WODR
Privacy Policy

Last updated: 21 June 2026

1. Introduction

WODR ("we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to your data when you use the WODR mobile application ("App").

This policy applies globally and addresses requirements under the UK General Data Protection Regulation (UK GDPR), the EU GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

By using the App, you acknowledge the practices described in this policy. Where we rely on your consent (for example, for health data or non-essential analytics), we will ask for it separately, and you may withdraw it at any time as described below.

2. Data Controller

The data controller responsible for your personal data is [[ Legal entity name, e.g. WODR Ltd ]], [[ registered postal address ]]. For all data protection enquiries, please contact us at legal@wodr.app.

If you are located in the European Union or European Economic Area and we are required to appoint a representative under Article 27 GDPR, our representative is [[ EU representative name and address, if applicable ]].

3. Information We Collect

Account Information

When you register, we collect:

  • Email address
  • Username and display name
  • Profile photo (if you choose to upload one)
  • Password (stored in encrypted form; we never see your plain-text password)

Fitness & Workout Data

We collect data you actively log, including:

  • Workout logs (exercises, sets, reps, weights, durations, distances)
  • Workout blocks and movement history
  • Personal records and performance stats
  • Unit preferences (metric/imperial)

Apple HealthKit

With your explicit permission, the App may read from or write to Apple HealthKit. This data includes heart rate readings, heart rate zone breakdowns, and related fitness metrics. HealthKit data is used only within the App to display and enhance your fitness experience. We do not share HealthKit data with third parties, use it for advertising purposes, or sell it in any form. This data is classified as Special Category data under UK/EU GDPR and is processed only on the basis of your explicit consent, which you may withdraw at any time via App Settings > Privacy.

Social & User-Generated Content

  • Followers and following relationships
  • Workout posts you choose to share publicly on the feed
  • Images you upload (profile pictures, workout images submitted for AI scanning)
  • Comments and interactions with other users

Public posts and your profile are visible to other users of the App. You are solely responsible for any content you choose to share publicly.

Device & Usage Data

We automatically collect:

  • Device type, operating system version, and app version
  • Crash reports and error logs
  • Pseudonymised usage events and session data (via PostHog analytics)
  • IP address and general location (country/region level)

Payment Information

Subscription payments are processed by Apple via the App Store. RevenueCat is used to manage subscription and credits status. We do not store your payment card details. We may receive limited billing information such as subscription status, transaction identifiers, and country of purchase.

4. How We Use Your Information

We use your data to:

  • Provide, operate, and maintain the App and its features.
  • Personalise your experience (e.g. suggested workouts, unit preferences).
  • Enable social features such as the public workout feed and follower system.
  • Process AI-powered requests (workout generation, workout image scanning via Anthropic).
  • Manage your subscription and credits balance.
  • Send account-related notifications (e.g. follower alerts, comments, security alerts).
  • Analyse usage patterns to improve the App (via PostHog).
  • Comply with legal obligations.

We do not sell your personal data to third parties, and we do not use your data for advertising profiling.

5. Legal Bases for Processing (UK/EU GDPR)

Where the UK GDPR or EU GDPR applies, we process your personal data on the following legal bases:

  • Providing the App, your account, and core features (logging, library, stats, subscriptions, credits) — performance of our contract with you (Art. 6(1)(b)).
  • Social features (feed, followers, comments) — performance of our contract and our legitimate interests in operating the platform (Art. 6(1)(b) and (f)).
  • AI Features (workout generation and scanning) — performance of our contract, provided at your request (Art. 6(1)(b)).
  • Apple HealthKit and other health data — your explicit consent (Art. 9(2)(a)), which you may withdraw at any time.
  • Product analytics and improving the App — your consent where required by applicable law, and otherwise our legitimate interests (Art. 6(1)(a) and (f)).
  • Security, fraud prevention, and enforcing our Terms — our legitimate interests and compliance with legal obligations (Art. 6(1)(f) and (c)).
  • Payments and record-keeping — performance of our contract and compliance with legal obligations (Art. 6(1)(b) and (c)).
  • Responding to legal requests and complying with law — compliance with a legal obligation (Art. 6(1)(c)).

Where we rely on legitimate interests, you have the right to object (see Section 14). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

6. How We Share Your Information

We share your data only as necessary to operate the App or as required by law:

  • Supabase — database, authentication, and file storage infrastructure.
  • Anthropic — AI workout generation and image scanning. Workout text and images submitted for AI processing are subject to Anthropic's data policies. We do not send Apple HealthKit data to Anthropic.
  • RevenueCat — subscription and purchase management.
  • PostHog — product analytics.
  • Apple Inc. — authentication (Sign in with Apple), App Store payment processing, and Apple HealthKit integration.

We may also disclose your information where required by law, court order, or governmental authority, or where necessary to protect the rights, property, or safety of WODR, our users, or others.

In the event of a merger, acquisition, or sale of assets, your data may be transferred to a successor entity. We will notify you before your data becomes subject to a different privacy policy.

7. User-Generated Content and Public Posts

WODR allows you to upload images and create posts that are visible to other users of the App. By uploading or posting content, you confirm that you own the content or have the right to share it, that any persons depicted have given their consent, and that the content complies with our Terms and Conditions.

Public workout posts, your username, and profile information are visible to other users. Please only share content you are comfortable being seen by others. You may delete your public posts at any time from within the App.

8. Cookies, SDKs, and Analytics

The App uses software development kits (SDKs) and similar technologies, including PostHog, to understand how the App is used and to improve it. This analytics data is pseudonymised — it is linked to a random identifier rather than directly to your name — but it may include your IP address, device information, and session and usage events, which can be personal data under applicable law.

Where required by applicable law (such as the UK Privacy and Electronic Communications Regulations (PECR) and the EU ePrivacy rules), we will ask for your consent before using non-essential analytics, and you can withdraw your consent or opt out at any time via App Settings. We do not use analytics for advertising or cross-context behavioural profiling.

9. Data Retention

We retain your data for the following periods:

  • Account and profile data — for the life of your account, plus 30 days following deletion.
  • Workout and health data — for the life of your account, deleted upon account closure.
  • Payment records — retained for 7 years to meet legal and accounting obligations.
  • Crash logs and pseudonymised analytics — up to 24 months.

If you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required to retain it for legal or compliance purposes.

10. Data Security

We implement industry-standard security measures including encrypted data transmission (TLS/HTTPS), AES-256 encrypted token storage on device, and row-level security policies on our database. Access to personal data is strictly limited to personnel who require it to operate the Service.

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, please contact us immediately at legal@wodr.app.

11. Data Breach Notification

We maintain procedures to detect, report, and investigate personal data breaches. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (such as the UK Information Commissioner's Office) without undue delay and, where feasible, within 72 hours of becoming aware of it. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users without undue delay, in accordance with applicable law.

12. International Data Transfers

Your data may be stored or processed in countries outside your own, including the UK, EU member states, and the United States. Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum — to protect your data in line with applicable law.

13. Automated Decision-Making

We do not make decisions that produce legal or similarly significant effects concerning you based solely on automated processing. Our AI Features generate workout suggestions and extract workouts from images or text at your request; this output is informational, is not used to evaluate or make significant decisions about you, and you remain in control of how you use it.

14. Your Rights

UK and EU Users (UK GDPR / EU GDPR)

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your personal data ("right to be forgotten").
  • Restriction — request that we limit how we use your data.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent (including Apple HealthKit data and non-essential analytics), withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at legal@wodr.app. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local EU supervisory authority.

California Users (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know — request disclosure of the categories and specific pieces of personal information collected about you.
  • Delete — request deletion of your personal information.
  • Correct — request correction of inaccurate personal information.
  • Opt out of sale/sharing — we do not sell or share personal data for cross-context behavioural advertising.
  • Limit sensitive data use — you may limit our use of sensitive personal information (including health data) to necessary purposes only.
  • Non-discrimination — we will not discriminate against you for exercising your CCPA rights.

To submit a verifiable consumer request, contact us at legal@wodr.app. We will respond within 45 days.

15. Children's Privacy

The App is not directed at children under the age of 16 (or 13 in the United States). We do not knowingly collect personal data from children. If you believe we have collected data from a child below the applicable age threshold, please contact us immediately at legal@wodr.app and we will delete it promptly.

16. Push Notifications

With your permission, the App may send push notifications for events such as new followers, social interactions, and reminders. You can disable notifications at any time via your device settings or in-app notification preferences.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via the App or by email, and update the "Last updated" date above. Your continued use of the App after changes are posted constitutes your acceptance of the updated policy.

18. Contact Us

If you have any questions or concerns about this Privacy Policy or how we handle your data, please contact us:

Email: legal@wodr.app

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you are in the UK: ico.org.uk