gymal-legal

Gymal Privacy Policy

Last updated: June 2026

Gymal (“Gymal”, “we”, “us”, “the App”) is a fitness and gamification app operated jointly by Igal Mekonen and Yuval Shamis, individuals residing in Israel, who are joint controllers of your personal data under the GDPR (Art. 26) and the equivalent provisions of Israeli law. This Privacy Policy explains what personal data we collect when you use the App, how we use it, how we share it, how long we keep it, and what rights you have over it. If anything is unclear, or to exercise any of the rights below, contact us at gymonzapp@gmail.com.

1. Information We Collect

Information you provide directly:

• Email, display name / Tamer Name, password (hashed by Firebase Authentication — we never see plain-text passwords)
• Fitness profile: gender (male / female / prefer-not-to-say), height (cm), weight (kg), fitness level (beginner / intermediate / professional), and an initial body-fat percentage calculated automatically from those values. You may overwrite the body-fat estimate manually.
• Equipment availability, workout split preferences, custom workout programs
• Language and theme preferences
• Feedback or bug-report text you submit

Information generated through your use of the App:

• Workout history (exercises, sets, reps, weights, dates), cardio sessions, personal records, battle history, monster/Gymal data (names, levels, stats, happiness, inventory), Coins balance, achievement and challenge progress, streaks, friend relationships

Purchase-related information:

• A purchase token (Android) or original transaction identifier (iOS) supplied by Google Play Billing or Apple StoreKit, plus the resulting subscription tier, expiry, and auto-renew status. We do NOT receive your payment card number, billing address, or other payment details — those are handled exclusively by Google Play and Apple.

We do NOT collect: precise or approximate location; HealthKit, Google Fit, or any device-sensor data; calories or heart rate; photos, microphone audio, or contacts; advertising identifiers (IDFA, AAID); browsing activity outside the App; cookies or tracking pixels.

Consequences of refusing. Email, password, display name, and the fitness profile are required to register. Other information is generated only as you use the corresponding features.

2. How We Use Your Information & Legal Basis

Each purpose is matched to its lawful basis under the GDPR and the equivalent provisions of Israel’s Privacy Protection Law:

• Create and authenticate your account — performance of the contract.
• Personalize daily workouts and balance your Gymal’s stats using your fitness profile (gender, height, weight, fitness level, body-fat estimate). The body-fat starting value is calculated automatically from height/weight/gender/fitness level — the only automated decision the App makes about you, and one that does not produce any legal or similarly significant effect on you. Because the combination of gender, body-fat estimate, weight, and height may qualify as “special category” health/biometric data under GDPR Article 9, “sensitive personal information” under the CPRA, or “especially sensitive data” under Israeli law (Amendment 13), processing of this fitness profile is carried out exclusively on the basis of your explicit consent, given through the legal-consent screen at registration and reaffirmed each time you update your fitness profile in Settings — legal basis: GDPR Art. 9(2)(a) explicit consent (and equivalent provisions of Israeli and California law). You may withdraw this consent at any time by deleting your account; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Track your progress (workouts, PRs, streaks, achievements, challenges, battle history) — performance of the contract.
• Enable social features (friends, leaderboards, rivals) — performance of the contract and our legitimate interest in providing a social experience.
• Process in-app purchases and verify subscriptions — performance of the contract.
• Send account-related emails (verification, password reset, security notices) — performance of the contract and our legitimate interest in account security.
• Respond to feedback and bug reports — our legitimate interest in operating and improving the App.
• Maintain platform safety: review and act on moderation reports submitted about other users — our legitimate interest in preventing harassment, abuse, and fraud on the platform.
• Comply with legal obligations and retain proof of consent — legal obligation.

We do NOT use your information for advertising, profiling for marketing, behavioral targeting, or sale to third parties.

3. How We Share Your Information

Service providers (processors) acting on our behalf:

• Google Cloud / Firebase (Google LLC) — hosts Firestore (database) and Firebase Authentication.
• Cloudflare Workers (Cloudflare, Inc.) — runs our purchase-verification backend. Your device sends your account ID and the purchase token / original transaction identifier; the backend verifies with Google Play or Apple and writes the resulting subscription state to Firestore. It does not store data outside Firestore.
• Google Play Billing (Android) and Apple App Store / StoreKit (iOS) — process payments and provide purchase confirmations. They are the controllers of your payment data.
• Google Sign-In — if you sign in with Google, handles authentication; we receive only the basic profile (email, display name).
• Sign in with Apple (Apple Inc.) — if you sign in with Apple on iOS, handles authentication; we receive your Apple user identifier and the email address you authorize. If you use Apple’s “Hide My Email” feature, the address we receive is an anonymized Apple private-relay address (ending in @privaterelay.appleid.com) that forwards to your real inbox — we never see your real email address.
• Resend (Resend, Inc.) — our transactional email provider. It delivers our account emails (address verification, password reset, security notices) from noreply@gymalapp.com, and for that purpose receives your email address and the contents of those messages. It does not use your address for any other purpose.

Other users of the App:

• Friends you add can see your display name, avatar, monster roster, simple progress indicators (e.g., win streak), and aggregate stats. We never expose your email, password, workout details, settings, body measurements, or fitness profile to other users.
• Leaderboards may show your display name alongside an aggregate stat such as total power, level, or streak length.

Legal disclosure. We may disclose information if required by a binding legal request from a competent authority, or if necessary to protect rights and safety, in each case to the minimum extent legally required.

We do NOT sell, rent, or trade your personal information. We do NOT share data with advertisers, data brokers, or analytics providers — the App contains no third-party analytics or crash-reporting SDK.

4. Data Storage, Security & International Transfers

Your data is stored on Google Cloud Firestore. Google Cloud operates data centers worldwide. If you use the App from the EEA, UK, or Israel, your data may be transferred to and stored on Google Cloud servers outside your country of residence, including in the United States. Transfers are protected by:

• the European Commission’s Standard Contractual Clauses (SCCs) and/or the EU-U.S. Data Privacy Framework, as contracted between us and Google Cloud;
• equivalent transfer safeguards under the UK International Data Transfer Agreement (IDTA) and Israeli law.

Security relies on Firebase Authentication and Firestore: encryption in transit (TLS/HTTPS), encryption at rest, hashed and salted passwords, and Firestore security rules that limit each user to their own data.

No system is perfectly secure. We make a good-faith effort to safeguard your information but cannot guarantee absolute security. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities and you in accordance with applicable law.

5. Your Rights

Wherever you live, you have the rights to:

• Access — request a copy of your personal data.
• Correction / rectification — change inaccurate data. You can change display name, email, fitness profile, and preferences directly in the App; contact us for other corrections.
• Deletion / erasure — delete your account and all associated data from Settings → Account → Delete account.
• Portability — request your data in a structured, machine-readable format.
• Restriction of processing — ask us to pause processing while we investigate a request.
• Objection — object to processing based on our legitimate interest (e.g., leaderboards).
• Withdraw consent — where processing is based on consent, you may withdraw it at any time.
• Lodge a complaint with your local supervisory authority (see Sections 6, 7, 8).

To exercise any right, email gymonzapp@gmail.com from the address on your account. We will respond within the time required by law — generally 30 days under GDPR and Israeli law, 45 days under CCPA.

6. EEA / UK / GDPR Rights

If you are in the EEA, UK, or Switzerland, GDPR / UK GDPR gives you the rights in Section 5, plus:

• The right to lodge a complaint with your local Data Protection Authority. EU authorities are listed at edpb.europa.eu. UK users may contact the ICO at ico.org.uk.
• The right to be informed of the lawful basis for each purpose (Section 2) and of international transfers and their safeguards (Section 4).

EU Representative (GDPR Art. 27): [EU REPRESENTATIVE TBD — appointment in progress. Until completed, EEA/UK users may direct questions to gymonzapp@gmail.com.]

7. Israeli Privacy Rights

If you are located in Israel, your data is processed in accordance with the Protection of Privacy Law, 5741-1981, as amended (including Amendment 13, in force from August 14, 2025). You have the rights in Section 5. In addition:

• You may lodge a complaint with the Israeli Privacy Protection Authority (PPA), Ministry of Justice — gov.il/en/departments/the_privacy_protection_authority.
• You have the right to be informed of collection purposes, data recipients, and consequences of refusal — set out in Sections 1, 2, and 3.

Data Protection Officer (DPO): [DPO TBD — appointment in progress under Amendment 13. Until completed, Israeli users may direct questions to gymonzapp@gmail.com.]

8. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you these additional rights.

Categories of personal information we collect (using CCPA’s defined categories). The categories below describe the personal information we have collected, used, and disclosed for a business purpose in the preceding 12 months. We have NOT sold or shared personal information in the preceding 12 months (CCPA §1798.115).

• Identifiers — email (if you use Sign in with Apple’s “Hide My Email”, this is an anonymized Apple private-relay address ending in @privaterelay.appleid.com), account ID, display name, and — if you sign in with Apple — the Apple user identifier linked to your account
• Customer records — password (hashed), fitness profile
• Commercial information — purchase history, subscription tier, Apple original transaction identifier (iOS) or Google Play purchase token (Android)
• Internet activity — your in-App activity (we do NOT collect external browsing)
• Inferences — the body-fat starting estimate computed from your fitness profile

Sources: directly from you; generated by your use of the App.

Business purposes: as set out in Section 2.

Sensitive Personal Information. Your gender and the body-fat estimate may qualify as Sensitive Personal Information under CPRA. We use this information solely to provide the App’s core service (personalizing workouts and balancing Gymal stats) and for no other purpose. Because we only use SPI for permitted business-service purposes, we are not required to offer a “Limit the Use of My Sensitive Personal Information” link.

Subscription and purchase data linked to your account. When you purchase a subscription, your purchase history, subscription tier, expiry, auto-renew status, and the Apple original transaction identifier (iOS) or Google Play purchase token (Android) are linked to your account ID in our database. Apple App Store guideline 5.1.1(i) and the CPRA require us to make this linkage explicit so that you understand subscription and transaction data are not anonymous in our system, even though we never see your payment card or billing address (those remain with Apple or Google). Purchase data is treated as “Commercial information” under the CCPA and is subject to all rights described in this Section 8.

Your rights: to know, delete, correct, opt out of sale/share (we do not sell or share), and non-discrimination. We do not sell or share personal information for cross-context behavioral advertising. You will not be denied service or charged differently for exercising any right.

To submit a request: email gymonzapp@gmail.com. We verify identity by confirming you can receive mail at the account email. Authorized agents may submit requests with proof of authorization.

9. Children’s Privacy

Gymal is not intended for and is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. During registration, users confirm they are at least 13.

Notice for EEA / UK users. Under GDPR Article 8, the digital age of consent for online services varies by member state (13 to 16). In Germany, the Netherlands, and Luxembourg the age is 16; in France, 15; in Austria, 14. If you are below the digital age of consent in your member state, do not use the App without the consent of the holder of parental responsibility. We encourage parents to review this policy with their child.

If you believe a child under the applicable age has provided us data, contact gymonzapp@gmail.com and we will delete it promptly.

10. Data Retention

We retain most of your data for as long as your account is active. As an exception, three kinds of history are deleted automatically on a rolling schedule based on your subscription tier, even while your account stays active: your workout logs, your cardio-session logs, and your rivals (battle) history. Each such record is stamped with an expiry date when it is created, and is then pruned automatically by our database once that date passes. On the Free tier, workout and cardio logs are kept for about 4 months and rivals history for about 1 month; on the Pro tier, all three are kept for 1 year; on the Max tier they are kept for as long as your account exists. This automatic clean-up removes only old history entries — it does not affect your account, your Gymals, their stats, your personal records, streaks, or lifetime totals.

When you delete your account from within the App:

• Account profile, monsters, workouts, cardio, achievements, inventory, friends, battle history, personal records, custom programs — deleted from our database immediately on request. Backups and replicas may retain copies for up to 30 days before being overwritten.
• Subscription state — deleted with your account. Cancellation behavior is platform-specific (see our Terms of Service Section 3): on Android, we send a best-effort server-side cancellation request to Google Play on account deletion; on iOS we have no ability to cancel and you must cancel through Apple’s subscription settings yourself.
• Legal-consent records (proof you accepted our Terms and Privacy Policy at registration: email, display name, consent type and version, timestamp) — retained up to seven (7) years after account deletion, for the purpose of defending legal claims and complying with legal obligations. After seven years they are deleted, unless we are subject to a litigation hold. Legal basis: our legitimate interest in defending legal claims and our legal obligation under Israeli and EU/UK law.
• Feedback and bug reports you submitted — retained indefinitely after account deletion, in anonymized form where reasonably possible, for the purposes of reviewing reported issues, identifying abuse patterns, and improving the App. Legal basis: our legitimate interest in operating a safe and functional service.
• Moderation reports submitted about other users (Settings → Report user) — retained indefinitely after account deletion. These records are write-only from the user side and cannot be retrieved or deleted by clients, so that bad-faith deletions cannot erase a history of misconduct. Legal basis: our legitimate interest in maintaining platform safety and preventing harassment / abuse, and our legal obligation to maintain records of moderation decisions.
• Purchase ledger entries (in the purchaseLedger collection, written by our purchase-verification backend on each transaction: purchase token / original transaction identifier, product, timestamp) — retained for seven (7) years after the corresponding subscription ends or account is deleted, for tax, audit, anti-fraud, and refund-dispute purposes. Legal basis: our legal obligation under tax and consumer-protection law and our legitimate interest in fraud prevention.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last Updated” date at the top. Material changes will be announced in the App or by email at your account address before the change takes effect. Continued use after the effective date constitutes acceptance.

12. Contact

Email: gymonzapp@gmail.com

Joint Controllers: Igal Mekonen and Yuval Shamis, Israel (individuals / joint developers). A Data Protection Officer (for Israeli law) and an EU Representative (for the GDPR) are being appointed. Until appointments are complete, please use the email above and we will respond within the time required by applicable law.