What the app collects, and why.
Plain language. No legalese. We don't sell data and we don't serve ads. This policy covers the ChatGymity mobile app. For the marketing website at chatgymity.com, see our Site privacy.
ChatGymity is operated by Lootlift Ltd, registered in Israel, company number 517097937. Effective: May 4, 2026. Last updated: May 4, 2026.
What the app collects
When you create a ChatGymity account and use the app, we store:
- Account info — name, email, sign-in provider (Apple, Google, or email), and authentication tokens.
- Profile — date of birth (used to verify you're 13 or older), height, weight, training goals, and any optional measurements you log.
- Training data — workouts, sets, reps, weights, durations, session notes, and any progress photos you choose to upload.
- Conversations & AI memory — chats with the in-app coach and the long-term notes the coach builds about your training. Scoped to your account only.
- Subscription state — your current plan and renewal status, received from Apple or Google via RevenueCat. We do not see your card details or your store password.
- Crash & error reports — pseudonymous stack traces and metadata sent to Sentry. Chat content and email addresses are filtered out by our redactor before being sent.
Device permissions the app may ask for
The app requests these only when you use the related feature, and you can revoke any of them from your device's settings at any time.
- Camera — to take progress photos. Photos stay on your device unless you choose to save them to your account.
- Photo library / storage — to pick existing photos for progress tracking and to save edited images back to your gallery.
- Microphone — for voice input to the AI coach. When you use voice features, your audio is sent to our AI providers as part of your prompt for transcription and is not retained after that request.
Why we process your data (legal basis)
If you live in the EU, UK, Israel, or other jurisdictions with similar law, the following are the lawful bases under which we process your data:
- Contract performance — your account, profile, training data, AI conversations, and subscription state. We need these to deliver the service you signed up for.
- Legitimate interest — crash and error reports for fixing bugs, basic security and fraud prevention.
- Explicit consent — for processing data that may be considered health-related (see below). You give this consent when you create an account, and you can withdraw it at any time by deleting your account.
- Legal obligation — tax and accounting records related to subscription payments.
Health-related data and explicit consent
Some of what the app collects — body weight, measurements, progress photos, training data, and the AI coach's notes about your training — may be considered special-category data under GDPR Article 9 because it relates to your physical condition. Equivalent rules exist under Israel's Privacy Protection Law and other regional privacy laws.
By creating a ChatGymity account, you give us your explicit consent to process this data for the sole purpose of operating the app for you (training plans, progress tracking, AI coaching). You can withdraw this consent at any time by deleting your account from Settings → Delete Account, after which we cascade-delete the data as described below.
Automated decision-making
Your training plans, AI coach replies, and any other AI-generated content are produced by automated systems (OpenAI, Google Gemini). These outputs are informational suggestions — they do not produce legal effects or similarly significant effects on you (no decisions about your finances, employment, medical treatment, or legal rights are made automatically).
Under GDPR Article 22 you have the right to obtain human intervention regarding any automated output, contest it, or express your point of view. To exercise this right, email us at the address below.
Third parties that process your data
Running ChatGymity requires a small set of providers. Each is listed with what they handle and roughly where the processing happens:
- Supabase (EU, Frankfurt) — primary database and file storage for your account, training logs, conversations, and photos.
- OpenAI and Google (Gemini) (US) — AI inference for chat replies and plan generation. Your relevant context (recent training, your prompt) is transmitted to these providers and may be processed in the United States. We do not authorize them to train models on your data.
- RevenueCat (US) — subscription state, device identifiers, and webhook delivery between the app stores and our backend.
- Apple and Google — payments and sign-in. Google additionally provides Firebase Cloud Messaging infrastructure for any push notifications the app may send in the future.
- Sentry (EU) — crash and error reporting.
- DigitalOcean — application hosting for our backend API.
International data transfers
Our database and crash reporting are EU-hosted. AI inference (OpenAI, Gemini) processes your prompt context in the United States. Lootlift Ltd is registered in Israel; the European Commission has issued an adequacy decision for Israel, so EU→Israel transfers are permitted without additional safeguards. The relevant US providers commit to EU-compliant safeguards such as Standard Contractual Clauses. By using ChatGymity, you consent to these transfers.
How long we keep your data
Account data is kept for as long as your account exists. When you delete your account from Settings → Delete Account, the following are immediately removed from our infrastructure:
- Your account row and authentication identifiers
- Profile, training logs, measurements, and photos (originals and resized variants — both database rows and the underlying Storage files)
- Conversations and AI memory
- Subscription state on our side (Apple or Google still hold the payment record on their end)
A small set of post-deletion records is retained for legitimate fraud-prevention and legal-compliance purposes:
- Account-deletion fingerprints — pseudonymous hashes of your email, Google ID, and Apple ID, kept to prevent abuse (such as creating a new account to evade restrictions). The hashes cannot identify you on their own; they only match a future signup using the same identifier. Lawful basis: legitimate interest in fraud prevention.
- Subscription audit log — webhook payloads from RevenueCat (the events that flipped your tier) are retained for tax compliance and fraud prevention, in line with Israeli legal record-keeping requirements (minimum 7 years). Your direct user identifier in this log is nulled at deletion; the original webhook payload from the store may still contain your store-side user ID. Lawful basis: legal obligation + legitimate interest.
- Pseudonymous crash reports may persist in Sentry per its retention policy (30 days on the tier we use).
You can request earlier deletion of your fingerprints by emailing us at the address below; we may decline only if there is an active fraud or abuse signal that requires preserving the record.
Your rights
Wherever you live, you can:
- Access & export — download a complete archive of your data from Settings → Download my data, or by emailing us. The export is a ZIP containing your profile, training logs, weights, body measurements, chat transcripts, and your progress photos as JPEG files (one per photo, embedded in the archive). AI-generated content (training plans, the coach's long-term notes, computed insights) is not included — it's data we derived, not data you provided, and is outside the scope of GDPR Art. 20's data-portability right.
- Correct — edit any of your profile or training data directly in the app.
- Delete — wipe your account from Settings → Delete Account, or by emailing us.
- Withdraw consent — for any processing based on consent, including the explicit consent for health-related data described above.
- Lodge a complaint — with your local data protection authority if you believe we've mishandled your data.
EU/UK users: rights under GDPR. California users: see “Do not sell” below. Israeli users: rights under the Privacy Protection Law, 5741-1981 (תשמ"א-1981), including access and correction.
California (CCPA): “Do not sell or share my personal information”
We do not sell your personal information and we do not share it for cross-context behavioral advertising. The data we collect is used only to operate ChatGymity for you. If you have any concerns, email us using the address below.
Children
ChatGymity is for users aged 13 and older. The app blocks profile setup if the date of birth you enter indicates an age below 13, and our backend rejects any account update that would result in a sub-13 profile. If we discover that a user is under 13 we delete the account and all data we collected during sign-up.
We do not knowingly collect data from anyone under 13. If you believe a child under 13 has provided us data, please email us and we'll delete it.
Security
All traffic between the app and our backend is encrypted with TLS. Data at rest is encrypted on Supabase. Row-level security policies ensure your data is only readable by your account. Photos are served through signed, time-limited URLs (not public).
Data breach notification
If we discover a breach affecting your personal data, we will notify the relevant data protection authority within 72 hours where required by law (e.g., GDPR Article 33), and we will notify you directly when the breach poses a high risk to your rights or freedoms.
EU representative
Lootlift Ltd is registered in Israel and offers ChatGymity in the EU and EEA. Under GDPR Article 27, we are appointing an EU-based representative as the point of contact for European data subjects and supervisory authorities. The representative's name and contact details will be published here before public launch in the EU.
Until then, EU users can exercise their data-protection rights directly with us at the email below; we will respond promptly and forward any required matters to the appointed representative once available.
Removing your data
The fastest way is in the app: Settings → Delete Account. Or email us at nidal.nawatha@lootlift.com and we'll wipe your record from our database, our email provider, and any cached storage. Usually same day.
Changes to this policy
If this page changes meaningfully, we'll update the “Effective” and “Last updated” dates at the top. For material changes that affect existing users, we'll send an email or in-app notice.
Contact
Privacy questions, deletion requests, or anything else: nidal.nawatha@lootlift.com.