Privacy Policy

2. Roles of Gainz

• When you create a personal account (as an athlete), Gainz is the data controller for your personal data.
• When a coach processes data of their athletes via Gainz Coach, the coach (company) is the data controller and Gainz acts as a processor. Our Data Processing Agreement (DPA) applies to that processing.
• Gainz has two separate payment flows with different roles under GDPR:
  • Payments from companies to Gainz for access to Gainz Coach. In this situation, Gainz is the data controller for the processing of personal data required for invoicing and administration.
  • Payments from clients to coaches via Stripe Connect. In this situation, the coach or company is the data controller for the client's personal data. Gainz acts solely as processor on behalf of the coach and Stripe as sub-processor for the technical payment processing.

  For the technical processing of payments, Gainz uses Mollie B.V. Mollie may process personal data in the context of payment processing, fraud prevention, identity verification (KYC) and compliance with financial legislation. For these processing activities, Mollie may act as an independent data controller. These processing activities fall under Mollie's privacy policy.

3. What personal data is processed?

Depending on the use of the app or web environment, we process the following data:

• Identification and contact details (e.g. first and last name, date of birth, email address)
• Automatically generated information (IP address, device and browser type, OS)
• Health and performance data (weight, training data, recovery, mood, etc.)
• Visual and audiovisual training media, such as progress photos, training videos and audio feedback recorded by coaches, to the extent users upload these themselves or link them to workouts. This media may contain information about physical condition, body composition and training performance.
• Data from Apple Health and/or Google Fit, if you explicitly consent to this
• Communication data (support requests, feedback)
• Payment or billing data (where applicable for business accounts)
• other personal data necessary for the purposes set out in Article 4.

4. Purposes of processing personal data

Gainz processes personal data for the following purposes:

• Creating, managing accounts and providing access to the app/web environment
• Training and health features (logging, charts, recommendations)
• Customer support and communication
• Enabling the uploading, storing and sharing of training media (such as progress photos, training videos and audio feedback) between athletes and coaches within the platform
• Improving the app, website and services
• Statistical analysis via Rybbit (privacy-friendly analytics)
• Security and fraud prevention
• Legal obligations (e.g. bookkeeping, tax)
• Processing payments for Gainz Coach subscriptions
• Facilitating payments between clients and coaches/companies via Stripe Connect;

5. Legal basis for processing

Gainz processes personal data only if and to the extent that a valid legal basis exists, as referred to in Articles 6 and 9 of the GDPR. The legal bases used are:

• Performance of a contract (Article 6(1)(b) GDPR): for creating and managing accounts, access to the app and coach functionalities.
• Legal obligation (Article 6(1)(c) GDPR): for administrative and tax obligations.
• Legitimate interest (Article 6(1)(f) GDPR): for security, fraud prevention, statistical analysis and service improvement.
• Consent (Article 6(1)(a) and Article 9(2)(a) GDPR): for processing health data and (where applicable) integrations with external health platforms.

This basis also includes:

• the processing of personal data for identity verification and fraud prevention in the context of payment processing, to the extent required by financial legislation; and
• media voluntarily uploaded by users such as progress photos, training videos and audio recordings, which may contain health or performance information. This processing takes place solely on the basis of explicit consent from the user.

6. Health data (Apple Health & Google Fit)

If you consent to this, Gainz synchronizes weight information from your Google Health or Apple Health account. This data is used for:

• tracking your progress;
• personalizing insights and recommendations within the app;
• visual display of trends and results.

You can withdraw this consent at any time from your phone settings or within the app. Gainz never uses health data for advertising or marketing and does not sell it to third parties.

6a. Training media (photos, video, audio)

• Users can voluntarily upload media within Gainz, including progress photos, training videos and audio feedback.
• This media is used solely for training analysis, progress tracking and coaching within the platform.

Media is only visible to:

• the user themselves; and
• the coach or organization to which the user is actively connected.

• Gainz does not use this media for marketing, advertising or automated profiling.
• Users can delete media at any time via the app. Deleted media is permanently removed from our systems, except for technical backups which are overwritten within a reasonable period.

7. Third parties and sub-processors

We do not share your personal data with third parties for their own marketing purposes. We do engage carefully selected service providers (processors) to deliver our services, such as:

• Supabase (EU-hosted storage of user and training data)
• Rybbit (anonymous analytics, self-hosted within the EU)
• Brevo (email communications)
• Mollie (payment processing for Gainz Coach subscriptions where Gainz is the seller, and for payments between clients and coaches via Mollie Connect). For regulatory and technical reasons, the Mollie account used for these payments may be operated by R. Bell Beheer BV (Netherlands). In this context R. Bell Beheer BV may process limited transaction-related data solely for the purpose of facilitating payments via Mollie.

• When a third party processes your personal data on behalf of and on the instructions of Gainz, Gainz concludes a data processing agreement with that third party that meets the requirements of the GDPR. Third parties engaged by Gainz that provide services as independent data controllers are themselves responsible for compliance with the GDPR for the (further) processing of your personal data.
• We may also provide your personal data to third parties if we are legally required to do so, if we are compelled to do so in connection with legal proceedings, and/or if we consider it necessary to protect our rights.

8. International transfers

Our data is primarily stored within the European Economic Area (EEA). When transfers to third countries occur (such as the United States), we use:

• the EU–US Data Privacy Framework (where applicable); or
• EU Standard Contractual Clauses (SCCs), supplemented by appropriate technical and organizational measures.

For payment processing via Mollie, personal data may be shared with Mollie B.V., based in the Netherlands. In limited cases, Mollie may use sub-processors outside the European Economic Area. In that case, Mollie ensures appropriate safeguards, such as EU Standard Contractual Clauses (SCCs).

More information is available via Mollie's privacy policy.

More information is available on request at support@gainz.me.

9. Retention periods

We do not retain personal data longer than necessary. Guidelines:

• Account and profile data: for as long as your account is active + max. 12 months after deletion
• Health data (Apple Health / Google Fit): until withdrawal of your consent
• Billing and administrative data: 7 years (statutory retention obligation)
• Support communications: 24 months after last contact

When data is no longer needed, it is securely deleted or anonymized.

10. Security

Gainz takes appropriate technical and organizational measures to protect your personal data against loss and unauthorized access.

Examples:

• Encrypted data transfer (SSL/TLS)
• Secure authentication (password hashing)
• Role-Based Access Control (RLS) in the database
• Regular security tests and backups

No system is 100% secure; Gainz cannot guarantee that unauthorized third parties will never gain access, but minimizes that risk to the greatest extent possible.

Uploaded media is stored in secure storage environments with access controls and is only made accessible via authenticated access within the application.

11. Cookies and analytics

Our website only uses cookies that are necessary for proper functioning, plus privacy-friendly analytical cookies via Rybbit. This Rybbit instance does not store full IP addresses and does not use tracking cookies. No personal data is shared with third parties.

You can block cookies via your browser settings. The app itself does not use cookies.

Rybbit is used solely for website analytics and not for tracking within the mobile applications.

12. Rights of data subjects

You have the following rights:

• Right of access to your data
• Right to rectification or completion
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing
• Right to withdraw consent (without retroactive effect)

You can exercise these rights via the app or by sending an email to support@gainz.me. You will receive a response within 14 days.

You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or the Comissão Nacional de Proteção de Dados (CNPD) in Portugal.

If your personal data is processed by a coach in the context of a payment or service, you must exercise your rights with the relevant coach as data controller. Gainz will assist where necessary in forwarding requests. For these processing activities, Gainz does not make substantive decisions about the processing and acts solely on the instructions of the coach.

13. Minors

Gainz is intended for users aged 16 and older. We do not knowingly collect personal data from individuals under 16. If a parent suspects that we have inadvertently collected data about their child, they can contact us at support@gainz.me; such data will then be deleted.

14. Account deletion and data export

You can delete your account and associated data via the app (Settings → Delete account). Your personal data will then be permanently deleted, except where statutory retention obligations apply.

15. Business transfer

In the event of a merger, acquisition or sale of (part of) Gainz, personal data may be transferred to the successor entity. We ensure that your privacy rights are preserved.

16. Changes

We may update this privacy policy from time to time, for example when new features are introduced or legislation changes. For significant changes, you will receive a notification in the app or by email. The most current version is always available at gainz.me/privacy.

17. Contact

For questions or requests regarding privacy, please contact:

Email: wesley@gainz.me

EU Representative (Article 27 GDPR):