Privacy Policy
Last updated: June 6, 2026
1. Who We Are
Gymbo is operated by OXWARE LLC. We provide the workout tracking application available at app.gymbo.life and the website at gymbo.life.
This Privacy Policy explains what information we collect, how we use it, who we share it with, and what your rights are. By using Gymbo, you agree to the practices described in this document.
2. Information We Collect
2.1 Account Information
When you register directly, we collect your email address and display name. Passwords are stored as bcrypt hashes; we never see them in plaintext.
If you sign in with Facebook Login or Google OAuth, we receive from that provider: your platform user ID, email address, and display name. Gymbo does not request access to your friends list, your feed, or permission to post on your behalf.
2.2 Profile Preferences
- Preferred language (English or Spanish)
- Weight unit (kg or lb)
- Timezone
- Rest timer duration
- Workout reminder settings
- Experience level
2.3 Workout Data
- Exercises, sets, reps, weight, RPE, duration
- Logged bodyweight
- Body measurements (circumference data such as waist, hip, chest)
- Body fat percentage and measurement method
- Height and biological sex (optional, used for body composition calculations)
- Routines and templates
- Notes attached to workouts or exercises
- Measurement conditions (e.g. fasted, post-workout)
- Which body measurements you choose to track
2.4 Push Notifications
If you enable reminders, we store your browser's push notification subscription endpoint, associated encryption keys, and User-Agent. This is used exclusively to deliver workout reminders.
2.5 Coaching Features
If you use coaching features, we store coach-athlete relationships and workout data snapshots included in coach digests.
2.6 Usage Metadata
Share events and notification delivery logs are stored with a 90-day TTL and deleted automatically. We do not collect navigation paths or click-stream events.
2.7 Local Storage
Your browser stores JWT tokens for authentication, in-progress workout drafts (24-hour TTL), an offline queue for syncing when connectivity returns, and UI preferences such as dark mode. This data stays on your device and is not transmitted except to sync drafts.
2.8 Cookies
Gymbo uses a single cookie: lang, which stores your language preference. It expires after 12 months. No tracking or third-party cookies are used.
3. Information We Do NOT Collect
- IP addresses (not logged)
- Behavioral analytics or device fingerprinting
- Advertising tracking pixels
- Geolocation data
- Contacts or social network friend lists
4. How We Use Your Information
- Operate and sync the workout tracking service
- Authenticate your access and maintain your session
- Send workout reminders when you are subscribed
- Generate coaching digests for authorized coaches
- Respond to support requests or security reports
We do not use your data for advertising, profiling, or sale to third parties.
5. Legal Basis (EU/EEA)
For users in the European Union or European Economic Area, we process your data on the basis of:
- Contract performance — necessary to provide the service you request
- Legitimate interest — security, abuse prevention, and service improvement
- Consent — push notifications and optional features
6. Data Sharing
We do not sell your personal data. We only share information in the following cases:
- AWS (Amazon Web Services) — sub-processor for infrastructure hosting (Lambda, DynamoDB, S3, CloudFront), covered by our AWS Data Processing Addendum.
- Facebook / Google — during the OAuth flow, they receive only the data that is standard for the protocol (user ID, email). We do not share your workout data.
- Legal obligation — if required by law or a valid court order.
7. International Transfers
Your data is stored and processed in AWS region us-east-1 (United States). Transfers from the EU/EEA are covered by the AWS Data Processing Addendum and the European Commission Standard Contractual Clauses (SCCs).
8. Data Retention
- Profile and workout data — until you delete your account
- Push subscriptions — until you unsubscribe
- Share events and notification logs — 90 days (automatic TTL)
- Security and audit logs — up to 13 months. When a coach or administrator changes your account data, we keep a record of the change for security, dispute resolution, and abuse detection. These records are not deleted when you close your account — they are retained for their full TTL under legitimate interest (security and abuse prevention).
- localStorage drafts — 24 hours from last interaction
When you request account deletion, your account enters a 30-day grace period during which you can cancel the deletion by logging in and choosing to keep your account. After 30 days, all your data is permanently and irreversibly removed from our systems.
9. Your Rights
You have the right to:
- Access the personal data we hold about you
- Correct inaccurate information
- Delete your account and all associated data — available in app Settings (instructions)
- Export your workout data
EU/EEA users also have the right to data portability, to request restriction of processing, and to lodge a complaint with their national supervisory authority.
To exercise any of these rights, contact us at privacy@gymbo.life.
10. Data Security
- All communication is encrypted with HTTPS/TLS
- DynamoDB data is encrypted at rest
- Passwords are stored with bcrypt
- Authentication uses short-lived JWT tokens
- Auth endpoints are protected by rate limiting
11. Children's Privacy
Gymbo is not directed at children under 16. We do not knowingly collect information from minors. If you believe we have collected data from a child, contact us and we will delete it promptly.
12. Vulnerability Reporting
If you find a security issue in Gymbo, please report it responsibly to security@gymbo.life before disclosing publicly. We commit to responding within 72 hours.
13. Changes to This Policy
When we make material changes, we will update the "Last updated" date on this page. We will notify you of significant changes through the application. We encourage you to review this policy periodically.
14. Contact Us
For any privacy questions or to exercise your rights:
OXWARE LLC
privacy@gymbo.life