This privacy policy applies to the iOS app Muscles and the website muscles-app.com. The data controller is René Weinhold (see Impressum).
1. Overview
We process as little personal data as possible. Your training and nutrition data live in your account and are used solely to provide app features. We do not sell data and do not use third-party tracking or advertising SDKs.
2. Controller
René Weinhold
Merlinweg 14
44229 Dortmund, Germany
Email: contact@muscles-app.com
3. Data we process
3.1 Account data
When you sign up, we store your email address and a unique user ID. If you use Sign in with Apple, we only receive what Apple forwards (an anonymized or real email address depending on your choice, plus a user ID).
3.2 Profile & fitness data
You can optionally provide profile details (e.g., gender, age, height, weight, training goals, dietary preference). We also store the training, nutrition, weight and progress data you enter. This data is used solely to provide app features.
3.3 Photo uploads for meal recognition
When you use AI meal recognition, the photo you take is sent to our processor OpenAI (OpenAI Ireland Ltd., 1st Floor, The Liffey Trust Centre, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland) to detect the meal, calories and macros. Images are not used for AI model training (OpenAI "API" usage). See openai.com/policies/privacy-policy. Transfers to third countries (USA) cannot be ruled out and take place on the basis of the EU Commission's standard contractual clauses.
3.4 Technical data
When you visit the website, our host Strato (Strato AG, Otto-Ostrowski-Straße 7, 10249 Berlin) automatically collects server log files (IP address, browser type, OS, time of request). This data is required to ensure smooth operation. Within the app, standard iOS systems (e.g., APNs for push notifications) transmit technical data to Apple.
4. Processors and third-party services
We use the following carefully selected service providers. We have a Data Processing Agreement (DPA) under Art. 28 GDPR or equivalent in place with each of them.
- Supabase (Supabase Inc.) - Backend, authentication and storage of your account, training and nutrition data. EU region (Frankfurt). Privacy policy: supabase.com/privacy.
- RevenueCat (RevenueCat, Inc., USA) - Handling and synchronization of in-app subscription status. Only purchase and device information is processed; no training or nutrition data. Privacy: revenuecat.com/privacy.
- Apple (Apple Inc., USA / Apple Distribution International, Ireland) - App Store, Sign in with Apple, push notifications (APNs), in-app purchases. Privacy: apple.com/legal/privacy.
- OpenAI (OpenAI Ireland Ltd.) - AI meal recognition from photos (see above).
- Strato AG (Berlin) - Website hosting. Privacy: strato.de/datenschutz.
Transfers to third countries (USA) take place on the basis of the EU Commission's standard contractual clauses under Art. 46(2)(c) GDPR and, where certified, the EU-US Data Privacy Framework.
5. Push notifications
The app may optionally send reminders (e.g., training reminders). You can disable push notifications at any time in iOS Settings. We process only the push token provided by Apple and the content required to deliver the notification.
6. App Store ratings
At selected moments (e.g., after a finished workout), the app asks for a rating via Apple's official API. Apple handles this completely - we do not see whether or how you rated.
7. Legal basis
- Art. 6(1)(b) GDPR - processing necessary to perform the contract between you and us (delivering app features, handling your subscription).
- Art. 6(1)(f) GDPR - legitimate interest (secure operation, abuse detection, technical logs).
- Art. 6(1)(a) GDPR - consent (e.g., when you voluntarily use AI meal recognition). You may withdraw consent at any time.
8. Storage duration
We store your data for as long as you maintain your account. When you delete your account in the app's settings (Profile → Delete account), your personal data is deleted or anonymized immediately, unless legal retention obligations require otherwise.
9. Your rights
You have the following rights at any time:
- access (Art. 15 GDPR)
- rectification (Art. 16 GDPR)
- erasure (Art. 17 GDPR)
- restriction of processing (Art. 18 GDPR)
- data portability (Art. 20 GDPR)
- objection (Art. 21 GDPR)
- withdrawal of given consent (Art. 7(3) GDPR)
- lodging a complaint with a supervisory authority (Art. 77 GDPR) - in North Rhine-Westphalia, e.g., LDI NRW.
Send requests at any time to contact@muscles-app.com.
10. Closing your account
You can delete your account yourself at any time: in the app under Profile → Settings → Delete account. To stop subscription billing, also cancel the subscription via the App Store.
11. Data security
The connection to our servers and processors is fully encrypted via SSL/TLS. Authentication tokens are stored exclusively in your device's secure Keychain.
12. Changes to this policy
We may update this privacy policy to reflect changes in legal requirements or app features. The current version is always available on this page.