Privacy Policy of the Barbell Application
Last updated: 2026-04-27
Document version: 1.0
⚠️ Notice: This document is a draft prepared as a starting point. It should be reviewed by a lawyer specializing in data protection before publication. The content describes the state of data processing as of the date of last update — any material change in infrastructure, vendors, or application features must be reflected here.
1. Data Controller
The controller of your personal data is:
Cezary Ciosek sole proprietorship
ul. Jana Kazimierza 66/122
01-248 Warsaw, Poland
Tax ID (NIP): 573 281 54 19
Contact for data protection matters: e-mail: cezary.ciosek@gmail.com
The controller has not appointed a Data Protection Officer — please address all data protection matters directly to the e-mail above.
2. Scope
This Privacy Policy describes how personal data of users of the Barbell mobile application ("Application"), the website at barbell.cloud ("Website"), and the administrative panel are processed.
The Application enables users to log workouts, track exercise progress, monitor body measurements, and use community features tied to athletic activity.
3. Categories of Personal Data Processed
Depending on how you use the Application, we process the following categories of personal data:
3.1. Registration data
- e-mail address,
- username,
- password (stored only in hashed form, never in plain text),
- preferred interface language.
3.2. Third-party authentication data (OAuth)
When you register or sign in via external accounts, we receive from identity providers:
- Google account identifier (google_id) — when signing in with Google,
- Apple account identifier (apple_id) — when signing in with Apple ID,
- first and last name (if provided by the provider),
- e-mail address linked to the external account.
3.3. Profile data
- first and last name,
- gender,
- date of birth,
- address (if provided),
- profile picture.
3.4. Health data (special category — Article 9 GDPR)
For the body-measurements feature we process:
- body weight,
- body height,
- body circumferences (chest, waist, hips, arm, thigh, calf),
- body fat percentage,
- other body composition metrics entered manually by the user.
These data fall within the special category of personal data under Article 9(1) GDPR and we process them solely based on your explicit, separate consent (Art. 9(2)(a) GDPR), provided when activating the body measurements feature.
You may withdraw this consent at any time, which results in immediate cessation of processing and deletion of the body-measurement data.
3.5. Training data
- exercise results (sets, repetitions, weight, time, intensity),
- Workout-of-the-Day (WOD) results — time, repetitions, completion status, Rx type,
- text notes about training (up to 1000 characters per entry),
- training dates and times.
Training data are not a special category under GDPR but we apply the same security standards.
3.6. Technical data
- device token (device_token) used to deliver push notifications,
- device identifier (device_id),
- platform type (iOS / Android),
- IP address recorded in server logs (kept only as long as necessary for security),
- crash reports (Firebase Crashlytics).
3.7. Subscription and payment data
For premium subscription handling we process:
- subscription validity (subscription_validity),
- transaction identifiers from the store (App Store / RevenueCat),
- subscription status (active, cancelled, in trial).
We do not process payment card data or other financial information — payments are handled exclusively by Apple App Store and RevenueCat under their own privacy policies.
3.8. Account verification data
On registration we generate a 6-digit verification code and store its hash (never plain text) along with an expiry timestamp (15 minutes). These data are deleted upon successful e-mail verification.
4. Purposes and Legal Bases
| Purpose | Legal basis | Data categories |
|---|---|---|
| Account creation and management | Art. 6(1)(b) GDPR (performance of a contract) | registration, profile, OAuth |
| Providing the application's features (training logs, WODs, progress) | Art. 6(1)(b) GDPR (performance of a contract) | training data, profile |
| Processing body measurements | Art. 9(2)(a) GDPR (explicit consent) | health data |
| Sending verification code via e-mail | Art. 6(1)(b) GDPR (performance of a contract) | e-mail, username |
| Sending operational push notifications | Art. 6(1)(f) GDPR (legitimate interest — informing the user about changes to their account) | device token |
| Managing premium subscription | Art. 6(1)(b) GDPR (performance of a contract) | subscription data |
| Account security and fraud prevention | Art. 6(1)(f) GDPR (legitimate interest — security) | logs, IP, authentication data |
| Crash diagnostics (Crashlytics) | Art. 6(1)(f) GDPR (legitimate interest — quality of service) | technical data, crash reports |
| Compliance with legal obligations (accounting, responses to authorities) | Art. 6(1)(c) GDPR | subscription data, contact details |
5. Retention Periods
- User account data — for the duration of account activity. Upon account deletion (the "Delete account" feature in the Application), data are anonymised — identifying fields (name, e-mail, username, OAuth identifiers) are replaced with random values in the format deleted_USERID_RANDOM@barbell.com. The account is marked inactive and all sessions are removed.
- Training data and body measurements — anonymised together with the account. Once anonymised, the data are no longer attributable to a natural person and fall outside the scope of GDPR.
- Server logs (IP, requests) — up to 90 days, after which they are overwritten.
- Crash reports (Firebase Crashlytics) — per Firebase default policy, up to 90 days.
- Subscription data — for the period required by tax law (5 years from the end of the financial year of the transaction).
- Verification codes — deleted upon use or after 15 minutes, whichever occurs first.
6. Recipients of Data
We engage the following processors under Article 28 GDPR:
6.1. Hosting and infrastructure
- OVH SAS (registered office: 2 rue Kellermann, 59100 Roubaix, France) — application server hosting and database. Data are processed within the European Union.
6.2. Transactional e-mail
- Resend, Inc. (registered office: 2261 Market Street #5039, San Francisco, CA 94114, USA) — delivery of transactional e-mails (verification codes, important account notifications). Data transfer outside the European Economic Area — see section 7.
6.3. Third-party authentication (OAuth)
- Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) — Google Sign-In. Transfer outside the EEA — see section 7.
- Apple Inc. (One Apple Park Way, Cupertino, CA 95014, USA) — Apple ID Sign-In. Transfer outside the EEA — see section 7.
6.4. Push notifications and diagnostics
- Google LLC (Firebase Cloud Messaging, Firebase Crashlytics) — push notification delivery and crash reporting. Transfer outside the EEA.
6.5. Subscriptions and payments
- Apple Inc. (App Store) — handling of premium subscription payments on iOS devices. Payment card data and billing details are processed exclusively by Apple under their privacy policy.
- RevenueCat, Inc. (575 Market Street, Suite 1675, San Francisco, CA 94105, USA) — subscription status aggregation. Transfer outside the EEA.
6.6. Other recipients
Data may be disclosed to:
- public authorities and courts — to the extent and on the terms set forth in applicable law,
- the Controller's professional advisors (lawyer, accountant) to the extent necessary for their services, under data processing agreements.
We do not sell your personal data to third parties. We do not share your data with third parties for marketing purposes.
7. Transfers Outside the European Economic Area
Some of our processors (Resend, Google, Apple, RevenueCat — see section 6) are established in the United States. Your data may therefore be processed outside the European Economic Area (EEA).
These transfers take place on the basis of:
- adequacy decisions by the European Commission regarding the EU-US Data Privacy Framework (DPF) — for processors certified under DPF (including Google, Apple),
- Standard Contractual Clauses (SCC) under Commission Implementing Decision 2021/914 — for processors not certified under DPF,
- other appropriate safeguards under Article 46 GDPR.
You may request a copy of the safeguards in place by contacting: cezary.ciosek@gmail.com.
8. Your Rights
Under GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — to obtain information about, and a copy of, data we process about you.
- Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
- Right to erasure (Art. 17, "right to be forgotten") — fulfilled in the Application by the "Delete account" function.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20) — to receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) — to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — for health data (body measurements), without affecting the lawfulness of processing carried out before the withdrawal.
- Right to lodge a complaint with the supervisory authority — President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, https://uodo.gov.pl
To exercise your rights, contact us at: cezary.ciosek@gmail.com. We respond within 30 days of receipt.
9. Data Security
We apply technical and organisational measures appropriate to the risk of processing, including:
- TLS-encrypted data transmission (HTTPS),
- passwords stored only in hashed form (HMAC-SHA512 with a per-user salt),
- verification codes stored hashed (SHA-256 with salt),
- restricted database access — application processes only,
- regular database backups,
- automatic verification code invalidation after 5 incorrect attempts,
- e-mail verification required before first sign-in.
Despite these measures, no method of transmission or storage is 100% secure. Should we detect a personal data breach, we will notify the supervisory authority and affected data subjects without undue delay, in accordance with Articles 33 and 34 GDPR.
10. Cookies and Local Storage
10.1. Mobile application
The mobile application stores locally on your device:
- authentication token (token) and refresh token (refreshToken) — required to maintain your session,
- pending verification e-mail (pendingVerificationEmail) — to resume verification after restarting the app.
These data are stored in the device's secure storage (Keychain on iOS, EncryptedSharedPreferences on Android) and are removed on sign-out or uninstallation.
10.2. Website and admin panel
The admin panel uses only session cookies essential for authenticating the administrator. We do not use analytics or marketing cookies.
11. Age of Users
The Application is intended for persons aged 16 and over.
For users aged 13–16, use of the Application requires the consent of a parent or legal guardian (Art. 8 GDPR).
If we learn that an account has been created by a person under 13, or by a person aged 13–16 without their guardian's consent, we will promptly delete such an account along with all associated data.
To report such an account: cezary.ciosek@gmail.com.
12. Automated Decision-Making and Profiling
Your personal data are not used for automated decision-making producing legal effects concerning you or similarly significantly affecting you, including profiling within the meaning of Article 22 GDPR.
13. Marketing
We currently do not carry out electronic marketing activities and do not send newsletters. Should we introduce such functionality in the future, we will require prior, freely given consent — separate from the consent to process data for other purposes.
14. Changes to this Policy
We reserve the right to periodically update this Privacy Policy. We will inform you of material changes through:
- a notification in the Application on the next launch after the change,
- an e-mail to the address associated with your account — for changes significant from the standpoint of your rights.
The current version of the Privacy Policy is available at barbell.cloud/privacy and within the Application under "Settings → Privacy Policy".
15. Contact
For all questions, requests, and remarks regarding this Privacy Policy and the processing of your personal data, please contact:
Cezary Ciosek
ul. Jana Kazimierza 66/122
01-248 Warsaw, Poland
e-mail: cezary.ciosek@gmail.com
This Privacy Policy is effective as of 2026-04-27.