Privacy Policy

Last updated: 2025-12-16

1. Controller (Verantwortlicher)

The controller within the meaning of Art. 4(7) GDPR is:

TTI – Technologie-Transfer-Initiative GmbH an der Universität Stuttgart (TTI GmbH)
TGU Exercisable
Nobelstraße 15
70569 Stuttgart, Germany
Phone: +49 711 6868749-0
Fax: +49 711 6868749-19
Email: privacy@exercisable.com

TTI GmbH is the sole data controller for the ATLETICA App. The app is provided in commercial cooperation with ATLETICA Deutschland GmbH, which acts exclusively as a brand and distribution partner. ATLETICA Deutschland GmbH does not have access to, process, or control any personal data collected through the app.

2. Data Protection Contact

For any questions regarding data protection, please contact us at: privacy@exercisable.com

3. Overview of Processing Activities and Legal Bases

We process personal data only in accordance with applicable data protection law. Below is an overview of the data we process, the purposes, and the legal basis under Art. 6(1) and, where applicable, Art. 9(2) GDPR:

3.1 Account Registration and Authentication

Data: Email address, password (hashed), display name.
Purpose: To create and manage your user account and authenticate you when using the Service. To sign up to the ATLETICA App, we may need to verify you are a current ATLETICA customer; however, we do not access or store any personal information from previous purchases.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

3.2 Personalized Fitness Programs

Data: Gender, age, height, weight, lifestyle information, fitness training experience and goals, available workout equipment, and available workout schedule.
Purpose: To create personalized fitness programs tailored to your individual profile.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR). This data is necessary to deliver the core functionality of the Service (personalized fitness programs) and is provided by you voluntarily as part of using the Service.

3.3 Workout Tracking and Video Recordings

Data: Workout logs, exercise performance data, self-recorded videos.
Purpose: To allow you to track your fitness progress and review your exercise form.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).
Video recordings are stored for your personal use only and are not shared with third parties.

3.4 Payment Processing

Data: Payment information (processed by Stripe and/or RevenueCat; we do not store your full payment details).
Purpose: To process subscription payments for premium features.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

3.5 Analytics and App Improvement

Data: Usage data, device information, interaction patterns (collected via Firebase Analytics and Mixpanel).
Purpose: To understand how the app is used and to improve its functionality and user experience.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to continuously improve our Service and ensure its technical stability. You may object to this processing at any time (see Section 9).

3.6 Crash Reporting and Log Data

Data: IP address, device name, operating system version, app configuration, time and date of use, crash logs, and error diagnostics.
Purpose: To identify and fix errors and ensure the stability of the Service.
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR). Our legitimate interest is to maintain a stable and functional application.

3.7 Apple Health Integration (iOS only)

Data: Completed workout data (duration, calories, exercise type).
Purpose: To sync your finished workouts with the Apple Health app on your device, if you choose to enable this feature.
Legal basis: Consent (Art. 6(1)(a) GDPR). You can enable or disable this integration at any time in the app settings. Data is shared directly between the app and Apple Health on your device.

3.8 Search Functionality

Data: Search queries, IP address.
Purpose: To provide search functionality for exercises and content within the app.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR).

4. Third-Party Service Providers (Processors)

We use the following third-party service providers to operate our Service. We have entered into data processing agreements (Auftragsverarbeitungsverträge, Art. 28 GDPR) with each provider:

Google Firebase (Google Ireland Ltd.) — Authentication, database (Firestore), cloud functions, storage, crash reporting (Crashlytics), performance monitoring, and analytics. Privacy policy
Google Analytics for Firebase (Google Ireland Ltd.) — App usage analytics. Privacy policy
Google Sign-In (Google Ireland Ltd.) — Authentication via Google account (optional). Privacy policy
Apple Sign-In (Apple Inc.) — Authentication via Apple ID (optional, iOS only). Privacy policy
Mixpanel (Mixpanel Inc.) — Product analytics. Privacy policy
Algolia (Algolia Inc.) — Search functionality for exercises and content. Privacy policy
Stripe (Stripe Inc.) — Payment processing (server-side). Privacy policy
RevenueCat (RevenueCat Inc.) — Subscription management. Privacy policy
Bunny CDN (BunnyWay d.o.o.) — Video content delivery. Privacy policy
Google Fonts (Google Ireland Ltd.) — Font delivery. When using the app, fonts may be loaded from Google servers, transmitting your IP address to Google. Privacy policy
Sentry (Functional Software Inc.) — Error tracking and performance monitoring. Privacy policy
Google Play Services (Google Ireland Ltd.) — App distribution and in-app purchases on Android. Privacy policy
Apple App Store (Apple Inc.) — App distribution and in-app purchases on iOS. Privacy policy

5. Data Transfers to Third Countries

Some of the third-party service providers listed in Section 4 are based in the United States or may process data outside the European Economic Area (EEA). Where such transfers occur, they are safeguarded by the respective provider's compliance with the EU–U.S. Data Privacy Framework, Standard Contractual Clauses (Art. 46(2)(c) GDPR), or other legally recognized mechanisms. For details, please refer to the privacy policies linked in Section 4.

6. Cookies and Tracking Technologies

Our mobile app does not use cookies. Our website may use technically necessary cookies required for basic operation (e.g., session management). These do not require consent under Section 25 TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz). You can manage cookies at any time through your browser settings.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law. Specifically:

Account data: Retained for the duration of your account. Deleted upon account deletion (see Section 10).
Fitness and health data: Retained for the duration of your account. Deleted upon account deletion.
Payment data: Transaction records are retained for the legally required period under German tax and commercial law (in general 10 years pursuant to Section 147 AO, Section 257 HGB).
Analytics data: Retained in pseudonymized/aggregated form. Individual-level analytics data is deleted after 14 months.
Log/crash data: Retained for up to 90 days, unless required for longer to resolve a specific issue.

8. Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Art. 32 GDPR. These measures include encrypted data transmission (TLS), secure authentication mechanisms, and access controls. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at privacy@exercisable.com.

Right of access (Art. 15 GDPR): You have the right to request confirmation of whether we process your personal data and to obtain a copy of that data.
Right to rectification (Art. 16 GDPR): You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to erasure (Art. 17 GDPR): You have the right to request deletion of your personal data, subject to legal retention obligations.
Right to restriction of processing (Art. 18 GDPR): You have the right to request that we restrict the processing of your data under certain circumstances.
Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to object (Art. 21 GDPR): You have the right to object at any time to the processing of your personal data based on legitimate interests (Art. 6(1)(f) GDPR). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.
Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw that consent at any time with future effect. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our registered office is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
www.baden-wuerttemberg.datenschutz.de

10. Account and Data Deletion

You may request the deletion of your personal data at any time by deleting your account in the app. Upon account deletion, all personal data associated with your account will be permanently deleted, except where we are legally required to retain certain data (e.g., payment records for tax purposes).

11. Automated Decision-Making

Our app uses algorithms to generate personalized fitness programs based on the information you provide (such as fitness level, goals, and available equipment). This constitutes automated processing but does not constitute automated individual decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. The generated programs serve as suggestions that you may freely modify, ignore, or override at any time.

12. Children's Privacy

Our Service is not directed at persons under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that a child under 16 has provided us with personal data without parental consent, we will take steps to delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@exercisable.com.

13. Links to Other Sites

This Service may contain links to third-party websites. If you click on such a link, you will be directed to that site. These external sites are not operated by us, and we have no control over their content or privacy practices. We encourage you to review the privacy policies of any third-party sites you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or through a prominent notice within the app prior to the changes taking effect. We encourage you to review this page periodically. The date of the most recent revision is indicated at the top of this policy.

15. Contact Us

If you have any questions about this Privacy Policy or our data processing practices, please contact us at: