Privacy Policy for Repgrit
Effective Date: May 10, 2026
This Privacy Policy explains how Repgrit ("Repgrit", "we", "us") processes information when you use the Repgrit iOS app and the Repgrit website.
1. Data Controller
Controller: Denis Kobliha (IČO: 09570446)
Business address: Březnice 642, 760 01, Czech Republic
Contact: support@repgrit.com
If you are in the EEA/UK/Switzerland, Repgrit acts as the "controller" of your personal data (GDPR/UK GDPR terminology).
2. What We Process
A. Account Data
When you sign in using Sign in with Apple, we process:
- Email address (if provided by Apple)
- User identifier (your Supabase user ID)
B. Profile & Preferences
We process profile settings stored in our backend, such as:
- Experience level
- Preferred units
- Timezone
C. Workout Data (User Content)
We process the content you create in the app, including:
- Workout notes you type (raw text)
- Structured workout data derived from notes (e.g., exercises, sets, reps, weight)
- Timestamps (created/updated time)
D. Apple Health Data (Optional)
If you connect Apple Health, Repgrit may read certain HealthKit data, such as:
- Sleep analysis
- Heart Rate Variability (HRV)
- Resting heart rate
- Steps
- Other recovery-related metrics shown in the app
E. Subscription Data
If you purchase Repgrit Pro, Apple processes payments. Repgrit does not receive your payment card or billing details. Repgrit receives and stores limited subscription entitlement information needed to unlock Pro features, such as your current entitlement tier, source, and expiry time.
If you bought Repgrit through the App Store and delete your Repgrit account, we may keep a minimal subscription-claim record so that an active paid entitlement can be restored later and cannot be claimed by another active account. This record contains the App Store original transaction identifier, App Store environment, a hash of the App Store app account token, product metadata, validity timestamps, transfer counters, and a nullable Repgrit user ID. If account deletion is processed as a recoverable soft delete, the nullable Repgrit user ID may remain linked during the restore/recovery window until hard deletion, a successful restore transfer, or retention cleanup. We do not keep the raw App Store transaction payload, raw app account token, email, billing details, workout notes, HealthKit data, AI prompts/responses, or training content in this record. We retain expired claim records for up to 24 months after subscription expiry or last claim, then delete them.
F. Website Data
We use self-hosted Umami analytics on the Repgrit website only after you enable optional analytics. Umami runs on Repgrit-controlled infrastructure in the EU and is used for aggregate visit and call-to-action (CTA) metrics. We do not use analytics for advertising targeting or cross-site tracking. We store one strictly necessary cookie and one local storage value solely to remember your consent choice.
G. Diagnostic Data
We aim to minimize logging. The app may generate standard device logs for troubleshooting. Our backend logs operational metadata needed for security, reliability, abuse prevention, and quota enforcement, but we do not intentionally log your workout notes or AI prompts/responses.
H. Support Requests
If you contact us for support, we may process your email address and the content of your message to respond to your request.
3. Why We Process Data (Purposes)
We process your data to:
- Provide core app functionality (workout tracking, parsing, stats, coaching insights)
- Sync your data across devices
- Provide optional Apple Health based recovery features
- Provide customer support and respond to requests
- Handle subscriptions and entitlements
- Protect the service from abuse, troubleshoot operational issues, and maintain security
- Run consent-based website analytics if you opt in on repgrit.com
4. AI / LLM Processing
Repgrit can use a third-party LLM provider (OpenRouter) to convert workout notes into structured workout data, and to assist with import-related translation/matching. OpenRouter may route a request to the model provider configured for that request.
When this feature is used, relevant workout text (and import text) is sent to our backend proxy, which then sends the request to the configured LLM provider for processing. We aim to send only the text needed for the specific AI feature. You should avoid entering unnecessary sensitive personal information into free-form notes.
We use this server-side architecture to avoid exposing provider credentials in the iOS app and to keep tighter control over logging, access, and vendor configuration.
Repgrit does not intentionally retain AI prompts or AI responses in its logs. OpenRouter requests are sent with data-collection and zero-data-retention restrictions where our configuration and the routed model provider support them. OpenRouter and the routed model provider still process the request transiently to return the feature output, and may process limited metadata for security, reliability, or abuse prevention under their own terms.
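As an added illustration for this page (example code written here, not Repgrit's own backend code), the following Python sketch shows the shape of the proxy behaviour described above: the iOS client never holds a provider credential, the proxy strips obvious identifiers and caps prompt length before forwarding, and the only thing it hands to the logger is the metadata listed in section 8 (operation, prompt length, status, elapsed time, redaction count, truncation flag). The character limit, the redaction patterns, the function names, the sample note and the stubbed provider call are all assumptions made for the illustration.

```python
import re
import time
from dataclasses import dataclass, asdict

# Assumptions for this illustration: a character cap and two redaction patterns.
# Neither value is taken from Repgrit's real configuration.
MAX_PROMPT_CHARS = 2000
REDACTION_PATTERNS = [
    # email addresses typed into free-form notes
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    # international phone numbers written with a leading '+'
    # (sets, reps and weights in a workout note never start with '+')
    (re.compile(r"\+\d[\d ]{6,14}\d"), "[PHONE]"),
]


@dataclass
class RequestMetadata:
    """The only fields the proxy hands to the logger; prompt and response are not among them."""
    operation: str
    prompt_length: int
    status: str
    elapsed_ms: int
    redaction_count: int
    truncated: bool


def minimize_prompt(text, max_chars=MAX_PROMPT_CHARS):
    """Redact obvious identifiers and cap the length before anything leaves the backend.

    Returns (minimized_text, redaction_count, truncated).
    """
    count = 0
    for pattern, replacement in REDACTION_PATTERNS:
        text, n = pattern.subn(replacement, text)
        count += n
    truncated = len(text) > max_chars
    if truncated:
        text = text[:max_chars]
    return text, count, truncated


def proxy_parse_request(operation, note_text, call_provider):
    """Forward a minimized note to the LLM provider and return (response, metadata).

    call_provider is the server-side call that holds the provider credential; the iOS
    client only ever talks to this proxy. Only the metadata is meant to reach logs.
    """
    started = time.monotonic()
    prompt, redactions, truncated = minimize_prompt(note_text)
    status, response = "ok", None
    try:
        response = call_provider(prompt)
    except Exception:  # provider timeout, quota error, malformed reply, ...
        status = "provider_error"
    elapsed_ms = int((time.monotonic() - started) * 1000)
    meta = RequestMetadata(operation, len(prompt), status, elapsed_ms, redactions, truncated)
    return response, meta


def log_record(meta):
    """Serialize metadata for the operational log; the record has no prompt/response field."""
    return asdict(meta)


if __name__ == "__main__":
    # Constructed sample note and a stubbed provider so the sketch runs offline.
    sample_note = "Bench 5x5 @ 80 kg, felt tired. Mail john@example.com or call +420 777 123 456"

    def fake_provider(prompt):
        return {"exercises": [{"name": "Bench", "sets": 5, "reps": 5, "weight_kg": 80}]}

    response, meta = proxy_parse_request("parse_workout", sample_note, fake_provider)
    print(response)
    print(log_record(meta))  # redaction_count is 2 and the record carries no note text
```

The practical point is that the log record type simply has no field in which prompt text could land, so "we do not intentionally log prompts" is enforced by the data shape rather than by discipline at each call site.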
5. Legal Bases (GDPR)
If you are in the EEA/UK/Switzerland, our main legal bases are:
- Performance of a contract (Art. 6(1)(b)): to provide the app features you request (account, sync, workout storage, parsing).
- Consent (Art. 6(1)(a)): for optional features such as Apple Health connectivity and optional website analytics. You can withdraw Apple Health consent by disconnecting Apple Health in the app and/or changing permissions in iOS Settings. You can withdraw website analytics consent through the website cookie controls.
- Legitimate interests (Art. 6(1)(f)): for service security, abuse prevention, operational troubleshooting, and limited support record keeping, where those interests are not overridden by your rights.
- Explicit consent (Art. 9(2)(a)): for optional Apple Health access and related recovery features when that data is considered health data under GDPR.
Workout logs and training notes can be health-like because they describe exercise, performance, pain, fatigue, or recovery. We process this data to provide the workout tracking service you request, and we apply extra safeguards such as access controls, backend row-level security, prompt minimization, and blocking Apple Health/recovery-derived data from external AI flows.
6. Sharing & Processors
We share data with the following categories of processors to operate Repgrit:
- Hetzner (hosting provider): we host our backend infrastructure (including a self-hosted Supabase stack) on Hetzner VPS in the EU.
- OpenRouter and routed model providers: LLM APIs used, via our backend proxy, to parse workout notes and assist import.
- Apple: App Store distribution, payments, and subscription infrastructure (StoreKit).
- Self-hosted Umami analytics: website analytics on repgrit.com only if you opt in.
We do not sell your personal data and we do not use third-party advertising SDKs.
7. International Transfers
Our primary application hosting is in the EU. However, some service providers we use for specific features may process data outside the EEA.
In particular, if you use AI features, the relevant workout or import text may be processed by OpenRouter and the routed model provider for that request. This means personal data included in that text may be transferred to and processed outside the EEA, including in the United States.
Where required, we rely on appropriate safeguards for such transfers, such as contractual commitments and the European Commission's Standard Contractual Clauses (SCCs).
8. Retention & Deletion
- We retain synced account, profile, and workout data while your account is active.
- We retain backend subscription entitlement state while needed to provide Pro access and sync subscription status.
- We retain operational AI request metadata, such as operation, prompt length, status, elapsed time, redaction count, and truncation flag, for short-term security, reliability, abuse prevention, and quota enforcement. We do not intentionally retain AI prompts or AI responses in Repgrit logs.
- We retain support emails and deletion/privacy correspondence as long as needed to handle the request and for operational or legal evidence, generally up to 24 months after closure unless a longer period is required or permitted by law.
- Website analytics consent state is stored for up to 180 days unless you change or clear it earlier through the website cookie controls.
- You can delete your account in the app (Settings → Delete Account). This deletes your Supabase user account and, via cascading deletion, your profile, entitlement row, synced workouts, and server-side quota/action rows linked to your account.
- On-device data can be removed by deleting the app from your device. The in-app Delete Account flow also attempts to wipe user-specific local data such as local workout state, templates, custom exercises, import mappings, sync cursors, coach cache, rest timer/session state, HealthKit permission flags, and export temp files.
Operational backups may retain deleted data for a limited period after deletion: backup retention is 30 days.
9. Security
We apply reasonable technical and organizational measures, including:
- Encryption in transit (HTTPS/TLS)
- Access controls and least-privilege access
- Row Level Security (RLS) in the database, so that each authenticated user can only read and write the rows linked to their own user ID
- Server-side handling of AI provider credentials rather than embedding them in the iOS client
10. Your Rights
Where applicable, you have rights including:
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction (Art. 18)
- Portability (Art. 20)
- Objection (Art. 21)
- Withdrawal of consent (where consent is used)
To exercise rights, use in-app tools (export/delete) or contact support@repgrit.com. We may need to verify your identity and will respond within the legally required timeframe (one month under GDPR, extendable by up to two further months for complex or numerous requests, in which case we will tell you).
You also have the right to lodge a complaint with your local supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ).
11. Children's Privacy
Repgrit is not directed to children. If you are under the age required in your country to use online services, use Repgrit only with parent or guardian permission. We do not knowingly collect personal data from children in violation of applicable law.
12. Medical Disclaimer
Repgrit is NOT medical advice. The app is for informational and tracking purposes only. Always consult a healthcare professional before starting or changing an exercise routine. Use of Repgrit is at your own risk.
13. Changes
We may update this Privacy Policy from time to time. We will update the effective date above and, where required, provide notice in the app or on our website.
14. Contact
Questions or requests: support@repgrit.com