Privacy Policy
Effective Date: December 21, 2025
1. Who We Are
This Privacy Policy applies to the mobile application Repport (the “App”) and any related services (including our beta program signup) provided by Michal Surynt (“we,” “us,” or “our”).
For the purposes of data protection law (including the EU General Data Protection Regulation (GDPR) and UK GDPR), Michal Surynt is the data controller for the personal information processed in connection with Repport.
Contact Information
If you have any questions or requests regarding your personal data, you can contact us at:
Data Controller & Privacy Contact
- Name: Michal Surynt
- Email: hello@getrepport.app
Given the small scale and nature of Repport, we are currently not required to appoint a separate Data Protection Officer (DPO) under GDPR. For all privacy-related matters, please use the contact details above.
2. Compliance
We are committed to protecting your privacy and complying with applicable privacy laws, including:
- The EU General Data Protection Regulation (GDPR)
- The UK GDPR
- The California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- Australia’s Privacy Act 1988
- Other similar data protection laws, where applicable
This Policy explains:
- What information we collect
- How we use it
- How it may be shared
- Your rights regarding your information
- How you can exercise those rights
3. Scope of This Privacy Policy
This Privacy Policy covers our handling of personal information in connection with:
- The Repport mobile app – a local-first workout logging application
- Our website (getrepport.app) and beta program – including any personal information you submit when signing up for early access (beta testing)
- Direct interactions with us – e.g., contacting us via email for support or feedback
By using the Repport app or participating in our beta/early access program, you agree to the collection and use of information as described in this Policy. If you do not agree, please do not use the App or provide personal data to us.
Note: Beta testing participants should also review our Beta Program – Data Handling Addendum (https://getrepport.app/beta-terms), which explains temporary data storage practices during the testing phase.
4. Information We Collect
We strive to minimise the personal data we collect. Repport is designed as a local-first app, meaning that, by default, your workout plans, training logs, notes, and program data remain on your device and are not automatically uploaded or stored on our servers.
However, in order to provide certain features (such as AI-based plan parsing, voice transcription, and subscription management) and to improve the product, we and our third-party service providers may process some data as described below.
4.1 Information You Provide Directly
Beta Program Sign-Up Data
If you sign up for our closed beta or early access through our website, we collect the information you submit in the form. This typically includes:
- Your email address
- Optionally, your name or details about your training setup
We collect this information with your consent (you must opt in by checking the form’s consent box) and use it only to:
- Contact you about the Repport beta program
- Send you a TestFlight invite or similar access
- Ask for your feedback
We will not use your email for marketing beyond beta program updates, and we do not share it with third parties for their own marketing.
Customer Support and Contact
If you contact us via email or other channels for support or feedback, you may provide:
- Your email address
- Your name
- The content of your communication
We will use this information to respond to you and resolve issues. Such communications are voluntary, and by contacting us you consent to our use of this data to assist you.
User-Provided Workout Data (Local)
Within the App, you can input or import workout plans and notes, and log your training sessions (e.g., exercises, sets, reps, weights, and similar performance-related metrics). By design:
- This data is stored locally on your device
- It is not transmitted to us or stored on our servers (except in the limited cases described in section 4.2 when using specific online features)
We do not create user accounts, and we do not require you to provide profile information like age, gender, or other direct identifiers to use the core features of the App.
Health-Related and Sensitive Personal Data
Repport is not designed to function as a medical records system, and we do not ask you to enter diagnoses, clinical history, or treatment data. However:
- You may choose to store body measurements (e.g., body weight, body circumferences) to track your fitness progress
- Plans imported from coaches or notes you enter could contain health-related information (e.g., “no overhead work this week due to shoulder injury”)
In some contexts, this type of information can qualify as health data or “special categories of data” under GDPR.
Currently:
- Such information (if you choose to record it) remains solely on your device in the App’s local storage
- It is not transmitted to us or to our service providers, unless you actively send it (for example, in a support email or as part of a file uploaded for plan parsing)
If in the future we introduce features where such health-related data would be stored or processed on our servers (e.g., optional cloud backup or account-based syncing), we will:
- Only process that data with your explicit consent (Art. 9 GDPR)
- Clearly inform you in the UI
- Implement additional safeguards and legal bases as required
We ask you not to include highly sensitive personal data in any files or messages you submit via email or other channels unless it is strictly necessary.
4.2 Information Collected via App Functionality (Third-Party Processing)
To provide some features, we integrate certain third-party services. When you use these features, the data you input is transmitted to these services for processing. We do not store this data ourselves beyond what is necessary for the feature to function in real time.
Workout Plan Files and Text Uploads (AI Parsing)
When you use the App’s plan import feature to upload a workout plan (e.g., PDF, spreadsheet, image, or text):
- The entire content of the file or text you provide is sent, via a proxy, to our AI parsing service
- We use OpenAI’s API (via Google Cloud Firebase Cloud Functions as a proxy) to analyse and convert your plan into structured workout data (weeks, days, exercises, sets, reps)
- We do not retain a copy of your uploaded file or its contents on our own servers
- The content is transmitted securely to the parsing service, and only the structured result is returned to your device
OpenAI and Zero Data Retention (ZDR)
For eligible API endpoints, we configure our integration to use OpenAI’s Zero Data Retention (ZDR) option where available. This means that for those requests:
- OpenAI does not store the input or output data after processing
- The data is not used to train OpenAI’s models
For endpoints or cases where ZDR is not available, OpenAI may retain API data for up to 30 days for abuse monitoring, as described in their documentation, but will not use it to train their models.
Our Firebase Cloud Function proxy is configured:
- Not to log or persist the content of your plan in application logs
- To simply relay input and output between your device and OpenAI
Important: By using the plan import feature, you understand that the content of your uploaded plan will be transmitted to OpenAI (via our proxy) for processing. If your plan contains personal or health-related information, that information is included in what is sent. We recommend not uploading content you are not authorised to share or that contains highly sensitive personal details.
Voice Commands and Transcription
If you use voice-based features (e.g., voice-driven logging or speech-to-text input):
- The App will request access to your device’s microphone
- The spoken audio is recorded locally and then transmitted securely to our AI transcription service (currently via OpenAI’s Whisper API or similar)
We use OpenAI’s transcription services to:
- Convert your speech to text
- Interpret natural language commands for logging your workout (e.g., “log everything as planned” or “replace squats 70kg with 65kg”)
We do not store your voice recordings on our own servers. They are processed in real time and then discarded. OpenAI may temporarily retain audio input for a limited period (up to 30 days) for abuse detection, unless ZDR is applicable for the endpoint; the data is not used to train their models.
No voice data is stored on your device after processing unless you explicitly save a transcription or note.
Device Permissions
To support the above features, the App may request device permissions such as:
- File storage access (to allow you to select a plan file)
- Microphone access (to capture voice commands)
Granting these permissions is optional, but if you decline, those specific features will not work. Information accessed via these permissions is used solely for the intended feature and not for any other purpose. You can revoke permissions in your device settings at any time.
4.3 Information from In-App Purchases and Subscriptions
Repport is a paid application with certain features unlocked via purchase (e.g., subscription or one-time license).
Apple App Store Purchases
If you purchase Repport or a subscription via the Apple App Store:
- Your payment is processed by Apple
- We do not receive your credit card details or billing address; Apple handles these under their own privacy policy
- We receive confirmation of your purchase (e.g., anonymized receipt or transaction identifier, product ID, subscription status)
We use this information:
- To unlock premium features
- To track whether your subscription is active or expired
Adapty (Subscription Management)
We use Adapty as a subscription management service. When you make a purchase:
- Adapty validates your app store purchase receipt
- Adapty may collect certain identifiers and purchase-related information, such as:
  - Device identifiers (e.g., IDFV on iOS) to pseudonymously identify your installation
  - Purchase receipts and transaction IDs from Apple (product, price, dates)
  - IP address and technical metadata for security and fraud prevention
Adapty processes this data solely to validate your subscription and manage entitlements on our behalf. They act as our data processor and do not use your data for their own purposes.
We do not send Adapty your name or email address from within the App.
4.4 Information from Optional Analytics and Crash Reporting
To improve Repport, we use optional analytics and crash reporting. These are opt-in only – disabled by default or controlled explicitly in settings. If you do not opt in, no analytics or crash data is sent.
Usage Analytics (Mixpanel)
With your permission, we use Mixpanel to collect pseudonymous analytics data:
- Device information: device type, OS version, app version, and a random analytics/installation ID (not tied to your real identity)
- App usage events: which screens are used, which features are triggered (e.g., voice logging, plan import) and how often
- Basic information derived from IP address: e.g., approximate country or city, primarily for understanding geographic distribution and service integrity
We configure Mixpanel to:
- Avoid storing raw IP addresses
- Limit the collected data to what we need for product improvement
We do not use Mixpanel to collect your workout content, file contents, or personal notes. We do not use Mixpanel for advertising or behavioural profiling.
You can:
- Choose not to enable analytics at all
- Disable analytics at any time in the App’s settings
We retain analytics data in Mixpanel for up to 12 months from collection, after which it is deleted or irreversibly anonymised in our project.
Because we do not have user accounts, analytics data is linked only to a pseudonymous installation ID. This is still considered personal data under GDPR, but it does not include your name or contact details.
Crash and Error Reports (Bugsink)
With your consent, we use Bugsink to collect crash and error reports. A crash report may contain:
- Technical device data: device model, OS version, app version
- App state: which screen or operation was active at time of crash
- Technical details: stack traces, error logs, timestamps
- Pseudonymous identifier: installation/session identifier
We configure Bugsink to avoid capturing:
- Email addresses
- Names
- Detailed content such as full workout logs
In rare cases, a small snippet of content that triggered a crash may appear in logs. This is used strictly to diagnose and fix issues.
If you opt out, no crash data is sent to Bugsink (system-level crash diagnostics may still exist on your device, controlled by your OS).
We retain crash data in Bugsink for up to 12 months for debugging and stability improvements, after which it is deleted or aggregated.
4.5 Other Data Collected Automatically
We do not use third-party advertising SDKs or social plugins. However, some minimal technical data may be collected automatically:
Log Data
When you use our website or App’s network features, servers operated by our providers (e.g., Firebase, Adapty, OpenAI, Mixpanel, Bugsink) may log:
- IP address
- Device and browser type (for web)
- Requested URLs or API endpoints
- Timestamps
- Basic error information
We use such log data primarily for:
- Security and abuse prevention
- Debugging and troubleshooting
- Infrastructure monitoring (e.g., detecting abnormal traffic)
We do not use log data to build behavioural profiles.
Cookies and Similar Technologies (Website)
Our website (getrepport.app) uses minimal tracking:
- We do not use advertising cookies
- We may use a cookie or local storage token to maintain a session or remember preferences
- We may use a privacy-focused analytics service (such as Simple Analytics or similar) that does not use cookies or store personally identifiable information
You can configure your browser to block cookies; this should not significantly affect website functionality.
5. How We Use Your Information
We use the information we collect solely for the following purposes:
5.1 Provide and Maintain the App’s Core Functionality
We process your uploaded workout plans, voice commands, and related inputs in order to:
- Parse your plan into structured data
- Enable you to log workouts (via text or voice)
- Support timers, notes, and history exports
- Provide subscription entitlements
Legal basis under GDPR: Performance of a contract (to provide the features you request). If you choose not to use certain features (e.g., voice or plan import), those specific data processing activities do not occur.
5.2 Manage Purchases and Subscriptions
We use purchase-related information to:
- Verify purchases with Apple and Adapty
- Activate and restore your subscription/license
- Prevent fraudulent access
Legal basis: Performance of a contract and legitimate interests (preventing fraud and unauthorised access).
5.3 Communicate with You
We may use your contact details:
- To send beta program invitations and updates (if you opted in)
- To respond to your support requests
- To send essential service-related communications (e.g., critical security or legal updates)
We will not send you unrelated marketing emails without separate consent.
Legal basis: Consent (for beta/optional communications) and/or legitimate interests (to respond to your direct enquiries).
5.4 Analyse and Improve the App
If you opt in to analytics and/or crash reporting, we use Mixpanel and Bugsink data to:
- Understand which features are used
- Identify usability issues
- Detect and fix bugs
- Prioritise improvements
Legal basis: Consent (GDPR) and, where relevant, legitimate interests to maintain a high-quality service.
5.5 Ensure Security and Prevent Misuse
We may process IP addresses, device identifiers, log data, and error reports to:
- Detect and prevent abuse (e.g., misuse of the AI plan parsing endpoint)
- Protect our systems against attacks
- Monitor for unusual usage patterns
Legal basis: Legitimate interests in protecting our service, and possibly legal obligations in some jurisdictions.
5.6 No Selling or Third-Party Marketing
We do not:
- Sell your personal data
- Share your data with third parties for their own marketing
- Use your data for cross-context behavioural advertising
5.7 No Automated Decision-Making with Legal Effects
We do not use your personal data to make automated decisions that produce legal or similarly significant effects. AI processing (OpenAI) is used only to transform your input into output (e.g., text to structured plan, voice to text) at your request.
6. How We Share Information
We share personal data only as described here or when required by law.
6.1 Service Providers (Processors)
We use trusted third-party providers to deliver parts of our service. They process personal data on our behalf and under our instructions, including:
- OpenAI – AI plan parsing and voice transcription. Receives the content of your plan files or voice commands for processing.
- Google Firebase (Cloud Functions) – hosts our proxy function relaying requests and responses between your device and OpenAI. Configured not to log request bodies.
- Apple – processes App Store payments and may share minimal purchase metadata with us; also TestFlight for beta distribution.
- Adapty – subscription status validation by processing app store receipts and device identifiers on our behalf.
- Mixpanel – analytics (if you opt in). Processes pseudonymous analytics events and device info.
- Bugsink – crash and error reporting (if you opt in). Processes technical crash data and pseudonymous installation IDs.
- Email Delivery Providers – if we use a service like SendGrid or a similar provider to send emails (beta invites, updates), they process your email address and message contents strictly to send messages on our behalf.
For all service providers that act as processors under GDPR (OpenAI, Google Firebase, Adapty, Mixpanel, Bugsink, and any email delivery provider), we enter into written Data Processing Agreements (DPAs) that meet the requirements of Article 28 GDPR, including:
- Confidentiality obligations
- Measures to protect data security
- Restrictions on sub-processors
- Assistance with data subject rights
6.2 Aggregated or De-Identified Data
We may aggregate or anonymise data so that it can no longer be linked to a specific device or person (e.g., “X number of workouts logged this month”). We may use and share such aggregated data without restriction, because it is no longer personal data.
6.3 Legal Requirements and Protection of Rights
We may disclose personal information if we believe it is necessary to:
- Comply with a legal obligation or lawful request (e.g., court order, law enforcement request)
- Protect and defend our rights or property
- Protect the safety of users or the public
- Enforce our Terms of Service
Given our local-first design and minimal data collection, the amount of data we can provide in such cases is typically very limited.
6.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity. In that case:
- The new entity will be bound by protections at least as strict as those in this Policy
- You will be notified of any material changes
We do not share your data with third parties for their own marketing or advertising.
7. International Data Transfers
Repport is developed in the European Union (Poland), but some of our service providers are based outside the EEA/UK, particularly in the United States (e.g., OpenAI, Mixpanel, Bugsink, Adapty, some email providers).
When personal data is transferred outside the EEA/UK, we implement appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) with non-EEA processors
- Reliance on recognised data transfer frameworks (such as the EU–US Data Privacy Framework) where our providers participate
We also consider the guidance from EU courts and regulators regarding government access and surveillance risks. For now, given that:
- Repport processes only minimal personal data on our servers
- We do not build detailed health profiles or user accounts
- Our processing via US-based providers is limited and mostly pseudonymous
we assess that this processing does not create a high residual risk for data subjects. If we expand the scope or sensitivity of data processed on servers (e.g., by introducing cloud backups or more detailed health metrics), we will:
- Carry out a more formal Transfer Impact Assessment (TIA)
- Where necessary, adjust our data transfer mechanisms or providers accordingly
8. Data Retention
We keep personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law.
8.1 Workout Plans and Voice Data
- Content you upload for parsing and audio you send for transcription are not stored on our servers after processing
- Where OpenAI’s Zero Data Retention is in effect, OpenAI does not store your data beyond immediate processing
- For non-ZDR endpoints, OpenAI may retain data for up to 30 days for abuse monitoring, then delete it
- We do not keep copies of your plan files or audio on our servers
8.2 Local App Data on Your Device
All workout logs, history, notes, and plan data the App stores remain on your device until you delete them or uninstall the App. We have no direct access to this local data.
To delete your local data:
- Use any deletion options provided in the App
- Uninstall the App from your device
We recommend exporting data you wish to keep before uninstalling, as we cannot recover data stored only on your device.
8.3 Beta Sign-Up Information
If you join the beta:
- We retain your email (and any other info you provided) while the beta is ongoing and as needed to communicate with you
- After the beta concludes or a stable launch, we may delete beta sign-up data within a reasonable period, unless you choose to continue receiving updates
- You can request removal from the beta and deletion of your beta data at any time
8.4 Analytics and Crash Data
- Mixpanel (analytics) – retained for up to 12 months from collection, then deleted or anonymised
- Bugsink (crash reports) – retained for up to 12 months, then deleted or aggregated
If you opt out of analytics or crash reporting, no new data is sent; existing data remains until it reaches our retention limit. You may also contact us to request deletion of analytics/crash data associated with your installation ID (see section 9).
8.5 Subscription and Purchase Data
We retain minimal purchase and subscription records, such as:
- Product IDs
- Purchase dates
- Subscription status and expiration
These may be kept for as long as you use the App and for a period afterward (e.g., a few years) to:
- Comply with financial and tax record-keeping obligations
- Resolve billing disputes
- Restore purchases if you reinstall
These records generally do not include sensitive personal data.
8.6 Legal Obligations and Disputes
In some cases, we may retain data longer if:
- Required by law (e.g., tax or accounting rules)
- Needed to establish, exercise, or defend legal claims
Once data is no longer needed, we will delete it or irreversibly anonymise it.
9. Your Privacy Rights
Depending on your jurisdiction (especially if you are in the EU/UK), you may have the following rights regarding your personal data:
- Right of access – to request a copy of your personal data and information about how we process it
- Right to rectification – to correct inaccurate or incomplete personal data
- Right to erasure – to request deletion of your personal data in certain circumstances
- Right to restrict processing – to ask us to limit our processing of your data
- Right to object – to object to processing based on legitimate interests or, where applicable, direct marketing
- Right to data portability – to receive certain data in a structured, commonly used, machine-readable format and to transmit it to another controller
- Right to withdraw consent – where processing is based on your consent, you can withdraw that consent at any time (this will not affect processing already performed)
- Right to lodge a complaint – with your local data protection authority if you believe your rights have been violated
Because Repport does not use user accounts and much of our analytics/crash data is pseudonymous, some rights (like access or erasure) may require your help to identify your records:
If you wish to exercise your rights in relation to analytics or crash data, we may ask you to provide the installation or analytics ID displayed in the App’s privacy or settings screen. We will then use this identifier to locate and delete or export relevant data in Mixpanel or Bugsink, where technically feasible.
How to Exercise Your Rights
To exercise your rights, please contact:
We will respond to valid requests within the timeframes required by applicable law (typically within 1 month under GDPR).
10. Data Security
We take the security of your information seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit – all communications between the App and our cloud services (Firebase, OpenAI, Adapty, etc.) use HTTPS/TLS
- Local sandbox storage – your workout data is stored in the App’s sandbox on your device; other apps cannot access it directly
- Access controls – access to dashboards or systems that may store personal data (e.g., beta email lists, Mixpanel, Bugsink, Adapty, Firebase) is limited to the single developer (Michal Surynt) using strong authentication and, where available, two-factor authentication
- Minimal data collection – by design, we avoid collecting workout content and health-related data on our servers, reducing the potential impact of a breach
- Secure configuration and updates – we keep dependencies reasonably up to date, apply security patches, and review configuration to reduce vulnerabilities
Incident Response and Breach Notification
Although the risk of a data breach is limited by our local-first approach, we maintain a basic incident response process. In the unlikely event of a personal data breach affecting information we control (e.g., beta emails, subscription data, analytics/crash data), we will:
- Investigate and contain the incident
- Document the cause, scope, and impact
- Notify the competent supervisory authority within 72 hours where required by law
- Inform affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms
No system can be 100% secure, and transmitting information over the internet always carries some risk. You can help protect your data by:
- Using a strong passcode or biometric lock on your device
- Keeping your OS up to date
- Not sharing your device or App access with others
11. Children’s Privacy
Repport is not directed at children under the age where they can legally provide consent to data processing in their jurisdiction (e.g., 13–16 in the EU, depending on the country). We do not knowingly collect personal data from children without parental consent.
If you believe a child has provided us with personal data, please contact us at hello@getrepport.app, and we will delete such data where required.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example when:
- We introduce new features
- We change our processing practices
- Laws and regulations change
We will:
- Post the updated Policy on our website and, where appropriate, in the App
- Update the “Effective Date” at the top
If changes are material (for example, if we introduce cloud storage for workouts or process health data on our servers), we will provide more prominent notice and, where required, ask for your consent again.
Document prepared for Repport – Michal Surynt