Privacy Policy

Effective Date: March 5, 2026

Controller: Marco Rothermel, trading as Maggy Studio

Address: Biegenstraße 24, 35037 Marburg, Germany

This Privacy Policy explains how Kinea collects, uses, stores, and shares personal data when you use the Kinea website, mobile app, and related backend services. Kinea is a fitness tracking and training analysis service. It is not a medical service.

Contents

Scope
Controller and Contact
Data We Process
Purposes of Processing
Legal Bases
Sharing and Service Providers
AI Processing
International Transfers
Retention
Security
Your Rights
Children
Changes
Contact and Complaints

1. Scope

This Privacy Policy applies to:

The Kinea website at kinea-app.com, including password reset pages
The Kinea mobile application
Kinea backend APIs and connected services used to operate the app

This Privacy Policy does not replace the privacy notices of third-party platforms such as Apple, Google Play, or your mobile operating system.

2. Controller and Contact

The controller for the processing described in this Privacy Policy is:

Marco Rothermel
trading as Maggy Studio
Biegenstraße 24
35037 Marburg
Germany
Email: support@kinea-app.com

No separate data protection officer has been appointed at this time because there is currently no legal obligation for Kinea to do so.

3. Data We Process

3.1 Data You Provide Directly

Account data: email address, username, password hash, and account identifiers.
Profile and preferences: optional information such as age or birth date, height, weight, gender, training goal, language, and app preferences.
Workout data: workouts, sets, reps, weights, exercise selections, notes, custom exercises, timestamps, and derived training history.
Gym Buddies data: friend requests, accepted friendships, nudges, comparisons, and in-app social notifications.
Support and email data: content you send to support, and password reset requests.

3.2 Data Collected Automatically

Technical and device data: app version, operating system, device type, language, time zone, and similar technical metadata.
Authentication and security data: login events, refresh token or device records, IP address, timestamps, and security logs.
Push token data: push notification token, platform, and related registration metadata.
Diagnostics and analytics data: app events, crash reports, performance or diagnostic metadata, and app instance identifiers via Firebase services.

3.3 Subscription and Advertising Data

Subscription data: entitlement status, app user ID, store product metadata, renewal or expiration status, and related subscription event metadata.
Advertising and reward data: rewarded ad impressions, ad interaction events, ad unit metadata, and reward-verification data necessary to grant bonus recommendation credits.
Payment information: Kinea does not receive or store your full payment card details. Payments are processed by the relevant app store and related providers.

3.4 Data From Other Users

If you use Gym Buddies, other users may search for you by username or email address, send you friend requests, and see limited shared data necessary for the social feature.

3.5 Biometric Login

If you enable biometric login, your Face ID, Touch ID, or fingerprint templates remain on your device and are handled by your device operating system. Kinea does not receive or store your biometric templates.

Kinea does not currently offer a live end-user feature for uploading PDFs or research papers. If that changes in the future, this Privacy Policy will be updated before the feature is released.

4. Purposes of Processing

We process personal data to:

Create and maintain your account
Store, synchronize, and display your workouts and training history
Generate personalized training analysis and AI-based workout insights
Operate social features such as Gym Buddies, requests, comparisons, and notifications
Manage subscriptions, premium access, free-tier limits, and ad-based bonus credits
Send transactional communications such as password reset emails
Provide app analytics, crash reporting, diagnostics, fraud prevention, and abuse detection
Comply with legal obligations and enforce our Terms of Service

5. Legal Bases

If the GDPR applies, we rely on one or more of the following legal bases:

Performance of a contract (Art. 6(1)(b) GDPR): to provide your account, workouts, sync, subscriptions, and core app functionality.
Legitimate interests (Art. 6(1)(f) GDPR): to secure, operate, troubleshoot, improve, and protect Kinea, including fraud prevention, service reliability, and diagnostic analysis.
Consent (Art. 6(1)(a) GDPR): where required for optional permissions or features, such as push notification permissions or other consent-based device features.
Legal obligation (Art. 6(1)(c) GDPR): where processing is required to comply with applicable law.

Some profile and workout information, such as body measurements or related fitness information, may qualify as health-related data or another special category of personal data under applicable law. We process such data only where you choose to provide it for Kinea's fitness features and only where an applicable legal basis under Articles 6 and 9 GDPR is available.

We do not sell your personal data for money. We share personal data only where necessary to operate Kinea, comply with law, or if you choose to use a feature that requires third-party processing.

Provider / Recipient	Purpose	Typical Data Categories
Cloudflare	Website delivery, DNS, security, caching	IP address, request metadata, standard web security logs
Hosting / infrastructure providers	Backend hosting and storage	Account, workout, technical, and application data stored to operate the service
Firebase (Analytics, Crashlytics, Cloud Messaging)	App analytics, crash diagnostics, push notifications	App event data, app instance IDs, crash data, device or app metadata, push tokens
RevenueCat and app stores	Subscription management and entitlement status	App user ID, product IDs, entitlement status, renewal or expiration data, transaction metadata
Google AdMob	Optional rewarded ads and reward verification	Advertising identifiers and ad interaction metadata, if you choose to watch rewarded ads
Google Gemini API	Workout analysis and AI-generated recommendations	Selected workout context such as exercises, sets, reps, weights, timestamps, and goal-related context
Resend	Transactional email delivery	Email address and message metadata for password reset emails
Other Kinea users	Gym Buddies social features	Username, limited profile display data, friendship status, comparisons, and shared feature outputs

We may also disclose personal data to courts, authorities, regulators, or advisers if required by law or reasonably necessary to establish, exercise, or defend legal claims.

7. AI Processing

Kinea uses AI to generate training analysis and recommendations. In production, user workout data used for AI analysis is sent only to the Google Gemini API.

The data sent for analysis is limited to the context needed for the requested feature, such as your selected exercises, sets, reps, weights, training dates, and goal-related context. We do not use AI to make decisions that produce legal effects or similarly significant effects on you.

AI outputs can be inaccurate, incomplete, or unsuitable for your particular situation. Kinea is a fitness tool, not a medical service.

8. International Transfers

Some of our service providers may process data outside the European Economic Area or United Kingdom. Where this happens, we use appropriate safeguards where required, such as adequacy decisions, Standard Contractual Clauses, or comparable lawful transfer mechanisms.

9. Retention

Account and workout data: retained until you delete it, close your account, or we no longer need it to provide the service.
Password reset and support records: retained as needed to process the request and maintain appropriate security and audit trails.
Push tokens: retained until you log out, disable notifications, remove the app, or the token becomes invalid.
Crash, analytics, and security logs: retained for the periods made available by the relevant provider or our operational retention settings, and only as long as reasonably necessary for diagnostics, fraud prevention, and reliability.
Legal, tax, and accounting records: retained for longer if required by law.

10. Security

We use reasonable technical and organizational measures to protect personal data, including encrypted transport, access controls, credential protections, and service-level security controls. Passwords are not stored in plain text.

No system is completely secure. You are responsible for keeping your account credentials confidential and for using a strong password.

11. Your Rights

If the GDPR or similar laws apply to you, you may have the right to:

Request access to your personal data
Request correction of inaccurate or incomplete data
Request deletion of your personal data
Request restriction of processing
Object to certain processing based on legitimate interests
Request data portability where applicable
Withdraw consent at any time where processing is based on consent
Lodge a complaint with a supervisory authority

You can exercise privacy rights by contacting support@kinea-app.com. You can also delete your account from within the app settings if that feature is available in your version of the app.

12. Children

Kinea is not intended for children under 16. If we learn that we have collected personal data from a child under 16 without a valid legal basis, we will take reasonable steps to delete the data.

13. Changes

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and may provide additional notice through the app or website.

14. Contact and Complaints

For privacy questions or requests, contact: support@kinea-app.com

If you are in Germany or the EU, you also have the right to lodge a complaint with a data protection supervisory authority. For a controller based in Hesse, this includes the Hessian Commissioner for Data Protection and Freedom of Information: datenschutz.hessen.de.