Privacy Policy

Last updated: March 26, 2026

Code Works OOD ("we", "our", or "us"), a company registered in the Republic of Bulgaria, operates the RepXP mobile application ("the app"). This Privacy Policy explains what data we collect, why we collect it, how we use it, and what rights you have regarding your data.

By using RepXP, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the app.

1. Data Controller

The data controller responsible for your data is:

Code Works OOD
Sofia, Republic of Bulgaria
Email: support@repxp.app

2. Data We Collect

RepXP is designed with privacy at its core. We minimise data collection and do not operate our own servers for storing your personal data.

2.1 Data Stored Locally on Your Device

All of your workout data — including exercise history, sets, reps, weights, personal records, body measurements, and progress information — is stored locally on your device using Apple's secure data storage. We do not have access to this data.

2.2 Data Synced via iCloud

If you have iCloud enabled, your workout data syncs across your Apple devices through your personal iCloud account. This data is stored by Apple in your iCloud container. We do not have access to the contents of your iCloud data. iCloud sync is governed by Apple's iCloud Terms and Apple's Privacy Policy.

2.3 Apple HealthKit Data

If you grant permission, RepXP can read and write health-related data (such as workouts and body measurements) to Apple Health via the HealthKit framework. This data is stored on your device and in your iCloud Health data. We do not collect, transmit, or have access to your HealthKit data. HealthKit data is never used for advertising or shared with third parties. This data is governed by Apple's privacy policies.

2.4 Anonymous Analytics and Crash Data

We collect anonymous, non-personally-identifiable data through Google Firebase to help us understand how the app is used and to identify and fix bugs. This data includes:

  • Device type and model
  • Operating system version
  • App version
  • General usage patterns (e.g., which screens and features are used most frequently)
  • Crash logs, error reports, and performance traces
  • Anonymous session data (session duration, session start)

This data does not include your workout details, exercise names, weights, reps, body measurements, or any information that could personally identify you.

2.5 Data We Do Not Collect

We do not collect:

  • Your name, email address, or phone number (no account registration is required)
  • Your location data
  • Your contacts, photos, or other personal files
  • Your workout history, exercise data, weights, reps, or personal records
  • Any HealthKit data beyond what you explicitly permit

3. How We Use Your Data

The anonymous analytics and crash data we collect is used solely to:

  • Improve the app: Understand which features are used most and how the app can be improved.
  • Fix bugs: Identify crashes and errors so we can release fixes promptly.
  • Monitor performance: Ensure the app runs smoothly across different devices and OS versions.

We do not use any data for advertising, user profiling, or selling to third parties.

4. Lawful Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we rely on the following lawful bases for processing data:

  • Legitimate Interest (Article 6(1)(f)): We process anonymous analytics and crash data based on our legitimate interest in improving the app, fixing bugs, and understanding usage patterns. This processing is minimal, uses only anonymous data, and does not override your fundamental rights and freedoms.
  • Consent (Article 6(1)(a)): Where required by applicable law, we obtain your consent before processing. You can manage your device-level analytics and tracking preferences at any time through your device settings.
  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the app's core features, including local data storage and iCloud synchronisation functionality.

5. Data Retention

We retain data only as long as necessary for the purposes described in this policy:

Data Type Retention Period
Local workout data Stored on your device until you delete it or uninstall the app
iCloud synced data Stored in your iCloud account until you delete it; governed by Apple's policies
HealthKit data Stored on your device and in iCloud Health; governed by Apple's policies
Firebase Analytics data 14 months from collection, then automatically deleted by Google
Firebase Crashlytics data 90 days from collection, then automatically deleted by Google
Firebase Performance data 90 days from collection, then automatically deleted by Google

6. Third-Party Services

RepXP uses the following third-party services. Each service has its own privacy policy governing how it handles data:

  • Google Firebase (Analytics, Crashlytics, Performance, Remote Config): Used for anonymous usage analytics, crash reporting, performance monitoring, and feature configuration. Data is processed by Google. See Google's Privacy Policy and Firebase Privacy Information.
  • Apple iCloud (CloudKit): Used for syncing workout data across your devices. Data is stored in your personal iCloud account and processed by Apple. See Apple's iCloud Terms.
  • Apple HealthKit: Used for reading and writing health data with your permission. Data is processed locally and by Apple. See Apple's Privacy Policy.

We are not responsible for the privacy practices of these third-party services. Any data stored, processed, or lost by these third-party services is governed by your agreement with those providers, not by this Privacy Policy. We encourage you to review their respective privacy policies.

7. International Data Transfers

Anonymous analytics and crash data collected through Firebase may be transferred to and processed on Google's servers, which may be located outside the European Economic Area (EEA). Google maintains appropriate safeguards for such transfers, including the use of Standard Contractual Clauses (SCCs) approved by the European Commission. For more information, see Google's data transfer frameworks.

Your local workout data and iCloud data are handled by Apple in accordance with their own data transfer policies and safeguards.

8. Tracking Technologies

RepXP does not use cookies, web beacons, or browser-based tracking technologies within the app.

Firebase Analytics uses a unique, anonymous app instance identifier to associate events with a single app installation. This identifier:

  • Is not linked to your personal identity
  • Is not shared with other apps
  • Is reset if you uninstall and reinstall the app
  • Can be reset through your device settings

We respect Apple's App Tracking Transparency (ATT) framework. RepXP does not track you across other companies' apps or websites.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR:

  • Right of Access (Article 15): You have the right to request information about whether we process your personal data and to obtain a copy of that data.
  • Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data.
  • Right to Erasure (Article 17): You have the right to request deletion of your personal data, subject to applicable legal exceptions.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to Object (Article 21): You have the right to object to our processing of your personal data based on legitimate interests.
  • Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Since we do not collect personal data on our own servers, most of these rights are already satisfied by design. Your workout data is stored locally on your device and in your personal iCloud account — you have full control over it at all times. You can delete your data by using the app's data management features, clearing iCloud storage, or uninstalling the app.

Regarding analytics data: the data we collect through Firebase is anonymous and cannot be linked back to you as an individual. Because truly anonymous data does not constitute personal data under GDPR, the rights of access, rectification, erasure, and portability do not apply to it. To stop future anonymous analytics collection from your device, you can uninstall and reinstall the app (which resets the anonymous identifier) or adjust analytics permissions in your device settings.

If you have any questions or concerns about your data rights, contact us at support@repxp.app. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. The relevant authority in Bulgaria is the Commission for Personal Data Protection (CPDP) — www.cpdp.bg.

10. Your Rights Under CCPA

If you are a resident of California, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell.
  • Right to Delete: You have the right to request that we delete your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: You have the right to opt out of the sale of your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

We do not sell, share, or rent your personal information to third parties. The anonymous analytics data we collect through Firebase does not constitute a "sale" of personal information under the CCPA. Since we do not collect personal information that can be linked to you, most CCPA rights are already satisfied by design — there is no personal information for us to disclose, delete, or stop selling.

If you have questions about your CCPA rights, contact us at support@repxp.app.

11. Children's Privacy

RepXP is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use the app.

Since RepXP does not require account registration and does not collect personal information, we have no way to identify whether a user is a child. The only data we collect is anonymous analytics through Firebase, which cannot be linked to any individual, including children. If you are a parent or guardian and have concerns, please contact us at support@repxp.app. We can advise on how to remove locally stored data from the device and how to disable analytics collection.

12. Data Security

We take the security of your data seriously. The measures in place include:

  • Local Storage: Your workout data is stored on your device using Apple's secure data storage frameworks, protected by your device's built-in encryption and passcode.
  • iCloud: Data synced via iCloud is encrypted in transit and at rest by Apple.
  • Firebase: Data transmitted to Firebase is encrypted in transit using HTTPS/TLS. Google applies its own security measures to data at rest.
  • No Server: We do not operate our own backend servers, which significantly reduces the attack surface for your data.

While we implement appropriate safeguards, no system is completely secure. We cannot guarantee the absolute security of your data.

13. Data Breach Notification

We do not store personal data on our own servers. Your workout data is stored locally on your device and optionally in your personal iCloud account. The only data we process is anonymous analytics through Firebase, which cannot be linked to individual users.

Because we do not hold personal data and cannot identify individual users, a traditional data breach notification is not applicable to our infrastructure. In the unlikely event that we become aware of a security incident affecting our systems or the anonymous data we process, we will:

  • Notify the relevant supervisory authority (the Commission for Personal Data Protection in Bulgaria) within 72 hours, as required by GDPR Article 33, if the incident involves any data that may be considered personal data.
  • Publish a notice on our website and, where practicable, within the app to inform users of the incident and any recommended actions.
  • Document the incident, its effects, and the remedial actions taken.

A breach affecting your personal workout data would most likely originate from Apple's or Google's infrastructure, as those are the services that store and process your data. In such cases, those companies would be responsible for notification under their own legal obligations.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the app's functionality. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Where practicable, notify you through the app.

We encourage you to review this Privacy Policy periodically. Your continued use of the app after changes are posted constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the app.

15. Contact Us

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or have a privacy-related concern, please contact us at:

support@repxp.app

Code Works OOD
Sofia, Republic of Bulgaria

We will respond to all privacy-related inquiries within 30 days.