Privacy Policy

Last updated: 27 May 2026

1. Who We Are

GymRecord is operated by Timeless Web Services ("we", "us", "our"). We are the data controller for personal data collected through this website and the GymRecord application.

Contact: [email protected]

2. Data We Collect

We collect the following categories of personal data:

  • Account data: email address and password (hashed) when you register.
  • Workout data: session logs, exercise records, weights, and notes you voluntarily enter into the app.
  • Mailing list: email address if you opt in to updates via our website form.
  • Billing data: payment details are processed by Stripe. We do not store card numbers or full payment credentials.
  • Usage data: basic request logs (IP address, timestamp, endpoint) retained for security and debugging purposes.

3. Lawful Basis for Processing

  • Contract: to deliver the GymRecord service to registered users.
  • Consent: mailing list subscriptions. You may withdraw consent at any time via the unsubscribe link in any email we send.
  • Legitimate interests: security logging and fraud prevention.
  • Legal obligation: retaining records required by applicable law.

4. How We Use Your Data

  • To create and manage your account.
  • To process subscription payments via Stripe.
  • To send transactional emails (account confirmation, password reset).
  • To send marketing emails if you have opted in (mailing list).
  • To detect and prevent spam, abuse, and fraudulent activity.
  • To improve and debug the service.

5. Third-Party Services

We share data with trusted third parties only where necessary to provide the service:

  • Stripe - payment processing. Stripe processes card data under their own privacy policy and PCI DSS compliance.
  • Cloudflare - DDoS protection, CDN, and Turnstile bot verification on forms. Cloudflare may process IP addresses and browser fingerprints to distinguish humans from bots. See Cloudflare's privacy policy for details.
  • Amazon Web Services (SES) - transactional and mailing list email delivery.

We do not sell personal data to third parties, and we do not use third-party advertising trackers.

6. Data Retention

  • Account and workout data: retained for as long as your account is active. On account deletion, data is purged within 30 days.
  • Mailing list: retained until you unsubscribe or request deletion.
  • Security logs: retained for up to 90 days.
  • Billing records: retained for 7 years as required by UK tax law.

7. Your Rights (UK GDPR)

Under UK data protection law you have the right to:

  • Access - request a copy of the personal data we hold about you.
  • Rectification - ask us to correct inaccurate data.
  • Erasure - request deletion of your personal data, subject to legal retention obligations.
  • Portability - receive your workout data in a structured, machine-readable format.
  • Objection - object to processing based on legitimate interests.
  • Withdraw consent - unsubscribe from the mailing list at any time.

To exercise any of these rights, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Data Security

We implement appropriate technical and organisational measures to protect personal data, including encrypted connections (TLS), hashed passwords, and access controls. No system is completely secure; if you become aware of a security issue, please contact us immediately.

9. Cookies

We use a small number of essential cookies for authentication and bot protection. For full details, see our Cookie Policy. We do not use advertising or analytics tracking cookies.

10. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects when changes were last made. We will notify registered users of material changes by email.

11. Contact

Questions about this privacy policy or how we handle your data: [email protected]