
Privacy Policy

Last updated 5 June 2026

Who we are

GymBro (“we”, “us”, “our”) is an AI-powered gym coaching application available on the web, iOS App Store, and Google Play Store. Our website is www.gymbro.com.au.

This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have. It applies to all users of the GymBro website, iOS app, and Android app.

What data we collect

Account information. When you create an account we collect your email address and password. Your password is stored as a one-way salted hash by our authentication provider (Supabase Auth) and is never stored or transmitted in plain text.

Profile information. Information you provide during onboarding or in your profile settings — name, age, sex, body weight, height, training goal, experience level, training days per week, injuries, available equipment, and coaching style preference.

Workout and training data. Everything you log or upload — sets, reps, weights, RPE, rest times, exercise names, workout names, routines, session durations, and any notes you add.

Health data. If you grant permission, we read step count and sleep duration from Apple Health (iOS) or Google Health Connect (Android). If your device tracks sleep stages (e.g. Apple Watch or compatible wearable), we also read the breakdown of light, deep, REM, and awake periods. We only read the specific data types you authorise. We do not write to or modify your health data without your explicit consent.

Progress photos. If you use the progress photo feature, images you upload are stored securely and associated with your account. Photos are only visible to you and your assigned coach (if applicable).

Check-in and daily tracker data. Responses to check-in questionnaires, daily nutrition logs (calories, macros), water intake, body weight entries, and any other data you submit through the daily tracker.

Coach-client relationship data. If you are a coach, we store your business name, bio, brand colour, and contact email. If you are a coached client, we store the relationship between your account and your coach's account, including invite status and any notes your coach adds to your profile.

AI coaching data. When you request a training audit, workout debrief, in-session analysis, or use the chat feature, we package the relevant slice of your training data into a prompt and send it to our AI provider to generate a coaching response. The prompt does not include your email address. Both the prompt and the response are stored in our database.

Device and usage data. Our hosting provider (Vercel) automatically records standard server logs including IP address, user agent string, and request timestamps. We do not run any third-party analytics, advertising trackers, or fingerprinting scripts.

How we use your data

  • To create and maintain your account and sign you in.
  • To compute training statistics (volume, frequency, movement balance, progression trends) that drive the coaching experience.
  • To generate AI coaching responses by sending packaged training data to our AI provider on your behalf.
  • To enable coaches to view their clients' training data, assign programs, and provide coaching.
  • To send transactional emails (password resets, coach invites).
  • To send push notifications for workout reminders, check-in reminders, and daily tracker nudges — only if enabled.
  • To operate, maintain, and improve the service.

We do not sell your data. We do not share your data with advertisers. We do not use your data to train any AI model of our own. We do not use your data for cross-app tracking.

Third-party service providers

We share data with the following providers, strictly for the purposes described. Each provider processes data under their own privacy policy and data processing terms.

  • Supabase (database and authentication) — stores your account, profile, workout data, coaching reports, and all other application data. Passwords are stored only as hashes managed by Supabase Auth. Supabase also sends password-reset emails via their built-in email service.
  • OpenAI (AI coaching responses) — receives packaged training data when you request an audit, debrief, analysis, or chat response. Your email address is not included in data sent to OpenAI. Under OpenAI's API data usage policy, API inputs and outputs are not used to train their models.
  • Resend (transactional email) — delivers coach invite emails. Resend receives only the recipient email address and the email content.
  • Vercel (hosting) — hosts the web application and processes all HTTP requests. Vercel records standard server logs (IP address, user agent, timestamps).
  • Apple (HealthKit) — if you grant permission on iOS, we read step count and sleep data from Apple Health. This data is transmitted directly from your device to our servers. We comply with Apple's HealthKit guidelines: health data is not used for advertising, is not sold to data brokers, and is not shared with third parties for purposes unrelated to providing the service.
  • Google (Health Connect) — if you grant permission on Android, we read step count and sleep data from Google Health Connect. The same restrictions as HealthKit apply.

We do not share your data with any other third parties. If this changes, we will update this policy and notify you before the change takes effect.

Data storage and security

Your data is stored in Supabase-managed infrastructure. All data is encrypted in transit (TLS) and at rest. Access to production databases is restricted to essential personnel. Every database query filters by user ID — your data is never mixed with another user's in application logic.

Progress photos and coach-uploaded files are stored in Supabase-managed storage buckets with access controls that restrict visibility to the owning user and their assigned coach.

Data retention

  • Account and training data is kept for as long as your account exists, or until you request deletion.
  • AI coaching responses (audits, debriefs, chat messages) are stored for as long as your account exists. OpenAI does not retain API request data beyond their standard processing window (typically 30 days for abuse monitoring, zero days for training).
  • Password-reset links expire automatically within one hour.
  • Coach invite links are single-use and expire.
  • Server logs are retained by Vercel on their default schedule (typically 30 days).

Your rights

Depending on your jurisdiction (including under the Australian Privacy Act 1988, the EU General Data Protection Regulation, and the UK GDPR), you may have the following rights:

  • Access. Request a copy of all personal data we hold about you. We will provide it in JSON format.
  • Correction. You can edit your profile, routines, and workout data directly in the app. For anything you cannot edit yourself, contact us and we will correct it.
  • Deletion. Request permanent deletion of your account and all associated data. See the “Account deletion” section below for full details.
  • Data portability. Request an export of your data in a structured, machine-readable format (JSON).
  • Withdraw consent. You can revoke HealthKit or Health Connect permissions at any time through your device settings. You can disable push notifications at any time.
  • Complaint. You have the right to lodge a complaint with your local data protection authority. In Australia, this is the Office of the Australian Information Commissioner (OAIC).

To exercise any of these rights, email info@gymbro.com.au. We will respond within 30 days.

Account deletion

You can request permanent deletion of your account at any time. Full details are on our account deletion page.

In summary:

  • Email info@gymbro.com.au with the subject “GymBro account deletion request” from the email address on your account.
  • We will confirm receipt within 3 business days and complete the deletion within 30 days.
  • Deletion removes your account, profile, login credentials, all workout data, sets, routines, programs, check-ins, coaching reports, coach memory, progress photos, and any coach-client relationships.
  • Deletion is permanent. There is no backup copy to restore from.
  • We may retain standard server logs (IP, timestamp) on Vercel's retention schedule and any records required by law for legal, tax, or fraud-prevention purposes. Retained data cannot be used to access your account or training history.

You can request a data export before deletion by emailing the same address.

Children

GymBro is not intended for users under 16. We do not knowingly collect personal data from anyone under 16. If you believe a minor has created an account, please contact us and we will delete it promptly.

International data transfers

Our service providers (Supabase, OpenAI, Resend, Vercel) may process data in countries outside your country of residence, including the United States. These transfers are necessary to provide the service and are covered by each provider's data processing agreements and, where applicable, Standard Contractual Clauses or equivalent safeguards.

Push notifications

We may send push notifications for workout reminders, check-in due dates, daily tracker nudges, and other service-related alerts. You can disable push notifications at any time through your device settings. We do not use push notifications for marketing or advertising.

Cookies and local storage

We use a single session cookie managed by Supabase Auth to keep you signed in. We do not use advertising cookies, tracking cookies, or third-party cookies. The app may use browser local storage for session state and UI preferences.

Changes to this policy

If we make material changes to what we collect or how we use it, we will update the “Last updated” date at the top of this page and notify account holders by email before the change takes effect. Continued use of the service after notification constitutes acceptance of the updated policy.

Contact

Questions, data export requests, deletion requests, or anything else — info@gymbro.com.au.

© 2026 GymBro. All rights reserved.