Who is responsible for your data
Repz is operated by Xenin Ltd, a company registered in England and Wales (company number 16872372). For UK GDPR purposes, Xenin Ltd is the data controller for everything described below.
- Controller: Xenin Ltd
- Company number: 16872372
- Registered office: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, United Kingdom
- Contact: support@repzworkouts.co.uk
The short version
- We collect the bare minimum needed to run a workout-tracking app with friend features.
- We don't use third-party analytics, advertising trackers, or sell your data. Ever.
- Workout photos are private. Friends can see your check-in photos for 24 hours after the workout finishes, then visibility expires automatically.
- You can delete your account from inside the app. When you do, everything you've created is permanently deleted or anonymised within 30 days.
- All personal data is stored in the European Economic Area (Supabase EU region, Ireland).
What personal data we collect
When you create an account
- Email address — used to sign you in and to send account-related messages such as the email verification link.
- Password — stored as a salted hash by our auth provider. We never see your password in clear text.
- First and last name — shown to friends you connect with.
- Username — your public handle inside the app. Other users can find you by it.
- Height and body weight — used to personalise the experience (the unit toggle, weekly targets). You can edit these any time.
- Weekly training goal — how many days a week you aim to train. Drives the streak feature.
When you use the app
- Workouts you log — exercises, sets, weights, reps, duration, rest defaults, the gym they belong to, the time they were started and finished.
- Workout templates — including any you have shared with or received from a friend.
- Check-in photos — photos you take or upload at the end of a workout, plus the avatar you set on your profile. These are stored as private files; signed URLs are issued to clients on demand.
- Friend relationships— friend requests sent and received, who you're currently connected to, and timestamps of those events.
- Streak and rest-day records — including any deload weeks you mark.
- Custom exercise names — entries you add to your own exercise catalogue.
- An Expo push notification token — used to deliver the small number of notifications described below. Optional; you can decline notifications on first launch or revoke them in your OS settings.
When you join the waitlist on the website
- Your email address, captured by the form on the home page. Used only to email you when the beta opens.
What we don't collect
- No location data. The app never asks for your GPS.
- No analytics or telemetry. We do not use Google Analytics, Sentry, PostHog, Mixpanel, Firebase, or any equivalent tool.
- No advertising identifiers. The app does not request the iOS Advertising Identifier (IDFA) or the Android Advertising ID.
- No contacts or address book access.
- No health or fitness data from Apple Health or Google Fit.
Fitness and body data
Repz is a workout-tracking and motivation app, not a medical or healthcare service. We use information such as height, body weight, weekly training goals, workouts, exercises, sets, reps, weights, streaks and rest-day records only to provide app features such as tracking, personalisation, progress history, streaks and friend features.
We do not use this information to provide medical advice, diagnose health conditions, monitor medical conditions, or make automated decisions about your health.
How we use your data, and our lawful basis
Under UK GDPR, we rely on these lawful bases:
- To deliver the service you signed up for (UK GDPR Art. 6(1)(b), performance of a contract): authenticating you, showing your workouts and streaks, syncing data across your devices, delivering shared templates and check-ins to your friends, and handling account deletion.
- To send service messages (Art. 6(1)(b)): account verification emails, password resets, and the in-app push notifications listed below.
- To keep the service secure and reliable (Art. 6(1) (f), legitimate interests): rate-limiting abuse, preventing spam, and investigating bugs from short-lived server logs.
- With your consent (Art. 6(1)(a)): joining the waitlist, and receiving push notifications. You can withdraw consent at any time.
Automated decision-making
Repz does not use your personal data to make decisions that have legal or similarly significant effects on you.
Features such as streaks, goals, leaderboards, head-to-head comparisons and progress summaries may be generated automatically from your workout activity, but they are used only to provide app functionality and motivation features.
Photos and friend visibility
Two kinds of photo live in Repz: your profile avatar and end-of-workout check-in photos.
- Your avatar is visible to you and to anyone you are friends with inside the app. It is stored privately and accessed via short-lived signed URLs (24 hours).
- A check-in photo is visible to your accepted friends on their dashboard for 24 hours after the workout finishes. After that window the photo is no longer surfaced to friends, though it remains attached to that workout in your own history until you delete the workout (or your account). Signed URLs for check-in photos expire after 1 hour.
Device permissions
Repz may ask for permission to access your camera or photo library if you choose to upload a profile avatar or a check-in photo. We only access photos you choose to take or upload through the app.
Repz may also ask for permission to send push notifications. Notifications are optional and you can change your permissions at any time in your device settings.
Push notifications
Notifications are optional. If you allow them, we deliver pushes only in these situations:
- A friend sends you a friend request.
- A friend accepts a request you sent.
- A friend shares a workout template with you.
- Locally, when a deload week you set ends — this notification is scheduled on your device only and never leaves the phone.
Push tokens are delivered to Expo's service to send notifications to your device. Revoke notification permission in your phone's settings any time and the token will be discarded.
Safety, moderation and abuse prevention
Because Repz includes friend and sharing features, we may process usernames, profile information, shared templates, check-in photos, friend requests, friendship records and related account activity where necessary to investigate reports of abuse, misuse, harassment, impersonation, unlawful content, security issues, or breaches of our Terms of Service.
We rely on our legitimate interests in keeping Repz safe, secure and trustworthy. Where required or permitted by law, we may preserve or disclose relevant information to law enforcement, regulators, or other competent authorities.
Who we share data with
We share data only with the third-party services we need to run the app. Each is contracted as a processor under our instructions, not as an independent controller. We do not sell, rent, or trade your data.
- Supabase (Supabase, Inc.) — hosts our database, authentication, file storage, and edge functions. The Repz project is hosted in their EU West (Ireland) region. Workout data, profiles, friendships, and photos all live here.
- Expo(Exponent, Inc.) — delivers push notifications via Expo's push service to your device.
- Apple and Google — operators of the App Store and Play Store. They receive the standard purchase and crash data that any app receives, governed by their own policies.
- Resend (Resend Inc.) — used to email the website waitlist and to send notification emails to the operator when someone signs up. Only your email address is shared.
- Vercel(Vercel Inc.) — hosts the marketing website you're reading. It receives the standard web request data (IP, user agent) needed to serve the page.
We may also disclose your data if required by UK law, a valid court order, or to protect the safety of users or the service. We will tell you about any such disclosure unless legally prevented from doing so.
Future paid features
Repz does not currently process payments. If we introduce paid features, payments may be processed by Stripe, Apple In-App Purchase, or Google Play Billing, depending on the platform.
Payment providers will process payment information directly. We will not receive or store full card details. We will update this policy before payment processing begins and notify existing users where required.
Where your data is stored
The Supabase database, file storage, and edge functions that hold your account and workouts are located in Ireland (Supabase EU West / eu-west-1). This is inside the European Economic Area, so no international transfer mechanism is required between the UK and the EU under the UK's adequacy decision.
Some processors (Expo, Resend, Apple, Google, Vercel) operate from the United States. Where they handle personal data on our behalf, transfers rely on the European Commission's Standard Contractual Clauses, the UK's International Data Transfer Addendum, or — for US-based recipients — their certification under the EU–US and UK–US Data Privacy Frameworks where applicable.
How long we keep your data
Account, profile and workout data
Account, profile and workout data is kept for as long as your account exists. If you delete your account, we will permanently delete or anonymise the personal data associated with your account within 30 days, unless we need to keep limited information for legal, security, fraud-prevention, accounting, dispute-resolution or regulatory reasons.
Workout photos and avatars
Workout photos and avatars are stored until the relevant workout is deleted, the photo is replaced, or the account is deleted. Copies of information that have already been shared with another user, saved to their device, or included in their own account, such as a shared workout template they accepted, may remain with that user until they delete it.
Push tokens
Push tokens are kept as long as the app is installed and you have notifications enabled. They are replaced when a new token is issued.
Waitlist emails
Waitlist emails are kept until you ask us to remove them, or for up to 24 months after the public launch of Repz, whichever is sooner.
Email verification and password-reset records
Handled by Supabase Auth on the standard short retention used by that service.
Your rights
Under UK GDPR you have the following rights over your personal data. To exercise any of them, email support@repzworkouts.co.uk from the address linked to your account. We will respond within one month.
- Access — ask for a copy of the personal data we hold about you.
- Rectification— correct anything that's wrong. Most fields you can edit yourself in the app's Profile screen.
- Erasure — delete your account and the personal data attached to it. You can do this yourself from Profile → Delete account in the app. Alternatively, email us.
- Restriction — ask us to limit how we process your data while you contest its accuracy or our use of it.
- Portability — ask for a machine-readable export of the personal data you have given us.
- Objection — object to processing carried out on the basis of our legitimate interests.
- Withdraw consent — where we rely on your consent (e.g. notifications, waitlist), withdraw it any time. Withdrawing consent does not affect processing that happened before.
- Lodge a complaint— if you're unhappy with how we handle your data, you can complain to the UK's Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We'd appreciate the chance to put things right first — email us before going to the ICO if you can.
Children
Repz is intended for users aged 16 or over. The app is not designed for children under 16 and we do not knowingly allow children under 16 to create accounts.
We may ask users to confirm their age when creating an account. If we discover or reasonably believe that someone under 16 has created an account, we may suspend or delete the account and remove the associated personal data.
If you believe a child under 16 has created an account, please email support@repzworkouts.co.uk.
Security
We protect your data with industry-standard measures: encrypted transport (HTTPS), encryption at rest for database and file storage, salted password hashes via Supabase Auth, row-level security policies on every database table, and short-lived signed URLs for private files. No system is perfect — if we ever discover a breach that puts your rights at risk, we will notify the ICO within 72 hours and contact affected users without undue delay.
Cookies and tracking
The website uses no advertising or analytics cookies. We currently use only cookies and similar technologies that are strictly necessary to provide the website or app functionality, such as serving the site securely or keeping you signed in where applicable.
We do not use advertising cookies, tracking pixels, or analytics tools. If this changes, we will update this policy and request consent where required before using any non-essential cookies or tracking technologies.
Changes to this policy
If we change this policy materially, we will update the "Last updated" date at the top and, for changes that affect your rights, email you at the address on your account before the change takes effect. Minor wording fixes are made without notice.
Contact
Questions, requests, complaints? Email support@repzworkouts.co.uk. We aim to respond within a few working days.