications or other appropriate channels. We encourage users to review this notice periodically to stay informed about how personal data is processed.