Privacy Policy
Privacy Policy and Data Processing Agreement for Workout Lab - GDPR compliant.
Last Updated: February 2026
1. Data Controller
The data controller responsible for processing your personal data is Workout Lab (“we”, “us”, “our”). For any inquiries regarding your data, please contact us via the in-app “Send me a Message” feature in Settings.
2. Types of Personal Data Collected
We collect and process the following categories of personal data:
- Account Information: Email address, password (encrypted).
- Profile Information: First name, last name, sex, weight history, birthday.
- Workout Data: Exercise logs, workout templates, session history, pain entries, goals and performance metrics.
- Technical Data: Device type, operating system, and app usage analytics (anonymized).
3. Purposes and Legal Basis for Processing
We process your data for the following purposes:
- Contractual Necessity (Art. 6(1)(b) GDPR): To provide the core functionality of the app, including tracking workouts, saving templates, and displaying your history.
- Consent (Art. 6(1)(a) GDPR): For optional features, such as receiving personalized AI-powered workout recommendations (if enabled in the future). You can withdraw consent at any time.
- Legitimate Interests (Art. 6(1)(f) GDPR): To improve our services, fix bugs, and ensure app security.
4. Data Retention
Your personal data is retained for as long as your account is active. If you delete your account, all associated data will be permanently removed from our systems within 30 days, except where we are legally required to retain certain records.
5. Third-Party Data Processors
We share your data with the following third-party processors who act on our behalf:
- Supabase (Database & Authentication): Your account and workout data are stored securely on Supabase servers. Supabase is GDPR-compliant, and data is hosted in AWS data centers in the EU.
- Future AI Services: In the future, we may integrate third-party AI services to provide personalized insights. Before any such integration, we will update this policy and seek your explicit consent where required.
6. International Data Transfers
Your data is primarily stored within the European Union. In cases where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
7. Your Rights Under GDPR
As a data subject in the EU, you have the following rights:
- Right of Access: Request a copy of your personal data.
- Right to Rectification: Correct inaccurate or incomplete data via your profile settings.
- Right to Erasure: Delete your account and all associated data at any time via Settings > Delete Account.
- Right to Data Portability: Export your data in a machine-readable format via Settings > Export Data.
- Right to Object: Object to processing based on legitimate interests.
- Right to Restrict Processing: Request limitation of processing in certain circumstances.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Secure password storage using industry-standard hashing algorithms.
- Encrypted data transmission (HTTPS/TLS).
- Row-Level Security policies on our database to ensure users can only access their own data.
9. Children’s Privacy
This app is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes via the app or email. Continued use of the app after such changes constitutes acceptance of the updated policy.
11. Contact & Complaints
If you have questions or wish to exercise your rights, please contact us via the in-app message feature. You also have the right to lodge a complaint with a supervisory authority in your country of residence.