Privacy Policy

1. Controller

The controller responsible for data processing on this website and app is:

MR Digital Solutions UG (haftungsbeschränkt)

Düsseldorfer Str. 26

51379 Leverkusen, Germany

Email: [email protected]

The controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (e.g., names, email addresses, etc.).

2. General Information on Data Processing

2.1 Scope of Processing

We process personal data of our users only to the extent necessary to provide a functional website and app, as well as our content and services. As a rule, personal data is processed only with user consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and data processing is permitted by law.

2.2 Legal Basis (GDPR)

Data processing is based on:

  • Art. 6(1)(a) GDPR - Processing with your explicit consent
  • Art. 6(1)(b) GDPR - Processing for contract performance (subscription)
  • Art. 6(1)(f) GDPR - Processing based on legitimate interests (service improvement, security)

2.3 Data Deletion and Storage Duration

Personal data is deleted or blocked as soon as the purpose of storage ceases to apply. Storage may continue if provided for by European or national legislators in EU regulations, laws, or other provisions to which the controller is subject. Data is also blocked or deleted when a storage period prescribed by the standards expires, unless further storage is necessary for contract conclusion or fulfillment.

3. Data We Collect

3.1 Anonymous User Data

When you use GymDJ, we collect:

  • Device identifier (hashed for security)
  • Anonymous user ID (UUID)
  • Workout session data (duration)
  • Music preferences and listening history
  • Track interactions (plays, skips, likes)

3.2 Subscription Data (iOS App)

When you purchase a subscription through Apple:

  • Apple ID (processed by Apple, not stored by us)
  • Subscription status and expiration date
  • Purchase receipts (validated via Apple servers)
  • Payment is processed entirely by Apple - we never see your credit card data

3.3 Technical Data

  • Device type and operating system version
  • App version
  • IP address (for security and fraud prevention)
  • Access times and dates

4. How We Use Your Data

We process data for the following purposes:

  • Provide and improve our music streaming service
  • Personalize workout music recommendations
  • Manage free demo sessions, trials, and subscriptions
  • Prevent abuse (one free demo workout per device)
  • Ensure service security and prevent fraud
  • Analyze usage patterns to enhance user experience (aggregated, anonymized)
  • Comply with legal obligations

5. Data Sharing and Third Parties

We do not sell your personal data. We share data only with:

5.1 Apple Inc. (Subscription Processing)

Subscription payments are processed entirely through Apple's App Store. Apple's privacy policy applies: https://www.apple.com/legal/privacy/

5.2 RevenueCat (Subscription Management)

We use RevenueCat to manage subscriptions and in-app purchases. RevenueCat processes subscription data on our behalf. Their privacy policy applies: https://www.revenuecat.com/privacy

5.3 Hosting Provider

Our servers are hosted in Germany, complying with strict EU data protection standards. The server provider has signed data processing agreements (DPA) per Art. 28 GDPR.

5.4 Legal Obligations

We may disclose data if required by German or EU law, court orders, or government requests.

6. Data Security

We implement state-of-the-art technical and organizational measures to protect your data:

  • End-to-end encryption (HTTPS/TLS)
  • Hashed device identifiers (SHA-256 with server salt)
  • Secure JWT token authentication
  • Regular security audits and updates
  • Access controls and logging
  • Data minimization principle (we collect only what's necessary)

7. Your Rights Under GDPR

Under the EU General Data Protection Regulation, you have the following rights:

7.1 Right of Access (Art. 15 GDPR)

Request information about your stored personal data, processing purposes, and recipients.

7.2 Right to Rectification (Art. 16 GDPR)

Request correction of inaccurate personal data.

7.3 Right to Erasure (Art. 17 GDPR)

Request deletion of your data when no longer needed or processing is unlawful.

7.4 Right to Restriction (Art. 18 GDPR)

Request restriction of processing under certain conditions.

7.5 Right to Data Portability (Art. 20 GDPR)

Receive your data in a structured, machine-readable format.

7.6 Right to Object (Art. 21 GDPR)

Object to processing based on legitimate interests (Art. 6(1)(f) GDPR).

7.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Withdraw consent at any time without affecting prior lawful processing.

7.8 Right to Lodge a Complaint

File a complaint with a supervisory authority. In Germany, contact your state's data protection authority or the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

To exercise your rights, contact us at:
[email protected]

8. Analytics and Tracking

We use privacy-focused analytics to improve our service. We do not use advertising cookies or sell data to third parties.

8.1 PostHog (EU-Hosted)

We use PostHog for product analytics to understand how users interact with our service. PostHog is hosted in the European Union (Frankfurt, Germany), ensuring GDPR compliance.

  • Data processed: Page views, feature usage, anonymized user journeys
  • Data location: EU (Frankfurt, Germany)
  • Purpose: Service improvement and bug detection
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

PostHog privacy policy: https://posthog.com/privacy

8.2 Umami (Self-Hosted)

We use Umami for website analytics. Umami is self-hosted on our own servers in Germany, giving us full control over the data.

  • Data processed: Page views, referrers, device type, country (no personal data)
  • Data location: Germany (our servers)
  • Cookies: None - Umami is cookie-free
  • IP addresses: Not stored (anonymized)
  • Purpose: Understanding website traffic patterns
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

8.3 iOS App

Our iOS app does not use cookies. Analytics data from the app is processed through our backend API and follows the same privacy principles outlined above.

9. Children's Privacy

GymDJ is not intended for users under 13 years old. We do not knowingly collect data from children. If you believe a child has provided us with data, contact us immediately.

10. Data Transfers Outside the EU

All data is stored on servers located in Germany (EU). Apple may process subscription data internationally, subject to their privacy policy and EU-approved safeguards.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Updates will be posted with a new "Last updated" date. Continued use after changes constitutes acceptance.

12. Contact

For questions, concerns, or to exercise your rights, contact us at:
[email protected]

Last updated: December 22, 2024