Gainflow Fitness Tracking App Logo

Privacy Policy for Gainflow

Last updated: May 9, 2026

Data Controller: The controller of your personal data is Dawid ZarΔ™ba. You can contact him regarding any data protection matters at dawid@gainflow.app.

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

At a glance: you're in control

You can turn off analytics, delete your account, or get a copy of your data β€” all without leaving the app.

  • Turn off analytics: open the app β†’ Settings β†’ Privacy β†’ toggle "Help improve Gainflow" off. We stop tracking immediately.
  • Delete your account: Settings β†’ Account β†’ Delete account. Your profile, workouts, and measurements are removed. Some data is kept briefly for backups and legal reasons (see "How long we keep data" below).
  • Export your data: email us at dawid@gainflow.app and we'll send a copy within 30 days.
  • Withdraw any consent: the same Settings β†’ Privacy screen lets you revoke consent for analytics, AI features, and coach integration anytime.
  • Questions? dawid@gainflow.app β€” we read every email.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of this Privacy Policy:

  • Account means a unique account created for You to access our Service or parts of our Service.
  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Application refers to Gainflow, the software program provided by the Company.
  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Gainflow.
  • Country refers to: Poland
  • Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
  • Personal Data is any information that relates to an identified or identifiable individual.
  • Service refers to the Application.
  • Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
  • Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
  • Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Collecting and Using Your Personal Data

Types of Data Collected

Personal Data

While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

  • Email address
  • Username
  • Usage Data
  • Push notification token (if you enable notifications)
  • Subscription status (active / trial / expired) from Apple, Google, or RevenueCat
  • Analytics events and properties β€” only if you opt in (see "Analytics & product improvement")
  • Crash reports including device info and your account ID (see "Crash & error reporting")

Usage Data

Usage Data is collected automatically when using the Service.

Usage Data may include information such as Your Device's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, Your mobile device unique ID, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.

We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

Information from Third-Party Social Media Services

The Company allows You to create an account and log in to use the Service through the following Third-party Social Media Services:

  • Google

If You decide to register through or otherwise grant us access to a Third-Party Social Media Service, We may collect Personal data that is already associated with Your Third-Party Social Media Service's account, such as Your name, Your email address, Your activities or Your contact list associated with that account.

You may also have the option of sharing additional information with the Company through Your Third-Party Social Media Service's account. If You choose to provide such information and Personal Data, during registration or otherwise, You are giving the Company permission to use, share, and store it in a manner consistent with this Privacy Policy.

Information Collected while Using the Application

While using Our Application, in order to provide features of Our Application, We may collect, with Your prior permission:

  • Information regarding your location
  • Pictures and other information from your Device's camera and photo library
  • Contacts permission

We use this information to provide features of Our Service, to improve and customize Our Service. The information may be uploaded to the Company's servers and/or a Service Provider's server or it may be simply stored on Your device.

You can enable or disable access to this information at any time, through Your Device settings.

Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
  • To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application's push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To provide You with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless You have opted not to receive such information.
  • To manage Your requests: To attend and manage Your requests to Us.
  • For business transfers: We may use Your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Data held by Us about our Service users is among the assets transferred.
  • For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Service, products, services, marketing and your experience.

We may share Your personal information in the following situations:

  • With Service Providers: We may share Your personal information with Service Providers to monitor and analyze the use of our Service, to contact You.
  • For business transfers: We may share or transfer Your personal information in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of Our business to another company.
  • With Affiliates: We may share Your information with Our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include Our parent company and any other subsidiaries, joint venture partners or other companies that We control or that are under common control with Us.
  • With business partners: We may share Your information with Our business partners to offer You certain products, services or promotions.
  • With other users: when You share personal information or otherwise interact in the public areas with other users, such information may be viewed by all users and may be publicly distributed outside. If You interact with other users or register through a Third-Party Social Media Service, Your contacts on the Third-Party Social Media Service may see Your name, profile, pictures and description of Your activity. Similarly, other users will be able to view descriptions of Your activity, communicate with You and view Your profile.
  • With Your consent: We may disclose Your personal information for any other purpose with Your consent.

How long we keep your data

We keep your data while your account is active, and for a short period after you delete it for backups and legal reasons.

When you delete your account, your profile, workouts, body measurements, and AI history are removed from our active systems. Some data may stay in encrypted backups for a limited period before being purged, and we may keep certain records longer if the law requires it (for example, tax records for paid subscriptions). Analytics data in PostHog and crash reports in Sentry are kept for the period set by those processors' default retention policies β€” we do not extend it.

Where your data lives

Most of your data stays in the EU. Some of it goes to the US under approved safeguards.

EU: your account, workouts, photos, and measurements live on our backend; PostHog analytics in Frankfurt; Sentry crash reports in Germany.

US: RevenueCat (subscription validation), Apple Sign-In, Google Sign-In, and AI features (Mistral, Gemini) may process data in the United States. These transfers rely on Standard Contractual Clauses or equivalent safeguards under GDPR Chapter V.

Delete Your Personal Data

You have the right to delete or request that We assist in deleting the Personal Data that We have collected about You.

Our Service may give You the ability to delete certain information about You from within the Service.

You may update, amend, or delete Your information at any time by signing in to Your Account, if you have one, and visiting the account settings section that allows you to manage Your personal information. You may also contact Us to request access to, correct, or delete any personal information that You have provided to Us.

Please note, however, that We may need to retain certain information when we have a legal obligation or lawful basis to do so.

Disclosure of Your Personal Data

Business Transactions

If the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.

Law enforcement

Under certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).

Other legal requirements

The Company may disclose Your Personal Data in the good faith belief that such action is necessary to:

  • Comply with a legal obligation
  • Protect and defend the rights or property of the Company
  • Prevent or investigate possible wrongdoing in connection with the Service
  • Protect the personal safety of Users of the Service or the public
  • Protect against legal liability

Security of Your Personal Data

The security of Your Personal Data is important to Us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While We strive to use commercially acceptable means to protect Your Personal Data, We cannot guarantee its absolute security.

Gainflow AI (AI Assistants)

The AI Assistant provided in the application is powered by language models from Mistral.ai and Gemini (Google LLC). When you use the Assistant, the data you input may be transmitted securely to Mistral.ai’s and Google’s servers for processing.

AI Video Analysis

Gemini (Google LLC)

To provide technical analysis of your exercise form, the Application uses Gemini language models provided by Google.

  • Data processed: Video recordings selected or recorded and uploaded by the User.
  • Purpose: Analyzing body movements, providing feedback on exercise technique, and improving user performance.
  • Processing method: Videos are transmitted to Google’s servers for processing.
  • Privacy Note: We do not use your videos for any purpose other than providing you with the analysis. We do not share these videos with any third parties except for the AI processing service (Google).

Gainflow Coach Integration

Gainflow integrates with the Gainflow Coach platform, which allows personal trainers and fitness coaches to monitor and support their clients. When You accept an invitation from a coach, certain data from Your account becomes accessible to that coach through the Gainflow Coach dashboard.

The following data may be shared with Your assigned coach:

  • Profile information: Your username, email address, and profile avatar.
  • Workout data: Your workout logs, exercise history, sets, repetitions, volume, and duration.
  • Body measurements: Weight, body composition, and other measurement data You log in the app.
  • Progress data: Your workout calendar, streaks, and progress trends over time.
  • Program compliance: Whether You are following assigned workout programs and Your completion status.

Data sharing with a coach requires Your explicit consent β€” You must accept the coach's invitation before any data is shared. You can revoke this access at any time by disconnecting from the coach through the app settings.

Your coach acts as an independent data controller for the data they access through the platform. We require coaches to handle Your data responsibly and in accordance with applicable data protection laws, but We are not responsible for how a coach uses the data outside of the Gainflow platform.

Your data is only shared with coaches You have explicitly accepted. No data is shared with other coaches, other users' coaches, or any third parties through the coach integration.

Detailed Information on the Processing of Your Personal Data

The Service Providers We use may have access to Your Personal Data. These third-party vendors collect, store, use, process and transfer information about Your activity on Our Service in accordance with their Privacy Policies.

Analytics & product improvement

We use PostHog to see which features people use, so we can fix bugs and build the right things. It's opt-in. You can turn it off anytime.

  • PostHog Inc.
      • When you tap "Allow" on the analytics consent screen, we send data to PostHog. Data location: Frankfurt, Germany (PostHog EU Cloud).
      What we send: your account ID, email, and username (so we can debug issues tied to your account); product usage events tied to your activity in the app β€” for example, when you start or complete workouts, view subscription screens, or navigate between major features (the full event taxonomy is available on request); app preferences (language, units, experience level), tutorial progress, whether you have a coach; device basics from PostHog's SDK (OS, app version, device model, IP address).
      Legal basis: your consent (GDPR Art. 6(1)(a)). You can withdraw it anytime in Settings β†’ Privacy.

Crash & error reporting

When the app crashes, we get a report so we can fix it. It does not include your workouts or messages.

  • Sentry GmbH
      • We use Sentry to capture crashes and errors. Data location: Germany.
      What we send: the error stack, the screen you were on, app version, OS, and your account ID β€” so we can reproduce the issue. We don't send the contents of your workouts, AI conversations, or measurements.
      Legal basis: legitimate interest (GDPR Art. 6(1)(f)) β€” keeping the app stable is essential to providing the service. You can object at dawid@gainflow.app.

Push notifications

We use Firebase to deliver push notifications. We do not use Firebase to track you.

  • Firebase Cloud Messaging (Google LLC)
      • When you allow notifications, your device receives a push token from Firebase Cloud Messaging, which we use to send notifications such as workout reminders and coach updates.
      We have explicitly disabled Firebase Analytics β€” we only use Firebase for delivering messages.
      To stop notifications, turn them off in your device settings or in Settings β†’ Notifications inside the app.

Platform services and hosting

These services have the purpose of hosting and running key components of this Application, therefore allowing the provision of this Application from within a unified platform. Such platforms provide a wide range of tools to the Owner – e.g. analytics, user registration, commenting, database management, e-commerce, payment processing – that imply the collection and handling of Personal Data. Some of these services work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

  • Apple App Store (Apple Inc.)
      • This Application is distributed on Apple's App Store, a platform for the distribution of mobile apps, provided by Apple Inc. By virtue of being distributed via this app store, Apple collects basic analytics and provides reporting features that enables the Owner to view usage analytics data and measure the performance of this Application. Much of this information is processed on an opt-in basis. Users may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on this page. Personal Data processed: Usage Data. Place of processing: United States – Privacy Policy.
  • Google Play Store (Google LLC)
      • This Application is distributed on the Google Play Store, a platform for the distribution of mobile apps, provided by Google LLC. By virtue of being distributed via this app store, Google collects usage and diagnostics data and share aggregate information with the Owner. Much of this information is processed on an opt-in basis. Users may opt-out of this analytics feature directly through their device settings. More information on how to manage analysis settings can be found on this page. Personal Data processed: Usage Data. Place of processing: United States – Privacy Policy.

Hosting and backend infrastructure

This type of service has the purpose of hosting Data and files that enable this Application to run and be distributed or to provide a ready-made infrastructure to run specific features or parts of this Application.

Some services among those listed below, if any, may work through geographically distributed servers, making it difficult to determine the actual location where the Personal Data are stored.

  • Vercel (Vercel Inc.)
      • Vercel is a hosting and backend service provided by Vercel Inc. Personal Data processed: Usage Data; various types of Data as specified in the privacy policy of the service. Place of processing: United States – Privacy Policy.

Subscriptions & payments

We never see your card. Apple and Google handle payments. We use RevenueCat to know whether you're a paying member.

  • Apple App Store (Apple Inc.)
      • When you subscribe on iOS, Apple processes the payment. Gainflow never receives or stores your card details. Data processed by Apple: payment info. Place of processing: United States – Apple privacy policy.
  • Google Play Store (Google Ireland Limited)
      • When you subscribe on Android, Google processes the payment. Gainflow never receives or stores your card details. Data processed by Google: payment info. Place of processing: Ireland – Google privacy policy.
  • RevenueCat, Inc.
      • We use RevenueCat to validate your subscription with Apple and Google and to tell our app whether your subscription is active, in trial, or expired. RevenueCat sees your account ID and a transaction receipt β€” not your card details. Place of processing: United States – transfers rely on Standard Contractual Clauses. RevenueCat privacy policy.

Registration and authentication

By registering or authenticating, Users allow this Application to identify them and give them access to dedicated services.
Depending on what is described below, third parties may provide registration and authentication services. In this case, this Application will be able to access some Data, stored by these third-party services, for registration or identification purposes.

  • Direct registration (this Application)
      • The User registers by filling out the registration form and providing the Personal Data directly to this Application. Personal Data processed: email address; password; username.

Social features

Users may have public profiles that other Users can display. In addition to the Personal Data provided, this profile may contain Users' interactions with this Application.
Personal Data processed: username.

Your rights

You can see, change, or delete everything we have about you.

Wherever you live, you have the right to:

  • Access a copy of your data.
  • Correct anything that's wrong.
  • Delete your account and your data.
  • Export your data in a structured, commonly used, machine-readable format.
  • Object to processing based on legitimate interest (such as crash reporting).
  • Restrict processing in certain situations.
  • Withdraw any consent you previously gave (analytics, AI features, coach integration).
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email dawid@gainflow.app β€” we'll respond within 30 days, free of charge.

California residents (CCPA): you have these same rights, plus the right to know the categories of personal data we collect and the right to opt out of any "sale" of personal information. We do not sell your personal information to anyone.

  • EU / UK residents: if you're not happy with how we handle a request, you can file a complaint with your local data protection authority. In Poland, that's the President of the Personal Data Protection Office (UODO) β€” uodo.gov.pl.
  • Direct marketing: we do not send you marketing emails unless you explicitly opt in. If you ever do, you can unsubscribe at any time using the link in the email or by emailing us.

How we handle your request: we answer requests as soon as we can β€” at the latest within 30 days. If we have to ask other processors (PostHog, Sentry, RevenueCat) to act on your behalf, we will, unless it would require disproportionate effort. We will tell you which processors received your request.

Children's Privacy

Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.

If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent's consent before We collect and use that information.

Links to Other Websites

Our Service may contain links to other websites that are not operated by Us. If You click on a third party link, You will be directed to that third party's site. We strongly advise You to review the Privacy Policy of every site You visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Changes to this Privacy Policy

We may update Our Privacy Policy from time to time. We will notify You of any changes by posting the new Privacy Policy on this page.

We will let You know via email and/or a prominent notice on Our Service, prior to the change becoming effective and update the "Last updated" date at the top of this Privacy Policy.

You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

Prevailing Language

This Privacy Policy has been translated into multiple languages for your convenience. In the event of any discrepancy or conflict between the translated versions and the original English version, the English version shall prevail.

Contact Us

If you have any questions about this Privacy Policy, You can contact us:

By email: dawid@gainflow.app