Privacy Policy
Last updated: May 2026
1. Data controller
The data controller within the meaning of the GDPR is Michael Kamleiter, Deutenbacherstraße 46, 90547 Stein, Germany. Contact: info@getreppd.app.
2. Data protection officer
Given the current scale of the service, appointing a data protection officer is not legally required. You can reach the controller directly at info@getreppd.app for any privacy-related inquiry.
3. What data we process
3.1 Website (getreppd.app)
This site is a static website. We do not use analytics, tracking pixels, advertising cookies, external fonts, or third-party embeds. Beyond simply serving the page, we only process the technical connection data described below.
3.1.1 Server log files
When you access getreppd.app, our hosting provider automatically processes the following technical connection data in log files:
- truncated IP address
- date and time of the request
- URL requested and HTTP status code
- amount of data transferred
- referrer URL
- user agent (browser / operating system identifier)
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the secure and stable operation of the website and defense against abusive access). Storage period: as a rule, no longer than 14 days, after which the data is automatically deleted. This data is not combined with other data sources.
Hosting processor: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA (Cloudflare Pages). A data processing agreement under Art. 28 GDPR is in place. Cloudflare is certified under the EU-U.S. Data Privacy Framework; additionally, EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) apply. Content is served primarily from edge servers in the user's region.
3.1.2 Contact by email
If you contact us by email, we process the data you provide (email address, name, content) to handle your inquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures / contract performance) or Art. 6(1)(f) GDPR (legitimate interest in responding). We delete the correspondence as soon as it is no longer required for its purpose, at the latest after three years, unless statutory retention periods (e.g. § 257 HGB) require longer retention.
3.2 reppd App
a) Authentication data
When you create an account, we store your email address and a hashed password verifier. This data is processed in unencrypted form on our servers to enable login and account security. Legal basis: Art. 6(1)(b) GDPR (contract performance).
b) Training and body data (special category, Art. 9 GDPR)
Workouts, sets/reps/weights, and optional body measurements (e.g. weight, body fat percentage) are health data within the meaning of Art. 4(15) GDPR and fall under the special category of Art. 9 GDPR. This data is end-to-end encrypted on your device using a key derived from your credentials (zero-knowledge architecture, KEK/DEK) before it reaches our servers. We cannot technically decrypt this content. Details are available on our encryption page.
Legal basis: Art. 9(2)(a) GDPR (explicit consent, given when creating the account) in conjunction with Art. 6(1)(b) GDPR (contract performance). You may withdraw your consent at any time by deleting your account in the app — all encrypted data will be deleted immediately via cascading delete.
c) Apple Health Sync (optional)
If you enable the Health integration, reppd reads selected data from Apple Health (in particular workouts as well as body measurements such as weight and body fat percentage) and, where applicable, writes workouts back to Apple Health. Processing initially takes place locally on your device; the data is transmitted to our servers only in the same end-to-end encrypted form as your other training data. You can revoke the Health permission at any time in your iOS system settings.
Legal basis: Art. 9(2)(a) GDPR (consent, given when you first enable the Health integration).
d) Subscriptions & payment (Pro)
Purchases and subscriptions are processed exclusively via Apple In-App Purchase. We receive from Apple only a pseudonymous purchase token to unlock the Pro features. We receive no payment data, no credit card information, and no Apple ID details. The contractual partner for the payment is Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Legal basis: Art. 6(1)(b) GDPR.
e) AI features (Pro)
In the Pro tier, you can import or generate workouts via AI. To do this, the inputs necessary for the function (e.g. a workout plan you describe, an exercise description) are transmitted in decrypted form to our AI processor Anthropic PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA. We do not pass on your email address, profile identifier, or any identifier that would allow conclusions to be drawn about your person.
Legal basis: Art. 6(1)(b) GDPR (contract performance, where you actively use the AI feature). A data processing agreement under Art. 28 GDPR is in place with Anthropic. The transfer to the USA is based on EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where applicable, the EU-U.S. Data Privacy Framework. Anthropic states that it does not use API inputs to train its models.
f) Crash reports / diagnostics
To maintain app stability, we use Sentry (Functional Software, Inc., 45 Fremont St, 8th Floor, San Francisco, CA 94105, USA). In the event of a crash, technical diagnostic data (stack trace, device and OS version, app version, anonymized session ID) is transmitted. Content data (your training or health data) is not transmitted; personally identifying identifiers are removed before sending.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in debugging and app security). A data processing agreement under Art. 28 GDPR is in place with Sentry; the transfer to the USA is based on EU Standard Contractual Clauses and, where applicable, the EU-U.S. Data Privacy Framework.
4. How we use your data
- Authentication and account management
- Providing the reppd service (syncing encrypted data)
- Responding to support inquiries
- Stability and error diagnostics
- Providing optional AI features (Pro)
We do not use your data for advertising, external tracking, or sale to third parties. No automated decision-making with legal effect against you within the meaning of Art. 22 GDPR takes place. Within the service, we use your training data exclusively to display progression suggestions and statistics — this analysis happens on your device on the decrypted data.
5. Recipients / processors
We do not sell, share, or rent your data. The following processors support us under Art. 28 GDPR:
- Cloudflare, Inc. (USA) — hosting / edge delivery of the website
- Anthropic PBC (USA) — AI features in the Pro tier (only when actively used)
- Functional Software, Inc. (Sentry) (USA) — crash and error diagnostics for the app
- Apple Distribution International Ltd. (Ireland) — app distribution, in-app purchases, optional Health sync
Beyond this, we share data with third parties only where we are legally required to do so (e.g. under a binding government order).
6. International data transfers
Insofar as data is transferred to providers in the USA (see Sections 3 and 5), this takes place on the basis of:
- the European Commission's adequacy decision regarding the EU-U.S. Data Privacy Framework (Art. 45 GDPR), where the respective recipient is certified, and/or
- EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) with supplementary technical and organizational measures, in particular client-side end-to-end encryption for health data.
7. Data storage & security
User content data is stored in encrypted form within the EU. Sensitive personal data is end-to-end encrypted using a zero-knowledge architecture (KEK/DEK). We employ TLS transport encryption, regular security updates, and access controls in line with Art. 32 GDPR.
8. Your rights (GDPR)
Under the GDPR you have the right to:
- Access (Art. 15 GDPR) — request a copy of your data
- Rectification (Art. 16 GDPR) — correct inaccurate data
- Erasure (Art. 17 GDPR) — delete your account and all data
- Data portability (Art. 20 GDPR) — export your data
- Restriction (Art. 18 GDPR) — limit how we process your data
- Objection (Art. 21 GDPR) — object to data processing
- Withdrawal of given consent (Art. 7(3) GDPR) with effect for the future
To exercise any of these rights, contact us at info@getreppd.app. Account deletion is also available directly in the app and removes all data permanently via cascading delete.
9. Cookies and similar technologies
We currently set neither cookies nor comparable storage on your terminal device on getreppd.app. Should we introduce strictly necessary cookies in the future, this will be based on § 25(2)(2) TDDDG in conjunction with Art. 6(1)(f) GDPR. Details are available in our cookie policy.
10. Retention
We retain your data for as long as your account exists and as required to provide the service. When you delete your account, all content data is deleted immediately and permanently (cascading delete, no soft-deletes). Technical log files are deleted after at most 14 days. Email correspondence is deleted as soon as it is no longer required.
11. Minors
reppd is not directed at children under 16. We do not knowingly collect personal data from children under 16. Should we become aware that an account was created by a person under 16, we will delete it without undue delay.
12. Changes to this policy
We may update this privacy policy to reflect changes in the law or in our processing. The current version is always available on this page with a date stamp. For material changes, we will additionally notify you via the app or by email.
13. Contact & supervisory authority
For privacy inquiries, contact us at info@getreppd.app.
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for us is:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18, 91522 Ansbach, Germany
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Web: www.lda.bayern.de