T-SHAPED APPS LTD (hereinafter, "Gymtone" or the "Provider"), with registered office in Griva Digeni, 51, ATHINEON COURT, Flat/Office 202, 8047 Paphos, Cyprus, operates the website www.gymtone.ai (hereinafter, the "Website") as well as the Gymtone app, a digital fitness and workout tracker (hereinafter, the "App" or the "Product") for Android and iOS.
The following Data Protection Policy informs you about the types of personal data of Gymtone users that are processed, the purposes for which they are processed, and the scope of processing. The Data Protection Policy applies to all processing of personal data performed by Gymtone, both in connection with service provision and, in particular, on the Website and in the Gymtone App, which users can install on their mobile end device, as well as within external online presences, such as Gymtone's social media profiles (hereinafter, collectively referred to as the "Online Offer").
The controller within the meaning of the General Data Protection Regulation (GDPR)—i.e., the entity responsible for collecting, processing and using personal user data—is
T-SHAPED APPS LTD
Griva Digeni, 51
ATHINEON COURT,
Flat/Office 202
8047, Paphos, Cyprus
support@gymtone.ai
All incoming and outgoing data—both in the communication with the Apps and in third-party provider communication—are transmitted in encrypted form. The encrypted connection when using the Gymtone Website can be seen, for instance, via the address bar of the browser being used, which begins with "https://", and via the encryption symbol found there. Because of encryption, the transmitted data cannot be read by third parties.
"Personal data" for the purposes of the GDPR means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; Personal data (e.g., e-mail address, workout and nutrition data in the App) will be processed by the Provider only pursuant to the provisions of applicable data protection law. The following provisions inform you about the nature, scope and purpose of the collection, processing and use of personal data.
When visiting the Website www.gymtone.ai, the web server, on the basis of Gymtone's legitimate interests under Article 6(1)(f) GDPR, automatically records log files, which cannot be attributed to any specific person, if this is necessary for the App's functionality and is not outweighed by the interest in protecting the user's personal data. These data include, e.g., the browser type and version, the operating system used, referrer URL (the previously visited site), IP address of the requesting computer, access date and time of server request, and the file requested by the client (file name and URL). These data are collected only for the purpose of statistical analysis and for security reasons (e.g., to investigate acts of misuse or fraud) and are stored for seven days and then erased. If it should be necessary to retain the data for a longer period of time for evidentiary purposes, they are exempt from erasure until final resolution of the respective event.
3.2.1. Use of cookies
In order to make the Website more user friendly and more effective overall, Gymtone itself or third parties engaged by Gymtone for this purpose store cookies on the user's hard drive, provided the user has consented to this in accordance with Article 6(1)(a) GDPR. A cookie is a small text file that is used, inter alia, to record information with respect to use of a website. These cookies cannot execute programs or transmit viruses to the user's computer. They do not contain any personal data, cannot be attributed to specific persons, and, unless described otherwise, will be automatically deleted after one year, at the latest. These data are not combined with other data sources. It is also possible to use websites operated by the Provider without cookies. The storage of cookies can be deactivated or limited to certain websites in the respective browser, or the browser can be configured in such a way that it notifies the user once a cookie is sent. The user can also delete cookies from the hard drive of their PC at any time.
3.3.1. Required information when creating a personalized user account
In order to be able to use the App, the user must provide the required information "name", "e-mail address" and "password". These are used to identify the user and for the purpose of communication between the Provider and the user. The e-mail address and all other user data cannot be viewed by other users. A different situation applies only if the user is using the "Buddies" feature (see 3.3.8). The data are stored on the basis of the consent of each user under Article 6(1)(a) GDPR.
3.3.2. Use of the GYMTONE app with the feature "Sign Up With Apple" / "Continue With Apple"
The user has the option to create a GYMTONE account via his or her Apple account. The user can register for or log in to GYMTONE with this Apple account if he or she uses the "Sign Up With Apple" button on the website or the "Continue With Apple" button in the app when registering. When logging in using the Apple ID, the personal e-mail address can be hidden or shared with GYMTONE. With "Hide e-mail address", the user can use Apple's e-mail relay service to generate a generic alias address through which messages from GYMTONE are forwarded to their private e-mail address. "Continue with Apple" uses two-factor authentication. An additional password does not have to be assigned. Further information about the method of operation and settings is available at: https://support.apple.com/HT210425
The watchOS app for the Apple Watch can additionally be downloaded and used through the Apple Watch itself, unless it is automatically coupled with the user's iPhone. In this case, registration must take place using the feature "Continue With Apple".
3.3.3. Use of the GYMTONE app with the feature "Sign Up With Google" / "Continue With Google"
The user has the option to create a GYMTONE account via his or her Google account. The user can register for or log in to GYMTONE with this Google account if he or she uses the "Sign Up With Google" button on the website or the "Continue With Google" button in the app when registering. In this regard, GYMTONE collects and stores the user's personal data through the Google account, such as the user's e-mail address, optionally also first and last names, and the user's profile picture. The user can individually adjust the data transfer to GYMTONE in their Google account under privacy settings. Further information about the method of operation and settings is available at: https://support.google.com/accounts/answer/2541991
3.3.4. Use of the GYMTONE App without personalized user account
An existing anonymous user account can be converted into a personalized account at any time by adding a name, e-mail address and password. It is not possible to attribute an anonymous account to a user, meaning that if the mobile end device is lost, it is not possible for GYMTONE to restore the account.
3.3.5. Data provided by the user
When creating a personalized user account, the user provides the required information (name, e-mail address and password). The user can optionally also provide last name and place of residence, which are then recorded by GYMTONE.
In addition, GYMTONE records data that are provided by the user through a personalized or anonymous user account, which can be entered when using the App. This comprises a user profile, which includes, but is not limited to, the below-listed body, fitness and health data:
— Age/date of birth
— Gender
— Height
— Diet (e.g., vegan)
— Goal (e.g., lose weight)
— Activity level (high/low)
— Recorded activities and workouts
— Workout history (exercises, sets, repetitions, weight, duration)
— Training plan / selected program
— Calories consumption and activity calories
— Steps
— Starting weight, weight progress and target weight
— Blood pressure
— Status of the App user (PRO subscription in place: yes/no)Fasting details (e.g., hours fasted)
— Water consumption
— Favorite recipes
The data are collected on the basis of the user's consent under Article 6(1)(a) GDPR. The provision of body data is necessary in order to be able to use the App's features. In particular, it is necessary to provide starting weight/target weight, gender, date of birth and height so GYMTONE can calculate the user's personal training plan and calorie goal.
Other data, such as water consumption and workout history, enable the user to track their hydration and training progress. These data are used solely for the stated purposes and, as a rule, cannot be seen by third parties. A different situation applies only if the user is using the "Buddies" feature (see 3.3.8.).
3.3.6. Data automatically recorded by Gymtone
When the App is installed, the following are recorded one time:
Date of installation
Date of registration
Operating system of the device used (Android/iOS)
Country and language (using locale: the “locale” is a set of settings that contains the region parameters (local parameters) for computer programs. These primarily include the language of the user interface, the country and settings for the character set, keyboard layout, andformats for payments, currencies, dates and times.)
These data are recorded in order to improve and personalize our services, and this takes place on the basis of our legitimate interest pursuant toArticle 6(1)(f) GDPR.
3.3.7. Data recorded while using the App
When the App is being used, GYMTONE furthermore records the following:
Current IP address
App version being used
Current time zone
These data are recorded in order to improve and personalize the offered services, and this takes place on the basis of GYMTONE's legitimate interest pursuant to Article 6(1)(f) GDPR.
3.3.8. Contractual relationship and payment procedure
Where a contractual relationship between the user and GYMTONE is to be established, substantively structured or changed, GYMTONE stores personal data of the user on the basis of Article 6(1)(b) GDPR (see the list of personal data under No. 3.3.5 to 3.3.7), provided this is necessary for the performance of the contract. Through an in-app purchase, the user has the ability to acquire a PRO version of the GYMTONE App in connection with a subscription, optionally at the start of a three-day free trial phase (trial subscription). If the user decides to acquire the PRO version and presses the order button, they will be forwarded directly to the Apple App Store, the Google Play Store, depending on their operating system, even if they had first opted for the three-day free trial phase during the temporary subscription. In that case, the corresponding amount for the subscription will be automatically debited after the third day of the trial phase.
When the user is forwarded to the appropriate app store, GYMTONE transmits the starting and ending date and, if applicable, the subscription termination date, as well as the reason for termination (e.g., after a possible cancellation). The payment processing data are collected directly by the app stores. The data protection policies of the app stores can be viewed here:
Apple App Store: https://www.apple.com/privacy/
Google Play Store: https://policies.google.com/privacy
The PRO version of the App can also be purchased through the GYMTONE Website. Depending on the selected payment option (Apple Pay, Google Pay, SEPA payment or credit card payment), the user must provide the relevant account data, even if they are first using the three-day trial subscription.
Applicable to the payment transactions are the business terms and conditions and the data protection policies of the respective payment service providers, which are available on the respective websites or transaction apps:
Further processing is handled by the payment service provider Stripe. The service is offered by Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland. Information provided by the user (name, e-mail address, credit card data, start and end date, and, if applicable, termination data of subscriptions, invoice amount) is transmitted by GYMTONE to Stripe pursuant to Article 6(1)(b) GDPR as part of the order process. User data are shared solely for the purpose of payment processing with the payment service provider Stripe Payments Europe Ltd. and only to the extent they are necessary for this. Further information about data protection by Stripe is available at https://stripe.com/legal.
Moreover, GYMTONE makes the mobile payment system Apple Pay of Apple Inc., One Infinite Loop, 95014 Cupertino, USA, available to users in the GYMTONE App. When Apple Pay is used, Apple does not store any original credit card, debit card or prepaid card numbers used by the user. Apple has no access to them. In addition, no backup of transaction data takes place that permits conclusions to be drawn as to the user. Further data protection notices can be found at https://www.apple.com/privacy/.
In addition, the mobile payment system Google Pay of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is also available to users. Google stores information about the transaction made by the user and the payment method selected (debit or credit card). It collects data such as date, time, merchant location, merchant name and merchandise description. Google may combine these data with the information of other Google services that the user uses with their Google account. Further information is available at https://payments.google.com/payments/apis-secure/get_legal_document?ldo=0&ldt=privacynotice.
Gymtone offers an optional feature that provides AI-generated fitness, wellness and nutrition reports ("AI Health Reports"). These reports are created based on information voluntarily provided by the user, such as responses to questionnaires, training habits, dietary habits, lifestyle details, and other inputs.
Important Disclaimer:
AI Health Reports do not constitute medical advice, diagnosis, treatment, or professional healthcare services. GYMTONE is not a medical provider, does not perform medical evaluations, and does not offer emergency or crisis support.Any insights, assessments, or recommendations generated by the AI are intended for informational and educational purposes only.
Users should consult a licensed healthcare professional regarding any medical questions, laboratory results, symptoms, or health concerns. In emergency situations, users must contact their local emergency services immediately.
3.4.1. Data Processed
To generate AI Health Reports, Gymtone may process the following categories of data:
— user questionnaire responses;
— nutrition, activity, and lifestyle information entered in the App;
— optional health-related data voluntarily provided by the user;
— technical data necessary for the feature to operate (e.g., device type, language settings).
3.4.2. Purpose of Processing
The collected data may be used to:
— generate a personalized, non-medical AI Health Report;
— provide tailored wellness insights;
— improve the accuracy, safety, and performance of the App;
— conduct internal analytics for service improvement;
— develop and enhance Gymtone’s non-medical wellness features.
3.4.3. Limitations
AI Health Reports are not intended to diagnose, prevent, or treat medical conditions and must not be relied upon as professional medical advice. They do not replace consultation with a qualified healthcare provider.
3.4.4. Legal Basis
Processing is carried out under:
— Performance of contract (Article 6(1)(b) GDPR);
— Legitimate interest (Article 6(1)(f) GDPR);
— User consent (Article 6(1)(a) GDPR).
GYMTONE takes the protection of personal user data very seriously. For this reason, GYMTONE treats personal data confidentially and in accordance with statutory provisions concerning data protection as well as this Data Protection Policy. GYMTONE therefore collects and stores only data that are provided by third-party providers on the basis of the respective user consent under Article 6(1)(a) GDPR and transmits corresponding data to them. Subject to statutory or contractual permissions, GYMTONE processes the data in a third country or has the data processed there only where the special requirements of Articles 44 et seqq. GDPR are met. Processing takes place, e.g., on the basis of special safeguards, such as the observance of officially recognized, special contractual obligations ("standard contract clauses").
For data transfers to the USA, GYMTONE primarily relies on the EU-U.S. Trans-Atlantic Data Privacy Framework (DPF), which has been recognised as a secure legal framework by an adequacy decision of the European Commission. Standard contractual clauses may also exist. Further information on the DPF and a list of certified companies can be found (in English) at https://www.dataprivacyframework.gov/.
If the European Commission does not attribute to a third country the same level of data protection as the EU, then GYMTONE ensures the maintenance of the European level of data protection through the use of standard contract clauses (SCC) and binding company rules pursuant to Article 46(1) and (2)(c) GDPR. Nevertheless, it is possible under certain circumstances that authorities in a third country may access user data for control and monitoring purposes and, in this regard, that effective legal remedies and data subject rights may not be enforceable.
The following providers and data are affected:
4.1. Google Fit
GYMTONE offers its users the option to link the App with Google Fit, a health platform of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Fit logs the physical activities of the respective user using sensors of the mobile device or activity sensors. The following data may be transmitted in the case of a linking with GYMTONE:
Total activity
Workouts completed (time, duration, type, calories burned)
Steps (distance, number)
Further data protection notices, particularly about the purpose and scope of data collection and the further processing and use of data by Google Fit as well as the rights in this respect and the settings options concerning data protection, are available at https://policies.google.com/privacy.
The use of information that GYMTONE obtains from Google APIs and the sharing of it with other apps takes place pursuant to Google API Services-User Data Policy, including the requirements for limited use.
4.2 Google Health Connect
GYMTONE offers its users the option to link the app with Google Health Connect, an integrated health data platform provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). Google Health Connect facilitates the consolidation of health and wellness data across multiple applications.
When users link GYMTONE with Health Connect, the following categories of data may be accessed or shared:
Activity Data
Body Measurements
Heart & Vital Signs
DataNutrition
GeneralHealth Data
This integration allows users to enhance their experience within the GYMTONE app by providing more comprehensive health insights and personalized recommendations based on aggregated data.
GYMTONE adheres to the Health Connect Permissions Policy, including Limited Use requirements, ensuring that any data obtained is solely utilized for the enhancement of user features within the app. Users maintain full control over their data and can modify their permissions or unlink Health Connect at any time through the GYMTONE app settings, being informed of any potential impacts on app functionality.
Further data protection notices, particularly concerning the purpose and scope of data collection and the further processing and use of data by Google Health Connect, as well as the rights in this respect and the available settings options concerning data protection, can be found at https://policies.google.com/privacy.
4.3. Apple Health
Users also have the option to link their App with Apple Health, a mobile app of the technology group Apple Inc., One Infinite Loop, 95014 Cupertino, USA. The below-listed data may be transmitted to GYMTONE in the course of this:
Total activitySteps (distance, number)
Workouts (time, duration, type, calories burned)
Weight, waist measurement
Systolic blood pressure, diastolic blood pressure, blood glucose level
Body mass index
Menstruation cycle
In addition, the below-listed data may be transmitted by GYMTONE to Apple:
Total activity
Physical values (weight, waist measurement, blood sugar, systolic and diastolic blood pressure, blood glucose level, body mass index)
Nutritional energy, macronutrients, micronutrients, vitamins
GYMTONE has the ability to directly access the data pool of Apple Health at any time if the user has consented to this. Apple Health collects health-relevant user data and displays them as processed in the App. Further data protection notices can be found at https://www.apple.com/privacy/.
4.4. Samsung Health
Furthermore, health, diet and fitness data of users of Samsung Health, a platform of Samsung Electronics, Ltd, 129, Samsung-ro, Yeongtong-gu, Suwon-si, Gyeonggi-do 16677, Republic of Korea, and Samsung Medison, Pangyogeok-ro, 145, Bundang-gu, Republic of Korea, can be transmitted to GYMTONE if the user uses the connect option in the GYMTONE App:
Total activity
Workouts completed
Steps (distance, number)
Weight
Samsung Health manages the mentioned user data in order to support its users on the path to greater fitness and well-being. GYMTONE has the ability to directly access the data pool of Samsung at any time. Further information is available at https://privacy.samsung.com/privacy/samsung.
4.5. Huawei Health
Health and fitness data of users can be transmitted by Huawei Health, an official app of Huawei, G1, HUAWEI Industrial Base, Bantian, Longgang District, Shenzhen 518129 P.R. China, to GYMTONE if the user uses the connect option in the GYMTONE App:
Total activity
Workouts completed
Steps (distance, number)
Weight
GYMTONE Health monitors the health and physical activities of users. GYMTONE has the ability to directly access the data pool of Huawei at any time. Further data protection notices are available at: https://consumer.huawei.com/minisite/cloudservice/health/privacy-statement.htm?code=HK&language=en_us.
Gymtone uses a customer service platform to process user inquiries submitted through the Website. The Website provides a contact form in which users manually enter their data (name, email address, iOS or Android version, possible PRO status, description of the issue). Based on this information, the Gymtone Support Team can view the user data stored in the user's App.
The personal data that users provide to Gymtone in connection with their contact request is used solely to respond to the inquiry or to establish contact and is processed only for the technical administration associated with this request. The data is not shared with third parties.
If the user has consented to the storage of their data, they have the right to withdraw this consent at any time with effect for the future. In such cases, their personal data will be deleted without delay. The user's personal data will also be deleted without a separate request if Gymtone has completed processing of their inquiry or if storage is not permissible for other legal reasons.
The processing of data is carried out based on the user's consent under Article 6(1)(a) GDPR and a data processing agreement pursuant to Article 28(3) GDPR.
GYMTONE regularly notifies its users by e-mail about current fitness trends, workout programs, diet trends, recipes and other interesting offers and tips from the field of training, fitness, nutrition, weight loss and well-being, etc. Registration is voluntary and takes place using a double opt-in procedure. After registering, the user receives an e-mail requesting that they confirm their registration. This is necessary so that a third party cannot register to receive the newsletter using someone else's e-mail address. In order to document that the registration meets the legal requirements, it is logged on the basis of GYMTONE's legitimate interest pursuant to Article 6(1)(f) GDPR.
As part of registration on the Website or in the App, the user consents to the processing of the provided data for the purpose of sending and receiving e-mails (Article 6(1)(a) GDPR). Furthermore, the user consents that GYMTONE may collect and process data about their usage behavior (namely, opening the e-mail and clicking on links in it) so that the content of the mailings can be tailored to the respective needs, e.g., if a user repeatedly clicks on links about topic A but not about topic B, they will receive only links about topic A in future mailings.
The consent granted by the user to receive these emails may be withdrawn at any time and without providing reasons with prospective effect by sending an e-mail to support@gymtone.ai.
In addition, receipt can be stopped by using a link found at the end of each newsletter. Gymtone may store the provided e-mail address and the data stored in connection with logging the registration for up to three years on the basis of its legitimate interest in order to be able to demonstrate that consent had previously been given. The processing of these data is limited to the purpose of possible defense against claims. An individual erasure request is possible at any time, provided that the former existence of consent is confirmed at the same time.
GYMTONE is aware of the importance of additional measures to protect the privacy of children. Persons under the age of 16 may not open an account unless a parent has consented in accordance with applicable law. Should GYMTONE learn that personal data about a child under the minimum age were collected without parental consent, GYMTONE will initiate steps to erase these data without delay. Parents who believe that their child has sent us personal data and would like to have these erased should contact GYMTONE using the contact data provided in No. 1.
Based on the user's consent within the meaning of Article 6(1)(a) GDPR, GYMTONE utilizes various tools and plug-ins for the purpose of web analysis, remarketing and retargeting. In doing so, cookies are used that forward the IP address and/or record and analyze different types of data. This includes, for example, the number of Website visitors, visit duration, average page-loading time and visitor origin. These cookies are used for the purpose of being able to put together more targeted offers for GYMTONE users.
Specifically:
8.1. Google Tag Manager/Google Analytics/Google Optimize/Google Analytics by Firebase
GYMTONE utilizes Google Tag Manager on its Website. The provider is Google Ireland Ltd. ("Google"), Google Building Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool used to embed tracking or statistics tools and other technologies on the Website. Google Tag Manager does not itself create any user profiles, store any cookies, or perform any independent analyses. It is merely used to manage and run the tools embedded through it. For this purpose, however, Google Tag Manager records certain aggregated data for the purpose of diagnosing how the tracking and statistics tools are running. These data do not contain any IP addresses or IDs that can be linked to a specific person.
GYMTONE uses Google Analytics and Google Optimize on the Website and in the App for the purpose of analyzing use of the Website. The provider of both web analysis services is Google Ireland Ltd. ("Google"), Google Building Gordon House, Barrow Street, Dublin 4, Ireland.
Google Optimize is a tool integrated in Google Analytics. It enables the Provider to adjust and improve parts of its Website in a targeted manner to match user behavior.
Firebase provides app developers with a technical infrastructure and a variety of tools, including Google Analytics by Firebase. With it, GYMTONE can record and analyze user behavior in order to adjust the App to meet the needs of users and to better control features and events. Google Analytics and Google Optimize use cookies, which facilitate an analysis of the use of the Website by users. The information generated by the cookie about user activities on this Website is normally transferred to a Google server in the U.S. and stored there. On behalf of GYMTONE, Google uses this information in order to evaluate user activities on the Website, to compile reports about Website activities for GYMTONE, and to provide additional services associated with Website use and internet use. In addition, Google will, if necessary, transmit this information to third parties if this is required by law or if third parties process these data on behalf of Google.
Further information about Google's use of data for marketing purposes can be found at https://www.google.com/policies/technologies/ads. If the user wishes to object to interest-related advertising by Google marketing services, they can use the settings and opt-out options provided by Google at http://www.google.com/ads/preferences. Google's data protection policy is available at https://www.google.com/policies/privacy.
8.2. Google Ads Remarketing/conversion tracking
On the Website and in the App, the Provider uses Google Ads Remarketing, an online advertising program of Google Ireland Ltd. ("Google"), Google Building Gordon House, Barrow Street, Dublin 4, Ireland. In connection with Google Ads Remarketing, GYMTONE uses what is known as conversion tracking. If the user clicks on an advertisement placed by Google, a cookie is set for the conversion tracking. These cookies lose their validity after 30 days and are not used to personally identify users. If the user visits certain pages on this Website and the cookie has not yet expired, Google and the Provider can recognize that the user clicked on the advertisement and was redirected to this site.
Each Google Ads Remarketing customer receives a different cookie. The cookies cannot be tracked across the websites of Ads Remarketing customers. The information obtained with the aid of conversion cookies is used to compile conversion statistics for Ads Remarketing customers that have elected to use conversion tracking. Customers learn about the total number of users who clicked on their advertisements and were redirected to a site furnished with a conversion tracking tag. However, they do not receive any information that can be used to identify the user. If a user wishes to decline to take part in tracking, they can object to such use by deactivating the Google conversion tracking cookie through their internet browser under user settings. In addition, the user can prevent the capture and processing by Google of the data generated by the cookie relating to their use of the Website (including their IP address) by downloading and installing the browser plug-in available at the following link: tools.google.com/dlpage/gaoptout. The user will then no longer be included in conversion tracking statistics. However, this will likely limit the functionality of this Website.
The information generated by the cookie about the user's use of this Website is transferred to a Google server in the U.S. and stored there. In the event of activation of IP anonymization on this Website, however, the user's IP address is first truncated by Google within the Member States of the European Union or in other Contracting States of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the U.S. and truncated there. Google uses this information on behalf of the operator of this Website in order to evaluate the user's activity on the Website, to compile reports about Website activities, and to provide other services to the Website operator associated with Website use and internet use.
More information about Google Ads Remarketing and conversion tracking can be found in the data protection provisions at https://safety.google/privacy/ads-and-data/.
8.3. Apple Search Ads
GYMTONE utilizes Apple Search Ads in the App. Apple Search Ads is an online advertising program of the technology group Apple, One Infinite Loop, 95014 Cupertino, USA. Through Apple Search Ads, the Provider's App will be displayed to the user as the top result when the user searches in the App Store.
The user can view and limit their personal data that Apple uses in order to display relevant advertising to them. In addition, the user can prevent location-specific information from being used to find out which advertisements they can see. Further data protection notices are available at https://searchads.apple.com/privacy.
GYMTONE stores the user's personal data for the period of use of the App. If the user account is deleted, the e-mail address, first name, last name, profile picture and links to third-party providers will be definitively and irretrievably deleted.
The user has the ability to reset their account. In this regard, a new account will be transparently set up and settings will be copied (e-mail address, password, settings, goals, etc.). The e-mail address, first name, last name and—if applicable—Fitbit ID, Polar ID, Stripe ID and AppsFlyer ID previously associated with the original account will be deleted in it.
The user has the following rights, which, with the exception of No. 11.9, can be asserted with the controller or the data protection officer. The contact data can be found in No. 1.
11.1. Right of access (Article 15 GDPR)
The user has the right at any time to obtain free information about their personal data stored by GYMTONE, the origin and recipients of the data, the purpose of data processing and the planned duration of data storage, including a copy of the personal data that are the subject of the processing.
11.2. Right to rectification (Article 16 GDPR)
In addition, the user has the right at any time to have inaccurate or incomplete personal data rectified or completed without undue delay.
11.3. Right to withdraw consent (Article 7(3) GDPR)
The user has the right to withdraw their consent to data processing at any time with prospective effect, without there needing to be a ground for withdrawal.
11.4. Right to erasure (Article 17 GDPR)
Subject to the prerequisites of Article 17 GDPR, the user may request erasure of their personal data. Their entitlement to erasure depends, inter alia, on whether the data concerning them are still needed by GYMTONE for fulfilling its statutory duties.
11.5. Right to restriction of processing (Article 18 GDPR)
Subject to the prerequisites of Article 18 GDPR, the user may request restriction of the processing of the personal data concerning them.
11.6. Right to data portability (Article 20 GDPR)
The user has the right to receive their provided personal data in a structured, commonly used and machine-readable format or to transmit those data to another controller, where the processing is based on consent and the processing is carried out by automated means.
11.7. Right to object (Article 21 GDPR)
The user may at any time make use of their right to object to the creation of user profiles and to the processing of personal data concerning them, where the processing takes place on the basis of Article 6(1)(e) or (f) GDPR. The personal data will no longer be processed unless compelling, legitimate grounds outweigh the user's interests, rights and freedoms. Where a user's personal data are used for direct marketing purposes, they of course have the right to object at any time to such processing.
11.8. Right not to be subject to automated decision-making (Article 22 GDPR)
The user has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
11.9. Right to lodge a complaint (Article 77 GDPR)
In addition, the user has the right to lodge a complaint with the supervisory authority responsible for the Provider:
T-SHAPED APPS LTD
Griva Digeni, 51
ATHINEON COURT, Flat/Office 202
8047, Paphos, Cyprus
Email: support@gymtone.ai
Web: www.gymtone.ai
In the event that GYMTONE is involved in a merger, acquisition, reorganization, financing, bankruptcy, sale of all or a portion of its assets, or transition of services to another provider, personal data of users may be transferred or disclosed as part of such transaction, provided the receiving entity is bound to handle the data in a manner consistent with this Data Protection Policy. The user will be notified of any change in the controller of their personal data through the usual communication channels (e.g., e-mail or in-App notice), and will be given the opportunity to exercise their applicable rights before the transfer takes effect, where required by applicable law.
GYMTONE processes health, fitness, and nutrition data of users (including, but not limited to, workout history, body measurements, dietary information, calorie tracking, and data received from Apple Health, Google Fit, Google Health Connect, Samsung Health and Huawei Health) solely for the purpose of providing and improving the App's features to the user and for the other purposes expressly described in this Data Protection Policy.
GYMTONE does not sell, rent, license, or otherwise disclose health, fitness, or nutrition data for advertising, marketing, retargeting, behavioral profiling, or any other use-based data mining purposes. Such data is not used to train generalized machine learning or AI models intended for use outside the App's features for the user.
Data obtained through Google API Services (including Google Fit and Google Health Connect) is used in accordance with the Google API Services User Data Policy, including the Limited Use requirements. Data obtained through Apple HealthKit is used in accordance with the applicable Apple HealthKit terms.
The following supplemental disclosures apply to users who reside in the United States. They supplement, and do not replace, the disclosures provided elsewhere in this Data Protection Policy. The rights described in this Section may vary depending on the user's state of residence and applicable law, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), and other applicable U.S. state privacy laws.
14.1. Sensitive Personal Information
Under applicable U.S. state privacy laws, certain categories of personal data are treated as sensitive. GYMTONE treats the following as sensitive personal information:
— account credentials (e-mail address in combination with password);
— health, fitness, and nutrition data, including workout history, body measurements, dietary information, calorie tracking, fasting details, blood pressure, menstruation cycle, and data received from connected platforms (Apple Health, Google Fit, Google Health Connect, Samsung Health, Huawei Health).
GYMTONE uses sensitive personal information only for the purposes of: (i) providing the App and its features as requested by the user; (ii) ensuring the security and integrity of the service; (iii) detecting, investigating, and preventing fraud, abuse, or unauthorized activity; (iv) complying with legal obligations; and (v) protecting the physical safety of users. GYMTONE does not use sensitive personal information to infer characteristics about a user for targeted advertising or for profiling that produces legal or similarly significant effects.
14.2. Deidentified Information
Where GYMTONE holds deidentified information (information that cannot reasonably be linked, directly or indirectly, to a particular user or device), GYMTONE: (i) takes reasonable measures to ensure such information cannot be associated with a user; (ii) publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the user; and (iii) contractually obligates any recipients of such information to comply with these requirements.
14.3. Categories of Personal Information Collected (California)
For purposes of the CCPA, the categories of personal information that GYMTONE collects, the sources of that information, the business or commercial purposes for which it is collected, and the categories of recipients are described in Sections 3 and 4 of this Data Protection Policy. By California statutory category, GYMTONE collects:
— Identifiers: name, e-mail address, account credentials, IP address, device and online identifiers.
— Customer records information: payment-related data processed by Stripe, Apple, and Google.
— Commercial information: subscription status and transaction history.
— Internet or other electronic network activity: App usage data, interaction with newsletters, cookie and analytics data.
— Geolocation data: coarse location derived from device locale (country, language). Precise geolocation is not collected without explicit consent.
— Visual content: profile picture and any other content the user voluntarily uploads.
— Inferences: training-plan recommendations and similar insights derived from user-provided data.
— Sensitive personal information: as described in Section 14.1.
GYMTONE retains each category of personal data for the period described in this Data Protection Policy and otherwise for as long as necessary to fulfil the purposes for which it was collected, comply with applicable legal obligations, resolve disputes, and enforce agreements.
14.4. Sale of Personal Information and Targeted Advertising
GYMTONE does not sell personal information in exchange for monetary consideration. GYMTONE may disclose certain identifiers and Internet activity information to advertising and analytics providers (described in Section 8) in a manner that may qualify as a "sale" or "sharing for cross-context behavioral advertising" under the CCPA, or as "targeted advertising" under other applicable U.S. state privacy laws. GYMTONE does not sell or share health, fitness, or nutrition data (see Section 13).
Users have the right to opt out of such disclosures by sending a request to support@gymtone.ai with the subject line "Do Not Sell or Share My Personal Information". GYMTONE also honors recognized opt-out preference signals, such as the Global Privacy Control (GPC), where required by applicable law.
GYMTONE does not knowingly sell or share personal information of users under 16 years of age without affirmative authorization (from the user, if at least 13 years of age, or from a parent or guardian, if under 13 years of age).
14.5. U.S. Privacy Rights
Subject to applicable U.S. state law and reasonable verification, users may exercise the following rights:
— Right to Know / Right of Access: request confirmation of whether GYMTONE processes the user's personal data and obtain a copy of the categories and specific pieces of personal data processed, the sources, the purposes of processing, and the categories of recipients.
— Right to Correction: request correction of inaccurate personal data.
— Right to Deletion: request deletion of personal data, subject to legally permitted exceptions.
— Right to Portability: receive personal data in a portable, machine-readable format.
— Right to Opt Out of Sale or Sharing: opt out of disclosures qualifying as sale, sharing, or targeted advertising.
— Right to Limit Use of Sensitive Personal Information: instruct GYMTONE to use sensitive personal information only for the purposes set out in Section 14.1.
— Right to Opt Out of Profiling: opt out of profiling in furtherance of decisions producing legal or similarly significant effects. As described in Section 14.7, GYMTONE does not engage in such profiling.
— Right to Non-Discrimination: not to receive discriminatory treatment for exercising any of the above rights.
14.6. Submitting Privacy Rights Requests
A user may submit a privacy rights request by sending an e-mail to support@gymtone.ai. To enable GYMTONE to respond, the request should include sufficient information to verify the user's identity, including the e-mail address associated with the GYMTONE account, and a description of the right being exercised. GYMTONE may request additional information for the sole purpose of identity verification and will not use such information for any other purpose. GYMTONE will respond to verifiable requests within the periods required by applicable law (generally 45 days, extendable once for an additional 45 days where permitted).
14.7. Automated Decision-Making and Profiling
GYMTONE does not make decisions based solely on automated processing (including profiling) that produce legal effects concerning the user or that similarly significantly affect the user. AI-generated content provided through the App (such as the AI Health Reports described in Section 3.4) is informational and educational only, is reviewable by the user, and does not produce legal or similarly significant effects.
14.8. Authorized Agent Requests
A user may designate an authorized agent to submit a privacy rights request on their behalf. The authorized agent must provide either: (i) a copy of a valid power of attorney executed under applicable law authorizing the agent to act for the user; or (ii) a written and signed authorization from the user identifying the agent and the specific right(s) to be exercised. GYMTONE may, in addition, require the user to verify their identity directly with GYMTONE or to confirm directly that the agent is authorized to act on the user's behalf.
14.9. Right to Appeal
A user who resides in a jurisdiction where applicable law provides a right of appeal (including Virginia, Colorado, Connecticut, and any other state whose law provides such a right) may appeal a decision by GYMTONE regarding the user's privacy rights request. To submit an appeal, the user should reply to the e-mail in which GYMTONE communicated the decision, or send a new e-mail to support@gymtone.ai with the subject line "Privacy Rights Appeal", within a reasonable period after receiving the decision. GYMTONE will respond to the appeal in writing within the period required by applicable law (generally 60 days). If the appeal is denied, the user may submit a complaint to the attorney general of their state of residence.
This Data Protection Policy is currently valid in the version of May 2026. If our Website or our Product is enhanced, or if legal requirements should change, it may become necessary to amend this Data Protection Policy. The current version of this Data Protection Policy can be viewed and printed out at any time by visiting https://www.gymtone.ai/policy