Privacy Policy

At Rabtine we take the protection of your personal data very seriously. This policy applies to both the rabtine.com website and the Rabtine mobile application for iOS and Android (collectively, the "Service"), and explains who we are, what data we collect, why we process it, who we share it with, and what your rights are under the General Data Protection Regulation (GDPR), Spanish Organic Law 3/2018 on Personal Data Protection (LOPDGDD), and other applicable data protection laws.

Last updated: March 23, 2026

1. Data Controller

Identity: Bruno Martinez (hereinafter, "Rabtine").

Tax ID: 45575017B.

Address: Calle Santa Aurea, 28011 Madrid, Spain.

Contact email: support@rabtine.com.

2. Scope

This privacy policy applies to all personal data collected through: (a) the rabtine.com website, (b) the Rabtine mobile application for iOS and Android, and (c) the backend services that support routine generation, workout tracking, and subscription management.

Website analytics (cookies) are additionally governed by our Cookie Policy. In-app analytics (PostHog) are governed by this Privacy Policy.

3. Data We Collect

A) Account and authentication data: email address, password (stored as an irreversible hash), user identifier (automatically generated UUID), session tokens, authentication provider (email, Google OAuth, or Apple Sign-In), name (if using Google Sign-In or Sign in with Apple and you choose to share it), language preference. If you use Sign in with Apple, Apple may provide us with a private relay email address (Private Email Relay, formatted as xxx@privaterelay.appleid.com) instead of your real email, at your choice during registration. Rabtine treats this relay address equivalently to a conventional email address.

B) Fitness profile (health data — see section 5): date of birth, gender, height, weight, fitness goal (muscle gain, fat loss, strength, etc.), experience level (beginner, intermediate, advanced), workout days per week, preferred session duration, available equipment (barbells, dumbbells, cables, machines, kettlebells, bands, bodyweight), injuries or physical limitations (optional field), additional sports or activities (optional field), unit system (metric/imperial).

C) Workout data: AI-generated routines (name, days, exercises, sets, reps, coach notes), workout session logs (date, duration, status: completed/partial/skipped), set logs (weight, reps, completed), blacklisted and favorite exercises, performance progression.

D) Subscription data: subscription status (active, expired, cancelled), plan (monthly, annual), expiration date, whether you have used the free routine. Payment data (credit cards, bank details) is NOT collected or stored by Rabtine; it is managed directly by Apple App Store or Google Play Store.

E) Analytics data (with your consent — app): anonymous usage events (onboarding steps completed, workout start/end, screen views). These events are sent only if you grant explicit consent when prompted. Your email and identifying data are NOT sent to the analytics tool.

F) Web browsing data (with consent): Google Analytics cookies (_ga, _ga_*). See our Cookie Policy.

G) Web browsing data (cookieless): Vercel Web Analytics collects anonymous page events without setting cookies.

H) Technical data: device type (iOS/Android), app version, IP address (server logs), user agent.

I) Support data: messages sent through the support form, device information attached to the ticket.

4. Legal Basis for Processing

Contract performance (Art. 6(1)(b) GDPR): creating and managing your user account; generating personalized workout routines via AI; enabling workout tracking and logging; managing subscriptions and access to premium features; sending transactional emails (account verification, password reset, subscription notifications).

Explicit consent for health data (Art. 9(2)(a) GDPR): processing your fitness profile data classified as health data (weight, height, injuries, workout history) for personalized routine generation. You may withdraw this consent at any time by deleting your account, which will stop all processing of these data.

Consent for in-app analytics (Art. 6(1)(a) GDPR): enabling anonymous usage event tracking via PostHog. The analytics tool starts in opted-out mode and is only activated if you grant explicit consent. You may revoke it from your profile settings.

Consent for web analytics cookies (Art. 6(1)(a) GDPR and Art. 22.2 LSSI-CE): activating Google Analytics cookies to measure website usage. You can revoke this consent via the "Manage cookies" link in the footer.

Legitimate interest (Art. 6(1)(f) GDPR): performing aggregate cookieless analytics on the website (Vercel Web Analytics); ensuring service security and fraud prevention; improving the technical performance of the Service.

Legal obligation (Art. 6(1)(c) GDPR): verifying that you meet the minimum age of 16; retaining tax data as required by the Spanish Commercial Code (Art. 30); responding to requests from public authorities.

5. Special Category Data — Health Data (Art. 9 GDPR)

Rabtine collects and processes data that, taken together, constitute data concerning health under Article 9 of the GDPR and Recital 35: body weight, height, date of birth (derived age), gender, injuries and physical limitations, fitness goal, experience level, workout history (duration, exercises performed, weights, reps), and performance metrics.

These data are processed under the legal basis of explicit consent (Art. 9(2)(a) GDPR), which you grant when accepting the terms during registration in the application, where you are specifically informed about the processing of your health data.

These health data are used exclusively to: (1) generate personalized workout routines adapted to your profile, (2) record and display your training progress, and (3) adapt routines to your injuries or limitations. They are not used for advertising, commercial profiling, or sold to third parties.

Your fitness profile (including injuries, weight, height, workout history, and age) is sent to OpenAI (United States) for routine generation. OpenAI processes these data solely to generate your personalized routine, with the "store: false" configuration that prevents OpenAI from retaining your data after processing. See section 7 for more details about this processor.

You may withdraw your consent for health data processing at any time by deleting your account. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

6. Automated Decisions and Artificial Intelligence (Art. 22 GDPR)

Rabtine uses artificial intelligence (OpenAI GPT) to generate personalized workout routines. This process involves automated processing of your fitness profile data to produce a routine tailored to your characteristics.

Information about the logic: the system receives your fitness profile (goal, level, equipment, injuries, history) along with a catalog of 182 verified exercises, and generates a weekly routine with the exercises, sets, and reps best suited for you.

Significance and consequences: the generated routine determines which exercises are proposed to you. It has no legal effects or similarly significant effects, as it is a fitness recommendation that you are free to follow or ignore. It does not affect your access to the service or your contractual conditions.

Human intervention: you can block individual exercises, mark favorites, and request a new routine generation. The system adapts to your preferences.

7. Data Processors and Third Parties

We share your personal data with the following data processors, exclusively for the purposes indicated:

Supabase Inc. (European Union — Ireland): database hosting, user authentication, backend functions (Edge Functions). Stores all account data, fitness profile, routines, workouts, and subscriptions. Server in the EU-West-1 region (Ireland). DPA available.

OpenAI Inc. (United States): workout routine generation using artificial intelligence. Receives your fitness profile (goal, level, weight, height, injuries, sports, age, workout history) to generate personalized routines. Configured with "store: false" so that OpenAI does not retain your data after processing. DPA available.

RevenueCat Inc. (United States): subscription and in-app purchase management. Receives your user identifier and subscription data (plan, status, dates). Does not receive health data. DPA available.

PostHog Inc. (European Union — Frankfurt): in-app product analytics (only if you grant consent). Receives anonymous usage events and your user identifier. Does not receive your email or health data. Starts in opt-out mode. DPA available.

Resend Inc. (United States): transactional email delivery (account verification, welcome emails, subscription notifications). Receives your email address and language preference. DPA available.

Google LLC (United States): Google Analytics 4 for website analytics (with consent) and Google OAuth for social sign-in. Certified under the EU-U.S. Data Privacy Framework (DPF). DPA available.

Apple Inc. (United States): Sign in with Apple as an authentication provider on iOS. When you use this option, Apple provides us with a unique user identifier, your name (if you choose to share it), and your email address or a Private Email Relay address, at your choice. Apple does not share any other Apple ID account data with Rabtine. Apple does not track your activity within Rabtine. More information is available in Apple's privacy policy: https://www.apple.com/legal/privacy/.

Vercel Inc. (United States): website hosting and cookieless analytics (Vercel Web Analytics). Certified under the EU-U.S. Data Privacy Framework (DPF). DPA available.

Apple Inc. / Google LLC: subscription payment processing through the App Store and Google Play Store, respectively. Payment data is managed directly by these platforms under their own privacy policies.

We do not sell, rent, or disclose your personal data to third parties for advertising or marketing purposes.

8. International Data Transfers

Your primary database is hosted on Supabase servers located in the European Union (Ireland), which does not involve an international transfer.

The following data processors are located in the United States and transfers are carried out with the following safeguards:

OpenAI Inc.: Standard Contractual Clauses (SCCs) approved by the European Commission + signed DPA. "store: false" configuration to prevent data retention.

RevenueCat Inc.: EU-U.S. Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs).

Resend Inc.: Standard Contractual Clauses (SCCs) + DPA.

Google LLC: EU-U.S. Data Privacy Framework (DPF), recognized by the European Commission as providing an adequate level of protection (Adequacy Decision of July 10, 2023). Contracts also include Standard Contractual Clauses.

Vercel Inc.: EU-U.S. Data Privacy Framework (DPF) + Standard Contractual Clauses (SCCs).

PostHog Inc. stores data in the EU (Frankfurt), so no international transfer occurs for app analytics.

9. Data Retention Periods

Account and fitness profile data: for as long as your account is active. After account deletion, your data is erased within a maximum of 30 days, except for the legal obligations indicated below.

Workout data (routines, logs): for as long as your account is active. Deleted along with the account.

Subscription data: for as long as your account is active, plus 6 additional years after cancellation to comply with tax and commercial obligations (Art. 30, Spanish Commercial Code).

Web analytics data (Google Analytics): retention period configured at 14 months.

In-app analytics data (PostHog): 25 months in accordance with AEPD guidelines.

Consent records: 5 years from the date of consent, as proof of consent collection.

Support data: 3 years after ticket resolution (Spanish Consumer Protection Act).

After retention periods expire, data is deleted or irreversibly anonymized. Under the LOPDGDD (Art. 32), data subject to legal obligations is kept in a blocked state (accessible only upon judicial or administrative request) for the legally required period.

10. Your Rights

Under the GDPR and the LOPDGDD, you have the following rights over your personal data:

Access (Art. 15): obtain confirmation of whether we process your data and, if so, access it.

Rectification (Art. 16): correct inaccurate or incomplete data. You can do this directly from the "Profile" section of the application.

Erasure (Art. 17): request the deletion of your data. You can delete your account from within the application.

Restriction (Art. 18): request that processing be restricted in certain circumstances.

Portability (Art. 20): receive your data in a structured, commonly used, machine-readable format (JSON).

Objection (Art. 21): object to processing based on legitimate interest.

Withdrawal of consent: you may withdraw any consent given at any time, without affecting the lawfulness of prior processing. To withdraw consent for health data, delete your account. To withdraw consent for analytics, use the app settings or contact us.

To exercise your rights, send an email to support@rabtine.com specifying the right you wish to exercise. We will respond within one month, extendable to three months in cases of particular complexity.

11. Minimum Age

Rabtine is intended for users aged 16 and over. We do not knowingly collect data from anyone under 16.

The application implements an age check during registration that prevents account creation for anyone under 16. If we discover that a person under 16 has provided personal data, we will delete it without delay.

This global minimum age of 16 ensures compliance with: the GDPR (Art. 8, maximum allowed by Member States), the LOPDGDD and Spanish child protection legislation, COPPA (U.S.) for children under 13, and LATAM child protection laws.

12. Push Notifications

If you grant notification permission on your device, Rabtine may send you service-related push notifications: workout reminders, streak alerts, and motivation.

Notifications are scheduled locally on your device. Push notification tokens are sent to Apple (APNs) or Google (FCM) services depending on your platform.

We do not send advertising or marketing notifications. You can disable notifications at any time from your device settings.

13. Security

We implement technical and organizational measures to protect your data: encryption in transit (TLS/HTTPS) for all communications; password storage using irreversible cryptographic hashing; Row-Level Security (RLS) on the database, ensuring each user can only access their own data; JWT token authentication with expiration; primary servers in the European Union (Ireland); sensitive API keys stored as server-side secrets (never in the application code).

However, no electronic transmission or storage system is 100% secure. If we detect a security breach affecting your data, we will notify you in accordance with the GDPR (Art. 33-34) and applicable law.

14. Cookies and Similar Technologies

The rabtine.com website uses cookies. For detailed information, please see our Cookie Policy.

The mobile application does not use cookies. In-app analytics are performed via PostHog SDK with prior user consent (see section 4).

15. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you additional rights:

Right to know: what categories of personal information we have collected, for what purposes, and to whom we have disclosed it.

Right to delete: request deletion of your personal information.

Right to non-discrimination: we will not treat you differently for exercising your privacy rights.

Rabtine does NOT sell or share personal information for advertising purposes. We do not engage in "sale" or "sharing" of data as defined by the CCPA/CPRA.

Fitness profile data (weight, height, injuries, workout history) constitutes "sensitive personal information" under the CPRA. We use it solely to provide the Service (generate routines), and you can limit its use by deleting your account.

To exercise your rights, contact support@rabtine.com.

16. Additional Rights for Brazilian Residents (LGPD)

If you are a Brazilian resident, the General Data Protection Law (LGPD, Lei 13.709/2018) grants you rights similar to the GDPR, including confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing, and withdrawal of consent.

Health data is classified as "dados pessoais sensíveis" (Art. 11 LGPD) and is processed with your specific and prominent consent, granted during registration.

Encarregado de Proteção de Dados (DPO equivalent): Bruno Martinez — support@rabtine.com.

Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd.

17. Additional Rights for Mexican Residents (LFPDPPP)

If you are a Mexican resident, the Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP) grants you ARCO rights (Access, Rectification, Cancellation, Opposition). To exercise them, send your request to support@rabtine.com. We will respond within a maximum of 20 business days.

Health data (weight, height, injuries) is classified as "datos sensibles" under Art. 3.VI LFPDPPP, and is processed with your express written consent granted during registration.

This privacy notice complies with the provisions of Art. 15 LFPDPPP.

18. Disclosure Under the FTC Health Breach Notification Rule (U.S.)

Under the Health Breach Notification Rule of the U.S. Federal Trade Commission (FTC), we inform you that data relating to your health (weight, height, injuries, workout history) is sent to OpenAI Inc. (United States) for the purpose of generating personalized workout routines.

OpenAI processes this data solely to generate your routine, with the "store: false" configuration that prevents data retention after processing. OpenAI does not use your data to train its AI models.

In the event of a security breach affecting your health data, we will notify you within the timelines established by applicable law (72 hours under the GDPR; 60 days under the FTC HBNR).

19. Right to Lodge a Complaint

If you believe that our processing of your data does not comply with data protection regulations, you may lodge a complaint with the Spanish Data Protection Agency (AEPD).

Address: C/ Jorge Juan 6, 28001 Madrid, Spain. Website: www.aepd.es. Phone: +34 901 100 099.

If you reside in another EU Member State, you may contact your local data protection authority.

20. Changes

We reserve the right to update this policy to adapt to legislative changes or changes in our services. Any substantial modifications will be communicated to users through the application or website.

The date of the last update is indicated at the beginning of this document. We recommend reviewing this policy periodically.