Privacy Policy.
Last updated: June 21, 2026
1. Data Controller
The controller of your personal data is:
Tomasz Guziak
ul. Sandomierska 13/120, 26-611 Radom, Poland
Tax ID (NIP): 9482630105
Email: support@gryndapp.com
2. Information We Collect
To provide our services, we collect the following data:
- Account: Email address and authentication data. If you use external login options (Apple, Google), we receive your identifier and email address (which may be a proxy address if you use Apple's "Hide My Email" feature).
- Training data: Training plans, exercises, sets, repetitions, body weight, and measurements that you manually enter into the application.
- AI Interactions: Your chat messages and conversation logs with the AI assistant (see Section 5).
- Subscription data: Anonymous user identifier and purchase history necessary to manage access to premium features.
- Diagnostic data: Application crash reports and performance data, in anonymized form.
- Push notifications: Device token required to send training reminders.
- Wearable device data (optional): If you choose to connect the app to Apple Health (iOS) or Health Connect (Android), we read — in read-only mode only — selected daily activity and recovery indicators such as heart rate variability (HRV), resting heart rate, respiration, oxygen saturation (SpO2), sleep, and steps. The connection is entirely voluntary, requires a separate permission in the Apple/Google system prompt, and you can disable it at any time in your device settings. These indicators are used solely to present a general overview of your activity and well-being and for an optional, informational and motivational AI analysis — they are not used for medical, diagnostic, treatment, or health-monitoring purposes.
3. Legal Basis for Processing
We process your data based on the following legal grounds (GDPR):
- Account and authentication data: Art. 6(1)(b) — necessary for the performance of a contract (providing the service).
- Training data: Art. 6(1)(b) — necessary for the performance of a contract (training personalization).
- AI Interactions: Art. 6(1)(a) — explicit user consent (in-app opt-in before first use of AI features).
- Wearable device data: Art. 9(2)(a) — explicit consent (given the possible classification as a special category of data). We process it only after you voluntarily connect a device, and for the optional AI analysis under the same consent to AI features. You may withdraw consent at any time in Settings.
- Subscription data: Art. 6(1)(b) — necessary for the performance of a contract (providing premium features).
- Diagnostic data: Art. 6(1)(f) — legitimate interest of the controller (ensuring application stability).
- Push notifications: Art. 6(1)(a) — user consent (system permission prompt).
4. Use of Data
Your data is used exclusively for the following purposes:
- Ensuring proper application functionality and maintaining your account.
- Personalizing your training experience, including artificial intelligence features.
- Presenting a general overview of your activity and well-being and an optional weekly AI analysis (after you connect a device and give consent).
- Sending notifications related to your training schedule.
- Processing and managing subscription purchases.
- Diagnosing and fixing technical issues.
- Providing technical support.
Your data is not used to train artificial intelligence models.
5. Artificial Intelligence (AI) Features
The Application offers an optional AI assistant that generates personalized suggestions and analyses based on your data, as well as automated content moderation. Use of this feature requires explicit consent, which you may grant or withdraw at any time in the Settings.
After granting consent, the content of your messages is transmitted to external AI service providers based in the United States for the purpose of generating responses and automated content moderation. These providers operate under data processing agreements (Art. 28 GDPR) and EU Standard Contractual Clauses (see Section 8), and are contractually obligated to: (a) not process your data for purposes other than providing the service, (b) not use it to train artificial intelligence models, and (c) not retain the content of your queries after the response is generated (zero-retention principle).
Premium features also include an optional weekly AI overview of your activity and well-being. If you use it, then — after you have consented to AI features — selected indicators from your connected device (e.g., HRV, resting heart rate, sleep) may also be transmitted to the same providers, under identical terms (data processing agreement, Standard Contractual Clauses, zero retention, no model training). This overview is informational and motivational only — it is not medical advice, a diagnosis, or health monitoring.
As part of the premium "Visual Analysis" feature, you may voluntarily upload a single photo or short video to receive non-binding training feedback. The file is processed in real time by the same AI providers (Section 6) solely to generate the analysis and is not retained by us — we do not store it in our database. The feature requires the same consent to AI features, is available only on paid plans, and is informational only (see Section 10).
The AI assistant generates suggestions and analyses based on your training data (profiling within the meaning of Art. 4(4) GDPR). These suggestions are advisory only — we do not make automated decisions producing legal effects concerning you or similarly significantly affecting you within the meaning of Art. 22 GDPR. Final training decisions always remain yours.
AI-generated suggestions are informational only and do not replace professional medical advice (see Section 10). You may report concerns or errors regarding AI responses at any time using the "Report" button available next to each AI message in the chat, or by contacting us at support@gryndapp.com — your report will be reviewed by a human.
6. Data Recipients (Sub-Processors)
Your data is shared with the following sub-processors acting under data processing agreements:
- Supabase Inc. — cloud infrastructure (EU-region database): account, training data, chat history.
- RevenueCat Inc. — premium subscription management.
- OpenRouter Inc. (USA) — gateway providing access to artificial intelligence models, together with its sub-processors hosting those models in the United States, operating under a data processing agreement (DPA) and OpenRouter's Standard Contractual Clauses; only after consent is granted and without using your data to train models.
- OpenAI OpCo LLC — automated moderation of content sent to AI (only after consent is granted).
- Functional Software Inc. dba Sentry — application error and performance diagnostics.
- Apple Inc. — App Store, Sign in with Apple, and push notification delivery (APNs).
- Google LLC — Sign in with Google, Google Play, and semantic embeddings for exercise search (Gemini API).
The content of your AI queries (and, for the optional health analysis, selected indicators from your connected device) is processed on servers in the United States under EU Standard Contractual Clauses (SCCs) — see Section 8 for details. We do not transfer AI-feature data to countries that do not ensure an adequate level of protection required by the GDPR. We may change AI models and service providers from time to time (e.g., to improve quality or reduce cost), and the current list of specific sub-processors may change — material changes will be announced in the application and via the "Last updated" date of this Policy, and any new sub-processor will be bound by equivalent safeguards (processing only in countries ensuring an adequate level of data protection).
7. Data Security
Your primary data (account, training, chat history) is stored on cloud infrastructure located in the European Union. We apply rigorous access policies (Row Level Security), ensuring that only you have access to your personal training data. All communication between the application and servers is encrypted using HTTPS/TLS protocol.
We do not sell, rent, or share your data with third parties for marketing purposes.
We do not display in-app advertisements and do not use advertising identifiers. On iOS devices, solely to measure the effectiveness of our own advertising campaigns run outside the application, we use Apple's SKAdNetwork framework. It provides the advertising platform (Meta Platforms Ireland Ltd.) only with aggregated, non-identifying statistical data (e.g., the fact that the app was installed from a given campaign) — without advertising identifiers, without a tracking prompt (ATT), and without tracking you across other apps and services. On Android devices we do not transmit any such data.
8. International Data Transfers
Your data may be transferred to third countries outside the European Union / European Economic Area. Such transfers are conducted pursuant to Standard Contractual Clauses (SCCs) approved by the European Commission under Art. 46(2)(c) GDPR, ensuring an adequate level of data protection.
For AI features, the content of your messages — and, in the case of the optional health analysis, selected indicators from your connected device — is transferred to trusted AI service providers in the United States (see Section 6). This transfer is carried out on the basis of EU Standard Contractual Clauses (Art. 46(2)(c) GDPR), supplemented by the providers' contractual commitments to zero data retention and a prohibition on using the data to train artificial intelligence models. Regardless of the transfer mechanism, processing of your data by AI takes place only after you have given your explicit consent (Art. 6(1)(a) GDPR), which you may withdraw at any time in the application Settings. We do not transfer AI-feature data to countries not covered by the appropriate safeguards provided for in the GDPR.
9. Data Retention Period
- Account and training data: Retained for the duration of your use of the application.
- AI chat history: Retained for the duration of your use of the application; you can delete it manually at any time.
- Wearable indicators and AI analysis results: Retained for the duration of your use of these features and deleted together with your account; you can disable the device connection at any time in your system settings.
- Content moderation logs: Retained for 90 days for safety purposes.
- Diagnostic data: Retained for up to 90 days for application stability analysis.
- After account deletion: All personal data is permanently deleted within 30 days, except for information required by tax and accounting laws (regarding subscription purchases), retained according to applicable legal requirements.
10. Medical Disclaimer (AI Disclaimer)
The AI features — including training suggestions, the weekly overview of your activity and well-being, and the visual analysis of uploaded photos and videos — are generated solely from the available data and are educational, informational, and motivational in nature only. They do not constitute professional medical advice, diagnosis, treatment, or health monitoring, and should not be the basis for any health-related decisions. Wearable indicators (e.g., HRV, heart rate, sleep) are shown for general reference and may differ from measurements taken with medical-grade equipment. Always consult a physician before starting a new diet or training plan. You use the application at your own risk.
11. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access — you may obtain information about your processed data (Art. 15).
- Right to rectification — you may correct inaccurate data (Art. 16).
- Right to erasure — "right to be forgotten" (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability — you may receive your data in a machine-readable format (Art. 20) — available from within the application Settings.
- Right to object to processing (Art. 21).
- Right to withdraw consent for AI data processing at any time (Settings → AI Consent in the application).
- Right to lodge a complaint — you may file a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl, or with the supervisory authority in your country of residence (if you reside in another EU member state).
To exercise any of these rights, contact us at: support@gryndapp.com. We will respond within 30 days.
12. Account Deletion
You have full control over your data. You can permanently delete your account and all associated training logs and AI conversations directly from within the application (Profile → Settings → Delete Account). Deletion is irreversible.
13. Children and Minors
The Application is intended for users who are at least 13 years old. If you reside in the European Economic Area and are under 16, parental or legal guardian consent is required to use the Application (Art. 8 GDPR). If we discover that an account has been created by a person below the applicable age without the required consent, it will be deleted.
14. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy. We will notify you of material changes (e.g., expansion of data processing scope, new processing purposes, new categories of recipients) via in-app notification or the email address associated with your account, with reasonable advance notice. Editorial or clarifying changes take effect upon publication of the updated version on this page with a new update date. Continued use of the Application after changes are published constitutes acceptance of those changes.
15. Governing Law
This Privacy Policy is governed by the laws of the Republic of Poland and the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).
16. Contact
For questions regarding privacy or personal data processing, please contact us at:
support@gryndapp.com