GymTree Trainee

Privacy Policy

How GymTree collects, uses, and protects your personal data.

1. Data Controller

The data controller for your personal data is:

Matteo Dante
Email: privacy@gymtree.app

For any requests regarding your personal data, you may contact us at the email address above.

2. Personal Data We Collect

GymTree collects the following categories of personal data:

2.1 Registration Data

  • Name
  • Email address
  • Google account identifier (when using Google Sign-In)

2.2 Fitness and Health Data (special categories — Art. 9 GDPR)

  • Workout programs and exercise history
  • Diet plans, foods, and quantities
  • Progress photos uploaded by the user
  • Check-in data (weight, measurements, notes)

2.3 App Usage Data

  • Interactions with app features
  • Diagnostic and error data (crash reports)
  • Device type, operating system, app version

2.4 Purchase Data

  • PRO subscription status (active, expired, cancelled)
  • Apple transaction identifier (we do not collect direct payment data — purchases are handled entirely by Apple)

2.5 AI Coach Conversation Data

  • Text and voice messages sent by the user to the AI coach
  • Responses generated by artificial intelligence

3. Purposes and Legal Basis

Purpose | Legal Basis
Account creation and management | Performance of contract (Art. 6(1)(b) GDPR)
Service delivery (workouts, diet, progress) | Performance of contract (Art. 6(1)(b) GDPR)
Processing of fitness and health data | Explicit consent (Art. 9(2)(a) GDPR)
AI Coach features (AI-powered chat) | Explicit consent (Art. 9(2)(a) GDPR)
In-app subscription management | Performance of contract (Art. 6(1)(b) GDPR)
Push notifications | Consent (Art. 6(1)(a) GDPR)
Diagnostics and error correction | Legitimate interest (Art. 6(1)(f) GDPR)
Security and abuse prevention | Legitimate interest (Art. 6(1)(f) GDPR)

4. AI Coach and Artificial Intelligence

GymTree offers an AI-powered coaching feature. When you use the AI Coach:

  • Your messages and relevant context data (such as your current workout program and diet plan) are sent to OpenAI Ireland Ltd., our AI technology provider, to generate responses.
  • OpenAI acts as a data processor (sub-processor) under Art. 28 GDPR.
  • OpenAI applies a zero data retention policy for API requests: data is not retained beyond the time needed to process the response and is not used to train AI models.
  • Using the AI Coach is optional. You can use all other app features without activating the AI Coach.
  • AI Coach responses are automatically generated and informational in nature. They do not replace the advice of a doctor or healthcare professional.

5. Data Recipients and Sharing

Your personal data may be shared with the following recipients, solely for the purposes indicated:

Recipient | Purpose | Country
OpenAI Ireland Ltd. | AI Coach and program generation | Ireland / USA
Sentry (Functional Software Inc.) | Error monitoring and diagnostics | USA
Railway Corp. | Server and database hosting | EU (Netherlands)
Apple Inc. | In-app purchase management and push notifications | USA
Google LLC | Authentication via Google Sign-In | USA

We do not sell, trade, or share your personal data with third parties for marketing purposes.

6. International Data Transfers

Some of our service providers are based in the United States. Transfers of personal data to countries outside the European Economic Area (EEA) are carried out in compliance with Art. 46 GDPR safeguards, through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914 of June 4, 2021);
  • EU-US Data Privacy Framework, where the recipient is certified.

You may request a copy of the safeguards in place by contacting us at privacy@gymtree.app.

7. Data Retention

Your personal data is retained for as long as necessary to fulfill the purposes for which it was collected:

  • Account data: until account deletion by the user.
  • Fitness data and progress: until account deletion. You can delete individual data at any time from the app.
  • AI Coach conversations: until account deletion or manual removal of conversations.
  • Diagnostic data (Sentry): maximum 90 days.
  • Transaction data: retained for the period required by applicable tax law (10 years).

Upon account deletion, all personal data is erased within 30 days, unless legal obligations require longer retention.

8. Your Rights

Under Articles 15–22 of the GDPR, you have the right to:

  • Access — obtain confirmation of processing and access your data;
  • Rectification — update or correct inaccurate or incomplete data;
  • Erasure ("right to be forgotten") — request deletion of your data;
  • Restriction — request restriction of processing in certain circumstances;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on legitimate interest;
  • Withdraw consent — withdraw consent at any time, without affecting the lawfulness of prior processing.

To exercise your rights, write to privacy@gymtree.app. We will respond within 30 days of receiving your request.

You can also delete your account directly from the app in the Profile section.

9. Automated Decision-Making

GymTree uses artificial intelligence to generate workout programs, diet plans, and coaching responses. These processes are assistive and informational: AI-generated content consists of suggestions that the user is free to follow, modify, or disregard. No automated decisions with legal or similarly significant effects on the user are made under Art. 22 GDPR.

10. Children

GymTree is not intended for children under 16 years of age. We do not knowingly collect personal data from individuals under 16. If we become aware that we have collected data from a child, we will promptly delete it.

11. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Data encryption in transit (TLS/HTTPS) and at rest;
  • Access restricted to authorized personnel;
  • Regular backups and disaster recovery procedures;
  • Continuous security monitoring of our systems.

12. Changes to This Policy

We reserve the right to update this privacy policy. In case of material changes, we will notify you via an in-app notification or email. We encourage you to review this page periodically.

13. Complaints

If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the supervisory authority:

Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma, Italy
www.garanteprivacy.it