Privacy Policy
of the aGYM App
As of: March 2026
This English translation is provided for information purposes only. Only the German version of this Privacy Policy (Datenschutzerklärung) is legally binding. In the event of any discrepancy between the English and German versions, the German version shall prevail.
1. Data Controller and Contact
The controller responsible for the processing of personal data within the meaning of the General Data Protection Regulation (GDPR) is:
A Corporation GmbH
Westendhof 10
45143 Essen, Germany
Managing Directors: Jacob Fatih, Mohamad Ali Mohamad
Email: support@agym.io | Tel.: +49 (0) 201 38409150
Website: www.agym.co
Court of registration: District Court of Essen | Registration number: HRB 32094
We are currently not required to appoint a Data Protection Officer.
2. Scope
This Privacy Policy applies to the mobile application "aGYM" (hereinafter "App") and to all personal data processed through this App and its associated services (website, event platform, access control systems, ordering system).
For applications and websites of other providers that may be linked, only their respective privacy policies apply.
3. Minimum Age
Use of the aGYM App requires a minimum age of 16 years. By registering, you confirm that you are at least 16 years old.
4. Hosting and Storage Location
Our App is operated on servers within the European Union. The infrastructure provider is Google LLC (hereinafter "Google"), with whom we have concluded a Data Processing Agreement (DPA). Google is certified under the EU-U.S. Data Privacy Framework.
Backups are stored within the EU and deleted after a maximum of 180 days.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure, high-performance provision of the App).
5. Your Rights
As a user of our App, you have the following rights under the GDPR:
- Access (Art. 15 GDPR): You can request information about your personal data processed by us.
- Rectification (Art. 16 GDPR): You can request the correction of inaccurate or the completion of incomplete data.
- Erasure (Art. 17 GDPR): You can request the deletion of your data, provided no statutory retention obligation exists.
- Restriction (Art. 18 GDPR): You can request the restriction of the processing of your data.
- Objection (Art. 21 GDPR): You can object to the processing of your data at any time.
- Withdrawal (Art. 7(3) GDPR): You can withdraw any given consent at any time.
- Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
- Complaint (Art. 77 GDPR): You can lodge a complaint with a data protection supervisory authority.
Please contact: support@agym.io
Note: If mandatory data is deleted or restricted, the App may no longer be (fully) usable.
6. What Data We Collect
6.1 Registration and Account
Using the App requires creating an account. Registration is done via phone number with SMS verification. The following data is processed: phone number, IP address (technically required), and a one-time SMS verification code.
Additionally, login via QR code is possible (e.g., for employees). The temporary code is automatically deleted after a maximum of 24 hours.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
6.2 User Profile
Mandatory information: First name and last name (for identification and display in the App).
Voluntary information: Gender, body type, date of birth, bio, tags, email address, address, profile picture, home gym, training goals, experience level, training preferences, and privacy settings.
Automatically collected: Language and time zone.
Legal basis: Art. 6(1)(b) GDPR (mandatory information); Art. 6(1)(a) GDPR (voluntary information).
6.3 Facial Verification
During onboarding, a photo of your face is captured. This is used for access control at the entrance gates of our gym locations. The image is stored encrypted on our servers.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
6.4 Training Sessions
When using the App, data about your training visits is collected: start and end time, visited location, trained muscle groups, and optionally notes, photos (stories), and ratings.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(a) GDPR (voluntary content).
6.5 Access Control
When entering and leaving our locations, an access control system is used. The following data is processed: your QR code or ID code, the access direction (entry/exit), a timestamp, and your name and facial image for verification.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(f) GDPR (legitimate interest in security).
6.6 Social Features
The App offers social features such as a friends list, a blocking function, reactions to other users' training sessions, and the ability to share content via third-party platforms (e.g., WhatsApp, Instagram, Snapchat, Facebook). When sharing, the privacy policies of the respective platform apply.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(a) GDPR (consent when actively sharing).
6.7 Digital Membership Card (ID QR Code)
The App generates a personal QR code that serves as a digital membership card. The cryptographic keys required for this are stored securely on your device.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
7. aBAR – Ordering System
At our gym locations, we operate a bar/café called aBAR. When placing orders, the following data is processed: order details (items, order number, time, location), payment information (processed via Stripe, see Section 9), optional tips, and invoices and receipts.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract/purchase agreement).
8. IP Address
When using the App, your IP address is technically transmitted. It is used for establishing the connection, protection against abuse, and IT security. The IP address is stored temporarily and may remain in backup systems for up to 180 days.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technical provision and security).
9. Payment Processing
For the processing of payments (membership, aBAR orders), we use the payment service provider Stripe, Inc., 354 Oyster Point Blvd, South San Francisco, CA 94080, USA.
The following data is transmitted to Stripe: name, email address, phone number, billing address, and payment method (card details, Apple Pay, Google Pay, or PayPal).
We only store the card brand, the last 4 digits, the expiration date, and the type of payment method. Complete payment data is processed exclusively by Stripe. Stripe is certified under the EU-U.S. Data Privacy Framework.
Stripe Privacy Policy: stripe.com/en-de/privacy
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
10. Email Sending
For sending transactional emails, we use the service Resend (Plus Five Five, Inc.). Your name and email address are transmitted to Resend.
Resend Privacy Policy: resend.com/legal/privacy-policy
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(f) GDPR (legitimate interest).
11. Analytics, Statistics, and Troubleshooting
11.1 Usage Analytics
To improve our App, we collect pseudonymized usage data such as app usage events, general user properties, and device information. We use Google Analytics / Firebase Analytics for this purpose.
You can opt out of statistical analysis at any time in the App settings.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in improving the App).
11.2 Troubleshooting and Performance
To detect and fix App errors and to monitor performance, we collect pseudonymized crash reports, error messages, and performance metrics. This data is stored for a maximum of 90 days.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the stability and performance of the App).
11.3 App Configuration
We use configuration services to manage App settings and optimize the user experience (e.g., through A/B tests). A pseudonymized device ID is used for this purpose.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in App optimization).
12. Artificial Intelligence
We use AI-powered services from Google to automatically analyze user reviews. The review text and pseudonymized attribution data are transmitted to the Google Cloud.
The analysis serves quality assurance and the early detection of issues at our locations. According to Google, the data is not used for training AI models.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in quality assurance).
13. Push Notifications
The App can send you push notifications (e.g., location reminders, friends' activities, order status, system messages). A device-bound token is stored for this purpose, which does not contain personal data.
You can disable push notifications at any time in your device settings or App settings.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(a) GDPR (consent).
14. Device Information and Permissions
14.1 Device Data
When using the App, technical data is automatically collected: device model, operating system, App version, language, and screen size. Additionally, a device ID is collected for security and fraud prevention.
14.2 Device Permissions
- Camera: Facial verification, profile picture, QR code scanning, session photos
- Photos / Gallery: Selection of profile and session photos
- Microphone: Voice messages (team features)
- Push Notifications: Receiving notifications
All permissions are only requested when needed and can be revoked at any time in the device settings.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest); Art. 6(1)(b) GDPR (performance of a contract).
15. Spotify Integration
The App offers an optional Spotify integration that allows you to display your top artists on your profile. No music data is streamed and no playlists are processed. You can disconnect the integration at any time in the App settings.
Spotify Privacy Policy: spotify.com/legal/privacy-policy
Legal basis: Art. 6(1)(a) GDPR (consent through active connection).
16. Customer Support
For in-app customer support, we use the service Gleap. Your name, contact details, and the content of your inquiry are transmitted to Gleap.
Gleap Privacy Policy: gleap.io/privacy-policy
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(f) GDPR (legitimate interest).
17. Address Autocomplete
When entering addresses, we use the Google Maps Places API for autocomplete. The entered search text and the selected address are transmitted to Google.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(f) GDPR (legitimate interest in user-friendliness).
18. Event Platform
Through our event platform, you can register for events. Your email address and a participant code are processed in the course of this.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
19. Audio Data
Within team features, voice messages can be recorded. These are stored encrypted on our servers.
Legal basis: Art. 6(1)(a) GDPR (consent through active recording).
20. Data Transfers to Third Countries
Insofar as data is processed outside the EU, we ensure that an adequate level of data protection is guaranteed. The US-based service providers we use (Google, Stripe) are certified under the EU-U.S. Data Privacy Framework.
Further information: dataprivacyframework.gov
21. Storage Duration and Deletion
We only store your data for as long as it is necessary for the respective purpose or as required by statutory retention obligations:
| Data Type | Storage Duration |
|---|---|
| Account data | Until deletion of the account |
| IP addresses | Temporary; up to 180 days in backups |
| Support inquiries | 3 months after completion |
| Payment data | According to statutory obligations (up to 10 years) |
| Analytics data | Up to 14 months |
| Error reports | Up to 90 days |
| Temporary codes | Automatic deletion after 24 hours |
Account Deletion
You can delete your account at any time via the App settings. All your personal data will be deleted, unless statutory retention obligations exist.
22. Encryption
All communication between the App and our servers is conducted via SSL/TLS encryption. Transmitted data cannot be read by third parties.
23. Recipients and Data Processors
To fulfill our services, we use the following data processors:
| Recipient | Purpose | Location |
|---|---|---|
| Google LLC | Hosting, authentication, analytics, push, AI | USA (DPF-certified) |
| Stripe, Inc. | Payment processing | USA (DPF-certified) |
| Resend (Plus Five Five, Inc.) | Email delivery | USA |
| Gleap | In-app support | Austria/EU |
| Spotify AB | Music integration (optional) | Sweden/EU |
| Vercel Inc. | Marketing website hosting | USA |
Furthermore, data may be disclosed to courts, lawyers, tax advisors, or authorities to the extent required by law.
24. Contact
When you voluntarily contact us (by email or via the feedback function), the data you provide is stored to process your request. The data is deleted as soon as storage is no longer necessary.
Legal basis: Art. 6(1)(a) GDPR (consent); Art. 6(1)(f) GDPR (legitimate interest).
25. Changes to This Privacy Policy
Changes in the legal situation or our services may require an update to this Privacy Policy. We will inform you of material changes by email or in-app notification.
The current version is available at any time in the App under Settings.