Last updated: June 3, 2026
1. Controller
The controller responsible for processing your personal data under the EU General Data Protection Regulation (GDPR) is:
Bastian Wiede, WI-IM-EX
c/o IP-Management #4150
Ludwig-Erhard-Str. 18
20459 Hamburg, Germany
E-Mail: contact@xx4x.com
Phone: +49 155 65084652
2. Data we process
- Account data: email address, username, hashed password.
- Challenge data: pushup counts, attempt timestamps.
- Camera feed: processed exclusively on your device for pose detection. Video frames are never uploaded or stored.
- Server logs: IP address, request time, user agent, status code (Art. 6(1)(f) GDPR — legitimate interest in operating the service securely).
3. Purposes & legal bases (EU/EEA users)
- Providing the service and your account — Art. 6(1)(b) GDPR (contract).
- Security, abuse prevention, log retention — Art. 6(1)(f) GDPR (legitimate interest).
- Optional analytics or marketing cookies — Art. 6(1)(a) GDPR (consent).
4. Cookies
We use technically necessary cookies for authentication and session management. Non-essential cookies are set only with your consent, which you can withdraw at any time in your browser settings.
5. Recipients & processors
We use vetted infrastructure providers (hosting, database, authentication) acting as processors under Art. 28 GDPR. Data may be transferred to providers in the United States under EU Standard Contractual Clauses or the EU-US Data Privacy Framework.
6. Retention
Account data is retained until you delete your account. Server logs are retained for up to 30 days. Statutory retention obligations remain unaffected.
7. Your rights (GDPR)
- Access (Art. 15), rectification (Art. 16), erasure (Art. 17).
- Restriction of processing (Art. 18), data portability (Art. 20).
- Object to processing (Art. 21), withdraw consent (Art. 7(3)).
- Lodge a complaint with a supervisory authority (Art. 77).
You can also delete your account directly in your profile settings, which erases all associated data immediately.
8. Your rights (US — California / CCPA & CPRA)
California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information. To exercise these rights, contact contact@xx4x.com. We will not discriminate against you for exercising your rights.
9. Children
gymbro is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact us and we will delete it.
10. Data security
We use appropriate technical and organisational measures (TLS encryption in transit, encrypted storage, access controls) to protect your data.
11. Changes
We may update this policy to reflect legal or operational changes. The current version always applies to your use of the service.