Privacy Policy
Effective date: March 14, 2026
This Privacy Policy describes how Pully - Gym Log & Plan Tracker ("App", "we", "us") collects, processes, and protects your personal data. By using the App, you agree to the practices described below.
1. Data Controller
The controller of your personal data is:
Jakub Zakrzewski
Jakub Zakrzewski Consulting
NIP (Tax ID): 5213997741
al. Jana Pawla II 27, 00-867 Warsaw, Poland
Email: privacy@pullyapp.com
2. What Data We Collect
2.1 Account Data
- Email address (email registration or Sign in with Apple)
- Apple User ID (if using Sign in with Apple)
- Display name (optional)
- Preferred units (kg/lbs)
- Preferred language
2.2 Workout Data
- Training plans, templates, workout sessions
- Exercises (including custom)
- Sets, reps, weights, duration
- Exercise notes (global and per session)
- Personal records (PRs)
2.3 Body Measurements
- Body weight, circumferences (optional, only if user enters them)
- Premium feature - data stored locally and synced with account
2.4 Apple Health (HealthKit)
- Writing completed workouts to Apple Health (optional, requires permission)
- We do not read data from Apple Health
- HealthKit data is never sent to our servers
2.5 Analytics
- Anonymous usage events (TelemetryDeck)
- No user identifiers - only aggregated statistics
- Device type, iOS version, app version
2.6 Error Reporting
- Crash reports (Sentry)
- Device diagnostic data
- PII scrubbing - personal data is removed before sending
2.7 Subscription Data
- Subscription status (active/expired)
- Plan type (monthly/annual)
- Payments processed exclusively by Apple - we have no access to payment card data
3. Where We Store Data
| Location | Data Type | Region |
|---|---|---|
| Device (SwiftData) | All workout data, measurements | Local |
| Keychain | Authorization tokens | Local |
| Supabase | Account, workout data (sync) | EU (Frankfurt) |
| TelemetryDeck | Anonymous analytics | EU |
| Sentry | Error reports | EU/USA |
4. Who We Share Data With
We do not sell your data. We share data only with the following parties to provide the service:
| Party | Purpose | Data |
|---|---|---|
| Supabase (EU) | Backend, authorization, sync | Account, workout data |
| TelemetryDeck (EU) | Anonymous analytics | Aggregated events |
| Sentry (EU/USA) | Error reporting | Diagnostic data (no PII) |
| RevenueCat (USA) | Revenue analytics | Anonymous ID, subscription status |
| Apple Inc. | Payments, authorization | Apple User ID, StoreKit transactions |
5. How Long We Retain Data
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion |
| Workout data | Until account deletion (soft delete 30 days, then permanent) |
| Body measurements | Until deleted by user or account deletion |
| Analytics | Automatically deleted after 12 months |
| Error reports | Automatically deleted after 90 days |
| Subscription data | Per Apple's policy |
6. Your Rights (GDPR Art. 15-22)
You have the following rights:
6.1 Right of Access (Art. 15)
You can request a copy of all your data. Use the export function in App Settings (CSV/JSON) or email privacy@pullyapp.com.
6.2 Right to Rectification (Art. 16)
You can edit your data directly in the app (profile, workouts, measurements).
6.3 Right to Erasure (Art. 17)
You can delete your account in Settings > Delete Account. All data is removed from the server within 30 days. Local data can be deleted by uninstalling the app.
6.4 Right to Restriction of Processing (Art. 18)
You can request restriction of processing by emailing privacy@pullyapp.com.
6.5 Right to Data Portability (Art. 20)
The export function (Settings > Export Data) allows you to download all your data in CSV or JSON format.
6.6 Right to Object (Art. 21)
You can disable analytics and error reporting in Settings > Privacy.
6.7 Right to Withdraw Consent
You can withdraw consent for data processing at any time in the app settings or by emailing privacy@pullyapp.com.
6.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority - the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.
7. Data Security
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256 on server)
- Row Level Security (RLS) in Supabase - each user sees only their own data
- Tokens stored in iOS Keychain
- App Switcher blur - app screen is blurred in the task switcher
- No logging of sensitive data on the server side
8. Notifications
- All notifications are local (UNUserNotificationCenter)
- No server-side push notifications
- Types: rest timer, unfinished workout reminder
- You can disable them in app Settings or iOS system settings
9. Cookies and Tracking
- The App does not use cookies
- No advertising tracking
- No advertising SDKs
- No IDFA/IDFV used for advertising purposes
- TelemetryDeck does not use user identifiers - data is anonymous
10. Children
The App is not intended for persons under 16 years of age. We do not knowingly collect data from children. If you learn that a child has provided us with personal data, please contact us at privacy@pullyapp.com.
11. Changes to Privacy Policy
We will notify you of significant changes through:
- In-app notification
- Updated date on this page
Continued use of the App after changes constitutes acceptance of the new policy.
12. Contact
For privacy and personal data matters:
Jakub Zakrzewski
Jakub Zakrzewski Consulting
al. Jana Pawla II 27, 00-867 Warsaw, Poland
Email: privacy@pullyapp.com
We will respond to your inquiry within 30 days.
13. Automated Decision-Making
The App does not make automated decisions that produce legal effects or significantly affect the user. Features such as personal record (PR) detection, progression suggestions, and workout comparisons are purely informational and do not constitute profiling within the meaning of GDPR Art. 22.
14. What We Do NOT Collect
- GPS location
- Contacts
- Photos or files from the device
- Microphone or camera data
- Payment card data (payments via Apple)
- Advertising identifiers (IDFA)
- Data from other apps
- Browsing history