Privacy Policy
App “10 Reps”
Last updated: June 2026
Data Controller
The data controller within the meaning of the General Data Protection Regulation (GDPR) is:
Samuel Mamulaschwili
Nordstr. 37
74076 Heilbronn, Germany
Email: hello@10reps.app
General Information on Data Processing
We process personal data of our users exclusively in accordance with applicable law, in particular the General Data Protection Regulation (GDPR). Personal data means any information relating to an identified or identifiable natural person.
Data Processing When Using the App
a) Use without registration (local storage)
If the app is used without registration, training data (e.g. workouts, repetitions, weights, progress) is stored exclusively on the user’s device. No personal data is transmitted to our servers in this case.
b) Use with a user account
When using the app with a registered account, we process the following data:
- Email address
- First name (provided during onboarding)
- User ID
- Training data (e.g. completed workouts, progress, training history)
This data is processed to provide the app’s features and to synchronise data across devices. The legal basis is Art. 6(1)(b) GDPR (performance of contract).
Use of Supabase
When a user account is created, data is processed via the service Supabase (provider: Supabase Inc.). Processing is carried out under a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR. Data may be transferred to third countries; any such transfer is made exclusively on the basis of appropriate safeguards pursuant to Art. 46 GDPR (e.g. Standard Contractual Clauses issued by the European Commission).
Use of Anthropic (AI Coach)
The app includes an AI-powered coaching assistant (“AI Coach”) that generates personalised guidance and recommendations based on the user’s training data. To do so, we transmit relevant training data to the API of the provider Anthropic.
Provider: Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA
Purpose: Generation of personalised coaching content based on training history, progress data, and plan context.
The following data may be transmitted to the API:
- Training history (completed exercises, weights, repetitions)
- Training progress and progression data
- Training plan context (e.g. training phase, current week)
No directly identifying data such as name or email address is transmitted to Anthropic. Processing is carried out exclusively for the purpose of the coaching feature.
Legal basis: Art. 6(1)(b) GDPR (performance of contract), as the AI Coach is part of the contracted service.
Transfer to third countries: Use of the Anthropic API involves a transfer of data to the United States. This is carried out on the basis of appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses). Anthropic does not use API inputs to train models by default. Further information: https://www.anthropic.com/legal/privacy
Use of Sentry (Error Tracking)
To detect and fix technical errors and improve app stability, we use the service Sentry.
Provider: Functional Software, Inc., 132 Hawthorne Street, San Francisco, CA 94107, USA
Purpose: Automatic capture of app crashes, error logs, and performance metrics to allow reproduction and resolution of errors.
The following data may be processed:
- Error messages and stack traces (technical error descriptions)
- App version, operating system version, device type
- Anonymised IP address
- Pseudonymised user ID (no direct identification of individuals)
- Timestamp of the error
Legal basis: Art. 6(1)(f) GDPR (legitimate interests). Our legitimate interest lies in the technical stability and quality assurance of the app.
Retention period at Sentry: error events are retained for 90 days by default.
Transfer to third countries: Processing by Sentry may involve a transfer of data to the United States on the basis of appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses). Further information: https://sentry.io/privacy/
Use of PostHog (Product Analytics)
To improve app features and the user experience, we use the product analytics tool PostHog. We use exclusively the PostHog EU Cloud instance, which operates on servers within the European Union (AWS eu-central-1, Frankfurt, Germany).
Provider: PostHog Inc., 965 Mission Street, San Francisco, CA 94103, USA (data processed exclusively on EU servers)
Purpose: Analysis of app usage, measurement of feature adoption, and improvement of product quality based on aggregated and pseudonymised usage data.
The following data may be processed:
- Pseudonymised user identifier (no real names or email addresses)
- Interaction events within the app (e.g. screens visited, features used)
- Device information (device type, OS version, app version)
- Session duration and usage frequency
All data is collected in pseudonymised form. Direct identification of individual persons is not intended. No training content or health data is transmitted to PostHog.
Legal basis: Art. 6(1)(f) GDPR (legitimate interests). Our legitimate interest lies in improving and developing the app based on usage patterns. Users may object to the processing of their data for analytics purposes at any time by contacting us at hello@10reps.app.
As PostHog in its EU Cloud configuration operates exclusively on European servers, no personal data is transferred to third countries. Further information: https://posthog.com/privacy
Use of RevenueCat (In-App Purchases)
We use the service RevenueCat to manage in-app purchases and subscriptions.
Provider: RevenueCat, Inc., 633 Tasman Street, San Jose, CA 95126, USA
Purpose: Processing and management of in-app purchases, subscriptions, and entitlements (access rights to premium features).
The following data may be processed:
- Transaction identifiers from the Apple App Store (anonymised; no payment data)
- Subscription status and entitlement information
- Pseudonymised user ID
- Timestamps of purchases and renewals
RevenueCat does not receive payment data such as credit card numbers or full Apple purchase receipts. This information remains exclusively with Apple. No real names or email addresses are transmitted to RevenueCat.
Legal basis: Art. 6(1)(b) GDPR (performance of contract).
Transfer to third countries: Processing by RevenueCat involves a transfer of data to the United States on the basis of appropriate safeguards pursuant to Art. 46 GDPR (Standard Contractual Clauses). Further information: https://www.revenuecat.com/privacy
Processing of Training and Health Data
The app processes training data (e.g. weights, repetitions, training progress). This data may allow inferences about an individual’s physical condition and is used exclusively to provide the training features. The legal basis is Art. 6(1)(b) GDPR. Where health data within the meaning of Art. 9 GDPR is involved, processing takes place exclusively on the basis of the user’s explicit consent pursuant to Art. 9(2)(a) GDPR.
Apple Health / HealthKit
Where the user expressly consents to integration with Apple Health (HealthKit), the following data accesses are made:
Write access: Workout sessions are written to Apple Health so they appear in the user’s Health app.
Read access: The app reads active energy data (active calories burned) from Apple Health to incorporate this into training evaluations.
Processing is carried out exclusively on the basis of the user’s consent pursuant to Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR.
- Only data to which the user has actively consented is transferred or read.
- We do not access HealthKit data unless the user has explicitly permitted this.
- This data is not used for advertising or marketing purposes.
- HealthKit data is not shared with third parties.
Push Notifications
The app may send push notifications (e.g. workout reminders or usage prompts). Push notifications are only sent if the user has explicitly opted in. A push token (device identifier) may be processed to deliver messages to the respective device.
Legal basis: Art. 6(1)(a) GDPR (consent). The user may withdraw consent at any time by disabling push notifications in the device settings or within the app.
Legal Bases for Processing
We process personal data on the following legal bases:
- Art. 6(1)(b) GDPR (performance of contract)
- Art. 6(1)(a) GDPR (consent)
- Art. 6(1)(f) GDPR (legitimate interests, in particular operation, security, and improvement of the app)
- Art. 9(2)(a) GDPR (explicit consent for health data)
Retention Periods
We retain personal data only for as long as necessary for the respective purposes. Upon deletion of a user account, personal data will be deleted unless statutory retention obligations apply.
The following retention periods apply to third-party services:
- Sentry: error events are retained for 90 days by default.
- PostHog: analytics data is retained in accordance with project configuration settings. We configure the shortest feasible retention period.
- RevenueCat: transaction data is retained for the duration of the subscription and thereafter to the extent required for tax or legal purposes.
- Anthropic: API inputs are processed in accordance with Anthropic’s privacy policy. Anthropic does not retain API requests permanently for model training purposes by default.
Rights of Data Subjects
Users have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
To exercise these rights, please contact us at hello@10reps.app.
Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, every user has the right to lodge a complaint with a data protection supervisory authority if they consider that the processing of their personal data infringes the GDPR (Art. 77 GDPR).
The competent supervisory authority is:
The State Commissioner for Data Protection and Freedom of Information Baden-Württemberg (LfDI BW)
Königstraße 10a
70173 Stuttgart, Germany
Website: https://www.baden-wuerttemberg.datenschutz.de
Email: poststelle@lfdi.bwl.de
Withdrawal of Consent
Any consent granted may be withdrawn at any time with effect for the future. This applies in particular to consent for Apple Health / HealthKit integration and for receiving push notifications. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
Data Security
We implement appropriate technical and organisational measures to protect users’ data against loss, misuse, or unauthorised access. All communication between the app and our servers is encrypted via HTTPS.
Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to reflect changes in applicable law or changes to the app. Users will be informed of material changes.
Last updated: June 2026 · 10 Reps · iOS App