
Privacy Policy for Trackist

Effective Date: January 18, 2025

Trackist is committed to protecting your privacy. This Privacy Policy complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. It explains what data we collect, why we need it, and how you can control it.

1. Data Controller and Contact

The data controller is: Softnest, ul. Ludwika Zamenhofa 2/33, 33-300 Nowy Sącz, Poland, Tax ID (NIP): 7343649264, Business ID (REGON): 540236581.

Contact us:

For EU users: You may contact your local data protection authority. In Poland: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

2. Personal Data We Collect

When you use Trackist, we collect:

  • Account Information: name (username), email address, password (encrypted)
  • Authentication Data: Apple ID identifier (if using Apple Sign In)
  • User Preferences: app settings, notification preferences, unit preferences (metric/imperial)
  • Fitness Data: workout plans (names, descriptions, exercises), exercise logs (sets, reps, weight, time, RPE, training dates), performance metrics, body measurements (weight, chest, waist, hips, arms, thighs, calves), personal fitness goals, weekly targets, and exercise notes you create within the app
  • User Content: workout plans you create and share, custom share codes, and feedback you submit
  • Subscription Status: active/inactive subscription status (processed by RevenueCat)

We do not collect: photos or videos, device identifiers or device information, app usage analytics or session duration, precise location data, credit card numbers (processed by payment providers), or health data from Apple Health/Google Fit without your explicit permission.

Automatic Server Data: Our hosting provider (Supabase) may automatically log IP addresses for security and fraud prevention purposes. This data is not linked to your identity and is retained according to their privacy policy.

3. How We Use Your Data

We use your personal data to:

  • Provide and maintain the Trackist app services (legal basis: contract performance under GDPR Art. 6(1)(b); business purpose under CCPA)
  • Process subscription payments (legal basis: contract performance; business purpose)
  • Authenticate your account and maintain security (legal basis: legitimate interest under GDPR Art. 6(1)(f); business purpose)
  • Send you push notifications about workout reminders and training alerts (legal basis: consent under GDPR Art. 6(1)(a); you can opt out at any time)
  • Communicate with you about app updates and support (legal basis: legitimate interest; business purpose)
  • Improve app functionality and user experience (legal basis: legitimate interest; business purpose)
  • Comply with legal obligations (legal basis: legal obligation under GDPR Art. 6(1)(c))

4. Data Sharing and Third Parties

We do not sell your personal data to anyone.

We share data only with trusted service providers:

  • Supabase Inc. - Database hosting in EU region (Frankfurt, Germany)
  • RevenueCat Inc. - Subscription management (iOS/Android)
  • Apple Inc. - Authentication services (only if you use Apple Sign In)
  • Push notification services - Apple Push Notification Service (iOS) and Firebase Cloud Messaging (Android)

All service providers:

  • Process data only on our instructions
  • Maintain GDPR compliance and have signed Data Processing Agreements (DPAs)
  • Use industry-standard security measures

International Transfers: Your data is stored on Supabase servers in the EU (Frankfurt). Any necessary transfers outside the EU are protected by Standard Contractual Clauses approved by the European Commission.

5. Data Retention

  • Account Data: Deleted immediately when you delete your account
  • Fitness Content: Workout plans, exercise logs, measurements, goals, and user content are deleted immediately when you delete your account
  • Technical Logs: 30 days from recording
  • Billing Records: 5 years (legal requirement for tax purposes)
  • Support Communications: 3 years from last contact

Account Deletion: You can permanently delete your account at any time from the app settings. This action is immediate and irreversible. All your data will be permanently deleted from our servers.

6. Your Privacy Rights

For EU Users (GDPR Rights):

  • Right to access your personal data
  • Right to rectify inaccurate data
  • Right to erase your data ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

For California Users (CCPA Rights):

  • Right to know what personal data we collect, use, disclose, and sell
  • Right to delete personal data
  • Right to opt out of the sale of personal data (note: we do not sell personal data)
  • Right to non-discrimination for exercising your rights

To exercise your rights: Contact us at hello@trackist.me. We will respond within 30 days (GDPR) or 45 days (CCPA).

7. Mobile App Permissions

Trackist may request the following device permissions:

  • Push Notifications (iOS/Android): To send workout reminders and training alerts. Optional - you can manage these in app settings.

You can revoke these permissions at any time in your device settings.

8. Cookies and Tracking Technologies

Trackist uses minimal tracking technologies. We use session cookies essential for app functionality (authentication, security, user preferences). We do not use advertising cookies or third-party tracking pixels in the mobile app.

9. Data Security

We implement industry-standard security measures:

  • Encrypted data transmission between the app and our servers (TLS/SSL)
  • Secure data storage on SOC 2 Type II certified servers (AWS Frankfurt) through Supabase
  • Password encryption using bcrypt hashing
  • Access controls and authentication protection
  • Regular security monitoring and automated backups
  • Two-factor authentication for sensitive operations

While we use best practices to protect your data, no system is 100% secure. We cannot guarantee absolute security.

10. Data Breach Notification

In case of a data breach:

  • We will investigate and assess the risk within 24 hours
  • Notify relevant authorities within 72 hours (as required by GDPR)
  • Notify affected users if there is a high risk to their rights
  • Take immediate steps to mitigate the breach and prevent future incidents
  • Cooperate fully with regulatory authorities

11. Apple Sign In

If you use "Sign in with Apple":

  • Apple may share your email address (or a private relay email) and optionally your name
  • You can manage what information Apple shares in your Apple ID settings
  • Apple Sign In is an alternative to email/password registration
  • Data received via Apple Sign In is processed the same way as email registration data

12. Subscription and Payments

Payment processing is handled by RevenueCat Inc.:

  • We do not store your credit card information
  • RevenueCat only provides us with subscription status and transaction identifiers
  • Actual payment processing is handled by Apple App Store (iOS) or Google Play Store (Android)
  • For payment details, see RevenueCat's privacy policy: https://www.revenuecat.com/privacy

13. Children's Privacy

Trackist is intended for adults 18 years or older. We do not knowingly collect data from children under 18 (or 16 in the EU). If you are a parent and believe your child has provided us with personal data, please contact us at hello@trackist.me and we will delete it immediately.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. For material changes:

  • We will notify you 30 days in advance via email or in-app notification
  • Minor changes will be posted in the app with an updated effective date
  • Continued use of the app after changes means you accept the updated policy

15. International Users

Trackist is available worldwide. Your data is stored in the EU (Frankfurt, Germany) regardless of where you are located. By using the app, you consent to the transfer and processing of your data in the EU under GDPR protections.

16. Do Not Sell My Personal Information (CCPA)

We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration.

17. Your Fitness Data

Your fitness data (workouts, measurements, workout plans, exercise logs, and progress tracking) belongs to you. We process it solely to provide you with the Trackist service. You can export your data at any time by contacting us at hello@trackist.me. When you delete your account, all fitness data is permanently deleted.

Contact Us

For privacy questions, concerns, or to exercise your rights:

Email: hello@trackist.me

Mailing Address:

Softnest
ul. Ludwika Zamenhofa 2/33
33-300 Nowy Sącz
Poland