Red Gym Reps ("we", "us") operates this structured training tracker at redgymreps.com. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under the EU General Data Protection Regulation (GDPR) and the UK GDPR.
Data controller: Red Gym Reps / el Swan Apps. Questions? Email elswanapps@gmail.com.
When you sign up:
- Name
- Email address
- Password (stored as a salted PBKDF2 hash — we never see the plaintext)
- Role: athlete or coach
When you use the app:
- Workout logs — exercises, sets, reps, weights, and notes you enter
- One-rep max (1RM) estimates for tracked lifts
- Body weight entries
- Secondary activity logs (swim sessions, daily steps, pickleball, or none — your choice)
- Program and phase assignments set by your coach
- Coach comments and feedback on your sessions
Automatically:
- A session cookie (essential — used only to keep you signed in)
- A CSRF token (essential — protects form submissions)
- If something goes wrong, an anonymized error report via Sentry (send_default_pii=False — IP addresses and user identifiers are not sent)
We do not use Google Analytics, advertising cookies, or any third-party tracking scripts.
- Contract (Art. 6(1)(b) GDPR): we need your account details and workout logs to provide the training tracker you signed up for.
- Legitimate interest (Art. 6(1)(f)): keeping the service secure (CSRF tokens, rate limiting, error monitoring).
- Consent (Art. 6(1)(a)): if you're an athlete, your logs and progress are visible to your assigned coach. You agree to this when signing up under a coach-led program.
- You — all of your own data.
- Your coach — can view your workout logs, progress, 1RMs, body weight entries, and secondary activity to support your program. Your coach cannot see your password.
- Railway (railway.com) — our hosting provider, which runs the app servers and stores the database on our behalf (processor under Art. 28 GDPR).
- Sentry — if enabled, receives anonymized error reports only.
We never sell your data and we never share it for advertising.
Our servers are hosted by Railway (railway.com) in the United States. If you access the service from the EU or UK, your data is transferred to the US. Transfers rely on Railway's EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.
- Account data: while your account is active.
- Workout logs: while your account is active — they're the core record of your training.
- After account deletion: personal data deleted within 30 days. Aggregated, anonymized statistics may be retained.
- Error logs (Sentry): 90 days.
Under GDPR you have the right to:
- Access — request a copy of your data
- Rectification — correct anything inaccurate
- Erasure — have your account and data deleted
- Portability — receive your data in a machine-readable format
- Restriction — ask us to pause processing while a request is reviewed
- Objection — object to processing based on legitimate interest
- Withdraw consent — e.g. to opt out of coach visibility
To exercise any of these, email elswanapps@gmail.com. We respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority (for example, the Irish Data Protection Commission or the UK ICO).
Passwords are hashed with PBKDF2-SHA256 (100,000 iterations) and never stored in plaintext. The site is served over HTTPS. All form submissions are protected by CSRF tokens, and rate limiting is applied to login and sensitive endpoints.
The service is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has signed up, contact us and we will delete the account.
We'll post any changes on this page and update the date at the top. If the changes are material, we'll notify you by email.