Privacy Policy

When you register for a WorkoutPath account, we collect:

• Email address — used as your primary account identifier and login credential
• Password — we never store your password in plain text; Supabase Inc. handles authentication and stores only a cryptographic hash of your password using industry-standard hashing algorithms (bcrypt)

Legal basis (GDPR Art. 6(1)(b)): Processing necessary for the performance of the contract (providing you with access to the service).

To personalize your workout program, we collect the following profile information:

• Name — used to personalize the app experience
• Gender — used to generate appropriate workout recommendations
• Activity level — used to calibrate program intensity (stored in both our database and your browser's localStorage under the key wpActivityLevel)

Legal basis (GDPR Art. 6(1)(b)): Necessary for the performance of the service you requested.

We collect and store:

• Training program selection — your chosen workout split from our 14 available programs (stored under localStorage key wpSelectedProgram and synced to Supabase)
• Workout days and schedule — which days of the week you train
• Exercise data — exercises completed, sets, reps, and workout progress from our library of 104+ exercises

Legal basis (GDPR Art. 9(2)(a) / KVKK Art. 6): Explicit consent, provided during account registration.

We use Google Analytics 4 (GA4) to understand how users interact with WorkoutPath. GA4 automatically collects the following data through cookies and tracking scripts:

• IP address — automatically collected by Google; used to infer approximate geographic location (city/region level); Google anonymizes IP addresses by default in GA4
• Device type and model — e.g., mobile, tablet, desktop; manufacturer and model where available
• Browser and operating system — browser name, version, and operating system information
• Pages visited — which pages or screens of WorkoutPath you viewed and in what order
• Session duration — how long you spend in the application per session
• Referral source — how you arrived at WorkoutPath (e.g., search engine, direct, social media)
• Events and interactions — button clicks, navigation events, and feature interactions as configured in GA4

Legal basis (GDPR Art. 6(1)(a)): Consent obtained before loading Google Analytics scripts. GA4 ID: G-146133G10J.

WorkoutPath uses your browser's localStorage to enable offline functionality and reduce server requests. The following data is stored locally on your device:

• wpUser — your basic account identifier (for session persistence)
• wpProfile — your profile preferences (name, gender, activity level)
• wpSelectedProgram — your active workout program selection
• wpActivityLevel — your configured activity level

This data remains on your device and is not transmitted to our servers independently — it is synced to Supabase only when you are online and actively using the application. You can clear this data at any time through your browser settings.

Role: Data Processor. Supabase provides our backend database and authentication infrastructure.

Data processed: Account data (email, hashed password), profile data, fitness data, and all structured data in our application database.

Servers: Supabase operates on Amazon Web Services (AWS) infrastructure. Our database is hosted at zftocjpdkiqvurnxmjdh.supabase.co. Data may be processed in both EU and US regions depending on the AWS region configuration.

Privacy information: supabase.com/privacy

Role: Data Processor. Google provides our analytics service (Google Analytics 4, GA4).

Data processed: Usage data including IP address (anonymized), device information, browser information, pages visited, session duration, and behavioral events.

How it works: GA4 uses JavaScript tracking code embedded in our pages. This code sets cookies (see Section 5) and sends data to Google's servers. We only load GA4 scripts after obtaining your consent. Our GA4 Property ID is G-146133G10J.

Data transfers: Google may process analytics data in the United States. Google LLC is certified under the EU-US Data Privacy Framework.

Privacy information: policies.google.com/privacy | GA Opt-out Browser Add-on

Role: Data Processor. Vercel hosts and delivers the WorkoutPath web application.

Data processed: Vercel may process server access logs, which can include your IP address, request timestamps, pages requested, and HTTP headers — standard data for web hosting and CDN delivery.

Servers: Vercel operates a global CDN with edge nodes in multiple regions. Vercel is headquartered in the United States.

Privacy information: vercel.com/legal/privacy-policy

• Right of Access (Art. 15) — Request a copy of all personal data we hold about you, along with information about how it is processed.
• Right to Rectification (Art. 16) — Request correction of inaccurate or incomplete personal data.
• Right to Erasure / Right to be Forgotten (Art. 17) — Request deletion of your personal data when it is no longer necessary for the purposes collected, consent is withdrawn, or you object to processing.
• Right to Restriction of Processing (Art. 18) — Request that we limit how we use your data in certain circumstances (e.g., while contesting accuracy).
• Right to Data Portability (Art. 20) — Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object (Art. 21) — Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent — Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint — Lodge a complaint with your national supervisory authority (e.g., your country's Data Protection Authority).

• Explicit consent at signup: We obtain your separate, explicit consent to process fitness data before you can begin using the workout tracking features.
• Access control: Your fitness data is accessible only to you through your authenticated account. Our team does not review individual user fitness records.
• No third-party sharing: We do not share your individual fitness data with any third party for research, commercial, insurance, or advertising purposes.
• Encrypted in transit: All data transmitted between your device and Supabase is encrypted using TLS/HTTPS.
• Encrypted at rest: Supabase encrypts stored data at rest using AES-256 encryption.

You may withdraw consent for processing your fitness data at any time by deleting your account. Deleting your account will permanently erase all fitness data from our systems within 30 days. To delete your account, contact pathworkout@gmail.com.

Please note that withdrawing consent will result in the termination of your WorkoutPath account, as fitness data is core to the service we provide.

Supabase is headquartered in the United States and operates infrastructure on AWS, which may include regions both within and outside the EU. Data transfers from the EEA to the US via Supabase may be covered by Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms as described in Supabase's Data Processing Agreement.

Google Analytics data is processed by Google LLC in the United States. Google LLC participates in the EU-US Data Privacy Framework (DPF), which provides an adequacy decision basis for data transfers from the EEA to the US. Additionally, Google's Analytics Data Processing Terms include Standard Contractual Clauses.

Vercel is headquartered in the United States and operates a global edge network. Server access log data may be processed in various regions. Vercel provides Standard Contractual Clauses for EU data transfers.