Privacy Policy
Last updated: March 31, 2026
1. Overview
Trainer Gym AI ("the App") is designed with privacy as a core principle. Your personal data stays on your device. This Privacy Policy explains what data we collect, how we use it, and your rights.
The App is developed by Iago Cavalcante ("we", "us"), an independent developer based in Brazil. We comply with the Brazilian General Data Protection Law (LGPD) and, where applicable, the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Data We Do NOT Collect
The following data is stored ONLY on your device and is never transmitted to our servers:
- Your name, age, email, gender
- Body measurements (height, weight, and other body measurements)
- Workout history, exercise logs, sets, reps, weight data
- Streak data and training patterns
- Training type and onboarding responses
- Personal records and analytics data
We have no way to access, view, or recover this data. If you delete the App, this data is permanently lost.
3. Data We DO Process
3.1 Third-Party AI Data Sharing (with explicit consent)
This App shares personal data with OpenAI, Inc. (San Francisco, USA), a third-party artificial intelligence service provider, to generate personalized workout plans. Specifically, we use OpenAI's GPT-4o-mini model accessed via their API.
Data sent to OpenAI and its specific purpose:
- Physical profile (age, gender, height, weight) — used to calibrate exercise intensity and training volume appropriate for the user's body
- Health conditions and injuries — used to avoid contraindicated exercises and ensure safe training recommendations
- Body measurements (if voluntarily provided) — used for progression tracking recommendations
- Training preferences, goals, and availability — used to personalize the workout plan structure, exercise selection, and scheduling
- Training history summary (anonymous aggregated metrics only: adherence rate, volume trends, detected plateaus) — used to adapt plan difficulty and progression
Data NOT sent to OpenAI: Email address, full name, payment information, device identifiers, or any data that could directly identify you outside the fitness context.
How data is transmitted:
Your data is sent from the App to our secure proxy server (hosted on Cloudflare Workers) over HTTPS. The proxy server forwards the request to the OpenAI API over HTTPS. The proxy server does not store, log, or retain any personal data — it only forwards requests and returns responses.
Consent and control:
- Legal basis: Explicit, informed consent. Before any data is sent to OpenAI, the App presents a detailed consent screen that identifies exactly what data will be shared, who it will be shared with, and for what purpose. You must actively agree before any data is transmitted.
- Revocation: You can revoke your consent at any time in the App's Privacy & AI Consent settings. Once revoked, no further data will be sent to OpenAI. Your existing workout plans will continue to work locally.
- No data is shared before consent is granted. The consent screen appears after onboarding data collection but before any data is transmitted to OpenAI.
Data retention by OpenAI:
OpenAI processes the data exclusively to generate the workout plan response and does not retain personal data after processing, per their API Data Usage Policy. Specifically: data sent via the API is not used to train or improve OpenAI's models. OpenAI may retain API inputs/outputs for up to 30 days for abuse monitoring, after which they are deleted.
OpenAI's data protection:
OpenAI, Inc. maintains data protection standards that provide equivalent or greater protection to the data shared by this App. OpenAI is SOC 2 Type II certified, encrypts data in transit and at rest, and processes API data in accordance with their Privacy Policy and Terms of Use. For EU data subjects, OpenAI provides Standard Contractual Clauses (SCCs) for international data transfers.
3.2 Anonymous Analytics
We use PostHog for anonymous usage analytics. Events tracked include:
- App opens, screen views, feature usage (e.g., "workout completed", "plan generated")
- Training type selected, purchase events
- Error events for debugging
What is NOT tracked: Names, emails, workout details, exercise names, body measurements, or any personally identifiable information.
Legal basis: Legitimate interest (product improvement). Analytics are disabled in development mode.
PostHog's privacy: PostHog is hosted in the US/EU. See PostHog Privacy Policy.
3.3 OTA Update Checks
The App checks for Over-the-Air updates via Expo's update service. This transmits:
- App version and runtime version
- Platform (iOS/Android)
- Update channel identifier
No personal data is included in update checks. See Expo Privacy Policy.
3.4 Exercise GIF Data
Exercise demonstration GIFs are fetched from the ExerciseDB API. These requests include only the exercise name — no personal data is transmitted.
4. Local Notifications
The App may send local notifications (training reminders, streak alerts, progress celebrations). These are:
- Generated and scheduled entirely on your device
- Based on your local training pattern data
- Not sent through any external push notification service
- Controllable through your device's notification settings
You can deny notification permission at any time. The App functions fully without notifications.
5. In-App Purchase Data
Purchases are processed entirely by Apple (App Store) or Google (Play Store). We do not collect, process, or store any payment information. We receive only a confirmation that a purchase was made.
6. Children's Privacy
The App is not intended for children under 18. The onboarding process requires users to be at least 18 years old. We do not knowingly collect data from minors.
7. Your Rights
All Users
- Revoke AI consent: In-app Privacy settings. Stops all AI data transmission.
- Delete local data: Uninstall the App or use the in-app reset options.
- Disable analytics: Contact us to opt out of PostHog tracking.
- Disable notifications: Through device settings at any time.
Brazilian Users (LGPD)
Under the LGPD, you have the right to: access your data, correct inaccurate data, request anonymization or deletion, be informed about data sharing, revoke consent, and file complaints with the ANPD (National Data Protection Authority).
EU/EEA Users (GDPR)
Under the GDPR, you have the right to: access, rectification, erasure, data portability, restriction of processing, objection to processing, and to lodge a complaint with your supervisory authority.
California Users (CCPA)
We do not sell personal information. You have the right to know what data is collected, request deletion, and not be discriminated against for exercising your rights.
8. Third-Party Services
| Service | Purpose | Data Sent |
|---|---|---|
| OpenAI, Inc. — GPT-4o-mini (via Cloudflare Worker proxy) | AI workout plan generation | Physical profile, health conditions, training preferences, aggregated history (with explicit consent; see Section 3.1) |
| PostHog | Anonymous analytics | Usage events (no PII) |
| Expo | OTA updates | App version, platform |
| ExerciseDB | Exercise GIFs | Exercise name only |
| RevenueCat | Purchase management | Anonymous purchase status |
| Apple / Google | App distribution, payments | Per their policies |
9. Data Security
Local data is stored in an encrypted SQLite database (SQLCipher on iOS). AI requests are transmitted over HTTPS through our Cloudflare Worker proxy, which enforces rate limiting, input validation, and output validation. We do not store API keys in the app binary. All prompts sent to OpenAI use XML-structured formatting with guardrails to prevent prompt injection. Input is sanitized against 20+ known injection patterns before transmission.
We confirm that all third-party services used by this App (listed in Section 8) provide the same or equivalent level of data protection as described in this policy.
10. Service Discontinuation
If we discontinue the App or its AI services:
- We will provide 30 days' notice via in-app notification
- All locally stored data remains on your device
- Existing workout plans continue to work offline
- Only AI plan generation would cease functioning
- We will provide data export instructions if technically feasible
11. Changes to This Policy
We may update this Privacy Policy. Significant changes will be communicated via in-app notification. The "Last updated" date at the top reflects the most recent version.
12. Contact
For privacy questions, data requests, or concerns:
Email: iagocavalcante.dev@gmail.com
Developer: Iago Cavalcante
Location: Brazil
For LGPD complaints, you may also contact the ANPD (Autoridade Nacional de Proteção de Dados) at www.gov.br/anpd.