Pully

Privacy Policy

Effective Date: March 14, 2026 · Last Updated: March 14, 2026

1. Data Controller

Your personal data is controlled by:

Jakub Zakrzewski
Jakub Zakrzewski Consulting
Tax ID (NIP): 5213997741
Address: al. Jana Pawła II 27, 00-867 Warsaw, Poland
Email: privacy@pullyapp.com

(hereinafter: "we", "us", "Pully")

2. What Data We Collect

2.1 Account Data (legal basis: performance of contract, Art. 6.1.b GDPR)

Data	Purpose	Source
Email address	Account creation, recovery	Provided by you or Apple Sign In
Name (optional)	Personalization (display name)	Apple Sign In (first login)
Apple identifier	Authentication via Apple	Apple Sign In
Device identifier	Device recognition for sync	Auto-generated (UUID)

2.2 Training Data (legal basis: performance of contract, Art. 6.1.b GDPR)

Workouts: date, duration, status, notes
Sets: weight (kg), reps, RIR, set type
Training plans: name, structure, exercises, goals
Workout templates: name, exercises, usage count
Personal records (PRs): record type, value, date achieved
Custom exercises: name, muscle group, description (created by you)

2.3 Body Measurements (legal basis: explicit consent, Art. 9.2.a GDPR)

Body measurements are health-related data under Art. 9 GDPR. We collect them only with your explicit consent:

Body weight, body fat percentage
Circumferences: neck, chest, biceps (L/R), waist, hips, thigh (L/R), calf (L/R)

You can withdraw consent at any time in Settings > Privacy. Withdrawal results in deletion of all measurements from our servers.

2.4 Apple Health Data (legal basis: explicit consent, Art. 9.2.a GDPR)

If you enable Apple Health integration:

We write: strength training workouts (date, duration)
We do NOT read any data from Apple Health
Apple Health data never leaves your device and is never sent to our servers
You control permissions in iOS Settings > Health > Pully

2.5 Analytics (legal basis: consent, Art. 6.1.a GDPR)

With your consent, we collect anonymized usage data via TelemetryDeck:

Feature usage (e.g., workouts started, screens visited)
Device model and OS version
App version

We do NOT collect: exercise names, weights, notes, or personal information. Your user identifier is hashed (one-way) — TelemetryDeck cannot identify you.

You can disable analytics in Settings > Privacy.

2.6 Crash Reporting (legal basis: consent, Art. 6.1.a GDPR)

With your consent, we collect crash reports via Sentry:

Automatic crash reports (stack traces)
Diagnostic info (OS version, device model)

Before sending, we strip: email address, display name, exercise names, workout notes. User identifier is hashed.

You can disable crash reporting in Settings > Privacy.

2.7 Subscription Data (legal basis: performance of contract, Art. 6.1.b GDPR; legitimate interest, Art. 6.1.f GDPR for revenue analytics)

Payment processing is handled by Apple via StoreKit 2
We do NOT receive your payment card details
We only receive: product identifier, subscription status, expiration dates
RevenueCat processes anonymous subscription data (app user ID, purchase events) solely for revenue analytics

3. Where We Store Data

Location	Data	Encryption
Your device (SwiftData)	All data — source of truth	iOS device encryption
iOS Keychain	Apple identifier, device ID	OS hardware encryption
Supabase (EU, region eu-central-1)	Account backup (sync)	TLS 1.2+ (transit), AES-256 (rest)
TelemetryDeck (EU)	Anonymized events	TLS (transit)
Sentry (EU/USA — processing under SCCs)	Crash reports	TLS (transit)

Pully is offline-first — your data is always available on your device, even without internet. Sync is a background process.

4. Who We Share Data With

We do not sell your data. Ever.

We use the following sub-processors:

Service	Data	Purpose	DPA
Supabase (Singapore Pte. Ltd.)	Account + training data	Sync and backup	Yes
TelemetryDeck (Germany)	Hashed ID + events	Usage analytics	Yes
Sentry (USA, SCCs)	Crash reports	App stability	Yes
RevenueCat (USA, SCCs)	Anonymous ID + purchase events	Revenue analytics	Yes
Apple Inc.	Payment data, Apple Health	Payments, health	Independent controller

For data transfers outside the EEA (Sentry, RevenueCat), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

5. How Long We Keep Data

Data	Retention Period
Account and training data	Until account deletion
Body measurements	Until consent withdrawal or account deletion
Analytics (TelemetryDeck)	Auto-deleted after 24 months
Crash reports (Sentry)	Auto-deleted after 90 days
Backups	Deleted within 30 days of account deletion

6. Your Rights (GDPR Art. 15-22)

6.1 Right of Access (Art. 15)

You can download a copy of all your data in JSON or CSV format. Go to Settings > Export.

6.2 Right to Rectification (Art. 16)

You can edit your data directly in the app (workouts, plans, measurements, profile).

6.3 Right to Erasure (Art. 17)

You can delete your account and all associated data in Settings > Account > Delete Account. Deletion is:

Immediate on your device (all local data)
Immediate on the server (cascade delete across all tables)
Irreversible — we recommend exporting your data first

6.4 Right to Data Portability (Art. 20)

Export in JSON and CSV formats is always free (including free-tier users). Settings > Export.

6.5 Right to Restriction of Processing (Art. 18)

6.6 Right to Object (Art. 21)

You can disable analytics and crash reporting in Settings > Privacy.

6.7 Right to Withdraw Consent (Art. 7.3)

You can withdraw consent for:

Body measurements — Settings > Privacy (data will be deleted)
Analytics — Settings > Privacy
Crash reporting — Settings > Privacy
Apple Health — iOS Settings > Health > Pully

Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, www.uodo.gov.pl — or with the supervisory authority of your EU member state of residence.

7. Data Security

We implement the following technical and organizational measures:

Row Level Security (RLS) — each user can only access their own data on the server
Encryption in transit — TLS 1.2+ for all network communication
Encryption at rest — AES-256 on the server, device encryption on iOS
Keychain — sensitive identifiers stored in iOS Keychain
Soft delete — data is marked as deleted first, then permanently removed
Data minimization — we only collect what is necessary for the app to function
No cross-app tracking — we do not use IDFA or device fingerprinting

8. Notifications

All notifications are local (UNUserNotificationCenter). We do not send server-side push notifications.

Notification types:

Rest timer completed
Unfinished workout reminder
Body measurement reminder
Personal record celebration (premium)
Subscription reminders (trial expiry, grace period)

9. Cookies and Tracking

Pully does not use cookies. The app contains no web browser or web components. We do not use:

Tracking pixels
IDFA
Device fingerprinting
Cross-app tracking

10. Children

Pully is not intended for persons under 16 years of age (per Art. 8 GDPR). We do not knowingly collect data from persons under 16. If you learn that a child under 16 is using the app, please contact us — we will promptly delete their data.

11. Changes to This Privacy Policy

We will notify you of material changes via:

In-app notification
Email (if we have your address)

Continued use of Pully after publication of changes constitutes acceptance. Previous versions of this policy are available upon request.

12. Contact

For data protection inquiries:

Email: privacy@pullyapp.com
Response time: within 30 days (per Art. 12.3 GDPR)

13. Automated Decision-Making

Pully does not employ automated decision-making or profiling within the meaning of Art. 22 GDPR. Calculations displayed in the app (estimated 1RM, personal records, session comparisons) are mathematical computations for display purposes only — they do not make decisions affecting your rights.

14. What We Do NOT Collect

For clarity — Pully never collects:

Location / GPS data
Phone contacts
Photos or media
Biometric data (Face ID/Touch ID is used for device unlock, we do not collect this data)
Browsing history
Audio/video recordings
Data from other apps