Privacy Policy

2025-06-03 · v1.1

At Gymia (hereinafter, «the Service»), managed by Samuel Navasardyan Vardanyan as data controller in a personal capacity, we are committed to protecting the privacy of our users. This Privacy Policy describes what personal data we collect, how we use it, who we share it with, and what your rights are under the General Data Protection Regulation (GDPR, EU Regulation 2016/679) and applicable Spanish legislation (Organic Law 3/2018, LOPDGDD).

Personal Data We Collect

  • Account data: Email address, required to create and manage your account, authenticate you, and send you service communications (e.g., OTP verification codes).
  • Profile photos: Profile picture voluntarily uploaded by the user. Stored privately in Supabase Storage with restricted access.
  • Body photos — Fast BodyScan: Body photographs submitted for a fast scan are transmitted through our server and processed by Google Gemini. These images are NOT stored in any system after the analysis is complete; they are permanently discarded once the result is obtained.
  • Body photos — Progress BodyScan: If the user has given explicit consent during the onboarding process, body photographs from progress scans are stored in encrypted, private form in Supabase Storage. These photographs are not accessible by third parties or the Gymia team, except where required by law. The user may delete them at any time from their profile. IMPORTANT NOTE: Body photographs may constitute biometric data within the meaning of Art. 9 GDPR where they allow a person to be uniquely identified. Their processing is based exclusively on the user's explicit consent (Art. 9.2.a GDPR), which may be withdrawn at any time.
  • Usage and training data: Data relating to your training sessions, gym check-ins, points (GymPoints), weekly streak, and metrics derived from BodyScan analyses (symmetry, definition, V-Taper, Hourglass scores, etc.). This data does not include clinical health information.
  • Payment data: Payments are processed entirely by LemonSqueezy (Merchant of Record). Gymia does not store or have access to credit card numbers, bank account details, or any sensitive financial data. LemonSqueezy acts as an independent data controller for payment data.
  • Technical access data (logs): Our backend server (hosted on Render) may automatically record technical data such as IP address, device type, operating system, and timestamps of requests made to the service. This data is used solely to ensure the security, stability, and diagnosis of the service, and is automatically deleted within a maximum of 30 days. It does not contain sensitive user information.
  • Technical cookies: We use strictly necessary cookies for the operation of the service: the Supabase session cookie (authentication) and the language cookie (NEXT_LOCALE). These cookies do not require prior consent as they are technically essential.
  • Advertising cookies: With your prior consent, we use Google AdSense cookies to display relevant advertisements. You may manage or withdraw your consent at any time through the cookie preferences panel accessible from the consent banner.

Legal Basis for Processing

  • Performance of a contract (Art. 6.1.b GDPR): We process your account and usage data in order to provide the service you have subscribed to.
  • Explicit consent (Art. 6.1.a and Art. 9.2.a GDPR): The storage of progress body photographs and the use of advertising cookies are based exclusively on your consent, freely given, specific and informed, obtained during the registration process. You may withdraw this consent at any time without affecting the lawfulness of prior processing.
  • Legitimate interest (Art. 6.1.f GDPR): The temporary analysis of body images to generate BodyScan metrics (Fast Scan) is based on our legitimate interest in providing the core service, given that images are not retained after processing. The recording of technical server logs is also based on legitimate interest to ensure the security and proper functioning of the service.
  • Compliance with legal obligations (Art. 6.1.c GDPR): We may retain certain data where required by applicable tax, commercial, or other legislation.

Third-Party Data Processors

Gymia works with the following providers who may process users' personal data on behalf of the Service or as independent data controllers. Gymia reserves the right to replace or incorporate new providers at any time. When such a change affects the processing of your personal data, you will be notified at least 15 days in advance and this section will be updated accordingly.

  • Supabase: Database, storage, and authentication · European Union (AWS eu-west-3). Acts as a data processor under a signed DPA.
  • Google Gemini (Google LLC): Body image analysis using artificial intelligence · United States (with adequate safeguards: signed Data Processing Addendum). Images are processed under the terms of Google Cloud's Data Processing Addendum (DPA). Activation of billing in Google AI Studio ensures that data is not used for model training. Google may temporarily retain data according to its own retention policies.
  • Google AdSense (Google LLC): Contextual and personalised advertising · United States (with adequate safeguards: EU-US Data Privacy Framework). Only active with prior user consent. May use first- and third-party cookies for ad personalisation.
  • LemonSqueezy: Payment processing (Merchant of Record) · United States. Acts as an independent data controller for payment data. Gymia does not receive or store financial data.
  • Render (Render Services, Inc.): Backend server hosting (NestJS) · United States. Data in transit through the server is processed on Render's infrastructure. Acts as a data processor. Technical logs are automatically deleted within a maximum of 30 days.

Retention Periods

  • Account data (email): For as long as the account is active. Deleted within 30 days following an account deletion request.
  • Progress scan photos: Until the user deletes them manually or deletes their account. No minimum retention period applies.
  • Fast scan photos: Not stored. Permanently discarded after real-time processing.
  • Usage data and BodyScan metrics: For as long as the account is active or until the user deletes them.
  • Technical server logs (Render): Maximum 30 days, automatically deleted.

Your Rights

As a user residing in the EEA, United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Access (Art. 15): Request a copy of the personal data we process about you.
  • Rectification (Art. 16): Request the correction of inaccurate or incomplete data.
  • Erasure / 'right to be forgotten' (Art. 17): Request the deletion of your data. You may do so directly from the app (settings → delete account) or by sending a request to contact@gymia.org.
  • Restriction of processing (Art. 18): Request that we restrict the processing of your data under certain circumstances.
  • Data portability (Art. 20): Receive your data in a structured, commonly used, and machine-readable format.
  • Objection (Art. 21): Object to processing based on legitimate interest.
  • Withdrawal of consent: Withdraw at any time the consent you have given (e.g., for advertising cookies or storage of progress photos) without retroactive effect.
  • Complaint to the supervisory authority: Lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es if you believe that the processing of your data violates applicable regulations.

To exercise any of these rights, contact us at contact@gymia.org stating your name, registered email address, and the right you wish to exercise. We will respond within a maximum of 30 calendar days.

Data Controller

The data controller responsible for processing your personal data is:

  • Name: Samuel Navasardyan Vardanyan
  • Trade name: Gymia
  • Website: https://gymia.org
  • Contact email: contact@gymia.org

As Gymia is not currently constituted as an independent legal entity, the controller acts as a self-employed individual in the exercise of this activity.

Data Protection Officer (DPO)

Gymia is not required to appoint a Data Protection Officer under Art. 37 GDPR, as it is not a public authority, does not carry out large-scale systematic monitoring of individuals, and does not process special category data as a core activity at large scale. For any queries related to data protection, you may contact the data controller directly at contact@gymia.org.

Minimum Age Requirement

The Service is intended exclusively for individuals aged 18 or over. By registering, you confirm that you are at least 18 years of age. If we become aware that a user is under 18, we will delete their account and all associated data immediately. If you are a parent or legal guardian and believe your minor child has created an account, please contact us at contact@gymia.org.

International Data Transfers

Some of our providers are located outside the European Economic Area (EEA), particularly in the United States. Such transfers are carried out under appropriate safeguards in accordance with Art. 46 GDPR, including Standard Contractual Clauses (SCCs) approved by the European Commission and, in the case of Google, the EU-US Data Privacy Framework (DPF).

Security Breach Notification

In the event of a security breach that may pose a risk to users' rights and freedoms, Gymia will notify the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours of becoming aware of it, in accordance with Art. 33 GDPR. If the breach entails a high risk for the affected users, they will be informed directly and without undue delay, in accordance with Art. 34 GDPR.

Data Security

We apply appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss or destruction, including: storage in private buckets with row-level security (RLS) in Supabase, data transmission via HTTPS/TLS, and restricted access to photographs via short-lived signed URLs.

Cookie Policy

We use cookies and similar technologies. Technical cookies are necessary for the operation of the Service and do not require your consent. Advertising cookies (Google AdSense) will only be activated if you give your explicit consent through the cookie banner that appears on your first visit. You may modify your preferences at any time via the 'Manage cookies' link available in the site footer.

Changes to this Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you via an in-app notice or by email at least 15 days in advance. The date of the last update is always shown at the top of the document.

Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, you can contact us at:

  • Email: contact@gymia.org
  • Website: https://gymia.org