Only what is necessary to run gymmit. is collected. Personal information is never sold to third parties.
Data can be accessed, updated, exported, or permanently deleted at any time from within the app.
Data is only shared with trusted service providers necessary to operate the platform — never for advertising.
Health metrics, body stats, and nutrition data are treated with extra care and strict access controls.
Contents
gymmit. is a fitness and social tracking application developed and operated by nonch. development. This Privacy Policy explains how personal information is collected, used, stored, and protected when gymmit. is used, and what rights users hold in relation to that data.
By creating an account and using gymmit., the user acknowledges that they have read and understood this Privacy Policy. This policy forms part of the Terms of Service.
During onboarding, users may optionally provide:
This data is used to personalise the experience. It is not required to use the core app.
gymmit. does not collect or store payment card details — all payments are handled entirely by Apple. The following subscription-related data is stored to determine which features an account can access:
This data is received via webhook from RevenueCat, our subscription management provider, and is stored securely on our servers. It is used solely to grant or revoke access to Gymmit Pro features.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the service | All account, workout, nutrition, and content data | Contract performance |
| Personalisation | Fitness profile, goals, history | Contract / Legitimate interest |
| Social features | Profile, posts, follows | Contract performance |
| Subscription management | Subscription status, entitlement data, billing period | Contract performance |
| Content moderation | Uploaded media (scanned, not retained by moderation provider) | Legitimate interest / Legal obligation |
| Push notifications | Notification token, activity triggers | Consent |
| Bug reports & support | Error logs, user-submitted descriptions | Legitimate interest |
| Security & fraud prevention | Account data, usage patterns | Legitimate interest / Legal obligation |
| Legal compliance | Data as required by law | Legal obligation |
Data is not used for advertising purposes. gymmit. does not display ads and does not share personal data with advertising networks or data brokers.
Personal data is not sold. Data is shared only in the following limited circumstances:
Trusted third-party providers are used to operate gymmit. These providers only process data on behalf of nonch. development, according to its instructions, and are bound by strict data protection agreements:
Data may be disclosed if required to do so by applicable law, court order, or governmental authority, or to protect the rights, property, or safety of nonch. development, users, or the public.
If nonch. development is involved in a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. Users will be notified via in-app notification or email if this occurs and given the opportunity to delete their account beforehand.
Content marked as "Public" (posts, workout shares, username, profile picture) is visible to other gymmit. users. Privacy settings can be changed at any time to switch posts or a profile to private.
Uploaded media is stored securely in cloud storage provided by Supabase. Access is restricted to authenticated users with the appropriate permissions. Signed, time-limited URLs are used to serve media.
All uploaded images are passed through an automated AI moderation service (powered by OpenAI) to detect prohibited content. Images are analysed in real time and not stored by OpenAI — only the moderation result is retained.
When a post or account is deleted, associated media files are queued for removal. Media may persist in backups for up to 30 days following deletion.
Images or videos of other people must not be uploaded without their consent. If a user appears in content uploaded by another user and wishes to have it removed, contact details are in Section 13.
How data is visible to others depends on user settings:
| Data | Default Visibility | Changeable? |
|---|---|---|
| Username & display name | Public | Via profile settings |
| Profile photo | Public | Via profile settings |
| Posts | Public or Private (chosen per post) | Yes — per post toggle |
| Workout history | Private (only shown if shared in a post) | Shared via post creation |
| Weight / body metrics | Private | Via settings toggle |
| Calorie data on feed | Visible to followers (if post is public) | Via settings toggle |
| Follow list | Visible to followers | Limited controls |
| Streak data | Visible if shared in a streak post | Via post privacy settings |
| Subscription status | Private | Not shared with other users |
Privacy settings can be reviewed and updated at any time via Settings → Privacy.
Data is retained for as long as an account is active or as needed to provide the service:
When an account is deleted via Settings → Account Management → Delete Account, the deletion process begins immediately. Anonymised or aggregated data that cannot identify a user may be retained indefinitely.
Depending on location, users may hold the following rights in relation to their personal data:
Request a copy of the personal data held.
Correct inaccurate data via profile settings.
Request deletion of personal data.
Request an export of data in a machine-readable format.
Request limited processing in certain circumstances.
Object to processing based on legitimate interests.
Withdraw consent for processing relying on consent (e.g. notifications).
Lodge a complaint with a local data protection authority.
To exercise any of these rights, contact nonch. development using the details in Section 13. Responses will be provided within 30 days.
Industry-standard security safeguards are implemented including:
No method of transmission or storage is 100% secure. While every reasonable precaution is taken, absolute security cannot be guaranteed. If an account is suspected to be compromised, the password should be changed immediately and nonch. development contacted.
In the event of a data breach likely to result in risk to user rights and freedoms, users and applicable regulatory authorities will be notified as required by law, without undue delay.
gymmit. is not directed at children under the age of 13. Personal information is not knowingly collected from children under 13. If it is believed a child under 13 has created an account without parental consent, contact nonch. development immediately and the account and associated data will be deleted.
Users aged 13–17 are considered minors and must have parental or guardian consent to use gymmit. Parents are recommended to review the data their children share on the platform and use the available privacy settings to limit public visibility. In-app purchases by users under 18 require parental approval through Apple's Family Sharing controls.
gymmit. integrates with the following third-party services, each of which has its own privacy policy:
gymmit. is not responsible for the privacy practices of these third-party services. Data shared with them is limited to what is strictly necessary for their respective functions.
This Privacy Policy may be updated from time to time to reflect changes in practices, legal requirements, or the services offered. When material changes are made, users will be notified via push notification, in-app alert, or email at least 14 days before the changes take effect.
Continued use of gymmit. after updates become effective constitutes acceptance of the revised policy.
For any privacy-related questions, data requests, or concerns:
nonch. development
In-app: Settings → Report a Bug
Email: gymmit@nonch.uk
Responses to all data rights requests will be provided within 30 days of receipt. For subscription billing issues, contact Apple directly at reportaproblem.apple.com. See the Terms of Service for the full conditions of using gymmit.