Privacy Policy

1. What data do we collect?

1.1 Account data (required)

When you create an account, we collect:

• Email: identification, login, password recovery.
• Password: account security, hashed with bcrypt, never stored in plain text.
• Nickname / Username: interface personalization.
• Age: minimum age verification (16) and metric calculations.
• Sex: health metric calculations (BMI, body fat estimate, etc.).
• Height: body metric calculations.
• Weight: metric calculations and progress tracking.

Alternative sign-in methods: Sign in with Google (OAuth) — we retrieve your email and name only, no access to contacts or Gmail; Sign in with Apple (OAuth) — we retrieve your email (or Apple's masked email) and your name.

No financial data is collected by No Fuss Gym. Payments are handled exclusively by the Apple App Store and Google Play Store.

1.2 Fitness data (generated by your use)

Workout data: sessions logged (date, time, duration), exercises performed (name, sets, reps, weight, tempo), custom programs, full history, personal records (PRs), session notes and comments.

Body measurements: weight, waist, hips, chest, etc., tracked over time.

Calculated health metrics (sensitive data, GDPR Article 9): BMI, estimated body fat percentage, Waist-to-Hip Ratio (WHR), Waist-to-Height Ratio (WHtR), Adonis Ratio. These metrics are calculated locally on your device using standardized mathematical formulas. They do not constitute a medical diagnosis in any way.

Progress photos (Photobook): photos taken via the app or imported from your gallery, along with their EXIF metadata (date, time). These photos are stored locally on your device only. They never leave your phone, except for Premium users who manually enable the specific photo cloud sync from Settings › Preferences › Sync Photos.

User preferences: measurement units, interface language, theme, notifications, cloud sync options.

1.3 Technical data (automatic)

Device information: smartphone model, operating system and version, app version, language and time zone.

Connection data: date and time of login, IP address (for security and abuse detection), connection type.

Crash and error reports (via Sentry): pseudonymized reports, technical error logs for bug fixes. No health, fitness or personally identifying data is included in these reports.

Cookies and trackers: no advertising cookies, no marketing trackers. Only the JWT authentication tokens stored locally (iOS/Android SecureStorage) and local preferences (language, theme, units).

1.4 Referral program data (conditional)

If you enter a referral code at sign-up (this step is optional), we collect:

• Device identifier: identifierForVendor (iOS) or Android ID (Android). Collected solely for fraud prevention purposes, to ensure the same physical device cannot redeem multiple referral codes. Transmitted over HTTPS to our backend (Supabase), stored persistently linked to your account. Not used for advertising or tracking, not shared with any third party.
• Referral code entered at sign-up.
• Referral status (pending / validated) and validation date.

This data is only collected if you choose to enter a referral code. If you skip that step, none of this data is collected.

2. Why do we collect this data?

2.1 Legal bases for processing (GDPR)

• Email, password, nickname: contract performance.
• Age, sex, height, weight: explicit consent and contract performance.
• Fitness data: explicit consent (you actively create this data).
• Health metrics (GDPR Article 9): explicit consent collected at registration.
• Cloud sync: explicit consent, can be enabled or disabled in settings.
• Technical data (IP, device, Sentry): legitimate interest (security, fraud prevention, bug fixes).
• Device identifier and referral data: legitimate interest (fraud prevention in the referral program). Optional collection, only triggered if a referral code is entered.

2.2 Specific purposes

We use your data solely for: account management; app functionality (workouts, metrics, statistics); cloud sync (Premium users); transactional communications (password reset, security alerts); app improvement through aggregated and anonymized statistics; the referral program and its associated fraud prevention; security and fraud prevention.

3. Where is your data stored?

3.1 Local storage (all users)

By default, all your data is stored locally on your smartphone via Isar (a database isolated within the app). Advantage: works 100% offline, your data stays on your device. Drawback: data is lost if you switch phones without an active cloud backup.

3.2 Cloud storage (Premium users only)

Provider: Supabase Inc.
Location: EU-West (European Union)
Compliance: GDPR, ISO 27001, SOC 2 Type II

Data synced to the cloud: user profile, full workout history, body measurements, custom programs.

Photobook photos: stored locally only by default, including for Premium users. Photo cloud sync is an option you must enable manually from Settings › Preferences › Sync Photos. Without this, your photos never leave your device.

Security: encryption in transit (HTTPS/TLS), encryption at rest (AES-256), access restricted to your account only, automatic regular backups.

3.3 Transfers outside the European Union

All fitness and account data is stored within the European Union (Supabase EU-West). For Apple and Google: OAuth authentication only transfers your email and name (no fitness data). For Sentry: pseudonymized technical data only, processed on EU servers. No health or fitness data is transferred outside the EU.

4. Who has access to your data?

4.1 Internal access

Access is strictly limited to the data controller (RoninKa Studio), solely for maintenance and technical support purposes. Your data is never accessed for commercial or marketing purposes.

4.2 Third-party services (GDPR processors)

• Supabase: cloud storage, authentication, database. GDPR certified, ISO 27001, SOC 2. DPA in place.
• Sentry: technical monitoring and pseudonymized crash reports only. No personal or fitness data. DPA in place.
• Resend: transactional email delivery (email address only). GDPR compliant, EU servers.
• Apple / Google (OAuth): email and name only. GDPR compliant (SCCs in place).
• Apple App Store / Google Play Store: subscription management. No Fuss Gym receives no payment data.

4.3 No sharing with commercial third parties

We never share your data with advertisers, data brokers, commercial partners or social networks. Your data is yours.

4.4 Legal obligations

We may be required to disclose your data upon request from a judicial authority or to comply with a legal obligation. In such cases, we will limit disclosure to the strict minimum.

5. How long do we keep your data?

5.1 During active use

As long as you use the app, all your data is retained. No automatic deletion during the active use period.

5.2 After account deletion

Account deletion triggers a 30-day "soft delete" period, during which recovery is still possible in case of a mistake. After 30 days: irreversible and complete deletion of all your data. No recovery is possible after that point.

5.3 Accounting data — legal exception

Billing documents provided by Apple and Google may be retained for up to 7 years in accordance with Belgian accounting law. These documents do not contain your fitness or health data.

5.4 Prolonged inactivity

If you don't log in for 24 consecutive months, a reminder email will be sent 30 days before automatic deletion. Without a response or reconnection, your account and data will be deleted automatically.

6. How do we protect your data?

6.1 Technical security measures

• Passwords hashed with bcrypt (one-way algorithm)
• All communications encrypted in transit (HTTPS/TLS)
• Cloud storage encrypted at rest (AES-256 via Supabase)
• Secure sessions via JWT tokens with automatic expiry
• Secure OAuth with token validation
• Rate limiting (login attempt throttling)
• SQL injection protection and automatic daily backups

6.2 In the event of a data breach

In the event of a compromise: notification to the Belgian DPA within 72 hours; individual notification to all affected users; detailed report on the data involved and corrective measures taken. Full transparency: we will communicate without downplaying the incident.

7. Your rights (GDPR)

7.1 Right of access (Art. 15)

Request a copy of all your data from the app (Settings › My Data › Export) or by email at contact@nofussgym.com. Response time: one month maximum.

7.2 Right to rectification (Art. 16)

Correct your data directly in the app (Settings › Profile or Settings › Account). For data that cannot be edited in-app: contact@nofussgym.com.

7.3 Right to erasure (Art. 17)

Delete your account from Settings › Account › Delete My Account, or by email. Timeline: 30-day soft delete, then permanent deletion.

7.4 Right to data portability (Art. 20)

Export your data in JSON or CSV from Settings › My Data › Export. Portable data includes: user profile, full workout history, body measurements, custom programs.

7.5 Other rights

You also have the right to restriction of processing (Art. 18), the right to object (Art. 21) and the right to withdraw consent (Art. 7). No Fuss Gym does not use any automated decision-making or profiling system.

7.6 How to exercise your rights

Email: contact@nofussgym.com
Legal response time: one month maximum (usually within 48 to 72 hours).
Exercising your rights is completely free of charge.

8. Minors (16-18 years old)

No Fuss Gym is intended for users aged 16 and over. If a user under 16 is found to have created an account, the account will be suspended or deleted immediately.

For users aged 16-18, parental or guardian consent and supervision are strongly recommended, given the injury risks associated with strength training and the importance of adapting programs to a still-developing body.

9. Cookies and similar technologies

No Fuss Gym uses no cookies or trackers for advertising or marketing purposes. No Google Analytics, Facebook Pixel, or behavioral analytics tools. Only the technologies strictly necessary to operate the app: JWT tokens (session management) and local preferences (language, theme, units).

If an analytics tool is added in the future, you will be notified with explicit opt-in consent required.

10. Changes to this Policy

Minor changes (clarifications) will be made silently with an updated date at the top. Significant changes (new processing activities) will trigger an email notification and an in-app notification, with a minimum 7-day notice period. Continued use of the app after notification constitutes acceptance of the updated terms.

11. Transfer of ownership

If the No Fuss Gym project is sold or transferred, your personal data may be passed to the new owner. You will be notified by email at least 30 days before the transfer and will have the right to delete your account beforehand. The new entity must comply with this Policy or an equivalent GDPR-compliant policy.

12. Contact and complaints

Questions about your data:
Email: contact@nofussgym.com
Controller: RoninKa Studio, 6001 Marcinelle, Belgium
Response time: within 48 to 72 business hours.

Supervisory authority (Belgium):
Autorité de Protection des Données (APD)
Rue de la Presse 35, 1000 Brussels
contact@apd-gba.be — autoriteprotectiondonnees.be

Other EU countries: consult the list of supervisory authorities at edpb.europa.eu.

13. Data controller

Karim El Harchi
Trade name: RoninKa Studio
VAT number: BE1037715601
Status: Self-employed (complementary activity)
6001 Marcinelle, Belgium
Email: contact@nofussgym.com

No DPO appointed (not required for an organization of this size). All GDPR requests are handled directly at contact@nofussgym.com.

This Policy complies with GDPR (EU 2016/679) and the Belgian law of 30 July 2018 on the protection of personal data.