Privacy policy
Last updated: May 20, 2026
1. Data controller
The controller of personal data within the meaning of the GDPR is Michał Rożenek, ul. Radlińskie Chałupki 123A, 44-313 Wodzisław Śląski, Poland, NIP: 6472505696, REGON: 243202020 (the “Controller”, “we”, “us”). Privacy contact: rozenekdev@gmail.com. This policy explains how we process data of users of the Steelz website and Steelz mobile app.
2. Data we process
We process account data such as user ID, email address, profile name, Google or Apple sign-in provider, provider account ID, and subscription tier. We process workout data saved in the app and synchronized with the backend: workout and routine names, selected exercises, sets, reps, weights, rest times, workout duration, workout history, and personal bests.
We also process technical and security data such as IP address, server logs, API request information, session tokens, refresh token hashes, account creation date, and basic information needed to provide Premium subscription features. Body measurement data is stored only locally on the user's device and is not sent to our servers.
3. Purposes and legal bases (GDPR)
We process data to create and maintain accounts, enable sign-in, synchronize data across devices, save workout history, provide Premium features, and deliver app functionality — Art. 6(1)(b) GDPR. We process technical data, logs, tokens, and security information to protect accounts, prevent abuse, detect errors, and keep the service secure — Art. 6(1)(f) GDPR.
We process data required by law, in particular for billing, complaints, or tax obligations, under Art. 6(1)(c) GDPR. We process data needed to establish, exercise, or defend legal claims under Art. 6(1)(f) GDPR. If we introduce marketing or analytics that requires consent in the future, we will process data for those purposes only after obtaining the required consent — Art. 6(1)(a) GDPR.
4. Google and Apple sign-in
If you sign in with Google or Apple, the app sends a token from the selected provider to our backend, and the backend verifies it with that provider. We receive data needed to confirm identity, in particular the provider account ID, email address, and, if provided by the provider, profile name. We do not have access to your Google or Apple account password.
For Apple sign-in, we may store an encrypted provider token required to revoke access when an account is deleted. For Google sign-in, access revocation is handled by the mobile app after the user deletes their account.
5. Backend synchronization and security
Account, routine, workout, and personal best data is synchronized with the Steelz backend so users can use their account across devices, keep a backup of workout history, and use statistics. The backend API is hosted on Render in the Frankfurt region, and the database is hosted on Neon in the Frankfurt region.
Data is transmitted using TLS encryption. Refresh tokens are stored in the backend as cryptographic hashes and are rotated. In the mobile app, tokens are stored in the device's secure system storage.
6. Subscriptions and RevenueCat
We use RevenueCat and Apple App Store and Google Play payment mechanisms to manage subscriptions and access to Premium features. We do not process full payment card details. We receive and store information needed to recognize Premium entitlements, such as subscription status, transaction identifiers, validity dates, product, and renewal or expiration information.
Deleting a Steelz account does not always cancel an auto-renewing subscription handled by the store operator. If the store continues to manage the subscription, it must also be cancelled in Apple ID or Google Play settings.
7. Notifications
As of the last update, the app does not use push notifications. If we introduce notifications in the future and the user enables them, we may process a device token and notification preferences only to deliver selected messages. The user will be able to turn notifications off in the app or system settings.
8. Retention periods
We keep account, workout, routine, preference, personal best, and subscription data for as long as the account exists, and then delete it when the account is deleted, except for data that we are required or permitted to keep by law.
After account deletion, we may retain a minimal technical record confirming that deletion was completed, including the technical identifier of the deleted account, deletion request and completion dates, request source, subscription tier at deletion, hashed sign-in provider identifier, and account creation date. This record does not include email address, name, workout history, routines, or preferences, and is kept to prevent abuse and defend legal claims for 3 years from account deletion, unless longer retention is necessary due to an ongoing dispute or legal obligation.
We generally keep technical logs for 90 days, unless longer retention is necessary to investigate a security incident, prevent abuse, or pursue claims. Subscription billing data is kept for 5 years from the end of the tax year in which the tax obligation arose, or for another period required by applicable law.
9. Account deletion
You can delete your account in the app's account settings or contact us at the address listed in this policy. Account deletion includes deletion of personal data linked to the account, including profile, tokens, workout history, custom routines, preferences, and personal bests, except for limited data retained in accordance with law.
10. Data recipients
Data may be shared with providers supporting the service: Render as the API hosting provider, Neon as the database provider, RevenueCat as the subscription management provider, Apple and Google as sign-in providers and app store operators, and providers of technical, legal, accounting, or security services where needed to operate the service or comply with legal obligations.
We do not sell your personal data. We currently do not use Firebase, Sentry, Expo push notifications, Google Analytics, Firebase Analytics, Meta Ads, or Google Ads.
11. Transfers outside the EEA
The core backend and database infrastructure for the service launch operates in the Frankfurt region within the European Economic Area. Some providers, in particular Apple, Google, and RevenueCat, may process data outside the European Economic Area. In such cases we use mechanisms required by the GDPR, in particular adequacy decisions, standard contractual clauses, or other legally permitted safeguards.
12. Your rights
You have the right to access, rectify, erase, restrict processing of, and port your data, object to processing based on legitimate interests, and withdraw consent at any time where processing is based on consent. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
You also have the right to lodge a complaint with a supervisory authority. In Poland this is the President of the Personal Data Protection Office. To exercise your rights, contact us at the address listed in this policy. We may ask for information needed to confirm the identity of the person making the request.
13. Voluntary provision of data
Providing data required to create an account and use the app is voluntary, but necessary to provide the service. Without this data we cannot create an account, synchronize workouts, manage Premium subscriptions, or provide Steelz's core features.
14. Automated decisions
We do not make decisions about users solely by automated means, including profiling within the meaning of Art. 22 GDPR, that produce legal effects or similarly significantly affect them.
15. Cookies and similar technologies
The Steelz website may use technologies necessary for website operation, security, and remembering basic settings. As of the last update, we do not use analytics or advertising cookies. If we introduce analytics, advertising, or other technologies that are not necessary for the website to function, we will implement an appropriate consent mechanism where required by law.
16. Children and minimum age
Steelz is not directed to children. People under 16 may use the app only with consent and under the supervision of a parent or legal guardian. If we learn that we process data of a person under 16 without the required legal basis or guardian consent, we may ask for confirmation of consent or take steps to delete the account.
17. Policy changes
We may update this privacy policy when the app, service providers, laws, or data processing practices change. The current version will be available on the Steelz website and in the app.
18. Privacy contact
For privacy matters, write to the address listed in the “Data controller” section. Please limit the message to information necessary to handle your request.