Privacy Policy for Pushup Club

Last updated: 6 May 2026

1. Controller

The controller responsible for data processing in connection with the Push-Up Club app is:

Roman Koch
Germany
Email: apps@romankoch.online

If you have any questions about this Privacy Policy or want to exercise your privacy rights, you can contact us at the email address above.

2. Overview

Pushup Club is a push-up tracking app with optional account and community features. You can use parts of the app without creating an account. Some features, such as challenges, leaderboard participation, badges, and profile-based community features, require an account.

We process personal data only to the extent necessary to provide the app, operate its features, maintain security and stability, and improve the app. The backend is operated on our own server infrastructure in Germany rather than through a third-party analytics platform.

3. What data we collect

Depending on how you use the app, we may process the following categories of data.

3.1 Account and profile data

If you create an account using Sign in with Apple, we may process:

- Apple user identifier (the `sub` claim issued by Apple)
- email address
- first name
- family name
- profile alias, if available
- profile image, if provided through the Apple account

The Apple user identifier is required to create and maintain your account. Other profile data is only processed if it is available. The email address is used only at the moment of account creation and during authentication; it is not stored on our backend after account linking is complete.

3.2 Workout and feature data

If you use an account, we may store data needed to provide account-based features, such as:

- workout history (rep counts and timestamps only)
- joined challenges
- leaderboard position
- badges and badge progress
- related profile and participation data needed for community features

If you do not create an account, your workout data remains locally on your device and is not linked to a backend user account.

3.3 Camera and TrueDepth sensor data

Pushup Club uses your device's front camera and, on supported devices, the TrueDepth sensor to detect push-up repetitions during a workout. This is the core mechanism by which the app counts reps.

What the app accesses:

- On devices with TrueDepth (default detection mode on supported iPhones): the app reads depth data via Apple's ARKit framework. Specifically, the app reads only the real-time distance between your face and the device along the device's vertical axis. This distance value oscillates as you lower and raise your body during a push-up, and the app uses this oscillation to count valid reps.
- On devices without TrueDepth (or when you select camera mode in Settings): the app uses the front camera and on-device vision processing to detect push-up motion.

What the app does NOT collect, store, or transmit:

- face images, photographs, or video frames
- face mesh geometry, face landmarks, or facial feature points
- facial expressions or blend shape data
- biometric identifiers of any kind
- any data that could be used to identify a specific person from their face

How this data is handled:

- All camera and TrueDepth data is processed entirely on your device, in real time, during an active workout session.
- Camera frames and depth measurements exist only as transient in-memory values and are discarded immediately after each frame is processed for rep detection.
- This data is never written to disk, never stored in any local database, never transmitted to our backend, and never shared with any third party.
- The only output of this processing that leaves your device is the final aggregated rep count and timestamp of your workout (and only if you have an account; for users without an account, even this remains on the device).

3.4 Analytics data

We use our own internal, first-party analytics system. This analytics is anonymized and is not directly linked to your real identity. Analytics events are tied to a randomly generated anonymous identifier (UUID) created on your device, which is not connected to your name, email, or Apple identifier.

The analytics may include event data such as:

- app started
- workout session completed
- user created an account
- challenge started

The analytics may also include limited technical metadata such as:

- iOS version
- app version
- app language

We use this data only to understand app usage and improve the app. We do not share analytics data with any third-party analytics provider.

3.5 Technical and operational data

When you use the app and backend services, certain technical data may be processed automatically as part of standard server and network operation. This may include, for example:

- request timestamps
- technical request information
- connection-related information
- basic operational log entries needed for stability, troubleshooting, and security

This data is processed only as part of standard technical operation and is not used to build personal marketing profiles.

4. How we collect data

We collect data:

- directly from you when you create an account or use app features
- from Apple when you use Sign in with Apple and Apple provides account information to the app
- from your app usage when app events are generated
- from your device when the app sends limited technical metadata such as iOS version, app version, and app language
- automatically through standard backend operation where technically necessary

We do not collect data from your device's camera or TrueDepth sensor in any form. As described in Section 3.3, camera and TrueDepth data is processed only on your device and never reaches our servers.

5. Why we process your data

We process personal data for the following purposes:

5.1 To provide the app and its features

We use account and profile data to:

- create and manage your account
- authenticate you
- provide account-based features
- sync eligible account data with the backend
- enable participation in challenges, leaderboard features, badges, and profile-based community functions

5.2 To store and display progress

We process workout and feature data to:

- save your account-linked workouts
- display progress and achievements
- support challenge participation
- calculate leaderboard-related results
- award and show badges

5.3 To detect push-up repetitions

We use camera and, where available, TrueDepth sensor data on your device exclusively to count push-up repetitions during an active workout session. This data is processed only on your device and is not retained or transmitted, as described in Section 3.3.

5.4 To improve the app

We process anonymized analytics events to better understand how the app is used, for example how often the app is opened, whether workouts are completed, whether accounts are created, and whether challenges are used.

5.5 To operate and secure the service

We process technical and operational data where necessary to run the backend, maintain functionality, ensure stability, and protect the service against misuse. The backend supports user identity handling, workout processing, and account-linked features as part of the app's own infrastructure.

5.6 To comply with legal obligations

We may process data where necessary to comply with applicable legal obligations or to establish, exercise, or defend legal claims.

6. Legal bases for processing

Where the GDPR applies, we process personal data on the following legal bases, depending on the specific context:

- Performance of a contract or steps taken at your request before entering into a contract, where processing is necessary to provide the app and its account-based features
- Legitimate interests, where processing is necessary for app operation, security, reliability, and limited internal analytics, provided your rights and interests do not override those interests
- Legal obligation, where processing is required by law

7. Use without an account and use with an account

7.1 Use without an account

If you do not create an account:

- your workout data remains locally on your device
- no backend profile is created for your workouts
- some community and account-based features are not available

7.2 Use with an account

If you create an account using Sign in with Apple:

- your account data is processed on the backend
- eligible workout and feature data may be stored on the backend
- you can participate in challenges and leaderboard features
- badges and related progress may be linked to your profile

8. Profile image

If a profile image is available through your Apple account and is provided to the app, that image may be used and stored as part of your profile in the app. If no image is available through the Apple account, no profile image will be stored or displayed. Users cannot upload their own custom profile image under the current setup.

9. Sharing of data

We do not sell your personal data. We do not share your data with third-party analytics providers. We do not share camera or TrueDepth data with anyone — this data never leaves your device.

Your account and workout data is processed on our own backend infrastructure. However, certain third parties may be involved where this is necessary to provide the app, including:

- Apple, when you use Sign in with Apple or Apple payment-related services
- the VPS hosting provider, which hosts our backend infrastructure in Germany

Data is not disclosed to third parties for advertising purposes.

10. Data storage location

Both the app operator and the backend server are located in Germany. Account and workout data is stored within the European Union.

11. Data retention

We retain personal data only as long as necessary for the purposes described in this Privacy Policy:

- account-related and profile-related data is retained while the account remains active
- if an account remains inactive for more than 12 months, related account data may be deleted
- if you delete your account, related stored data is deleted immediately
- camera and TrueDepth data is not retained at any time, as it is processed only in memory on your device

12. Account deletion

You can delete your account at any time in the app under:

Settings → My Account → Delete Account

When you delete your account, related account data is deleted immediately. Aggregated, non-identifying contributions to the global push-up counter may remain in the community total, but are no longer linked to you.

13. Your rights

Where applicable under data protection law, you have the right to:

- request access to your personal data
- request correction of inaccurate data
- request deletion of your data
- request restriction of processing
- object to certain processing
- receive your data in a portable format where applicable
- lodge a complaint with a competent data protection authority

To exercise your rights, contact: apps@romankoch.online

14. Children

Pushup Club is not directed at children. The app is intended for users aged 13 and older. If you are under 13, please do not use the app or provide any personal information. If we become aware that we have collected personal data from a child under 13 without verified parental consent, we will delete that information promptly. In jurisdictions where the minimum age of digital consent is higher than 13 (such as 16 in some EU member states), the higher age applies.

15. Security

We take appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or disclosure. The backend includes security-oriented baseline measures such as request validation, environment-based secrets management, and HTTPS encryption in production.

16. Third-party services

The app currently relies on the following third-party services or providers where relevant to privacy:

Apple

Used for:

- Sign in with Apple
- App Store distribution
- payment-related platform handling where applicable

VPS hosting provider

Used to host the backend infrastructure in Germany.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example if app features, data processing, or service providers change. The current version will be made available in the app or wherever the Privacy Policy is published. The "Last updated" date at the top of this policy reflects the most recent revision.

18. Contact

If you have questions about this Privacy Policy or about how your personal data is processed, contact: apps@romankoch.online