Privacy Policy

Last updated: June 27, 2026

Notice: This Privacy Policy describes how Volstack collects, uses, and shares your personal data. It applies to all users of the App regardless of location and is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable international privacy laws.

1. Data Controller / Business Identity

The data controller responsible for your personal data is:

Tomasz Szymanczak
Vivivo Solutions
Kozłów Biskupi, Poland
European Union

Privacy inquiries: contact@uynix.com
General contact: contact@uynix.com

Referred to as "we", "us", "Developer", or "Controller" throughout this Policy.

The Controller is an individual independent developer and is solely responsible for the processing of personal data of Volstack users.

2. Definitions

Term | Meaning
App / Volstack | The Volstack mobile application for strength training tracking. The App is currently distributed on Android; an iOS version may be offered in the future.
User / You | Any individual who accesses or uses the App.
Personal Data | Any information relating to an identified or identifiable natural person (GDPR Art. 4(1); CCPA "personal information").
Health Data / Sensitive Data | Data concerning a person's physical health, including fitness and body composition data (GDPR Art. 4(15); CCPA "sensitive personal information").
Processing | Any operation performed on personal data (GDPR Art. 4(2)).
GDPR | EU General Data Protection Regulation 2016/679.
CCPA | California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.), as amended by CPRA.
EEA | European Economic Area.

3. Data We Collect and Why

3.1. Account and Authentication Data

Data collected: Email address; hashed password (email/password registration); or — via Google OAuth — your Google account name, email address, and profile avatar URL.

Purpose:

  • Creating and managing your user account;
  • Authentication and account security;
  • Sending account-related emails (password reset, system notifications).

Legal basis:

  • GDPR Art. 6(1)(b) — processing necessary for the performance of a contract (providing the App service);
  • CCPA: Processing is necessary to perform the service requested.

Retention: Until account deletion, then up to 30 days in backups, followed by permanent deletion.

3.2. Profile and Onboarding Data

Data collected: Display name; biological sex; age band (optional); height (cm); weight (kg); training goal (e.g., strength, muscle, weight loss, fitness); experience level; weekly training frequency.

Purpose:

  • Personalizing analytics and in-app benchmarks;
  • Computing strength benchmarks, relative strength, and muscle balance metrics;
  • Generating rule-based training and recovery insights.

Sensitive data note: Biological sex, body weight, and height combined with training data may constitute health data under GDPR Art. 4(15) and sensitive personal information under CCPA.

Legal basis:

  • GDPR Art. 6(1)(b) — performance of contract (service personalization);
  • GDPR Art. 9(2)(a) — by voluntarily providing this information during onboarding after accepting this Privacy Policy, you consent to processing of health-related profile data for the purposes described here;
  • CCPA: Consent for processing sensitive personal information.

Retention: Until account deletion or consent withdrawal.

3.3. Workout and Fitness Data

Data collected: Session history (date, duration, notes), exercise logs (exercise name, type, target muscles), set data (weight, reps, set type: working/warmup/drop/failure), progress metrics (personal records, volume indicators).

Purpose:

  • Delivering the App's core functionality;
  • Generating progress analytics, charts, and training metrics;
  • Computing muscle imbalance and recovery status;
  • Providing rule-based coaching suggestions (exercise recommendations derived from your logged training patterns).

Sensitive data note: Detailed training data (loads, volume, muscle activation patterns) can reveal information about your physical health and fitness condition.

Legal basis:

  • GDPR Art. 6(1)(b) — performance of contract;
  • GDPR Art. 9(2)(a) — consent for health-related data, as described in Section 3.2.

Retention: Until account deletion.

3.4. Workout Share Photos (Local Only)

Data collected: Photographs you optionally add from your camera or photo library when creating a workout share image after a session.

Purpose: Composing shareable workout summary images (e.g., for social media). Photos are not uploaded to our servers.

Sensitive data note: Photos of your physique may constitute health-related or sensitive personal information.

Legal basis:

  • GDPR Art. 6(1)(b) + Art. 9(2)(a) — consent, by choosing to add a photo after the App requests camera or photo-library permission;
  • CCPA: Consent for sensitive personal information.

Storage location: Your device only — local app cache (share-photos/). We do not transmit these images to Supabase or any other third party.

Retention: Until you remove the photo, clear app cache, or uninstall the App.

3.5. Derived Analytics

Data collected: Muscle activation patterns, muscle imbalance metrics, training volume trends, recovery indicators, personal records — all computed automatically from your training data on our servers or on your device.

Purpose: Presenting advanced progress insights; improving App algorithms.

Legal basis: GDPR Art. 6(1)(b) — performance of contract.

Retention: Until account deletion (server-side). Locally cached insight statistics are cleared on uninstall or cache clear.

3.6. Usage and Device Analytics

Data collected:

  • App events (e.g., screen views, onboarding steps, workout started/finished, paywall interactions);
  • Screen names;
  • App version;
  • Device type, model, and operating system;
  • When you are signed in: your Supabase user ID (used as the analytics distinct ID);
  • When signed out: a persistent installation/session identifier;
  • Session replay recordings (with text inputs and images masked by default);
  • Error and crash events captured for debugging (without intentionally including passwords or payment details).

Purpose:

  • Analyzing App usage to improve UX and features;
  • Detecting bugs and technical issues;
  • Measuring engagement and retention.

Legal basis:

  • GDPR Art. 6(1)(f) — legitimate interests of the Developer in maintaining and improving the App; we minimize data where feasible;
  • CCPA: Disclosed as a business purpose; you may object as described in Section 9.

Provider: PostHog (see Section 6).

Retention: 12 months from event, then aggregated or deleted per PostHog configuration.

3.7. Local Device Cache (AsyncStorage and File Cache)

Data stored locally on your device:

  • Offline queue — training data entered without an internet connection, waiting to sync to the server;
  • Profile cache — profile fields stored locally to reduce loading time (subscription status is excluded from offline cache to avoid stale access flags);
  • Insight statistics cache — precomputed workout/set summaries used to speed up the Insight screen;
  • Workout share photos — see Section 3.4.

Purpose: Enabling offline functionality and improving App performance.

Legal basis: GDPR Art. 6(1)(b) — necessary for the operation of the App.

Location: Your device only. Local cache data (except analytics events sent to PostHog as described in Section 3.6) is not transmitted to third parties.

Retention: Until App uninstallation or manual cache clearing.

4. Legal Bases — Summary Table

Data Category | GDPR Legal Basis
Account data (email, password) | Art. 6(1)(b) — contract performance
Google OAuth data | Art. 6(1)(b) — contract performance
Profile data (name, age band, weight, height, sex) | Art. 6(1)(b) + Art. 9(2)(a) — consent for sensitive data
Workout and fitness data | Art. 6(1)(b) + Art. 9(2)(a) — consent for sensitive data
Workout share photos (local) | Art. 6(1)(b) + Art. 9(2)(a) — consent for sensitive data
Derived analytics | Art. 6(1)(b) — contract performance
Usage analytics (PostHog) | Art. 6(1)(f) — legitimate interests
Local device cache | Art. 6(1)(b) — contract performance

5. Subscription Data and Payments

Payments for the Premium Subscription are processed by Google Play (Android). We do not collect or store your payment card details or banking information.

RevenueCat (see Section 6) manages in-app subscription entitlements in the App and links purchases to your account using your Supabase user ID.

In our Supabase database we store subscription-related fields needed to verify Premium access, including:

  • Subscription state (e.g., active, canceled, grace period, expired);
  • Product identifier (volstack_premium);
  • Subscription expiry date;
  • Google Play purchase token (Android only);
  • Trial end date (when applicable).

We do not store full payment instrument details.

6. Third Parties — Data Sharing

We do not sell your personal data. We do not share your data for cross-context behavioral advertising. Data is shared with the following third parties only to the extent necessary to provide the App's services.

6.1. Supabase, Inc. — Database, Auth, Edge Functions

  • Role: Processor — primary backend infrastructure.
  • Data shared: Account, profile, and training data stored in the App. Workout share photos are not stored by Supabase.
  • Servers: United States.
  • Transfer mechanism: Standard Contractual Clauses (SCC), EU Commission Decision 2021/914; active Data Processing Agreement (DPA) in place.
  • Privacy policy: https://supabase.com/privacy

6.2. PostHog, Inc. — Product Analytics, Session Replay, Error Tracking

  • Role: Processor — analytics platform.
  • Data shared: App events, screen names, device data, App version, Supabase user ID (when signed in), installation/session identifiers, session replay data (with masking), and error events.
  • Servers: United States (default instance: us.i.posthog.com).
  • Transfer mechanism: Standard Contractual Clauses (SCC); active DPA in place.
  • Privacy policy: https://posthog.com/privacy

6.3. Google LLC — OAuth Authentication

  • Role: Authentication service provider.
  • Data shared: Authentication request initiated by you; Google returns your name, email, and profile avatar URL to the App.
  • Servers: USA and globally.
  • Transfer mechanism: SCC; Google LLC participates in the EU–US Data Privacy Framework (DPF).
  • Privacy policy: https://policies.google.com/privacy

6.4. RevenueCat, Inc. — Subscription Management

  • Role: Processor — in-app purchase and entitlement management.
  • Data shared: Supabase user ID, subscription status, product identifiers, and purchase metadata processed by the relevant app store. RevenueCat does not receive your payment card number.
  • Servers: United States.
  • Transfer mechanism: Standard Contractual Clauses (SCC); active DPA in place.
  • Privacy policy: https://www.revenuecat.com/privacy

6.5. ExerciseDB API — Exercise Library

  • Role: Third-party data provider (read-only).
  • Data shared: No personal data is transmitted. The App queries public exercise metadata (names, descriptions, muscle groups, media URLs) from an ExerciseDB-compatible API endpoint. Requests may include a server API key but never your account identifiers.

6.6. Google LLC — Google Play Store and In-App Purchases

  • Role: App distributor and payment processor (Android).
  • Data shared: Google processes purchase and subscription data under its own privacy policy.
  • Privacy policy: https://policies.google.com/privacy

6.7. Public Authorities

We may disclose your personal data to public authorities (e.g., law enforcement, supervisory authorities) when required by applicable law or court order. Legal basis: GDPR Art. 6(1)(c) — legal obligation.

7. International Data Transfers

Your data may be transferred to and processed in the United States, via Supabase, PostHog, and RevenueCat services. The USA does not have an EU adequacy decision for all data transfers.

We have implemented the following safeguards to ensure an adequate level of protection:

  • Standard Contractual Clauses (SCC) — EU Commission Decision 2021/914, incorporated in contracts with each sub-processor located outside the EEA;
  • Data Processing Agreements (DPA) — executed with each third-party processor;
  • Encryption in transit — TLS 1.2 or higher for all data transfers;
  • Encryption at rest — enforced at the infrastructure level by Supabase.

You may request a copy of the applicable safeguards, including the SCC text, by email at contact@uynix.com.

8. Data Retention

Data Category | Retention Period
Account data (email, password, OAuth tokens) | Until account deletion + up to 30 days in backups
Profile and onboarding data | Until account deletion
Workout and fitness data | Until account deletion
Workout share photos (local) | Until removed by you, cache clear, or App uninstallation
Derived analytics (server) | Until account deletion
Usage analytics (PostHog) | 12 months from event
Local device cache | Until App uninstallation
System and security logs | Up to 90 days

After the applicable retention period, data is permanently deleted or irreversibly anonymized.

9. Your Rights

9.1. Rights Under GDPR (EEA and UK Users)

If you are located in the EEA, UK, or Switzerland, you have the following rights:

Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy of it, along with processing details (purposes, categories, recipients, retention periods).

Right to rectification (Art. 16): Request correction of inaccurate data or completion of incomplete data. You may update most profile data (weight, height, goal, etc.) directly in the App's Profile screen.

Right to erasure (Art. 17): Request deletion of your data when: it is no longer necessary for the purposes collected; you withdraw consent; you object and we have no overriding grounds; or it was processed unlawfully. In-app account deletion is available on the Profile screen via Delete account permanently.

Right to restriction of processing (Art. 18): Request that we restrict processing in specified circumstances (e.g., when you contest accuracy or have objected to processing).

Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format (e.g., JSON) and transmit it to another controller — for data processed by automated means on the basis of consent or contract. There is no in-app export button; submit a portability request to contact@uynix.com.

Right to object (Art. 21): Object at any time to processing based on our legitimate interests (Art. 6(1)(f)), including usage analytics via PostHog. Email contact@uynix.com — there is no in-app analytics opt-out toggle at this time.

Right to withdraw consent (Art. 7(3)): Where processing is based on your consent (in particular health data — profile, training data, photos), withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Withdrawing consent for data necessary to provide the App service requires account deletion.

Rights regarding automated decision-making (Art. 22): Volstack does not make fully automated decisions with legal or similarly significant effects on users. Training suggestions are informational and rule-based; you choose whether to follow them.

Right to lodge a complaint: You have the right to lodge a complaint with the supervisory authority in your country of residence or work. Contact details for key authorities:

  • Poland (UODO): ul. Stawki 2, 00-193 Warsaw | www.uodo.gov.pl
  • UK (ICO): Wycliffe House, Water Lane, Wilmslow, SK9 5AF | ico.org.uk
  • EU national authorities: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9.2. Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the CCPA (as amended by CPRA):

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, business purposes, and third parties with whom it is shared.

Right to Delete: Request deletion of personal information we hold about you, subject to certain exceptions.

Right to Correct: Request correction of inaccurate personal information.

Right to Opt Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising.

Right to Limit Use of Sensitive Personal Information: You may direct us to limit use of your sensitive personal information (body weight, health data, photos) to purposes necessary to provide the App. To exercise this right, email contact@uynix.com.

Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, contact us at contact@uynix.com. We will respond within 45 days as required by law.

9.3. Rights for Users in Other Jurisdictions

Users in other jurisdictions may have additional rights under local law. We are committed to respecting privacy rights globally and will honor reasonable requests to the extent required by applicable law:

  • Australia (Privacy Act 1988): Rights to access and correction of personal information; complaints to the OAIC (oaic.gov.au).
  • Canada (PIPEDA / Law 25 Quebec): Rights to access, correction, and withdrawal of consent.
  • Brazil (LGPD): Rights to access, correction, deletion, portability, and objection.

10. How to Exercise Your Rights

To exercise any of the rights described in Section 9, send a request to:

contact@uynix.com

In your message, include:

  • Your name or the email address associated with your App account (for identification);
  • A description of your request (e.g., "I request access to my data", "I request account and data deletion");
  • Optionally: preferred format for the response or additional details.

Response time: We will respond without undue delay and in any event within one month of receiving your request. Where necessary, this may be extended by up to two additional months; you will be informed of any extension.

Identity verification: To protect your data, we may request additional information to verify your identity before fulfilling a request.

11. Data Security

We implement appropriate technical and organizational security measures to protect your data from unauthorized access, disclosure, alteration, or destruction:

  • Encryption in transit: All connections to Supabase use TLS 1.2 or higher;
  • Encryption at rest: Data stored by Supabase is encrypted at the database and storage layer;
  • Secure authentication: Session tokens are managed securely by Supabase Auth; passwords are never stored in plain text;
  • Row-Level Security: Your data is accessible only under your account (enforced via Supabase RLS policies);
  • Analytics minimization: PostHog session replay masks text inputs and images by default; we do not intentionally send passwords or payment details in analytics events;
  • Device-level protection: Local cache data is protected by Android (and iOS, when available) platform security mechanisms.

Despite these measures, no data transmission or storage system is 100% secure. In the event of a personal data breach, we will notify affected users and the competent supervisory authority in accordance with GDPR Art. 33–34 requirements.

12. Children's Privacy

12.1. Volstack is intended only for users aged 16 and over. This minimum age reflects GDPR Art. 8 requirements for information society services directed to children.

12.2. We do not knowingly collect personal data from persons under 16. By creating an account, you confirm you meet the minimum age requirement. The App does not verify age independently beyond this self-declaration.

12.3. If we become aware that personal data has been collected from a person under 16 without required parental consent, we will promptly delete that data and disable the account.

12.4. If you are a parent or guardian and believe your child has registered on the App, please contact us immediately at contact@uynix.com.

13. Local Storage and AsyncStorage

Volstack uses React Native's AsyncStorage and local file cache to store data on your device. This includes:

  • Offline queue — training data entered without an internet connection, waiting to sync to the server;
  • Profile cache — profile data stored locally to reduce loading time;
  • Insight statistics cache — cached workout and set summaries for the Insight screen;
  • Workout share photos — images you add for share cards (see Section 3.4).

This data is stored only on your device and is not transmitted to third parties (except that synced training data eventually reaches Supabase when you are online). It is cleared when you uninstall the App or when you clear app data in system settings.

Volstack does not use browser cookies — it is a native mobile app. The above local data serves a function analogous to browser cache and app-local storage.

14. External Links

The App may contain links to external websites or services (e.g., hosted Privacy Policy and Terms pages at www.volstack-app.com). We are not responsible for the privacy practices of those external services. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Privacy Policy

15.1. We may update this Privacy Policy at any time, in particular when:

  • data protection laws change;
  • we introduce new App features that involve processing new categories of data;
  • we change third-party service providers;
  • supervisory authority decisions or court judgments affect our obligations.

15.2. For material changes — especially those affecting your rights or changing the legal basis for processing — we will notify you at least 14 days before the changes take effect via:

  • an email to the address associated with your account; and/or
  • a prominent in-app notice on next launch.

15.3. Continued use of the App after the updated Privacy Policy takes effect constitutes your acceptance. If you do not accept the changes, you should stop using the App and delete your account.

15.4. Prior versions of this Privacy Policy will be archived and available on request at contact@uynix.com.

16. Contact

For questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data:

Privacy inquiries: contact@uynix.com
General contact: contact@uynix.com

Data Controller:
Tomasz Szymanczak
Vivivo Solutions
Cicha 26
96-513 Kozłów Biskupi, Poland
European Union

We aim to respond to privacy inquiries within 72 hours (business days) and to formal rights requests within the statutory one-month period.

17. Changelog

Version | Date | Description
1.0 | May 24, 2026 | Initial version of the Privacy Policy
1.1 | June 27, 2026 | Aligned with actual App behavior: local-only share photos, rule-based (non-LLM) coaching, PostHog session replay and user ID, RevenueCat, Android-first distribution, updated local cache and subscription fields

This document is provided for informational purposes. Consult a qualified attorney or data protection officer for legal advice tailored to your specific situation.

Version: 1.1 | Date: June 27, 2026

© 2026 Volstack. All rights reserved.