Privacy Policy
Last updated: December 1, 2025
At PumplAI ("we", "us", or "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered fitness coaching platform.
1. Information We Collect
1.1 Information You Provide
- Account Information: Name, email address, password, and profile details when you create an account
- Health & Fitness Data: Workout preferences, fitness goals, exercise history, and form analysis data
- Communication Data: Messages sent through our platform, feedback, and support requests
- Payment Information: Billing details processed securely through our payment providers
1.2 Newsletter Subscriptions
- Newsletter Data: Email address, optional first name, subscription source, and consent version
- Consent & Preferences: GDPR consent status, timestamp, and privacy policy version accepted
- Unsubscribe & Suppression: Unsubscribe status and reasons to honor opt-outs and suppression requests
1.3 Information Collected Automatically
- Usage Data: How you interact with our platform, features used, and time spent
- Device Information: Browser type, operating system, device identifiers
- Analytics Data: Page views, click patterns, and navigation paths (with your consent)
- Error Reports: Technical error information to improve our service
2. How We Use Your Information
- To provide and personalize our AI fitness coaching services
- To analyze your workout form and provide feedback
- To generate personalized workout recommendations
- To communicate with you about your account and our services
- To improve our platform and develop new features
- To ensure the security and integrity of our services
- To comply with legal obligations
3. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
- Contract: Processing necessary to provide our services to you
- Consent: For analytics cookies and marketing communications
- Legitimate Interests: To improve our services and ensure security
- Legal Obligation: To comply with applicable laws and regulations
4. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience. For detailed information about the cookies we use and how to manage your preferences, please see our Cookie Policy.
Cookie Categories:
- Essential Cookies: Required for the platform to function (authentication, security)
- Analytics Cookies: Help us understand how you use our platform (require consent)
- Functional Cookies: Remember your preferences (require consent)
- Marketing Cookies: Used for advertising purposes (require consent, not currently used)
5. Data Sharing and Disclosure
We do not sell your personal data. We may share your information with:
- Service Providers: Third-party vendors who help us operate our platform (hosting, analytics, payment processing)
- Trainers: If you use our trainer-client features, relevant fitness data is shared with your assigned trainer
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Newsletter Delivery: Email infrastructure providers (e.g., Resend) solely to send newsletter communications; unsubscribe and GDPR requests are honored across these systems
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide our services. After account deletion, we may retain certain data for legitimate business purposes or legal requirements for up to 3 years. Newsletter subscriber data is retained while you are subscribed; upon GDPR deletion, records are anonymized and removed from mailing audiences.
7. Your Rights (GDPR & CCPA)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your personal data ("right to be forgotten")
- Restriction: Request limited processing of your data
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent for analytics and marketing at any time
To exercise these rights, please contact us at privacy@pumpl.app.
8. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication with JWT tokens and HTTP-only cookies
- Regular security audits and penetration testing
- Access controls and employee training
9. Data Residency and Storage Locations
We are committed to storing your personal data within the European Economic Area (EEA) to ensure GDPR compliance and protect your privacy rights.
9.1 Primary Data Storage
Your personal data is stored in the following locations:
- Database: PostgreSQL database hosted in an EU/EEA region
- File Storage: Google Cloud Storage buckets located in EU/EEA regions
- Backups: Automated backups stored in the same EU/EEA region as the primary database
9.2 Third-Party Service Providers
We use the following third-party services that may process your data:
- Resend: Email delivery service (GDPR compliant, processes email addresses and content)
- Stripe: Payment processing (GDPR compliant, processes payment information)
- Vercel: Frontend hosting and CDN (serves static assets only, no user data stored)
All third-party service providers are required to maintain GDPR compliance and have appropriate data protection safeguards in place.
10. International Data Transfers
In the event that any data must be transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfer Impact Assessments (TIAs) to evaluate risks and mitigations
- Compliance with GDPR Articles 44-49 on international transfers
Current Status: We strive to store all user data within the EU/EEA. If any data processing occurs outside the EU/EEA, it will be clearly disclosed in this policy and appropriate safeguards will be documented.
11. AI Processing and Transparency
Our messaging platform includes AI assistant features that may process your conversation data. In compliance with the EU AI Act and GDPR, we provide the following information:
11.1 AI Features and Functionality
- Conversation Summaries: AI generates summaries to help you quickly understand conversation context
- Suggested Replies: AI suggests reply options based on conversation history and context
- Content Analysis: AI analyzes message content to provide insights and assistance
11.2 Consent and Opt-in
- Explicit Consent Required: AI features are opt-in per conversation and require explicit consent before activation
- Consent Dialog: When enabling AI, you will see a clear consent dialog explaining what data is processed and how
- Withdrawal: You can disable AI features at any time, which immediately stops all AI processing for that conversation
- Consent Tracking: We track when consent is given, including the timestamp and consent version, for audit purposes
11.3 Data Processing
When you enable AI for a conversation, the following data is processed:
- Message Content: All messages in the conversation are processed to generate summaries and suggestions
- Conversation Metadata: Participant information, timestamps, and conversation context
- Message History: Previous messages in the conversation for context understanding
Important: AI processes data only for conversations where you have explicitly enabled AI. No AI processing occurs for conversations where AI is disabled.
11.4 Transparency and Labeling
- Clear Labeling: All AI-generated content is clearly labeled with "AI-generated" or "AI-suggested" badges
- Notification: You will be notified when you first interact with our AI assistant in a conversation
- Documentation: Comprehensive documentation about our AI system is available in settings
11.5 AI Model Information
- Model: Llama 3.1 8B (8 billion parameters)
- Fine-tuning: Fine-tuned specifically for fitness coaching using LoRA (Low-Rank Adaptation) techniques
- Training Data: Model trained on fitness coaching datasets, not on your personal conversation data
- Processing Location: AI inference runs on our infrastructure within the EU/EEA
11.6 Your Rights Regarding AI Processing
- Right to Withdraw Consent: Disable AI at any time to stop processing
- Right to Access: Request information about what data was processed by AI (included in data export)
- Right to Erasure: Request deletion of AI-generated content linked to your account
- Right to Object: Object to AI processing if you believe it violates your rights
For more detailed technical information about our AI system, please see our AI Assistant Documentation.
12. Children's Privacy
Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@pumpl.app
- Address: PumplAI, [Company Address]
15. Data Protection Officer
For GDPR-related inquiries, you may contact our Data Protection Officer at dpo@pumpl.app.