Privacy Policy
1. Who We Are
NYRO is operated by Niklas Roznowski (the "Operator", "we", "us"), based in Basel, Switzerland. The Operator is the data controller within the meaning of Art. 4(7) GDPR and Art. 5(j) of the Swiss Federal Act on Data Protection ("nDSG") for any personal data processed through the NYRO mobile application (the "App").
Although the Operator is based in Switzerland, the App is offered to users in the European Union (in particular Germany and Austria). The GDPR therefore applies to processing activities directed at users in the EU/EEA pursuant to Art. 3(2) GDPR, in addition to the Swiss nDSG.
Postal address: Claragraben 84, 4058 Basel, Switzerland
We have not appointed a Data Protection Officer because the conditions of Art. 37 GDPR / Art. 10 nDSG do not apply to our processing operations.
2. Information We Collect
We collect only the data needed to operate the App. Specifically:
Account data
- A stable identifier ("Apple sub") returned by Sign in with Apple when you create or use your account. This identifier is unique to NYRO and your Apple ID.
- Optionally, the name and email address you choose to share via Sign in with Apple. You may use Apple's "Hide My Email" feature; we then receive only a relay address.
Training data
- Workout sessions you log: exercises, sets, reps, weights, durations, perceived exertion (RPE), notes, and timestamps.
- Routines, programs, and schedules you create.
- Body measurements you enter (weight, body fat, circumferences, etc.).
- Custom exercises you add to your library.
- Training goals and preferences you set during onboarding or in Settings.
Apple Health data (only if you connect Apple Health)
- Read: Heart Rate Variability (HRV/SDNN), Resting Heart Rate, Sleep analysis, Body Mass, Heart Rate during workouts.
- Write: Completed workouts (HKWorkout), Body Mass entries, Active Energy estimates.
See section 6 for our specific commitments regarding Health data.
Technical data
- Crash reports collected via Firebase Crashlytics (stack traces, device model, OS version, anonymized installation ID).
- Aggregate, pseudonymized usage events collected via Firebase Analytics (e.g. "workout_started", "onboarding_completed").
- Standard server logs when your device communicates with our backend (IP address — used for security purposes only and not stored beyond the legitimate retention window of our processors).
Voluntary data
- Messages you submit through the in-app feedback feature.
3. How We Use Your Information
We use your data to:
- Provide the core App functionality: tracking workouts, displaying progress, computing analytics and insights.
- Sync your training data across your devices via your account.
- Compute the Training Readiness Score and adapt suggestions based on Apple Health signals (HRV / RHR / Sleep), if connected.
- Generate workout suggestions on request via our AI workout generator (see section 7 — Anthropic).
- Detect, diagnose, and fix crashes and bugs.
- Understand how the App is used in aggregate so we can improve it.
- Respond to feedback and support requests you send us.
We do not use your data for advertising, profiling beyond what is described above, or selling to third parties.
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases under Art. 6(1) GDPR:
- Performance of a contract (Art. 6(1)(b)): Account creation, training-data sync, providing the core functionality you signed up for.
- Consent (Art. 6(1)(a)):
  - Reading Apple Health data (HRV / RHR / Sleep / Body Mass / Heart Rate) — you grant this through Apple's Health permission sheet and may revoke it any time in iOS Settings → Privacy & Security → Health → NYRO.
  - AI-generated workout suggestions when you trigger them.
- Legitimate interest (Art. 6(1)(f)): Crash diagnostics, aggregate usage analytics for product improvement, and security logging. Our legitimate interest is the operation, security, and continuous improvement of the App. You may object at any time (see section 11).
5. How Your Data Is Stored & Where
On your device
- All training data is stored locally first. The App is fully functional offline.
- Local files reside in the iOS Application Support directory, within the standard app sandbox.
On our backend (Supabase)
- When you are signed in, training data (workout history, routines, programs, body measurements, custom exercises, training goals, profile) is synced to Supabase as a backup and to allow multi-device use.
- Supabase data is hosted in Dublin, Ireland (AWS eu-west-1) — within the EU/EEA.
- Apple Health data (HRV / RHR / Sleep) is NEVER uploaded to our backend. It is read on-device only.
Crash and analytics data
- Crash reports are processed by Firebase Crashlytics (Google).
- Pseudonymized usage events are processed by Firebase Analytics (Google).
- Both are subject to the international transfer disclosures in section 8.
6. Apple Health Data
NYRO can read selected metrics from Apple Health to power the Training Readiness Score and to display recovery-aware coaching. Apple's Health framework requires us to make the following commitments, which we honor:
- We will never use Apple Health data for advertising or marketing purposes.
- We will never share, sell, or transmit your Apple Health data to any third party (including our own backend).
- Apple Health data we read remains on your device. We use it only to compute scores shown in the App.
- Aggregate Apple Health data (e.g. baseline values used in score computation) may be cached on-device for performance. It never leaves your device.
- You can revoke Apple Health access at any time via iOS Settings → Privacy & Security → Health → NYRO. The App degrades gracefully — features that depend on Health data simply hide or fall back.
We may also write your completed workouts and body weight entries back to Apple Health if you grant write permission, so they appear in your Activity rings and Health timeline.
7. Third-Party Service Providers
We use the following service providers ("processors") to operate the App:
- Apple Inc. — Sign in with Apple (authentication), HealthKit (Health framework), App Store (distribution and in-app purchases). Subject to Apple's Privacy Policy.
- Supabase Inc. — Backend database, authentication, file storage. Stores your account-bound training data. Hosted in Dublin, Ireland (AWS eu-west-1).
- Google LLC (Firebase) — Crash reporting (Crashlytics) and product analytics (Analytics). Processes crash payloads and aggregate usage events.
- Anthropic, PBC — AI workout generation. When you request an AI-generated workout, your equipment selection, training goal, and (optionally) free-text input are sent to Anthropic's Claude API to generate a workout structure. We do not send your training history, identity, or Apple Health data. Anthropic processes the request and returns a structured response. Per Anthropic's API policy, prompts are not used to train their models.
We do not sell your data, share it with data brokers, or use it for advertising. Each processor is bound by a Data Processing Agreement (Art. 28 GDPR).
8. International Data Transfers
Some of our processors (Google / Firebase, potentially Anthropic) operate servers outside the European Economic Area (EEA), including in the United States.
When data is transferred to a country without an EU adequacy decision, we rely on the EU Standard Contractual Clauses (SCCs) and the EU-U.S. Data Privacy Framework where the recipient has self-certified, in line with Art. 46 GDPR.
You may request information about the specific safeguards applied to a transfer by contacting us at nyro.app@gmail.com.
9. Data Retention
- Training data: kept for the lifetime of your account. When you delete your account (Settings → Advanced → Delete account), all training data is removed from our backend within 30 days.
- On-device data: kept until you delete the App or use Settings → Advanced → Delete account, which wipes local storage immediately.
- Crash reports: retained by Firebase Crashlytics for 90 days by default.
- Aggregate analytics events: retained by Firebase Analytics for up to 14 months.
- Apple Health data we read: never persistently stored by us — see section 6.
10. Account Deletion
You can delete your account at any time directly in the App: Settings → Advanced → Delete account.
This action:
- Permanently deletes your account record and all training data on our backend.
- Wipes all training data from your device (workouts, routines, programs, measurements, custom exercises, cached Health snapshots).
- Signs you out and resets the App to its first-launch state.
Some derived data may persist briefly in backups or processor systems before purging cycles complete. All processors are bound to honor deletion requests.
You can also request deletion or any other right listed in section 11 by emailing nyro.app@gmail.com.
11. Your Rights Under GDPR / nDSG
You have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR / Art. 25 nDSG): obtain a copy of the data we hold about you.
- Right to rectification (Art. 16 GDPR / Art. 32(1) nDSG): correct inaccurate data.
- Right to erasure (Art. 17 GDPR / Art. 32(2) nDSG): request deletion of your data — most easily via in-app account deletion.
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR / Art. 28 nDSG): export your training data in a machine-readable format via Settings → Export data, or request it from us.
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3) GDPR / Art. 6(6) nDSG): withdraw consent for Apple Health reads or AI features at any time. Withdrawal does not affect prior lawful processing.
- Right to lodge a complaint with a supervisory authority:
  - If you reside in Switzerland, you may contact the Swiss Federal Data Protection and Information Commissioner (FDPIC / EDÖB), Feldeggweg 1, CH-3003 Bern, www.edoeb.admin.ch.
  - If you reside in the EU/EEA, you have the right under Art. 77 GDPR to lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, contact nyro.app@gmail.com. We will respond within one month (Art. 12(3) GDPR / Art. 25(7) nDSG).
12. Children's Privacy
NYRO is not intended for children under 16 years of age, in line with Art. 8 GDPR. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us so we can delete it.
13. Automated Decision-Making & AI
NYRO uses computational logic to compute scores and recommendations:
- The Training Readiness Score is a deterministic calculation from HRV, RHR, and Sleep against a 14-day rolling baseline.
- The Weekly Training Score is a weighted sum of training metrics.
- Workout suggestions can be generated on request by Anthropic's Claude AI (see section 7).
These outputs are informational only. They do not produce legal effects or significantly affect you within the meaning of Art. 22 GDPR. You always remain in control: you choose whether to follow a suggestion, modify it, or ignore it.
14. Security
We use industry-standard measures to protect your data:
- All network traffic uses TLS 1.2+.
- Authentication tokens are stored in the iOS Keychain (encrypted at rest).
- Backend data is protected by Supabase Row-Level Security policies that enforce per-user isolation.
- We follow the principle of least privilege when granting access to operational systems.
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the competent supervisory authority in accordance with Art. 33 / 34 GDPR.
15. Changes to This Policy
We may update this Privacy Policy as the App evolves or as legal requirements change. We will update the "Last updated" date above on every change. For material changes affecting your rights, we will notify you via an in-app notice or email before the change takes effect.
Continued use of the App after the effective date constitutes acceptance of the updated policy.
16. Contact & Complaints
For questions, requests, or complaints about this policy or our handling of your data:
Postal: Claragraben 84, 4058 Basel, Switzerland
You also have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC / EDÖB) if you reside in Switzerland, or with a data protection supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.