1. Data controller
The data controller responsible for processing your personal data is:
- ALEX DEVELOPMENT (EI)
- Registered address: 8 Chemin de Landouezec, 22500 Paimpol, Brittany, France.
- Trade register: N/A · SIRET 91850643700014
- Contact for privacy matters: [email protected]
We have not appointed a Data Protection Officer (DPO) because our processing does not meet the thresholds set out in Article 37 GDPR. If this changes we will publish the DPO’s contact details here.
2. Personal data we collect
We collect only the data we need to run the Service. We do not sell your data, we do not use it for advertising, and we do not profile you for third-party marketing.
2.1 Account & identity
- Email address (required to create an account and sign in)
- Authentication identifiers from Sign in with Apple or Sign in with Google when you choose those methods (an opaque user ID and, if you consent, your name and email — including Apple’s private-relay email)
- Display name and optional avatar URL
- Preferred unit (kilograms / pounds)
- Account creation timestamp and last sign-in timestamp
2.2 Fitness & training data
This is the core of what the Service does. It is stored on your device and on our backend so it syncs across devices.
- Custom training programs you build (name, structure, schedule)
- Workout sessions: start/end time, exercises performed, sets, repetitions, weight lifted, tempo, rest, free-text notes
- Body weight log entries you record
- Custom exercises you create (name, target muscle, equipment)
2.3 Subscription & purchase data
- Subscription status (free, trialing, active, in grace period, cancelled, expired)
- The product you purchased (`plus_monthly_199` or `plus_yearly_999`), the store (App Store / Google Play), the billing period, the renewal date and the cancellation date if applicable
- A pseudonymous identifier issued by RevenueCat that lets us match your subscription events to your account
We do not see or store your card number, bank details or any payment credentials. All billing is handled by Apple or Google directly.
2.4 Health data (only if you opt in)
On iOS, the App can read from and write to Apple Health (HealthKit). On Android, the App can read from and write to Health Connect. The specific data types are: workouts (write) and body weight (read & write). Health data accessed through these systems is processed on your device and is not transmitted to our servers unless you explicitly export or sync it.
Health data is never used for advertising, never sold, never shared with third parties, and never used for any purpose other than delivering the fitness-tracking feature you enabled. You can revoke access at any time in iOS Settings → Health → Data Access & Devices, or Android Settings → Apps → Health Connect.
2.5 Technical & diagnostic data
- App version, operating system version, device model and language (sent with normal API requests)
- Server logs from our hosting providers, including the IP address of requests, kept for security and abuse prevention
2.6 Data we do NOT collect
- We do not currently use any analytics or tracking SDK in the App.
- The Site does not use cookies, pixels or analytics scripts.
- We do not collect precise location data.
- We do not access your contacts, photos, microphone or camera.
3. How we collect personal data
- Directly from you, when you create an account, sign in, log a workout, record a body-weight entry, or contact support.
- From the App stores (Apple App Store, Google Play) via RevenueCat, when you buy or renew a subscription.
- Automatically, when your device sends standard metadata (IP, OS, app version) with each API request.
4. Legal basis for processing (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Creating and operating your account, syncing your training data, providing the Service | Performance of a contract — Art. 6(1)(b) |
| Processing subscription payments, refunds and renewals | Performance of a contract — Art. 6(1)(b) |
| Reading or writing Apple Health / Health Connect data | Your explicit consent — Art. 9(2)(a) |
| Keeping logs for security and fraud prevention | Our legitimate interests in keeping the Service safe — Art. 6(1)(f) |
| Complying with tax, accounting and other legal obligations | Legal obligation — Art. 6(1)(c) |
5. Purposes of processing
- Authenticating you and keeping your account secure.
- Storing and syncing your programs, sessions, sets and body weight across devices.
- Activating and managing your subscription, including the 7-day free trial.
- Providing customer support when you contact us.
- Diagnosing crashes and improving stability (when reported manually by you, or via aggregated server logs).
- Complying with applicable law (tax records, responding to lawful requests).
6. Who we share data with
We share personal data only with the processors and partners listed below, and only to the extent strictly necessary. Each is bound by a Data Processing Agreement (DPA) and by appropriate technical and organisational safeguards.
| Recipient | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, edge functions and file storage | European Union (Frankfurt) with sub-processors that may include the United States |
| RevenueCat, Inc. | Subscription receipt validation, lifecycle webhooks, entitlement management | United States |
| Apple Inc. (App Store, Sign in with Apple, HealthKit) | App distribution, in-app purchase processing, optional sign-in, optional health data exchange on-device | Ireland (EU representative) and United States |
| Google LLC (Google Play, Sign in with Google, Health Connect) | App distribution, in-app purchase processing, optional sign-in, optional health data exchange on-device | Ireland (EU representative) and United States |
| OVH SAS | Hosting of https://muscle-os.app | 2 rue Kellermann, 59100 Roubaix, France |
We never sell your personal data, and we never share it with advertisers, data brokers, insurers, employers or credit-scoring agencies.
7. International transfers
Some of our processors are located outside the European Economic Area, in particular the United States. When that is the case, the transfer is protected by the European Commission’s Standard Contractual Clauses (Decision 2021/914) and, where applicable, by the EU–US Data Privacy Framework. You can request a copy of the safeguards in place by emailing [email protected].
8. How long we keep your data
| Data | Retention |
|---|---|
| Account & profile | For the lifetime of the account, deleted within 30 days of account deletion |
| Workout sessions, programs, body-weight log | For the lifetime of the account; you can export or delete entries at any time |
| Subscription & billing records | 10 years from the end of the tax year, as required by French and EU accounting law |
| Server logs containing IP addresses | Up to 12 months for security and abuse prevention, then deleted or anonymised |
| Support correspondence | 3 years from your last interaction |
9. Your rights under the GDPR
You have the following rights, which you can exercise free of charge by emailing [email protected]. We respond within one month (extendable to three months for complex requests, in which case we will tell you within the first month).
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): have inaccurate or incomplete data corrected.
- Right to erasure (Art. 17): have your data deleted. You can also delete your account directly from the App; this triggers full deletion within 30 days, except for the records we are legally required to keep.
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20): receive your training and body-weight history in a structured, commonly used and machine-readable format.
- Right to object (Art. 21) to processing based on our legitimate interests.
- Right not to be subject to automated decision-making (Art. 22) — we do not make any decisions about you using solely automated means.
- Right to withdraw consent at any time, where processing is based on consent (e.g. health-data integrations); the withdrawal does not affect the lawfulness of processing carried out before it.
- Right to lodge a complaint with the French data protection authority (CNIL — cnil.fr) or with the supervisory authority in your country of residence.
10. Security
We use encryption in transit (HTTPS / TLS 1.2+), encryption at rest on the database, scoped row-level security so each user can only access their own rows, secret keys stored outside source control, and regularly rotated credentials. No system is perfectly secure: if a breach is likely to result in a high risk to your rights and freedoms, we will notify you and the CNIL within 72 hours, as required by Art. 33–34 GDPR.
11. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact [email protected] and we will delete it.
12. Cookies and similar technologies
The Site (https://muscle-os.app) does not set any cookies, does not embed third-party trackers, and does not run any analytics scripts. If we ever introduce non-essential cookies, we will publish an updated cookie policy and, where required, ask for your prior consent through a banner that complies with the CNIL’s recommendations.
The App stores authentication tokens locally on your device using secure platform storage (Apple Keychain on iOS, EncryptedSharedPreferences on Android). These are not cookies and are required for you to stay signed in.
13. Notice for California residents (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know what personal information we collect, use, and disclose.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information.
- Right to limit the use of sensitive personal information.
- Right to non-discrimination for exercising these rights.
We do not sell or share personal information as those terms are defined under the CCPA, and we do not use sensitive personal information for any purpose other than providing the Service. You do not need to submit a “Do Not Sell or Share My Personal Information” request, but you can confirm or exercise your rights at [email protected].
Residents of other US states with comparable privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may exercise the equivalent rights through the same channel.
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated through an in-app notification or by email at least 30 days before they take effect. The “Last updated” date at the top of this page always reflects the current version. Previous versions are available on request.
15. Contact
For any privacy question or to exercise your rights, contact us at [email protected] or by post at:
ALEX DEVELOPMENT
8 Chemin de Landouezec, 22500 Paimpol, Brittany, France.
This Privacy Policy is also available together with our Terms of Service and Legal Notice.