Privacy Policy

Muscle Diary ("we", "us", "our") is a fitness tracking service consisting of a mobile application and a web platform. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it.

Data Controller: Muscle Diary
Contact: privacy@musclediary.app

2.1 Account and Identity Data

When you create an account we collect:

• Email address — used for authentication and account management
• Display name — optional, used for personalisation
• Encrypted password — stored via Supabase Auth; we never see the plain-text value

2.2 Workout Data

All workout data you enter is stored locally on your device first, then synced to our servers. This includes:

• Exercises logged, with the date and time of each session
• Sets and their metrics: reps, weight (kg), duration (seconds), distance (metres), speed (km/h), resistance level, incline percentage, and effort intensity (RPE 1–10)
• Which QR code was scanned to start a session (links to gym equipment)
• Optional free-text notes attached to any exercise

2.3 Preferences and Settings

We store your in-app preferences so they sync across devices:

• Language, unit system (metric / imperial), theme, and week start day
• Onboarding completion status
• App-specific settings stored as a JSON blob (feature flags and non-critical preferences)

2.4 Device and Technical Data

Collected automatically to operate and maintain the service:

• Device model and operating system version
• App version
• Screen dimensions
• Platform (iOS / Android)
• Authentication session tokens stored in secure local storage on your device
• Network connection type (Wi-Fi or cellular) and mobile carrier name

2.5 Crash Reports

When the app encounters an error we automatically collect a crash report. This is processed on the legal basis of legitimate interest to maintain a working service. A crash report contains:

• Error message and stack trace
• App version, platform, and OS version
• Device model and screen size
• The screen you were on and the action that triggered the error
• Your user ID (if you were logged in at the time)

Crash reports are retained for 90 days and then deleted.

2.6 Feedback You Submit Voluntarily

If you use the in-app feedback form we collect:

• Feedback type, title, and description
• Priority you assign to the item
• Contact email address if you choose to provide it
• Device context appended automatically: app version, platform, OS version, device model, and screen size
• The screen you were on when you submitted the feedback

2.7 Analytics Data (Consent-Gated)

With your explicit consent we send usage events to Mixpanel (EU data residency, api-eu.mixpanel.com). If you decline or withdraw consent no events are sent. Analytics tracking is off by default. We collect:

• Actions you take in the app — e.g. logging a set, completing a workout, scanning a QR code, changing settings, viewing screens
• App version, platform, OS version, and UI language attached to every event
• Your Supabase user ID (a random UUID) to link events to a single user — no name or email is ever sent
• Approximate city and country derived from your IP address by Mixpanel — your IP address itself is not stored by us

Specific data points sent with workout events are limited to counts and boolean flags (for example: "3 exercises, 12 sets, entry via QR scan") — no actual weight values or rep counts are sent.

2.8 Consent Records

When you accept our Terms of Service or Privacy Policy we record:

• Which document version you accepted
• Date and time of acceptance
• Platform used (iOS / Android / web)
• IP address and user agent — retained for GDPR compliance audit purposes

2.9 Data We Do Not Collect

• Precise GPS location or real-time location tracking
• Contact lists or call logs
• Health data from HealthKit, Google Fit, or other health platforms
• Financial or payment information
• Photos or camera content (except optional screenshots you attach to feedback)
• Biometric data

• Provide the service: Store and sync your workouts across devices
• Maintain reliability: Diagnose and fix crashes and errors using crash reports (legitimate interest)
• Improve the app: Analyse aggregated usage patterns when analytics consent is granted
• Account communications: Send essential account notifications such as password reset emails
• Gym analytics: Provide partner gyms with anonymised, aggregated equipment usage statistics — for example how many times a piece of equipment was scanned in a month. Individual workout data is never shared with gyms.
• Legal compliance: Retain consent records and respond to lawful data requests

• Contract: Account data and workout data are processed to deliver the service you signed up for
• Legitimate interest: Crash reports are processed to keep the service functional and secure
• Consent: Analytics tracking and marketing communications require your explicit opt-in
• Legal obligation: Consent records are retained to demonstrate GDPR compliance

5.1 Where Your Data is Stored

• On your device: Workout data is stored locally using encrypted SQLite (WatermelonDB) and synced to the cloud when you are online
• In the cloud: Supabase servers (PostgreSQL) hosted in the European Union
• Authentication tokens: Stored in secure local storage on your device only — never sent to analytics providers

5.2 Security Measures

• All data in transit is encrypted using TLS 1.3
• Data at rest is encrypted using AES-256
• Database access is enforced using Row-Level Security — each user can only access their own data
• Employee access to user data is limited to what is necessary and is logged

We do not sell your personal data. We may share data only in the following circumstances:

• Infrastructure providers: Supabase (cloud database and auth, EU hosted); these providers process data on our behalf under data processing agreements
• Analytics provider: Mixpanel (EU endpoint) — only when you have given analytics consent, and only with anonymised identifiers
• Partner gyms: Aggregated, anonymised equipment usage statistics only; never individual workout records
• Legal requirements: When we are required by law or court order
• Crash reporting provider: Sentry (EU endpoint, ingest.de.sentry.io) — only error message, stack trace, and device context; processed on the basis of legitimate interest

Under GDPR you have the following rights. To exercise any of them contact us at privacy@musclediary.app.

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your account and all associated personal data
• Portability: Receive your workout data in a machine-readable format
• Restriction: Ask us to limit how we process your data while a dispute is resolved
• Objection: Object to processing based on legitimate interest
• Withdraw consent: Opt out of analytics tracking at any time in the app settings; withdraw consent from legal documents by deleting your account

We will respond to requests within 30 days. You also have the right to lodge a complaint with your local supervisory authority. In Poland: UODO (uodo.gov.pl).

• Active account: Data is retained for as long as your account is active
• Deleted account: All personal data is permanently deleted within 30 days
• Crash reports: Deleted after 90 days
• Consent records: Retained for up to 7 years to comply with EU law
• Aggregated analytics: Retained indefinitely — this data contains no personal identifiers

You can delete your account at any time by:

• Using the Delete Account option in the app (Settings → Delete Account)
• Emailing support@musclediary.app

On deletion, all workout data and personal information is permanently removed. Consent records are retained for legal compliance as described above. This action cannot be undone.

10.1 Mobile App

The mobile app does not use cookies. Authentication session tokens are stored in the device's secure local storage and are not accessible to third parties.

10.2 Website

Our website uses:

• Essential cookies: Required for authentication and the website to function correctly
• Analytics cookies: Only placed with your explicit consent; you can opt out at any time

The service is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at privacy@musclediary.app and we will delete the account promptly.

Your data is stored on servers in the European Union. We do not routinely transfer personal data outside the EU. If a transfer outside the EU is ever necessary, we will ensure it is protected by Standard Contractual Clauses or an equivalent mechanism approved by the European Commission.

We may update this Privacy Policy from time to time. For material changes — such as collecting new categories of data or changing how data is shared — we will notify you via the app and require you to accept the updated policy before continuing to use the service. The version number and effective date at the top of this page will always reflect the current version.

For privacy questions or data requests:

• Privacy: privacy@musclediary.app
• Support: support@musclediary.app
• Website: musclediary.app