Privacy Policy

Effective Date: April 13, 2026

Controller: Marco Rothermel (Maggy Studio)

Address: Biegenstraße 24, 35037 Marburg, Germany

Contact: support@kinea-app.com

This Privacy Policy explains how Kinea collects, uses, stores, and shares personal data when you use the Kinea website, mobile app, and related backend services. Kinea is a fitness tracking and training analysis service. It is not a medical or healthcare service.


Contents
  1. Scope
  2. Controller and Contact
  3. Data We Process
  4. Purposes of Processing
  5. Legal Bases
  6. Sharing and Service Providers
  7. AI Processing
  8. International Transfers
  9. Retention
  10. Security
  11. Your Rights
  12. Additional Information for Certain U.S. State Residents
  13. Children
  14. Changes
  15. Contact and Complaints

1. Scope

This Privacy Policy applies to:

This Privacy Policy does not replace the privacy notices of third-party platforms such as Apple, Google Play, or your mobile operating system.

2. Controller and Contact

The controller for the processing described in this Privacy Policy is:

Marco Rothermel (Maggy Studio)
Biegenstraße 24
35037 Marburg
Germany
Email: support@kinea-app.com
Contact form: kinea-app.com/contact

No separate data protection officer has been appointed at this time because there is currently no legal obligation for Kinea to do so.

3. Data We Process

3.1 Data You Provide Directly

3.2 Data Collected Automatically

3.3 Subscription and Advertising Data

Kinea currently uses non-personalized ad requests by default. We do not currently use ATT/IDFA-based tracking for ads on iOS. In regions or contexts where Google or applicable law requires advertising consent choices before ads load, supported app versions show an in-app consent flow before requesting ads. In supported app versions, you can later change or withdraw ad-related privacy choices in Settings > Privacy choices. Depending on your choices, region, and Google's supported serving modes, Kinea may request non-personalized ads or limited ads. If ads cannot be requested in the relevant context, Kinea will not request them there. If Kinea later moves to personalized ads, this notice and the app privacy flow will be updated first.

3.4 Data From Other Users

If you use Gym Buddies, other users may search for you by username or email address, send you friend requests, and see limited shared data necessary for the social feature. If you pin a public Spotify playlist to your profile, your buddies may also see the linked playlist title, owner name, Spotify link, and playlist artwork.

3.5 Biometric Login

If you enable biometric login, your Face ID, Touch ID, or fingerprint templates remain on your device and are handled by your device operating system. Kinea does not receive or store your biometric templates.

3.6 Local Device Storage

Kinea stores some data locally on your device so the app can work reliably, remember your preferences, and support offline use. This can include workouts, templates, exercises, cached profile data, friends, requests, notifications, blocked users, synchronization queues, sync metadata, temporary ID mappings, authentication tokens, device identifiers, locale, units, theme, biometric-login settings, and the last signed-in user ID.

If you use Delete Workout History in the app settings, Kinea removes your stored workout history from the service and clears related local workout data after the request succeeds. If you use Delete Account, Kinea removes account-scoped local data such as authentication tokens, the stored device identifier, biometric-login account settings, and the last signed-in user ID. Some general app preferences, such as language, theme, or units, may remain on your device until you change them, clear app data, or uninstall the app.

Kinea does not offer an end-user feature for uploading PDFs or research papers.

4. Purposes of Processing

We process personal data to:

5. Legal Bases

If the GDPR applies, we rely on one or more of the following legal bases, depending on the feature or processing activity:

| Processing activity | Main legal basis | Details |
| --- | --- | --- |
| Account creation, login, authentication, and core app access | Art. 6(1)(b) GDPR | Necessary to create and maintain your account and provide the service you request. |
| Workout logging, training history, synchronization, offline recovery, export, and import | Art. 6(1)(b) GDPR | Necessary to store, sync, restore, export, and import your Kinea data as part of the requested service. |
| AI recommendations, training analysis, recovery or plateau analysis, and related comparison features | Art. 6(1)(a) GDPR and, where required, Art. 9(2)(a) GDPR | Processed only when you request these optional features and provide the relevant consent. |
| Gym Buddies, requests, comparisons, and social notifications | Art. 6(1)(b) GDPR | Necessary to operate the social features you choose to use inside Kinea. |
| Push notifications | Art. 6(1)(a) GDPR | Based on your device-level permission and your choice to allow notifications. |
| Rewarded ads, advertising consent choices, and reward verification | Art. 6(1)(a) GDPR | Applies when you choose to watch optional rewarded ads and where ad-related consent choices are required. |
| Subscriptions, entitlement checks, billing-status synchronization, and app store purchase validation | Art. 6(1)(b) GDPR | Necessary to manage premium access, renewals, and subscription status. |
| Password reset emails and other transactional service communications | Art. 6(1)(b) GDPR | Necessary to send requested account and security communications. |
| Crash reporting, diagnostics, access logs, backend logs, fraud prevention, and abuse detection | Art. 6(1)(f) GDPR | Necessary for service security, reliability, troubleshooting, and protection against misuse. |
| Compliance, recordkeeping, and legally required disclosures | Art. 6(1)(c) GDPR | Necessary where we must comply with applicable law, court orders, or regulatory obligations. |

Kinea is a fitness app, not a medical or healthcare service. Some fitness and training information you choose to provide, such as body weight, height, gender, age or birth date, workout history, exercise notes, RPE or effort information, recovery-, fatigue-, or plateau-related analysis, and bodyweight-based comparisons, may in some contexts be considered health-related data or another special category of personal data under Art. 9 GDPR. Where required, we process this data based on your explicit consent under Art. 9(2)(a) GDPR, together with the applicable Art. 6 GDPR legal basis for the feature you request. You may withdraw consent with effect for the future, but this may limit or disable features that rely on that data.

6. Sharing and Service Providers

We do not sell your personal data for money. We share personal data only where necessary to operate Kinea, comply with law, or if you choose to use a feature that requires third-party processing.

| Provider / Recipient | Purpose | Typical Data Categories |
| --- | --- | --- |
| Cloudflare | Website delivery, DNS, security, caching | IP address, request metadata, standard web security logs |
| Google Fonts package (mobile app) | App font rendering where fonts are requested at runtime by the mobile app; the website marketing pages use self-hosted font files | IP address, browser or device metadata, and font request metadata when app-hosted fonts are loaded at runtime |
| Hetzner and Kinea self-hosted infrastructure | Backend hosting, storage, backups, database, cache/rate-limiting, and vector retrieval | Account, workout, technical, application, log, backup, PostgreSQL, Redis, Qdrant, and vector-search data stored to operate the service |
| Firebase (Crashlytics, Cloud Messaging) | Crash diagnostics and push notifications | Crash data, device or app metadata, and push tokens |
| Apple Push Notification service (APNs) | Delivery of push notifications to iOS devices | Push tokens, device and delivery metadata, and notification payload metadata |
| RevenueCat and app stores | Subscription management and entitlement status | App user ID, product IDs, entitlement status, renewal or expiration data, transaction metadata |
| Google AdMob | Optional rewarded ads, banner ads, consent or privacy-choice handling, and reward verification | Advertising identifiers, ad delivery data, ad interaction metadata, and reward-verification data where relevant to the ad format you use |
| Google Gemini API and Google embedding services | Workout analysis, AI-generated recommendations, semantic retrieval, and ranking of relevant training or research context | Selected workout context such as exercises, sets, reps, weights, timestamps, goal-related context, query text, and retrieved context needed for the requested feature |
| Spotify Web API | Fetch public playlist metadata and artwork for user-linked Gym Buddies profile playlists | Public playlist URL or derived playlist identifier submitted by the user, standard server-side request metadata, and Spotify's returned public playlist metadata and artwork |
| Resend | Transactional email delivery | Email address and message metadata for password reset emails |
| Other Kinea users | Gym Buddies social features | Username, limited profile display data, friendship status, comparisons, shared feature outputs, and any optional public Spotify playlist metadata and artwork you choose to show on your profile |

We may also disclose personal data to courts, authorities, regulators, or advisers if required by law or reasonably necessary to establish, exercise, or defend legal claims.

7. AI Processing

Kinea uses AI to generate training analysis and recommendations. In production, user workout data used for AI analysis is sent only to Google Gemini API and related Google embedding services used for retrieval.

The data is sent only when you request the relevant AI feature and is limited to the context needed for that feature, such as your selected exercises, sets, reps, weights, training dates, goal-related context, and query or retrieval context. We do not use AI to make decisions that produce legal effects or similarly significant effects on you.

AI outputs can be inaccurate, incomplete, or unsuitable for your particular situation. Kinea is a fitness tool, not a medical service.

8. International Transfers

Some of our service providers may process data outside the European Economic Area or United Kingdom. Where this happens, we use appropriate safeguards where required, such as adequacy decisions, Standard Contractual Clauses, or comparable lawful transfer mechanisms.

Depending on the feature you use, this can affect providers such as Google, Firebase, Google AdMob, RevenueCat, Spotify, Resend, or Cloudflare. The applicable transfer mechanism depends on the provider and processing context, but where required we rely on recognized safeguards such as adequacy decisions, Standard Contractual Clauses, or comparable lawful measures.

9. Retention

10. Security

We use reasonable technical and organizational measures to protect personal data, including encrypted transport, access controls, credential protections, and service-level security controls. Passwords are not stored in plain text.

No system is completely secure. You are responsible for keeping your account credentials confidential and for using a strong password.

11. Your Rights

If the GDPR or similar laws apply to you, you may have the right to:

You can exercise privacy rights by contacting support@kinea-app.com. In supported app versions, you can also use two in-app deletion controls in the settings: Delete Workout History, which removes stored workout history while keeping your account, and Delete Account, which removes your account and associated server-side data such as workout history, custom exercises, workout templates, favorites, linked Spotify profile playlist data, Gym Buddies relationships, requests, and notifications. These deletion actions require an internet connection and complete only after the request succeeds. For ad-related privacy choices, supported app versions also provide Settings > Privacy choices. You can find a public description of that flow at kinea-app.com/privacy-choices.

12. Additional Information for Certain U.S. State Residents

This section is provided for transparency for users in California and certain other U.S. states with privacy laws that may grant additional rights. It does not mean that every U.S. state privacy law automatically applies to Kinea in every case.

Where applicable law grants these rights and applies to Kinea, you may have additional rights to request access to, correction of, deletion of, or a copy of certain personal data, and to opt out of certain processing such as the sale or sharing of personal data or targeted advertising as those terms are defined by applicable law.

Kinea does not sell personal data for money. In supported app versions, ad-related privacy choices can be managed in Settings > Privacy choices. Depending on your region, platform, and Google's supported privacy flows, this may include options related to advertising, sharing, or similar privacy choices for eligible users.

You can also submit privacy requests by contacting support@kinea-app.com. We may need to verify your identity before processing a request. Where applicable law allows requests through an authorized agent, we may request proof of that authorization. If a state law gives you a right to appeal a denied request, you can reply to the denial message or contact us again with the subject line Privacy Appeal.

13. Children

Kinea is not intended for children under 16. If we learn that we have collected personal data from a child under 16 without a valid legal basis, we will take reasonable steps to delete the data.

14. Changes

We may update this Privacy Policy from time to time. If we make material changes, we will update the effective date and may provide additional notice through the app or website.

15. Contact and Complaints

For privacy questions or requests, contact: support@kinea-app.com

If you are in Germany or the EU, you also have the right to lodge a complaint with a data protection supervisory authority. For a controller based in Hesse, this includes the Hessian Commissioner for Data Protection and Freedom of Information: datenschutz.hessen.de.