Privacy Policy

Last updated:

1. Introduction

JCODE, publisher of the WorkoutGen application, takes the protection of your personal data very seriously. This Privacy Policy explains what data we collect, why we collect it, how we use it, and what your rights are.

This policy complies with the General Data Protection Regulation (GDPR) and applicable US privacy laws including CCPA and state privacy regulations.

Data Controller:

JCODE

25 rue de Ponthieu, 75008 Paris, France

SIREN: 911 451 615

Email: contact@workoutgen.app

2. Data Collected

2.1 Account Information

When you create an account, we collect:

  • Email address: for login, communication, and password recovery
  • Password: encrypted and never stored in plain text
  • Account creation date

2.2 Workout Data

To generate personalized programs, we collect:

  • Fitness goal: muscle gain, fat burning, endurance, etc.
  • Experience level: beginner, intermediate, advanced
  • Available equipment: gym, bodyweight, dumbbells, etc.
  • Desired training frequency: number of sessions per week
  • Exercise preferences: favorite exercises or exercises to avoid
  • Training history: completed sessions, progress

No sensitive health data (diseases, injuries, medical history) is collected or stored.

2.3 Payment Data

Payments are exclusively processed by Lemon Squeezy, our Merchant of Record. Lemon Squeezy handles all payment processing, tax collection, and compliance. We never store your banking information on our servers.

Lemon Squeezy collects and processes:

  • Credit card number, expiration date, CVV
  • Billing name and address
  • Transaction details (amount, date, currency)

From Lemon Squeezy, we receive only the subscription status, renewal date, and an anonymized transaction ID.

2.4 Technical Data

We collect:

  • Device type: iOS, Android, Web
  • App version
  • Operating system version
  • Language preference
  • Error logs (to fix bugs)

We do NOT store: precise geolocation, raw IP addresses (PostHog derives country/city then discards the IP), or device identifiers (IDFA/AAID).

2.5 Fitness Condition Data

To generate personalized programs, we collect with your explicit consent:

  • Weight: to adapt exercise intensity
  • Height: to calculate training parameters
  • Age: to adjust program difficulty
  • Gender: to customize exercise selection
  • Body type: to optimize training strategy
  • Training goal: to select appropriate program

These data are processed based on your explicit consent (GDPR Article 9). You can withdraw this consent at any time in app settings.

Important: WorkoutGen is a fitness planning tool, not a medical device. We do not collect medical data, diagnoses, or health conditions.

3. How We Use Your Data

3.1 Service Provision

  • Create and manage your account
  • Generate personalized workout programs with AI
  • Track your progress and training history
  • Sync data across your devices

Legal basis: Contract performance (Terms of Service).

3.2 Communication

  • Send transactional emails (account confirmation, password reset)
  • Notify about subscription status (trial ending, payment failure)
  • Provide customer support

Legal basis: Contract performance and legitimate interest.

3.3 Payment Processing

  • Process subscription payments via Lemon Squeezy
  • Generate invoices
  • Manage refunds

Legal basis: Contract performance and legal obligation (tax records: 10 years).

3.4 Service Improvement

  • Analyze usage data (via PostHog with consent, or anonymously without)
  • Identify and fix bugs
  • Develop new features based on user needs

Legal basis: Consent for identified analytics; Legitimate interest for anonymous analytics (GDPR Recital 26 - anonymous data is not personal data).

4. Third-Party Service Providers

We share your data with these trusted partners who help us provide the service:

4.1 Infrastructure

  • Strapi Cloud (France): database and backend API
  • Cloudflare (Europe): website hosting and CDN
  • Bunny.net (Europe): exercise video hosting

4.2 Payment

  • Lemon Squeezy: Merchant of Record, payment processing, tax handling, invoicing, PCI-DSS compliant

4.3 Analytics

  • PostHog (EU hosting): analytics with consent-based identification or cookieless anonymous tracking

International Transfers: Some providers (Lemon Squeezy) may process data in the US under Standard Contractual Clauses (SCCs) approved by the EU Commission.

5. Data Sharing

We never sell your personal data to third parties.

We may share data only in these cases:

  • With your consent: if you explicitly authorize it
  • Legal obligation: court order, regulatory request
  • Service providers: listed in section 4 above
  • Business transfer: in case of merger, acquisition, or asset sale (you will be notified)

6. Use of Data for AI Improvement

To improve the quality of generated programs for all users, we may use anonymized workout data to train and refine our AI models.

Guarantees:

  • No personally identifiable data (name, email) is used
  • Data is pseudonymized (random identifier)
  • Only workout data (goal, level, equipment, progress)
  • No health or medical data
  • Secure hosting in Europe (Strapi Cloud, France)
  • You can opt out via contact@workoutgen.app

Legal basis: Legitimate interest (improving program quality for all users).

7. Data Retention

  • Active account: data retained while account is active
  • Deleted account: data deleted within 30 days (except legal obligations)
  • Invoices: 10 years (tax law requirement)
  • Analytics logs: 12 months maximum
  • Inactive accounts: 3 years of inactivity → email warning → deletion after 6 months

8. Data Security

We implement industry-standard security measures:

Technical Measures

  • Encryption: HTTPS/TLS for data in transit, AES-256 for data at rest
  • Passwords: hashed with bcrypt (never stored in plain text)
  • Access control: principle of least privilege
  • Monitoring: automated intrusion detection

Organizational Measures

  • Regular security audits
  • Staff training on data protection
  • Incident response plan

In case of a data breach affecting your personal data, we will notify you within 72 hours as required by law.

9. Your Privacy Rights

Under GDPR and US privacy laws (CCPA, state laws), you have the following rights:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Correct your personal data directly in the app (Settings > Account) or contact us.

Right to Deletion

Delete your account anytime (Settings > Delete Account). All data will be erased within 30 days, except legal obligations (invoices: 10 years).

Right to Object

Object to the processing of your data for analytics or AI training.

Right to Portability

Download your data in a structured format (JSON) to transfer elsewhere.

Right to Restriction

Request a temporary freeze of data processing during a dispute.

Right to Opt-Out (CCPA)

California residents can opt out of data "sales" (we don't sell data, but you can request deletion).

To exercise your rights:
Email: contact@workoutgen.app
Response time: 30 days maximum
ID verification may be required for security

File a complaint:
EU residents: CNIL (cnil.fr)
US residents: State Attorney General or FTC (ftc.gov)

10. Cookies and Trackers

WorkoutGen uses minimal cookies and respects your privacy choices:

Strictly Necessary Cookies (no consent required)

  • User session: to stay logged in (JWT token)
  • Interface preferences: dark/light theme, language

Analytics (consent-based)

  • PostHog: With consent, we use cookies for identified analytics. Without consent, we use cookieless mode with server-side hashing (IP + browser fingerprint) that rotates daily - this is fully anonymous and GDPR-compliant (Recital 26).

You can manage your privacy preferences in Settings > Privacy at any time.

11. Children's Privacy

WorkoutGen is not intended for children under 13 (COPPA) or 16 (GDPR). We do not knowingly collect data from children.

If we discover that a child's data was collected without parental consent, we will delete it immediately.

Users aged 13-17 (US) or 16-17 (EU) must have parental/guardian consent before creating an account.

12. "Do Not Track" Signals

Some browsers offer "Do Not Track" (DNT) signals. WorkoutGen does not currently respond to DNT signals, but we minimize tracking by default (no ads, no third-party trackers).

13. Policy Updates

We may update this Privacy Policy to reflect legal changes or new features. We will notify you of significant changes via email or in-app notification.

The last modified date is displayed at the top of this page.

14. Contact and DPO

For any questions about data protection:

Email: contact@workoutgen.app

Phone: +33 7 84 07 11 53

Mailing address: JCODE, 25 rue de Ponthieu, 75008 Paris, France

Data Protection Officer (DPO): Jean-Baptiste Théry (same email)

EU Supervisory Authority (CNIL):

Commission Nationale de l'Informatique et des Libertés

3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

Tel: +33 1 53 73 22 22

Website: www.cnil.fr