Privacy Policy

Last updated: 2026-05-01

Gymlytics ("we", "us") makes Drona, an AI strength-training app. This policy explains what we collect, why, and the rights you have over your data. We try to keep it short and plain. If anything is unclear, email privacy@gymlytics.com.

1. What we collect

When you use Drona, we collect:

• Account info — name, email, phone, password (stored as a hash, never in plain text), gender, age, height, weight.
• Onboarding answers — your training goals, experience level, equipment access, body-focus areas, and any injury flags you share.
• Training data — workout sessions, set logs (weight, reps, RPE), personal records, estimated 1-rep maxes, fatigue and recovery scores.
• Biometrics (only if you grant Apple Health or Health Connect permission) — heart rate, HRV, sleep, resting heart rate, weight.
• Coach chat — the messages you send to the in-app AI coach and its replies.
• Device info — push notification tokens, app version, OS, language and locale.
• Diagnostics — crash reports and basic analytics events (screen views, taps) to fix bugs and improve the product.

We do not store payment-card data. Subscriptions are processed by Apple, Google, or RevenueCat, and we only receive a subscription status flag.

2. How we use it

• Generate your workouts. Your goals, experience, equipment, recovery state, and prior set logs feed the workout generator that picks exercises and weights.
• Power the AI coach. Coach messages, plus a summary of your recent training, are sent to Anthropic's API so the model can reply with context.
• Track progress. We compute charts, PRs, and trend lines from your set logs.
• Send notifications. Workout reminders, deload nudges, and recovery alerts — only if you opt in.
• Improve the app. Aggregated, anonymised analytics help us see what's working. We don't sell your data.

3. Third parties

A small set of well-known providers help us run the app. Each handles data per their own policy:

• Firebase (Google) — Auth, Crashlytics, Analytics, push delivery via FCM. Firebase privacy.
• Anthropic — powers the AI coach. Coach messages and a training summary are sent via API. Anthropic privacy.
• RevenueCat — manages in-app subscriptions across Apple and Google. RevenueCat privacy.
• Razorpay (legacy, India only — being deprecated) — for any older payment records still on file. Razorpay privacy.

4. Your rights

Whatever country you're in, you can:

• Access the data we hold about you.
• Correct anything wrong from inside the app (Profile and Onboarding screens) or by emailing us.
• Delete your account and all training data — Settings → Delete Account, or email privacy@gymlytics.com.
• Export a copy of your data — email us and we'll send a JSON archive within 30 days.
• Withdraw consent for biometrics or notifications at any time in Settings.

This aligns with India's Digital Personal Data Protection Act (DPDPA) and the GDPR style of data-subject rights. We try to honour these in good faith for everyone.

5. How long we keep data

• Workout history, PRs, set logs, coach chat — kept until you delete your account.
• Biometric records (HRV, sleep, RHR) — kept up to 365 days, then auto-purged. You can delete sooner from Settings → Wearables.
• Server logs and crash reports — 90 days.
• Backups — encrypted nightly snapshots, rotated out within 30 days.

6. Children

Drona is for users 13 and older. If you're under 16 in the EU or under 18 in India, you must have a parent or guardian's consent before creating an account. We don't knowingly collect data from children under 13 — if you believe we have, email us and we'll delete the account.

7. Security

• All traffic between your device and our servers uses TLS 1.2 or higher.
• Passwords are stored as one-way bcrypt hashes — we cannot recover them, only reset them.
• Database backups are encrypted at rest.
• Internal access is on a least-privilege basis.

No system is perfectly secure, but we take reasonable steps and patch known issues quickly.

8. Cookies and tracking

The app itself doesn't use browser cookies. The admin website uses a session cookie when you sign in. We do not run advertising trackers, and there are no ads in the Drona app.

9. Contact

Privacy questions, deletion requests, or anything else: privacy@gymlytics.com.

Postal address available on request.

10. Updates

If we make material changes, we'll show an in-app banner before the new version takes effect and update the "Last updated" date above. Continued use of the app after the change means you accept the new policy.

If you'd like a translated version of this policy, email us — we maintain English now and will add Hindi and Tamil at launch.