App Privacy Policy
Privacy at a Glance
RepGain is designed to keep your fitness data private. Your workout logs, templates, and settings are stored entirely on your device and never transmitted to any server we control. The limited data listed below is shared with third parties only for analytics and subscription management.
- Workout data — on-device only, never leaves your iPhone
- Analytics — anonymous behavioral events sent to PostHog (EU servers); no fitness content included
- Subscription status — anonymous subscriber ID sent to RevenueCat (US servers, SCCs apply)
- Push tokens — managed by Apple APNs; not stored by us
- No name, email, Apple ID, location, health data, or payment details are ever collected by us
1. Data Controller
The developer is established in Germany (European Union) and acts as the data controller under the GDPR. No Data Protection Officer is required (processing is not large-scale and the developer is not a public authority). No EU representative is required (the controller is already established in the EU).
2. Data Stored on Your Device Only
The following data is created and stored locally on your iPhone using on-device storage. It is never uploaded to, transmitted to, or accessible by us or any third party:
- Workout sessions: exercises, sets, reps, weight, rest times, timestamps
- Workout templates: routine names, exercise selections, set configurations, target weights
- Custom exercises you create
- App settings: weight unit (kg/lbs), rest timer defaults, weekly goal, bodyweight, weekly schedule, notification preferences
This data is protected by your device's iOS encryption and app sandbox. You can export a full JSON backup, import it on another device, or permanently delete all of it at any time from the Profile tab → Your Data.
iCloud Backup: If you have iCloud Backup enabled on your iPhone, your on-device RepGain data may be included in your iCloud backup. iCloud backups are stored and governed by Apple Inc. and subject to Apple's Privacy Policy. You can exclude RepGain from iCloud backups in iOS Settings → [Your Name] → iCloud → Show All → RepGain.
3. Analytics Data — PostHog
We use PostHog to understand how the app is used so we can improve it. PostHog runs on EU servers (eu.posthog.com); no data is transferred outside the European Union.
What PostHog collects
- A random, anonymous device ID — not linked to your name, email, Apple ID, or any identity
- Device type, OS version, and app version
- Country (derived from your IP address at the moment of ingestion; the IP itself is not stored)
- Behavioral events: screens visited, workout started / finished / cancelled, paywall viewed, plan selected, purchase started / completed / failed, settings changed, onboarding steps completed
What PostHog does NOT collect
- Exercise names, weights, reps, or any workout content — this data stays on-device
- Your name, email address, or Apple ID
- Precise location or GPS data
- Health data
Legal basis (EU/GDPR): Art. 6(1)(f) — legitimate interest in understanding product usage to improve the app. The analytics are anonymous, limited to behavioral events, and involve no fitness content. Data location: European Union (eu.posthog.com). A Data Processing Agreement (DPA) is in place with PostHog. See the PostHog Privacy Policy for details.
Right to object (Art. 21 GDPR): You can opt out of analytics at any time via Profile → Privacy → Share Analytics in the app. Opting out calls posthog.optOutCapturing() and stops all future data collection for your device. Opting out does not affect previously collected anonymous data.
4. Subscription Management — RevenueCat
RepGain Pro subscriptions are managed through RevenueCat (RevenueCat, Inc., 633 Tasman St., San Francisco, CA 94107, USA).
What RevenueCat receives
- An anonymous App Store subscriber ID (not your Apple ID or personal identity)
- Subscription status: active, expired, trial, grace period
- Product identifier (monthly or annual plan)
- Purchase timestamp and renewal / cancellation events
RevenueCat does not receive your payment card details — all payment processing is handled exclusively by Apple. Legal basis (EU/GDPR): Art. 6(1)(b) — performance of a contract (necessary to manage your subscription entitlements). Data location: United States. Transfer is covered by Standard Contractual Clauses (SCCs). A Data Processing Agreement is in place. See the RevenueCat Privacy Policy for details.
5. Push Notifications — Apple APNs
If you grant notification permission, Apple generates a device push token that allows us to send you workout reminders. This token is managed by Apple's Push Notification Service (APNs) and is not stored on any server we control. All reminder scheduling happens locally on your device. You can revoke notification permission at any time in iOS Settings → RepGain → Notifications. Legal basis: Art. 6(1)(a) GDPR — your consent when granting notification permission.
6. In-App Purchases — Apple
All payments for RepGain Pro are processed by Apple Inc. through the App Store. We never receive or store payment card details. Apple's handling of payment data is governed by Apple's Privacy Policy. To manage or cancel your subscription, go to Settings → [Your Name] → Subscriptions on your iPhone.
7. Data We Do Not Collect
To be explicit, RepGain does not collect:
- Your name, email address, or Apple ID
- Precise GPS location or geolocation data
- Photos, camera, or microphone data
- Health data from Apple HealthKit
- Payment card details
- Biometric identifiers
- Data from other apps
- Exercise names, weights, reps, or set types (these remain on-device)
- Any data that could directly identify you as an individual
8. Third-Party Service Providers
A summary of the third parties that receive data when you use RepGain:
- PostHog — product analytics; anonymous device ID, event names, OS/app version, country; EU servers (eu.posthog.com); DPA in place; no US transfer
- RevenueCat — subscription management; anonymous App Store subscriber ID, subscription status; US servers; covered by SCCs; DPA in place; SOC 2 Type II certified
- Apple Inc. — App Store distribution, payment processing, push notifications; governed by Apple's own privacy framework; global infrastructure
No other third-party SDKs that collect personal data are integrated in RepGain.
9. International Data Transfers
PostHog: Data is processed on EU servers (eu.posthog.com). No transfer outside the EU/EEA occurs.
RevenueCat: Data is processed in the United States. Transfer from the EU is covered by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
Apple: Apple operates a global infrastructure with privacy commitments described in its privacy policy.
10. Data Retention
- On-device data: Retained until you delete it via Profile → Your Data → Delete All Data, or until you delete the app.
- PostHog analytics: Retained for 12 months from the date of collection, after which event data is deleted. As the data is anonymous, individual deletion requests cannot be fulfilled, but the data cannot be linked to you.
- RevenueCat subscription data: Retained for the duration of your active subscription and for up to 10 years thereafter, as required under German commercial and tax law (§ 147 Abs. 1 AO; § 257 Abs. 1 HGB) for accounting and business records.
- Email correspondence: Retained for as long as needed to resolve your inquiry, then deleted.
11. Children's Privacy
RepGain is not directed at children. The minimum age to use the app is 13 years globally and 16 years in EU member states that have raised the digital consent age under Art. 8 GDPR. We do not knowingly collect personal data from users under these ages. The app does not require an account and stores no fitness data off-device, minimizing privacy risks for all users. If you believe a child has provided data, contact us at support@repgain.app and we will address it promptly.
12. Security
- All local data is protected by iOS device encryption and the app sandbox
- All third-party communications use TLS 1.2 or higher
- No user accounts means no passwords and no credential breach risk
- Data minimization is applied throughout — we only collect what is necessary
- PostHog and RevenueCat both hold SOC 2 Type II certification
13. Your Rights — EU/EEA (GDPR)
If you are in the EU or EEA, you have the following rights under the GDPR, to be fulfilled within 30 days (extendable by 60 days for complex requests):
- Access (Art. 15): Request a copy of data we hold about you.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your data. For on-device data, use the in-app Delete All Data function.
- Restriction (Art. 18): Request that we restrict processing in certain circumstances.
- Portability (Art. 20): Request your data in a machine-readable format. Use the in-app Download My Data function for a complete JSON export.
- Objection (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent (Art. 7(3)): Withdraw any consent you have given (e.g., push notifications) at any time without affecting prior processing.
- Lodge a complaint: File a complaint with the supervisory authority in your country of residence. Our lead supervisory authority is the LDI NRW (Germany): www.ldi.nrw.de.
To exercise your rights, contact: support@repgain.app. We respond within 5 business days for general inquiries and within the statutory deadline for formal rights requests.
14. Your Rights — California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA may apply. You have the right to:
- Know what personal information we collect, use, disclose, or sell
- Delete personal information we hold about you (use in-app Delete All Data)
- Correct inaccurate personal information
- Opt out of sale or sharing — we do not sell or share personal information for cross-context behavioral advertising. No "Do Not Sell" opt-out is required.
- Non-discrimination for exercising your rights
PostHog analytics events do not include fitness content. However, to the extent PostHog data constitutes sensitive personal information (device identifiers) under the CPRA, we use it solely to provide and improve the service and do not use it for advertising. To exercise your rights, contact support@repgain.app. We respond within 45 days.
15. Your Rights — Washington State (My Health My Data Act)
The Washington My Health My Data Act (MHMDA, effective March 2024) applies to consumer health data regardless of business size. Workout and exercise data qualifies as consumer health data under the MHMDA. Because all workout data in RepGain is stored locally on your device only and is never transmitted to us or third parties, we do not process consumer health data within the meaning of the Act. Analytics data sent to PostHog contains no exercise names, weights, reps, or any fitness content.
You retain full control over your health data through the in-app tools: Download My Data (export) and Delete All Data (permanent deletion). No authorization is required to delete your local data — it is yours and under your control at all times.
16. Your Rights — Canada (PIPEDA / Quebec Law 25)
If you are in Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies. Quebec residents are additionally covered by Law 25 (Act Respecting the Protection of Personal Information in the Private Sector), one of the strictest privacy laws in Canada.
- Accountability: Mats Jan Biefang is the designated privacy officer for RepGain.
- Purpose limitation: Data is collected only for specified purposes (analytics, subscription management) as described in this policy.
- Access & portability: You can export all your data via the in-app Download My Data function (satisfies PIPEDA access right and Quebec Law 25 portability right).
- Deletion: You can permanently delete all local data via the in-app Delete All Data function.
- Breach notification: In the event of a breach involving real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada (OPC) and, for Quebec residents, the Commission d'accès à l'information (CAI) within 72 hours, and affected individuals without undue delay.
Privacy complaint bodies:
- Office of the Privacy Commissioner of Canada: priv.gc.ca / 1-800-282-1376
- Quebec residents: Commission d'accès à l'information: cai.gouv.qc.ca
To exercise your rights under PIPEDA or Quebec Law 25, contact support@repgain.app.
17. Managing Your Data In-App
RepGain provides three built-in data management tools in the Profile tab → Your Data:
- Download My Data: Exports a complete JSON backup of all workouts, templates, custom exercises, and settings. Satisfies GDPR Art. 20 (data portability), CCPA portability, and Quebec Law 25 portability.
- Import from Backup: Restores data from a JSON backup file — useful when switching devices.
- Delete All Data: Permanently and irreversibly deletes all local workout data, templates, and settings. Satisfies GDPR erasure (Art. 17), CCPA deletion, and Washington MHMDA deletion right.
18. Changes to This Policy
We will update the "Last updated" date at the top of this page when material changes are made. We encourage you to review this policy periodically. Continued use of the app after changes take effect constitutes your acceptance of the updated policy.
19. Contact
For all privacy inquiries, rights requests, or concerns, contact support@repgain.app.
We aim to respond to general inquiries within 5 business days, and to formal data subject rights requests within the statutory deadline (30 days under GDPR, 45 days under CCPA).