Privacy Policy

Effective date: May.17, 2026
Last updated: May.17, 2026

This policy explains what information GymCraft collects, why we collect it, who we share it with, and the choices you have. It covers both the GymCraft mobile app (iOS and Android) and the gymcraft.co marketing site.

GymCraft is operated by [LEGAL ENTITY NAME], based in Canada. If you have questions about this policy or your data, email privacy@gymcraft.co.

A quick summary

We've tried to keep this policy honest and short for an app of this kind. The plain-English version:

You can use GymCraft anonymously without giving us any personal information. Sign-in with email or Google is optional, and we use it only to back up your gym across devices.
We collect the workout data you log in the app, your gym contents, your subscription status if you subscribe, and standard app diagnostics. That's it.
We don't collect your location, contacts, photos, calendar, health data from Apple Health or Google Fit, or any other data we don't need to run the app.
We don't sell your data. We don't share it with advertisers. We don't track you across other apps and websites.
You can request deletion of your account and all your data at any time by emailing privacy@gymcraft.co. See gymcraft.co/delete-account for the full process.
If you have a question, email privacy@gymcraft.co. We respond within 30 days.

The rest of the policy is the longer version of the same thing.

1. Information we collect

We group the information we collect into a few categories.

1.1 Account information

GymCraft supports three ways to use the app:

Anonymous use. When you first open GymCraft, we create an anonymous account tied to your device. We collect a randomly generated internal user ID (a "Firebase UID") that lets us store your gym and workouts. No personal information is required at this step.
Email and password. If you choose to back up your gym, you can create an account with an email address and password. We store your email; the password is handled by our authentication provider (Google Firebase) and we never see it directly.
Sign in with Google. If you choose Google sign-in, Google sends us your email address and a Google user ID. Google also sends your display name and profile picture URL to our authentication service, but we do not use, display, or copy those fields anywhere in the app — GymCraft addresses everyone as "champ" regardless of how you signed in.

If you start anonymously and later sign in with email or Google, we link the two so your existing gym and progress carry over.

1.2 Workout and gym data

When you use the app, we collect what you log:

Workouts: duration, sets completed, rest time, and any per-set details you choose to add (exercise name, reps, weight, weight unit).
The mode you used (manual set tracking or timed mode) and the date of each workout.
Derived statistics: daily, monthly, and lifetime totals; current and best streaks; shields earned and consumed.
Your gym contents: the equipment, characters, plaques, wall colours, and floor tiles you've unlocked, and where you've placed them in your gym.
Your gym name and your in-app currency balances (Coins and, for subscribers, Crystals).

This is everything you need to run the app. We do not read data from Apple Health, Google Fit, or Health Connect in v1.

1.3 Subscription information

If you subscribe to GymCraft Premium, our subscription provider (RevenueCat) and the platform you bought it on (Apple App Store or Google Play) handle the transaction. We receive your subscription status — whether it's active, the plan you're on, when it renews — but we do not receive your credit card details, bank information, or any other payment instrument. Those stay with Apple and Google.

1.4 Analytics and diagnostics

To understand how the app is being used and catch bugs, we collect:

App usage events (which screens you visit, which buttons you tap, where you drop off in flows).
Device and OS metadata: device model, operating system version, app version, language, and country (derived from your IP address but not stored as an IP address).
Crash reports: stack traces, device state at the moment of a crash, and a short trail of recent app actions.
Server logs from our Cloud Functions: which functions you called, how long they took, and whether they succeeded.

We use Google's Firebase Analytics and Crashlytics for this. We have disabled the advertising identifier collection that those tools support by default — we do not collect your iOS IDFA or your Android Advertising ID.

1.5 Push notifications

If you allow push notifications, your device shares a push token with us (an APNs token on iOS, an FCM token on Android). We use it only to send you the notifications you've opted in to. Push tokens are scoped to your account and deleted when you delete your account.

1.6 The gymcraft.co marketing site

The marketing site uses basic web analytics. We display a cookie banner on your first visit so you can accept or decline analytics cookies. The site does not require an account and does not collect personal information unless you choose to give it to us (for example, by emailing us).

1.7 What we don't collect

For clarity, here is information we explicitly do not collect:

Your name, phone number, mailing address, or date of birth.
Your gender, race, ethnicity, sexual orientation, religious beliefs, or political affiliation.
Your precise location (GPS or otherwise).
Your contacts, calendar, photos, files, or microphone or camera input.
Your web browsing history or search history.
Government IDs, payment card numbers, or biometric data.
The advertising identifier on your device (IDFA on iOS, AAID on Android).
Health data from Apple Health, Google Fit, or Health Connect.

2. How we use the information

We use the information we collect to:

Run the app. Save your gym, your workouts, your streak, your currency balances, and your unlocked items. Process subscription purchases and grant the benefits that come with them.
Keep the app reliable. Diagnose crashes, monitor errors, prevent abuse of the points economy, and enforce per-user data access on our servers.
Improve the app. Understand which features are used, where new users get stuck, and which improvements have the impact we expected.
Send notifications. Remind you about your weekly progress, celebrate your milestones, and send transactional notices about your subscription if you've subscribed. All notifications are triggered by your own activity in the app — never by inferred patterns or data from outside GymCraft.
Respond to you. If you email us, we use your email address to reply.

We do not use your information for advertising, profiling, or any form of automated decision-making that produces legal or similarly significant effects on you.

3. Who we share information with

We share information with a small number of service providers who help us run GymCraft. They handle the data only on our behalf, under written contracts that prohibit them from using it for their own purposes.

Provider	What they receive	Why
Google (Firebase Authentication)	Email, password hash, Google credentials, user ID	Sign-in and account recovery
Google (Cloud Firestore)	Your gym, workouts, currency balances, and other app data	App data storage
Google (Cloud Functions, Cloud Logging)	Function inputs and operation logs	Server-side processing of points and purchases
Google (Firebase Cloud Messaging)	Push tokens and notification payloads	Push notification delivery
Google (Firebase Crashlytics)	Crash traces and device metadata	Crash reporting
Google (Firebase Analytics / GA4)	App usage events and device metadata	Product analytics
RevenueCat	Your user ID, your subscription receipt, your email (only if you've signed in), basic device metadata	Subscription management and entitlement validation
Apple (App Store, Apple Push Notification Service, AdServices)	Subscription transaction data, push tokens, Apple Search Ads attribution token	Billing, push delivery, and attribution of Apple Search Ads installs
Google (Google Play Billing, Install Referrer)	Subscription transaction data, install referrer string	Billing and install attribution on Android

We do not share information with anyone else. We do not sell your information. We do not allow these providers to use your information to advertise to you or to anyone else.

When you install GymCraft from a paid ad on TikTok, Meta, or Reddit, those platforms learn that an install happened — but only through Apple's privacy-preserving SKAdNetwork / AdAttributionKit system (on iOS) or Google's Install Referrer (on Android). They do not receive any data linked to you as an individual.

4. International data transfers

GymCraft is operated from Canada. Our service providers (notably Google Firebase, RevenueCat, Apple, and Google Play) process data in the United States and other countries.

If you are in the European Economic Area, the United Kingdom, or Switzerland: we rely on the EU-US Data Privacy Framework (and its UK and Swiss extensions, where applicable) for transfers to providers that are certified to it. For transfers to providers that are not DPF-certified, we rely on the European Commission's Standard Contractual Clauses (2021) and, for UK users, the UK Addendum to those clauses.

If you are in Canada: data may be processed outside Canada and is subject to the laws of the jurisdictions where our providers operate.

5. How long we keep information

Category	Retention
Your account, gym, workouts, and other app data	Until you delete your account
Idempotency records (used to make purchases and rewards retry-safe)	About 30 days, then automatically deleted
Subscription state in our database	Until you delete your account
Push notification tokens	Until you delete your account or the operating system rotates them
Crash reports (Firebase Crashlytics)	90 days
Analytics events (Firebase Analytics)	14 months
Server logs (Google Cloud Logging)	30 days
Marketing-site analytics	Per the cookie banner on the site
Data held on your device (preferences, cache, generated share images)	Until you uninstall the app or clear app data

If your account is anonymous-only and you stop using the app, we may keep your account on our servers for a period of time before automatically deleting it. We will publish the exact period when that automatic cleanup is in place.

6. Your rights and how to use them

You have the following rights in relation to your information. Some of these are required by law in certain places (like the EU, UK, Canada, and California); others we extend to everyone regardless of where they live.

Access. You can ask us for a copy of the personal information we hold about you.
Correction. You can ask us to correct inaccurate information.
Deletion. You can request deletion of your account and all your data at any time by emailing privacy@gymcraft.co. We respond to deletion requests within 7 days, usually much sooner. When we process the request, we permanently remove your data from our servers, ask RevenueCat to delete your subscription record, and remove your authentication record. There is no soft-delete and no grace period — once we process the request, deletion is immediate and irreversible. See gymcraft.co/delete-account for the full process and what gets deleted.
Data portability. You can request a machine-readable export of your data by emailing us. We aim to respond within 30 days.
Object to analytics and diagnostics. You can ask us to stop collecting analytics and crash data about your use of the app by emailing privacy@gymcraft.co. An in-app toggle for this is planned in a future release.
Withdraw consent. Where we rely on your consent (for example, for marketing-site analytics or for push notifications), you can withdraw it at any time without affecting our prior processing.
Complain. You have the right to lodge a complaint with a data protection authority in your country.

To exercise any of these rights, email privacy@gymcraft.co. We respond within 30 days. We may need to verify that the request is coming from you before we act on it.

What account deletion actually does

When we process your account deletion request:

We ask RevenueCat to delete your subscription record. If you are still within a paid subscription period, your subscription continues at the platform level (Apple or Google) until it ends or you cancel it through your platform settings — but we no longer hold any record of it.
We delete all your data from our database (your gym, workouts, currency balances, statistics, push tokens, gym layout — everything).
We delete your authentication record.

After deletion, server logs that contain your user ID are retained for up to 30 days as part of our standard logging retention, after which they are also automatically deleted.

7. Account types and what they mean

Because GymCraft supports both anonymous and signed-in use, it's worth being explicit about what each means for your data.

Anonymous accounts are tied to your device install. If you uninstall the app, or if you switch to a new device without first signing in with email or Google, your anonymous account becomes inaccessible to you. Your data still exists on our servers but you can no longer reach it. We will eventually delete inactive anonymous accounts automatically (see "How long we keep information"). To preserve your gym across devices, sign in with email or Google.
Email or Google accounts can be recovered. If you forget your password, you can reset it via the email link Firebase sends. If you signed in with Google, you recover access through Google.
Upgrading from anonymous to email or Google preserves your data. We link the two accounts, your internal user ID stays the same, and nothing in your gym changes.

8. Push notifications

If you allow push notifications, GymCraft will send you:

Streak reminders — when you're short of your weekly workout target near the end of the week.
Milestone celebrations — when you unlock a new plaque or hit a streak milestone.
Shield notifications — when a missed week consumes one of your streak shields.
Subscription transactional notices — billing failures or grace-period notices, if you are a subscriber.
Content drops — when significant new content lands in the app (off by default; opt-in).

You can change your notification preferences in the app's Settings screen, or turn off notifications entirely in your device settings. All notifications are triggered by your own activity in GymCraft. We do not time, target, or personalize notifications using data from outside the app, and we do not use behavioural inference to decide when to send them.

9. Subscriptions

GymCraft offers two subscription plans, both with a 7-day free trial for new subscribers:

GymCraft Premium Monthly — $4.99 USD per month (or equivalent in your local currency). 7-day free trial, then $4.99/month.
GymCraft Premium Annual — $34.99 USD per year (or equivalent in your local currency). 7-day free trial, then $34.99/year.

Trials convert to paid subscriptions unless cancelled at least 24 hours before the trial ends.

Subscriptions auto-renew unless cancelled at least 24 hours before the end of the current billing period. Payment is charged to your Apple ID or Google Play account at the time of confirmation and at each renewal.

You can manage or cancel your subscription at any time through your Apple ID subscription settings (iOS) or Google Play subscription settings (Android). Cancelling stops future renewals; the current billing period continues until its end date.

Refund requests are handled by Apple (iOS) and Google (Android) per their respective policies. GymCraft does not process refunds directly.

10. California Privacy Rights

This section applies to California residents under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

GymCraft does not sell or share personal information for cross-context behavioural advertising. We do not exchange personal information for monetary or other valuable consideration.

We disclose personal information to service providers (Google Firebase, RevenueCat, Apple, and Google Play) under written contracts that prohibit them from using or disclosing that information except as necessary to provide their services to us. This disclosure does not constitute "selling" or "sharing" under California law.

California residents have the following rights:

The right to know what personal information we collect, use, and disclose.
The right to delete personal information we hold about you.
The right to correct inaccurate personal information.
The right to data portability (a machine-readable export).
The right to non-discrimination for exercising these rights.
The right to limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information, so this right has no effect for GymCraft users.
The right to opt out of sale or sharing. We do not sell or share, so there is nothing to opt out of.

To exercise any of these rights, email privacy@gymcraft.co. We respond within 30 days.

11. Children's privacy

GymCraft is not directed at children under the age of 13 (under 16 in the European Economic Area and the United Kingdom). We do not knowingly collect personal information from children under these ages. If you are a parent or legal guardian and believe your child has provided us with personal information, please contact privacy@gymcraft.co and we will delete the account and associated data promptly.

12. Security

We protect your data with standard industry practices:

All connections between your device and our servers use HTTPS / TLS.
Authentication and database access are handled by Google Firebase, with per-user access rules enforced on the server.
Sensitive operations (granting Coins, processing purchases) run on our servers, not in the app, so they can't be tampered with from the client.
We follow the principle of least privilege internally and do not access user data except where necessary to operate the service or respond to a request from the user.

No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a breach affecting your data, we will notify you and the appropriate regulators where required by law.

13. Changes to this policy

We will update this policy from time to time. When we make material changes, we will update the Last updated date at the top of this page, and we'll notify you in the app (or by email if you've given us one) before the changes take effect.

14. Contact

For any privacy question, request, or complaint, email privacy@gymcraft.co. For general support, email support@gymcraft.co.

If you prefer postal mail, you can write to us at:

JOHN KHTARIA
V3H 1P6
Port Moody, BC, V3H 1P6
Canada