Privacy Policy
Last updated: May 2025
1 Data Controller
Julian Blöchl – Sole Proprietor
Keferloherstraße 45, 80809 Munich, Germany
Email: julian@bloechl.io
2 Hosting, App Backend & Infrastructure
Vercel – Website delivery + API
- Location: FRA region (EU)
- Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical provision)
- Recipient category: Data processor (Standard Contractual Clauses if US access applies)
Supabase – Database (user profiles, workouts)
- Location: FRA region (EU)
- Legal basis: Art. 6(1)(b) GDPR (contract performance)
- Recipient category: Data processor
3 Web Analytics
We use Vercel Analytics to collect basic usage statistics without personal data or cookies. Legal basis: Art. 6(1)(f) GDPR (legitimate interest); § 25(2)(2) TTDSG.
Google Analytics (with consent)
Additionally, we use Google Analytics to analyze user behavior on this website and optimize our services. Google Analytics sets cookies and may transfer data to the US. It is used only after you have given explicit consent via our consent banner.
- Legal basis: Consent (Art. 6(1)(a) GDPR; § 25(1) TTDSG).
- Recipient: Google Ireland Ltd. (possibly Google LLC, USA — Standard Contractual Clauses).
- Storage duration: 14 months (standard for Google Analytics 4).
- Withdrawal: You can withdraw your consent at any time by clearing the website data (cache and cookies) in your browser for this site. The consent banner will then appear again on your next visit.
For more information, see the Google Privacy Policy.
4 Waitlist, Newsletter (optional)
- Data: Email address
- Purpose: Sending launch information & (later) newsletter
- Service provider: Mailgun (EU cluster, backup USA — SCC)
- Legal basis: Art. 6(1)(a) GDPR (consent)
- Withdrawal: At any time via unsubscribe link; deletion within 30 days of withdrawal.
5 App Registration & User Account
The following data is processed during registration and use of the app:
- Email, Name – Login, contact (Art. 6(1)(b))
- Weight, Height, Gender, Training goal, Fitness level, Limitations, Available equipment – Creation of personalized workouts (Art. 6(1)(b))
- Workout log (exercise, duration, date) – Training history (Art. 6(1)(b))
Special categories (§ 9 GDPR): We currently do not process any health or vital data.
Storage duration: Until account deletion + 30 days backup.
5.5 Activity Logging & Security Monitoring
To ensure app security, performance optimization, and error analysis, we log your usage activities in anonymized form.
- Technical data (anonymized IP address, user agent, session ID) – Security monitoring, fraud detection
- Usage data (API endpoints, timestamps, response times) – Performance analysis, error diagnosis
- Anonymous user ID (weekly rotating hash ID) – 7-day retention analysis (privacy-friendly)
Privacy-by-Design features:
- Weekly hash rotation: User IDs are re-hashed weekly
- Automatic anonymization: No long-term user tracking possible
- Sensitive data filtering: Passwords and tokens are automatically redacted
- 90-day auto-deletion: Automatic cleanup of all activity logs
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in IT security and system optimization)
Data recipient: Supabase Inc. (data processor, EU hosting Frankfurt)
Storage duration: Activity logs are deleted automatically after 90 days; hash IDs change automatically every Monday
6 In-App Purchases
All payments are processed through Apple In-App Purchase (IAP). The responsible party for payment data is Apple Inc. (USA — SCC). We only receive a pseudonymous transaction ID.
7 Push Notifications (App)
On first launch, the app asks whether push notifications should be enabled (Art. 6(1)(a) GDPR). You can withdraw your consent at any time in your device settings.
- Purpose: Training reminders, rest timers, engagement notifications
- Provider: Apple Push Notification Service / Firebase Cloud Messaging (EU endpoints)
8 Contact & Support
Contact forms and the waitlist are operated via Formspree (EU hosting, backup USA — SCC). Data is used exclusively to process your inquiry and deleted 30 days after completion.
9 Recipients / Third Country Transfers
- Vercel Inc., Mailgun Technologies, Formspree Inc., Apple Inc. – USA – EU Standard Contractual Clauses / Data Privacy Framework
- Supabase Inc. – EU (Frankfurt) – Data Processing Agreement
10 Your Rights
You have the right to access, rectification, erasure, restriction of processing, data portability, and objection (Art. 15–21 GDPR). Complaints can be directed to the Bavarian State Office for Data Protection Supervision (poststelle@lda.bayern.de).
11 Retention Periods
- User account – Immediately upon deletion request + 30 days backup
- Waitlist / Newsletter – Withdrawal + 30 days
- Server log files – 30 days
- Activity logs – 90 days automatic
- Hash rotation (analytics IDs) – Weekly (every Monday)
12 Child Protection
S3SSIONS is intended for persons aged 16 and above. Registration of minors under 16 requires parental consent (§ 8(1) GDPR).
13 Automated Decisions
No decisions with legal effect or profiling within the meaning of Art. 22 GDPR take place.
14 Changes
This policy will be updated when new features or services are introduced (e.g., additional analytics or marketing tools). As of: May 2025.