Tonnage

Privacy Policy

Last updated: 24 May 2026

Notice: This Privacy Policy describes how Tonnage collects, uses, and shares your personal data. It applies to all users of the App regardless of location and is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable international privacy laws.

1. Data Controller / Business Identity

The data controller responsible for your personal data is:

Tomasz Szymanczak Vivivo Solutions
Cicha 26
96-513 Kozłów Biskupi, Poland
European Union

Privacy inquiries: contact@uynix.com
General contact: contact@uynix.com

Referred to as "we", "us", "Developer", or "Controller" throughout this Policy.

The Controller is an individual independent developer and is solely responsible for the processing of personal data of Tonnage users.

2. Definitions

Term | Meaning
App / Tonnage | The Tonnage mobile application for strength training tracking, available on Android.
User / You | Any individual who accesses or uses the App.
Personal Data | Any information relating to an identified or identifiable natural person (GDPR Art. 4(1); CCPA "personal information").
Health Data / Sensitive Data | Data concerning a person's physical health, including fitness and body composition data (GDPR Art. 4(15); CCPA "sensitive personal information").
Processing | Any operation performed on personal data (GDPR Art. 4(2)).
GDPR | EU General Data Protection Regulation 2016/679.
CCPA | California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by CPRA.
EEA | European Economic Area.

3. Data We Collect and Why

3.1. Account and Authentication Data

Data collected: Email address; hashed password (email/password registration); or — via Google OAuth — your Google account name, email address, and profile avatar URL.

Purpose:

  • Creating and managing your user account;
  • Authentication and account security;
  • Sending account-related emails (password reset, system notifications).

Legal basis:

  • GDPR Art. 6(1)(b) — processing necessary for the performance of a contract (providing the App service);
  • CCPA: Processing is necessary to perform the service requested.

Retention: Until account deletion, then up to 30 days in backups, followed by permanent deletion.

3.2. Profile and Onboarding Data

Data collected: Biological sex, age band, height (cm), weight (kg), training goal (e.g., strength, muscle, weight loss, fitness), experience level, weekly training frequency.

Purpose:

  • Personalizing training suggestions and analytics;
  • Computing strength benchmarks, relative strength, and muscle balance metrics;
  • Generating personalized AI recommendations.

Sensitive data note: Biological sex, body weight, and height combined with training data may constitute health data under GDPR Art. 4(15) and sensitive personal information under CCPA.

Legal basis:

  • GDPR Art. 6(1)(b) — performance of contract (service personalization);
  • GDPR Art. 9(2)(a) — your explicit consent to process special category health data (obtained during onboarding);
  • CCPA: Consent for processing sensitive personal information.

Retention: Until account deletion or consent withdrawal.

3.3. Workout and Fitness Data

Data collected: Session history (date, duration, notes), exercise logs (exercise name, type, target muscles), set data (weight, reps, set type: working/warmup/drop/failure), progress metrics (personal records, volume indicators).

Purpose:

  • Delivering the App's core functionality;
  • Generating progress analytics, charts, and training metrics;
  • Computing muscle imbalance and recovery status;
  • Providing AI-powered training suggestions.

Sensitive data note: Detailed training data (loads, volume, muscle activation patterns) can reveal information about your physical health and fitness condition.

Legal basis:

  • GDPR Art. 6(1)(b) — performance of contract;
  • GDPR Art. 9(2)(a) — explicit consent for health-related data.

Retention: Until account deletion.

3.4. Progress Photos

Data collected: Photographs voluntarily uploaded and attached to training sessions.

Purpose: Visual documentation of your training progress, visible only to you.

Sensitive data note: Photos of your physique may constitute biometric or health data.

Legal basis:

  • GDPR Art. 6(1)(b) + Art. 9(2)(a) — explicit consent (you are informed of the sensitive nature before uploading your first photo);
  • CCPA: Consent for sensitive personal information.

Storage location: Supabase Storage (encrypted object storage, servers in the USA — see Section 7).

Retention: Until deleted by you or until account deletion.

3.5. Derived Analytics

Data collected: Muscle activation patterns, muscle imbalance metrics, training volume trends, recovery indicators, personal records — all computed automatically from your training data.

Purpose: Presenting advanced progress insights; improving App algorithms.

Legal basis: GDPR Art. 6(1)(b) — performance of contract.

Retention: Until account deletion.

3.6. Usage and Device Analytics

Data collected: App events (screen opens, button taps, session completion), screen names, App version, device type and model, operating system, anonymized installation identifier.

Purpose:

  • Analyzing App usage to improve UX and features;
  • Detecting bugs and technical issues;
  • Measuring engagement and retention.

Legal basis:

  • GDPR Art. 6(1)(f) — legitimate interests of the Developer in maintaining and improving the App; data is minimized and anonymized where feasible;
  • CCPA: Disclosed as a business purpose; opt-out available (see Section 9).

Provider: PostHog (see Section 6).

Retention: 12 months from event, then aggregated or deleted.

3.7. Local Device Cache (AsyncStorage)

Data stored locally on your device: Offline queue (training data awaiting sync), AI suggestion cache, profile data cache.

Purpose: Enabling offline functionality and improving App performance.

Legal basis: GDPR Art. 6(1)(b) — necessary for the operation of the App.

Location: Your device only. Local cache data is never transmitted to third parties.

Retention: Until App uninstallation or manual cache clearing.

4. Legal Bases — Summary Table

Data Category | GDPR Legal Basis
Account data (email, password) | Art. 6(1)(b) — contract performance
Google OAuth data | Art. 6(1)(b) — contract performance
Profile data (age, weight, height, sex) | Art. 6(1)(b) + Art. 9(2)(a) — consent for sensitive data
Workout and fitness data | Art. 6(1)(b) + Art. 9(2)(a) — consent for sensitive data
Progress photos | Art. 6(1)(b) + Art. 9(2)(a) — consent for sensitive data
Derived analytics | Art. 6(1)(b) — contract performance
Usage analytics (PostHog) | Art. 6(1)(f) — legitimate interests
Local device cache | Art. 6(1)(b) — contract performance

5. Subscription Data and Payments

Payments for the Premium Subscription are processed entirely by Apple App Store (iOS) or Google Play Store (Android). We do not collect or store your payment card details or banking information. We store only your subscription status (active/inactive, plan type, trial expiry date) in our Supabase database to verify access to premium features.

6. Third Parties — Data Sharing

We do not sell your personal data. We do not share your data for cross-context behavioral advertising. Data is shared with the following third parties only to the extent necessary to provide the App's services.

6.1. Supabase, Inc. — Database, Auth, Storage, Edge Functions

  • Role: Processor — primary backend infrastructure.
  • Data shared: All App-stored data (account, profile, training data, progress photos).
  • Servers: United States.
  • Transfer mechanism: Standard Contractual Clauses (SCC), EU Commission Decision 2021/914; active Data Processing Agreement (DPA) in place.
  • Privacy policy: https://supabase.com/privacy

6.2. PostHog, Inc. — Product Analytics

  • Role: Processor — analytics platform.
  • Data shared: App events, screen names, anonymized user identifier, device data, App version.
  • Servers: United States (or EU, depending on instance configuration).
  • Transfer mechanism: Standard Contractual Clauses (SCC); active DPA in place.
  • Privacy policy: https://posthog.com/privacy

6.3. Google LLC — OAuth Authentication

  • Role: Authentication service provider.
  • Data shared: Authentication request initiated by you; Google returns your name, email, and profile avatar URL to the App.
  • Servers: USA and globally.
  • Transfer mechanism: SCC; Google LLC participates in the EU–US Data Privacy Framework (DPF).
  • Privacy policy: https://policies.google.com/privacy

6.4. Groq, Inc. — AI Inference (Workout Suggestions)

  • Role: Processor — AI/LLM provider (Llama 3.3 70B).
  • Data shared: Anonymized training archetype (exercise patterns, muscle groups targeted), muscle imbalance metrics, stated training goal. Your name, email address, and other directly identifying information are never sent to Groq.
  • Servers: United States.
  • Transfer mechanism: Standard Contractual Clauses (SCC); active DPA in place.
  • Privacy policy: https://groq.com/privacy-policy

6.5. ExerciseDB API — Exercise Library

  • Role: Third-party data provider (read-only).
  • Data shared: No personal data is transmitted to ExerciseDB. The API is queried only to retrieve exercise metadata (names, descriptions, muscle groups).

6.6. Apple Inc. / Google LLC — App Stores and In-App Purchases

  • Role: App distributors and payment processors.
  • Data shared: Apple and Google process purchase and subscription data under their own privacy policies.
  • Apple Privacy Policy: https://www.apple.com/legal/privacy/
  • Google Privacy Policy: https://policies.google.com/privacy

6.7. Public Authorities

We may disclose your personal data to public authorities (e.g., law enforcement, supervisory authorities) when required by applicable law or court order. Legal basis: GDPR Art. 6(1)(c) — legal obligation.

7. International Data Transfers

Your data may be transferred to and processed in the United States, via Supabase, PostHog, and Groq services. The USA does not have an EU adequacy decision for all data transfers.

We have implemented the following safeguards to ensure an adequate level of protection:

  • Standard Contractual Clauses (SCC) — EU Commission Decision 2021/914, incorporated in contracts with each sub-processor located outside the EEA;
  • Data Processing Agreements (DPA) — executed with each third-party processor;
  • Data minimization — only anonymized, non-identifying data is transmitted to AI systems (Groq);
  • Encryption in transit — TLS 1.2 or higher for all data transfers;
  • Encryption at rest — enforced at the infrastructure level by Supabase.

You may request a copy of the applicable safeguards, including the SCC text, by contacting privacy@tonnage.app.

8. Data Retention

Data Category | Retention Period
Account data (email, password, OAuth tokens) | Until account deletion + up to 30 days in backups
Profile and onboarding data | Until account deletion
Workout and fitness data | Until account deletion
Progress photos | Until deleted by you or account deletion
Derived analytics | Until account deletion
Usage analytics (PostHog) | 12 months from event
Local device cache | Until App uninstallation
System and security logs | Up to 90 days

After the applicable retention period, data is permanently deleted or irreversibly anonymized.

9. Your Rights

9.1. Rights Under GDPR (EEA and UK Users)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy of it, along with processing details (purposes, categories, recipients, retention periods).

Right to rectification (Art. 16): Request correction of inaccurate data or completion of incomplete data. You may update most profile data (weight, height, goal, etc.) directly in the App's profile settings.

Right to erasure (Art. 17): Request deletion of your data when: it is no longer necessary for the purposes collected; you withdraw consent; you object and we have no overriding grounds; or it was processed unlawfully. In-app account deletion is available under Profile → Settings → Delete Account.

Right to restriction of processing (Art. 18): Request that we restrict processing in specified circumstances (e.g., when you contest accuracy or have objected to processing).

Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format (e.g., JSON) and transmit it to another controller — for data processed by automated means on the basis of consent or contract.

Right to object (Art. 21): Object at any time to processing based on our legitimate interests (Art. 6(1)(f)), including usage analytics via PostHog.

Right to withdraw consent (Art. 7(3)): Where processing is based on your consent (in particular health data — profile, training data, progress photos), withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawing consent for data necessary to provide the App service requires account deletion.

Rights regarding automated decision-making (Art. 22): Tonnage does not make fully automated decisions with legal or similarly significant effects on users.

Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority in your country of residence or work. Contact details for key authorities:

  • Poland (UODO): ul. Stawki 2, 00-193 Warsaw | www.uodo.gov.pl
  • UK (ICO): Wycliffe House, Water Lane, Wilmslow, SK9 5AF | ico.org.uk
  • EU national authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9.2. Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA (as amended by CPRA):

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and third parties with whom it is shared.

Right to Delete: Request deletion of personal information we hold about you, subject to certain exceptions.

Right to Correct: Request correction of inaccurate personal information.

Right to Opt Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising.

Right to Limit Use of Sensitive Personal Information: You may direct us to limit use of your sensitive personal information (body weight, health data, photos) to purposes necessary to provide the App. To exercise this right, contact privacy@tonnage.app.

Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@tonnage.app. We will respond within 45 days as required by law.

9.3. Rights for Users in Other Jurisdictions

Users in other jurisdictions may have additional rights under local law. We are committed to respecting privacy rights globally and will honor reasonable requests to the extent required by applicable law:

  • Australia (Privacy Act 1988): Rights to access and correction of personal information; complaints to the OAIC (oaic.gov.au).
  • Canada (PIPEDA / Law 25 Quebec): Rights to access, correction, and withdrawal of consent.
  • Brazil (LGPD): Rights to access, correction, deletion, portability, and objection.

10. How to Exercise Your Rights

To exercise any of the rights described in Section 9, send a request to:

privacy@tonnage.app

In your message, include:

  • Your name or the email address associated with your App account (for identification);
  • A description of your request (e.g., "I request access to my data", "I request account and data deletion");
  • Optionally: preferred format for the response or additional details.

Response time: We will respond without undue delay and in any event within one month of receiving your request. Where necessary, this may be extended by up to two additional months; you will be informed of any extension.

Identity verification: To protect your data, we may request additional information to verify your identity before fulfilling a request.

11. Data Security

We implement appropriate technical and organizational security measures to protect your data from unauthorized access, disclosure, alteration, or destruction:

  • Encryption in transit: All connections to Supabase use TLS 1.2 or higher;
  • Encryption at rest: Data stored by Supabase is encrypted at the database and storage layer;
  • Secure authentication: Session tokens are managed securely by Supabase Auth; passwords are never stored in plain text;
  • Row-Level Security: Your data is accessible only under your account (enforced via Supabase RLS policies);
  • AI data minimization: Only anonymized archetypes — no identifying data — are sent to Groq's inference systems;
  • Device-level protection: Local cache data in AsyncStorage is protected by iOS and Android platform security mechanisms.

Despite these measures, no data transmission or storage system is 100% secure. In the event of a personal data breach, we will notify affected users and the competent supervisory authority in accordance with GDPR Art. 33–34 requirements.

12. Children's Privacy

12.1. Tonnage is intended only for users aged 16 and over. This minimum age reflects GDPR Art. 8 requirements for information society services directed to children.

12.2. We do not knowingly collect personal data from persons under 16. By creating an account, you confirm you meet the minimum age requirement.

12.3. If we become aware that personal data has been collected from a person under 16 without required parental consent, we will promptly delete that data and disable the account.

12.4. If you are a parent or guardian and believe your child has registered on the App, please contact us immediately at privacy@tonnage.app.

13. Local Storage and AsyncStorage

Tonnage uses React Native's AsyncStorage mechanism to store data locally on your device. This local cache includes:

  • Offline queue — training data entered without an internet connection, waiting to sync to the server;
  • AI suggestion cache — recent AI-generated training suggestions, stored for offline access;
  • Profile cache — profile data stored locally to reduce loading time.

This data is stored only on your device and is not transmitted to any third party. It is automatically cleared when you uninstall the App or can be manually cleared in your device system settings.

Tonnage does not use browser cookies — it is a native mobile app. The above local data serves a function analogous to browser cache and app-local storage.

14. External Links

The App may contain links to external websites or services (e.g., ExerciseDB documentation). We are not responsible for the privacy practices of those external services. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

15.1. We may update this Privacy Policy at any time, in particular when:

  • data protection laws change;
  • we introduce new App features that involve processing new categories of data;
  • we change third-party service providers;
  • supervisory authority decisions or court judgments affect our obligations.

15.2. For material changes — especially those affecting your rights or changing the legal basis for processing — we will notify you at least 14 days before the changes take effect via:

  • an in-app push notification;
  • an email to the address associated with your account.

15.3. Continued use of the App after the updated Privacy Policy takes effect constitutes your acceptance. If you do not accept the changes, you should stop using the App and delete your account.

15.4. Prior versions of this Privacy Policy will be archived and available on request at privacy@tonnage.app.

16. Contact

For questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data:

Privacy inquiries: privacy@tonnage.app
General contact: contact@tonnage.app

Data Controller:

Tomasz Szymanczak Vivivo Solutions
Cicha 26
96-513 Kozłów Biskupi, Poland
European Union

We aim to respond to privacy inquiries within 72 hours (business days) and to formal rights requests within the statutory one-month period.

17. Changelog

Version | Date | Description
1.0 | May 24, 2026 | Initial version of the Privacy Policy

This document is provided for informational purposes. Consult a qualified attorney or data protection officer for legal advice tailored to your specific situation.

Version: 1.0 | Date: May 24, 2026

© 2026 Tonnage. All rights reserved.