Privacy Policy

Last updated: 16th April 2026



BDYCTRL | Privacy Policy
Effective Date: 1 April 2026
Last Updated: 1 May 2026
Version: 1.0.0
Applies to: www.bdyctrl.com · BDYCTRL mobile app (iOS)

─────────────────────────────────────────────────────────

  1. Who We Are

This Privacy Policy applies to BDYCTRL Group AB, a company registered in Sweden with organisation number 559577-8506 at Bolagsverket ("BDYCTRL", "we", "us", "our"). We operate the BDYCTRL website at bdyctrl.com and the BDYCTRL mobile application (the "App"), collectively referred to as the "Services".

As the entity that determines the purposes and means of processing your personal data, BDYCTRL Group AB acts as the data controller under the EU General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218).

Contact

Data Controller: BDYCTRL Group AB
Organisation Number: 559577-8506
General enquiries: privacy@bdyctrl.com
Data protection matters: dpo@bdyctrl.com
Postal address: BDYCTRL Group AB, Box 691, 414 52 Gothenburg, Sweden


  2. Scope of This Policy

This Privacy Policy applies to all personal data collected when you:

— Visit or use our website (bdyctrl.com)
— Download, install, or use the BDYCTRL App on any device
— Create an account or use any feature of our Services
— Contact us through any channel (email, support forms, social media)
— Participate in any survey, beta programme, or promotional activity

This Policy does not apply to third-party websites, applications, or services that may be linked from our Services. We encourage you to review the privacy policies of those third parties independently.


  3. Personal Data We Collect

We collect personal data in four ways: data you actively provide, data generated automatically through your use of the Services, data we receive from third parties, and data we derive by processing your inputs.

3.1 Data You Provide

Account & Identity Data

— Full name
— Email address
— Password (stored in encrypted/hashed form — we never store plain-text passwords)
— Profile photo (optional)
— Date of birth or age range
— Gender (optional)

Health & Fitness Data

Note: Fitness and body metrics may constitute 'special category data' under GDPR Article 9 depending on how they are used. We treat all health and fitness data with the highest level of protection and only process it with your explicit consent.

— Body weight, height, and BMI
— Body measurements (e.g. waist, chest, arms, legs)
— Workout logs: exercises, sets, reps, weights, duration
— Training programmes selected or created by you
— Progress photos (if uploaded)
— Muscle recovery status and fatigue indicators
— Subjective wellbeing or energy levels (if entered)

AI-Generated Plan Data

— Fitness goals, experience level, and preferences you provide during onboarding
— Inputs used to generate personalised AI workout plans (via GPT-4o integration)
— AI-generated plan outputs stored to your profile

Nutrition Data (Future Feature)

— Food logs, macro/calorie tracking data
— Dietary preferences or restrictions

Payment Data

— Billing name and address
— Payment method information — payments are processed directly by Apple App Store (iOS). We do not collect or store your card details at any point
— Subscription status, entitlement level, and purchase history — managed via RevenueCat, Inc. (USA), our subscription management platform
— Apple App Store purchase receipts — validated through RevenueCat on our behalf
— Refund requests and subscription changes

Third parties involved in payment processing:

— Apple App Store — collects and processes all payment card data directly. Subject to Apple's own privacy policy
— RevenueCat, Inc. (USA) — receives purchase receipts and subscription event data from the App Store to manage your entitlements within the App. RevenueCat does not process card data. Review: revenuecat.com/privacy

Communications Data

— Messages sent to our support team
— Survey responses and feedback
— Any other content you voluntarily submit to us

3.2 Data Collected Automatically

Usage & Technical Data

— Device type, operating system, and app version
— Unique device identifiers
— IP address and approximate location (country/region level)
— Screen views, feature interactions, and navigation patterns
— Session duration and frequency of use
— Crash reports and error logs

Analytics Data

We use analytics tools to understand how users interact with the Services. See Section 6 (Third Parties) for a full list of analytics providers.

Location Data

Note: Location data is processed only with your explicit permission granted at the device level. You can revoke this permission at any time in your device settings without affecting your ability to use other features of the App.

When you use GPS-enabled features of the App (such as route tracking, outdoor workout mapping, or distance measurement), we collect precise geolocation data from your device. This includes:

— GPS coordinates of your workout route
— Start and end points of your sessions
— Workout distance, pace, and elevation data derived from location signals
— Timestamps associated with location data points

How we use location data:

— To map and visualise your outdoor workouts
— To calculate distance, pace, speed, and elevation for your sessions
— To generate personalised route suggestions (future feature)
— To provide GPS-based performance metrics and training zones

Location data is not collected when you are not actively recording a workout. We do not track your location in the background when the App is not in active use. We do not share your precise GPS route data with third parties except as described in Section 6.

We collect location at the country/region level for all users (via IP address) for service localisation purposes. Precise GPS tracking is optional and only activates when you initiate a GPS workout session.

3.3 Data From Third Parties

— Apple Sign-In / Google Sign-In — name, email address, and profile image if you choose to authenticate via these providers
— App Store providers — purchase validation data from Apple App Store
— Analytics partners — aggregated and anonymised usage signals

3.4 Derived & Generated Data

In addition to data you provide and data we collect automatically, we generate new data about you by processing and analysing your inputs. This derived data is personal data and is treated with the same protections as the data it is derived from.

BDYCharge Points & Gamification Metrics

BDYCTRL's BDYCharge system awards points based on your workout activity. Specifically, 50% of your recorded workout minutes are converted into BDYCharge points. In processing this, we generate and store:

— Your total accumulated BDYCharge points
— Points earned per session and over time
— Your ranking relative to other users on leaderboards (once community features are active)
— Workout consistency metrics used to calculate point eligibility

BDYCharge data is used solely to power the gamification and motivation features of the App. We do not use this data to make decisions that have legal or similarly significant effects on you.

Leaderboard rankings and activity feed appearances are a core part of the BDYCTRL experience and are visible to other users by default. Users who prefer not to display their identity may activate anonymised mode via their privacy settings — their activity will still appear in feeds and leaderboards but will be attributed to "User" rather than their username, and their profile photo will be hidden.

AI-Generated Insights & Performance Metrics

When you use Bolt (our AI coach feature) or receive AI-generated workout plans, we process your fitness data to produce personalised outputs. These outputs are themselves a form of derived data and include:

— AI-generated workout plans tailored to your stated goals, experience level, and training history
— Performance trend analysis (e.g. progression over time, training load indicators)
— Readiness or recovery suggestions based on logged workout data
— Personalised difficulty adjustments and exercise recommendations

This processing involves automated analysis of your personal data, including health and fitness data (special category data under GDPR Article 9). It is carried out on the basis of your explicit consent and our contract with you. The AI does not make decisions with legal or similarly significant effects — all outputs are recommendations. You may request human review of any AI-generated output by contacting us at privacy@bdyctrl.com.

AI-derived insights are stored to your profile and used to improve the personalisation of future recommendations. They are not shared with third parties except as required to operate the AI service (see Section 6 — OpenAI).

3.5 Content You Share

Note: This section applies to current beta features and will expand when full community features launch. We will notify you and update this Policy before community features become publicly available.

When you use sharing or community features of the App, you may generate content that we collect and store. This includes:

— Progress updates or posts you share within the App
— Comments or reactions you submit on other users' content
— Progress photos or images you choose to upload and share
— Workout summaries or achievements you share to your profile or feed
— Messages sent to other users via any in-app messaging feature (future feature)

Sharing a workout to the community feed is always an active choice — nothing is posted automatically. Each time you complete a workout, you decide whether to share it. If you choose not to share, your workout remains private to your account only.

If you choose to share, your post will be visible to other BDYCTRL users within the feed. The only privacy control available at the point of sharing is anonymised mode — your post will appear attributed to "User" rather than your username, and your profile photo will be hidden. No other visibility restrictions apply to shared posts, as the feed is a shared community space.

We collect metadata associated with your shared content, including timestamps and interaction counts (e.g. how many users acknowledged or reacted to a post). This metadata is used to operate the community features and to surface relevant content to other users.

If you delete a post after sharing it, it will be removed from view promptly. However, where other users have already interacted with your content, traces of that interaction may remain associated with their accounts.

3.6 Social & Community Data

Note: Community features are not yet live. This section is published in advance of their launch so that you have full transparency about how your data will be used when these features become available. You will be notified before these features activate and given the opportunity to set your preferences.

When community features are live, BDYCTRL will collect and process data about your social interactions and connections within the App. This includes:

Connection & Follow Data

— Users you choose to follow within the BDYCTRL ecosystem
— Users who follow you
— Follow requests sent and received (if a private follow model is implemented)

Interaction Data

— Acknowledgements, reactions, or kudos you give and receive on workout posts
— Comments you post and receive
— Challenges you participate in and your standing within them
— Leaderboard positions (global, within your follower group, or within specific challenges)

Community & Group Membership

— Any BDYCTRL groups, clubs, or challenges you join
— Your activity and contributions within those groups

How we use social and community data:

— To display your profile, workout feed, and achievements to users you are connected with
— To operate the BDYCharge leaderboard and challenge features
— To send you in-app notifications about social interactions (e.g. when someone follows you or acknowledges a workout)
— To personalise your feed and surface content from users you follow
— To support community moderation and enforce our Community Standards (once published)

Your social graph data (who you follow, who follows you) is visible to other users within the limits of your privacy settings. We do not sell or license your social graph data to third parties. Aggregated, anonymised community data (e.g. how many users completed a challenge) may be used for product analytics and improvement.

You will be able to control your identity within the community via your account privacy settings, including the option to activate anonymised mode, which replaces your username and profile photo with a generic identity across feeds and leaderboards.


  4. How and Why We Use Your Data

We only process your personal data where we have a valid legal basis under GDPR.

Create and manage your account
Data used: Account & identity data
Legal basis: Art. 6(1)(b) — Contract

Provide fitness tracking and analytics
Data used: Fitness, workout, body metric data
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

Generate AI-powered workout plans
Data used: Goals, preferences, fitness data
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

GPS route tracking and mapping
Data used: Precise location data (opt-in)
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(a) — Consent (device-level)

Generate BDYCharge points and leaderboard rankings
Data used: Workout duration, session logs, derived points data
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(f) — Legitimate interest

Generate AI-derived performance insights (Bolt)
Data used: Fitness & health data, training history
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

Operate community features and social feed
Data used: Social graph, content, interaction data
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(a) — Consent (where required)

Process payments and manage subscriptions
Data used: Payment and billing data
Legal basis: Art. 6(1)(b) — Contract

Send transactional notifications
Data used: Email, push notification token
Legal basis: Art. 6(1)(b) — Contract

Send marketing communications (opt-in only)
Data used: Email, preferences
Legal basis: Art. 6(1)(a) — Consent

Improve and develop our Services
Data used: Anonymised usage and analytics data
Legal basis: Art. 6(1)(f) — Legitimate interest

Ensure security and prevent fraud
Data used: Technical, account, usage data
Legal basis: Art. 6(1)(f) — Legitimate interest

Comply with legal obligations
Data used: Relevant data as required
Legal basis: Art. 6(1)(c) — Legal obligation

Respond to support requests
Data used: Communications and account data
Legal basis: Art. 6(1)(b) — Contract


  5. Special Category Data & Consent

Certain fitness and health data you provide — such as body measurements, workout performance, and metrics relating to physical condition — may qualify as special category data under GDPR Article 9.

We process this data only with your explicit, informed consent. During onboarding, you will be presented with a clear consent request specifically covering health and fitness data. You may withdraw this consent at any time through your account settings. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.

Withdrawal of consent to health data processing will limit our ability to provide core features of the Services, including workout tracking, analytics, and AI plan generation.


  6. Third-Party Services & Data Sharing

We do not sell your personal data. We share data only with trusted service providers who process it on our behalf under strict data processing agreements, and where required by law.

6.1 Service Providers (Data Processors)

Infrastructure & Backend

— Xano Inc. (USA) — backend database and API hosting. All data is stored in the EU (Frankfurt, Germany — AWS eu-central-1 region). DPA in place.

AI Processing

— OpenAI, L.L.C. (USA) — GPT-4o model used to generate AI workout plans. Inputs include your fitness goals and preferences. OpenAI processes this under their API terms. Data is not used to train OpenAI's models under our enterprise agreement. Review: openai.com/policies/privacy-policy

Payments

— RevenueCat, Inc. (USA) — subscription and entitlement management. Receives anonymised purchase receipt data from Apple App Store to determine your SPARK membership status and feature access. No card data is processed by RevenueCat or BDYCTRL. Review: revenuecat.com/privacy
— Apple App Store — all payment transactions are processed entirely within Apple's payment infrastructure. BDYCTRL receives only confirmation of purchase status.

Analytics

— [Analytics Provider — to be confirmed] — usage analytics and crash reporting. We use anonymised and aggregated data where possible. This section will be updated before launch.

Email & Communications

— Postmark (Wildbit LLC, USA) — transactional email delivery: account verification, password resets, purchase receipts, and security notifications. Review: postmarkapp.com/privacy-policy
— Loops, Inc. (USA) — marketing and engagement email delivery: product updates, feature announcements, re-engagement campaigns, and community communications. Only sent to users who have opted in to marketing communications. Review: loops.so/privacy

6.2 Disclosure Required by Law

We may disclose your personal data to law enforcement, regulatory authorities, or courts where we are legally required to do so. We will notify you of any such disclosure where legally permitted.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.


  7. International Data Transfers

BDYCTRL Group AB is based in Sweden and primarily processes data within the European Economic Area (EEA). However, some of our service providers are located outside the EEA, including in the United States.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

— Standard Contractual Clauses (SCCs) approved by the European Commission
— Transfers to countries with an EU adequacy decision
— Binding corporate rules where applicable

Specifically, transfers to the USA (OpenAI, RevenueCat, Xano, Postmark, and Loops) are covered by Standard Contractual Clauses. You may request a copy of the applicable safeguards by contacting dpo@bdyctrl.com.


  8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law.

Account & identity data
Until account deletion + 30 days grace period

Fitness & health data
Until account deletion, or until consent is withdrawn

GPS & location data
Until account deletion; individual route files deletable at any time

Derived data (BDYCharge points, AI insights, generated plans)
Until account deletion

Community content (posts, comments)
Until you delete the content or your account

Social graph data (follows, interactions)
Until account deletion or connection is removed

Payment & billing records
7 years (Swedish Bookkeeping Act / Bokföringslagen)

Support communications
3 years from last contact

Analytics data — pseudonymous/user-level
Up to 24 months

Analytics data — anonymised aggregates
Indefinitely

Legal hold data
As required by applicable law

When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. financial records).


  9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights. We will respond to all requests within 30 days.

Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you, including information on how it is processed and who it is shared with.

Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data. You can update most data directly in the App settings.

Right to Erasure / 'Right to be Forgotten' (Art. 17)
You have the right to request deletion of your personal data. You can delete your account directly in the App, or by contacting us. Note that we may retain certain data as required by law (see Section 8).

Right to Restriction of Processing (Art. 18)
You have the right to request that we limit how we process your data in certain circumstances, such as if you contest its accuracy or object to processing.

Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. Contact us to request a data export.

Right to Object (Art. 21)
You have the right to object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Art. 7)
Where processing is based on your consent (including for health data), you may withdraw it at any time via account settings. Withdrawal does not affect the lawfulness of prior processing.

Right Not to be Subject to Automated Decision-Making (Art. 22)
Our AI workout plan generation involves automated processing but does not produce legal or similarly significant effects. You may request human review of any AI-generated output.

To exercise any of these rights, contact us at dpo@bdyctrl.com. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or the supervisory authority in your country of residence.


  10. Cookies & Tracking Technologies

Our website (bdyctrl.com) is designed to be privacy-friendly by default. At launch, we do not use cookies or tracking technologies that require your consent. The App does not use cookies but may use equivalent device-level identifiers such as device IDs and analytics SDKs for crash reporting and usage analytics, as described in Section 3.2.

10.1 Website Analytics

We use Framer's built-in analytics to understand basic traffic patterns on bdyctrl.com. This operates without cookies and without collecting personally identifiable information — no consent banner is required. Data collected is aggregated and cannot be attributed to individual visitors.

10.2 Waitlist & Email Sign-Up

Our waitlist sign-up form is powered by Loops, Inc. When you submit your email address, you are taking a clear and active step to join our waitlist. This is not passive tracking — it is a voluntary submission and is handled under the consent you provide at the point of sign-up. No cookies are set by this interaction.

10.3 Strictly Necessary

Our website may set strictly necessary cookies to ensure basic functionality such as security and session management. These do not require consent and cannot be disabled.

10.4 Future Tracking Technologies

If we introduce analytics tools, advertising pixels, retargeting, or any other technology that sets cookies or collects data requiring consent, we will update this section before doing so, implement a compliant consent management solution, and — where required by law — obtain your explicit opt-in consent before any such tracking begins.


  11. Children's Privacy

The BDYCTRL Services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16.

If you believe a child under 16 has provided us with personal data, please contact us immediately at privacy@bdyctrl.com and we will promptly delete that data.

Users between 16 and 18 may use the Services with the consent of a parent or legal guardian where required by applicable law.


  12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

— Encryption of data in transit using TLS 1.2+
— Encryption of sensitive data at rest
— Password hashing using industry-standard algorithms
— Access controls and role-based permissions for staff
— Regular security reviews and vulnerability assessments
— Secure token-based authentication (no plain-text credentials stored)

No system is perfectly secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.


  13. App Store Requirements

13.1 Apple App Store

BDYCTRL is distributed on the Apple App Store. Apple's privacy practices are described at apple.com/legal/privacy. BDYCTRL is solely responsible for the App and its content. Apple has no obligation to furnish any maintenance or support with respect to the App.

Health & Fitness data collected by BDYCTRL is not shared with Apple HealthKit unless you explicitly enable HealthKit integration (planned feature). Apple's HealthKit data is subject to additional restrictions under Apple's Developer Guidelines.

13.2 Google Play

BDYCTRL is not currently available on Google Play. Android distribution is planned for a future release. When the App launches on Google Play, we will submit a Data Safety declaration accurately reflecting the data practices described in this Policy and update this section accordingly. Google's privacy practices are described at policies.google.com/privacy.


  14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

— Update the 'Last Updated' date at the top of this document
— Notify you via email (if you have an account with us)
— Display a prominent notice in the App
— Where required by law, seek your renewed consent

We encourage you to review this Policy periodically. Continued use of the Services after changes take effect constitutes your acceptance of the revised Policy, to the extent permitted by law.


  15. Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of Sweden and the European Union, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218).

Any disputes arising from this Policy shall be subject to the jurisdiction of the Swedish courts, without prejudice to your rights as a consumer under applicable mandatory law in your country of residence.


  16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: BDYCTRL Group AB
Organisation Number: 559577-8506
Privacy enquiries: privacy@bdyctrl.com
Data protection matters: dpo@bdyctrl.com
Postal address: BDYCTRL Group AB, Box 691, 414 52 Gothenburg, Sweden
Supervisory authority: IMY — Integritetsskyddsmyndigheten · imy.se · imy@imy.se


BDYCTRL Group AB · 559577-8506 · Sweden
Own the Move.


Leaderboard rankings and activity feed appearances are a core part of the BDYCTRL experience and are visible to other users by default. Users who prefer not to display their identity may activate anonymised mode via their privacy settings — their activity will still appear in feeds and leaderboards but will be attributed to "User" rather than their username, and their profile photo will be hidden.

AI-Generated Insights & Performance Metrics

When you use Bolt (our AI coach feature) or receive AI-generated workout plans, we process your fitness data to produce personalised outputs. These outputs are themselves a form of derived data and include:

— AI-generated workout plans tailored to your stated goals, experience level, and training history
— Performance trend analysis (e.g. progression over time, training load indicators)
— Readiness or recovery suggestions based on logged workout data
— Personalised difficulty adjustments and exercise recommendations

This processing involves automated analysis of your personal data, including health and fitness data (special category data under GDPR Article 9). It is carried out on the basis of your explicit consent and our contract with you. The AI does not make decisions with legal or similarly significant effects — all outputs are recommendations. You may request human review of any AI-generated output by contacting us at privacy@bdyctrl.com.

AI-derived insights are stored to your profile and used to improve the personalisation of future recommendations. They are not shared with third parties except as required to operate the AI service (see Section 6 — OpenAI).

3.5 Content You Share

Note: This section applies to current beta features and will expand when full community features launch. We will notify you and update this Policy before community features become publicly available.

When you use sharing or community features of the App, you may generate content that we collect and store. This includes:

— Progress updates or posts you share within the App
— Comments or reactions you submit on other users' content
— Progress photos or images you choose to upload and share
— Workout summaries or achievements you share to your profile or feed
— Messages sent to other users via any in-app messaging feature (future feature)

Sharing a workout to the community feed is always an active choice — nothing is posted automatically. Each time you complete a workout, you decide whether to share it. If you choose not to share, your workout remains private to your account only.

If you choose to share, your post will be visible to other BDYCTRL users within the feed. The only privacy control available at the point of sharing is anonymised mode — your post will appear attributed to "User" rather than your username, and your profile photo will be hidden. No other visibility restrictions apply to shared posts, as the feed is a shared community space.

We collect metadata associated with your shared content, including timestamps and interaction counts (e.g. how many users acknowledged or reacted to a post). This metadata is used to operate the community features and to surface relevant content to other users.

If you delete a post after sharing it, it will be removed from view promptly. However, where other users have already interacted with your content, traces of that interaction may remain associated with their accounts.

3.6 Social & Community Data

Note: Community features are not yet live. This section is published in advance of their launch so that you have full transparency about how your data will be used when these features become available. You will be notified before these features activate and given the opportunity to set your preferences.

When community features are live, BDYCTRL will collect and process data about your social interactions and connections within the App. This includes:

Connection & Follow Data

— Users you choose to follow within the BDYCTRL ecosystem
— Users who follow you
— Follow requests sent and received (if a private follow model is implemented)

Interaction Data

— Acknowledgements, reactions, or kudos you give and receive on workout posts
— Comments you post and receive
— Challenges you participate in and your standing within them
— Leaderboard positions (global, within your follower group, or within specific challenges)

Community & Group Membership

— Any BDYCTRL groups, clubs, or challenges you join
— Your activity and contributions within those groups

How we use social and community data:

— To display your profile, workout feed, and achievements to users you are connected with
— To operate the BDYCharge leaderboard and challenge features
— To send you in-app notifications about social interactions (e.g. when someone follows you or acknowledges a workout)
— To personalise your feed and surface content from users you follow
— To support community moderation and enforce our Community Standards (once published)

Your social graph data (who you follow, who follows you) is visible to other users within the limits of your privacy settings. We do not sell or license your social graph data to third parties. Aggregated, anonymised community data (e.g. how many users completed a challenge) may be used for product analytics and improvement.

You will be able to control your identity within the community via your account privacy settings, including the option to activate anonymised mode, which replaces your username and profile photo with a generic identity across feeds and leaderboards.


  4. How and Why We Use Your Data

We only process your personal data where we have a valid legal basis under GDPR.

Create and manage your account
Data used: Account & identity data
Legal basis: Art. 6(1)(b) — Contract

Provide fitness tracking and analytics
Data used: Fitness, workout, body metric data
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

Generate AI-powered workout plans
Data used: Goals, preferences, fitness data
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

GPS route tracking and mapping
Data used: Precise location data (opt-in)
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(a) — Consent (device-level)

Generate BDYCharge points and leaderboard rankings
Data used: Workout duration, session logs, derived points data
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(f) — Legitimate interest

Generate AI-derived performance insights (Bolt)
Data used: Fitness & health data, training history
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

Operate community features and social feed
Data used: Social graph, content, interaction data
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(a) — Consent (where required)

Process payments and manage subscriptions
Data used: Payment and billing data
Legal basis: Art. 6(1)(b) — Contract

Send transactional notifications
Data used: Email, push notification token
Legal basis: Art. 6(1)(b) — Contract

Send marketing communications (opt-in only)
Data used: Email, preferences
Legal basis: Art. 6(1)(a) — Consent

Improve and develop our Services
Data used: Anonymised usage and analytics data
Legal basis: Art. 6(1)(f) — Legitimate interest

Ensure security and prevent fraud
Data used: Technical, account, usage data
Legal basis: Art. 6(1)(f) — Legitimate interest

Comply with legal obligations
Data used: Relevant data as required
Legal basis: Art. 6(1)(c) — Legal obligation

Respond to support requests
Data used: Communications and account data
Legal basis: Art. 6(1)(b) — Contract


  5. Special Category Data & Consent

Certain fitness and health data you provide — such as body measurements, workout performance, and metrics relating to physical condition — may qualify as special category data under GDPR Article 9.

We process this data only with your explicit, informed consent. During onboarding, you will be presented with a clear consent request specifically covering health and fitness data. You may withdraw this consent at any time through your account settings. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.

Withdrawal of consent to health data processing will limit our ability to provide core features of the Services, including workout tracking, analytics, and AI plan generation.


  6. Third-Party Services & Data Sharing

We do not sell your personal data. We share data only with trusted service providers who process it on our behalf under strict data processing agreements, and where required by law.

6.1 Service Providers (Data Processors)

Infrastructure & Backend

— Xano Inc. (USA) — backend database and API hosting. All data is stored in the EU (Frankfurt, Germany — AWS eu-central-1 region). DPA in place.

AI Processing

— OpenAI, L.L.C. (USA) — GPT-4o model used to generate AI workout plans. Inputs include your fitness goals and preferences. OpenAI processes this under their API terms. Data is not used to train OpenAI's models under our enterprise agreement. Review: openai.com/policies/privacy-policy

Payments

— RevenueCat, Inc. (USA) — subscription and entitlement management. Receives anonymised purchase receipt data from Apple App Store to determine your SPARK membership status and feature access. No card data is processed by RevenueCat or BDYCTRL. Review: revenuecat.com/privacy
— Apple App Store — all payment transactions are processed entirely within Apple's payment infrastructure. BDYCTRL receives only confirmation of purchase status.

Analytics

— [Analytics Provider — to be confirmed] — usage analytics and crash reporting. We use anonymised and aggregated data where possible. This section will be updated before launch.

Email & Communications

— Postmark (Wildbit LLC, USA) — transactional email delivery: account verification, password resets, purchase receipts, and security notifications. Review: postmarkapp.com/privacy-policy
— Loops, Inc. (USA) — marketing and engagement email delivery: product updates, feature announcements, re-engagement campaigns, and community communications. Only sent to users who have opted in to marketing communications. Review: loops.so/privacy

6.2 Disclosure Required by Law

We may disclose your personal data to law enforcement, regulatory authorities, or courts where we are legally required to do so. We will notify you of any such disclosure where legally permitted.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.


  7. International Data Transfers

BDYCTRL Group AB is based in Sweden and primarily processes data within the European Economic Area (EEA). However, some of our service providers are located outside the EEA, including in the United States.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

— Standard Contractual Clauses (SCCs) approved by the European Commission
— Transfers to countries with an EU adequacy decision
— Binding corporate rules where applicable

Specifically, transfers to the USA (OpenAI, RevenueCat, Xano, Postmark, and Loops) are covered by Standard Contractual Clauses. You may request a copy of the applicable safeguards by contacting dpo@bdyctrl.com.


  8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law.

Account & identity data
Until account deletion + 30 days grace period

Fitness & health data
Until account deletion, or until consent is withdrawn

GPS & location data
Until account deletion; individual route files deletable at any time

Derived data (BDYCharge points, AI insights, generated plans)
Until account deletion

Community content (posts, comments)
Until you delete the content or your account

Social graph data (follows, interactions)
Until account deletion or connection is removed

Payment & billing records
7 years (Swedish Bookkeeping Act / Bokföringslagen)

Support communications
3 years from last contact

Analytics data — pseudonymous/user-level
Up to 24 months

Analytics data — anonymised aggregates
Indefinitely

Legal hold data
As required by applicable law

When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. financial records).


  9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights. We will respond to all requests within 30 days.

Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you, including information on how it is processed and who it is shared with.

Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data. You can update most data directly in the App settings.

Right to Erasure / 'Right to be Forgotten' (Art. 17)
You have the right to request deletion of your personal data. You can delete your account directly in the App, or by contacting us. Note that we may retain certain data as required by law (see Section 8).

Right to Restriction of Processing (Art. 18)
You have the right to request that we limit how we process your data in certain circumstances, such as if you contest its accuracy or object to processing.

Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. Contact us to request a data export.

Right to Object (Art. 21)
You have the right to object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Art. 7)
Where processing is based on your consent (including for health data), you may withdraw it at any time via account settings. Withdrawal does not affect the lawfulness of prior processing.

Right Not to be Subject to Automated Decision-Making (Art. 22)
Our AI workout plan generation involves automated processing but does not produce legal or similarly significant effects. You may request human review of any AI-generated output.

To exercise any of these rights, contact us at dpo@bdyctrl.com. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or the supervisory authority in your country of residence.


  10. Cookies & Tracking Technologies

Our website (bdyctrl.com) is designed to be privacy-friendly by default. At launch, we do not use cookies or tracking technologies that require your consent. The App does not use cookies but may use equivalent device-level identifiers such as device IDs and analytics SDKs for crash reporting and usage analytics, as described in Section 3.2.

10.1 Website Analytics

We use Framer's built-in analytics to understand basic traffic patterns on bdyctrl.com. This operates without cookies and without collecting personally identifiable information — no consent banner is required. Data collected is aggregated and cannot be attributed to individual visitors.

10.2 Waitlist & Email Sign-Up

Our waitlist sign-up form is powered by Loops, Inc. When you submit your email address, you are taking a clear and active step to join our waitlist. This is not passive tracking — it is a voluntary submission and is handled under the consent you provide at the point of sign-up. No cookies are set by this interaction.

10.3 Strictly Necessary

Our website may set strictly necessary cookies to ensure basic functionality such as security and session management. These do not require consent and cannot be disabled.

10.4 Future Tracking Technologies

If we introduce analytics tools, advertising pixels, retargeting, or any other technology that sets cookies or collects data requiring consent, we will update this section before doing so, implement a compliant consent management solution, and — where required by law — obtain your explicit opt-in consent before any such tracking begins.


  11. Children's Privacy

The BDYCTRL Services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16.

If you believe a child under 16 has provided us with personal data, please contact us immediately at privacy@bdyctrl.com and we will promptly delete that data.

Users between 16 and 18 may use the Services with the consent of a parent or legal guardian where required by applicable law.


  12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

— Encryption of data in transit using TLS 1.2+
— Encryption of sensitive data at rest
— Password hashing using industry-standard algorithms
— Access controls and role-based permissions for staff
— Regular security reviews and vulnerability assessments
— Secure token-based authentication (no plain-text credentials stored)

No system is perfectly secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.


  13. App Store Requirements

13.1 Apple App Store

BDYCTRL is distributed on the Apple App Store. Apple's privacy practices are described at apple.com/legal/privacy. BDYCTRL is solely responsible for the App and its content. Apple has no obligation to furnish any maintenance or support with respect to the App.

Health & Fitness data collected by BDYCTRL is not shared with Apple HealthKit unless you explicitly enable HealthKit integration (planned feature). Apple's HealthKit data is subject to additional restrictions under Apple's Developer Guidelines.

13.2 Google Play

BDYCTRL is not currently available on Google Play. Android distribution is planned for a future release. When the App launches on Google Play, we will submit a Data Safety declaration accurately reflecting the data practices described in this Policy and update this section accordingly. Google's privacy practices are described at policies.google.com/privacy.


  14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

— Update the 'Last Updated' date at the top of this document
— Notify you via email (if you have an account with us)
— Display a prominent notice in the App
— Where required by law, seek your renewed consent

We encourage you to review this Policy periodically. Continued use of the Services after changes take effect constitutes your acceptance of the revised Policy, to the extent permitted by law.


  15. Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of Sweden and the European Union, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218).

Any disputes arising from this Policy shall be subject to the jurisdiction of the Swedish courts, without prejudice to your rights as a consumer under applicable mandatory law in your country of residence.


  16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: BDYCTRL Group AB
Organisation Number: 559577-8506
Privacy enquiries: privacy@bdyctrl.com
Data protection matters: dpo@bdyctrl.com
Postal address: BDYCTRL Group AB, Box 691, 414 52 Gothenburg, Sweden
Supervisory authority: IMY — Integritetsskyddsmyndigheten · imy.se · imy@imy.se


BDYCTRL Group AB · 559577-8506 · Sweden
Own the Move.


Your social graph data (who you follow, who follows you) is visible to other users within the limits of your privacy settings. We do not sell or license your social graph data to third parties. Aggregated, anonymised community data (e.g. how many users completed a challenge) may be used for product analytics and improvement.

You will be able to control your identity within the community via your account privacy settings, including the option to activate anonymised mode, which replaces your username and profile photo with a generic identity across feeds and leaderboards.


  4. How and Why We Use Your Data

We only process your personal data where we have a valid legal basis under GDPR.

Create and manage your account
Data used: Account & identity data
Legal basis: Art. 6(1)(b) — Contract

Provide fitness tracking and analytics
Data used: Fitness, workout, body metric data
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

Generate AI-powered workout plans
Data used: Goals, preferences, fitness data
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

GPS route tracking and mapping
Data used: Precise location data (opt-in)
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(a) — Consent (device-level)

Generate BDYCharge points and leaderboard rankings
Data used: Workout duration, session logs, derived points data
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(f) — Legitimate interest

Generate AI-derived performance insights (Bolt)
Data used: Fitness & health data, training history
Legal basis: Art. 6(1)(b) — Contract · Art. 9(2)(a) — Explicit consent

Operate community features and social feed
Data used: Social graph, content, interaction data
Legal basis: Art. 6(1)(b) — Contract · Art. 6(1)(a) — Consent (where required)

Process payments and manage subscriptions
Data used: Payment and billing data
Legal basis: Art. 6(1)(b) — Contract

Send transactional notifications
Data used: Email, push notification token
Legal basis: Art. 6(1)(b) — Contract

Send marketing communications (opt-in only)
Data used: Email, preferences
Legal basis: Art. 6(1)(a) — Consent

Improve and develop our Services
Data used: Anonymised usage and analytics data
Legal basis: Art. 6(1)(f) — Legitimate interest

Ensure security and prevent fraud
Data used: Technical, account, usage data
Legal basis: Art. 6(1)(f) — Legitimate interest

Comply with legal obligations
Data used: Relevant data as required
Legal basis: Art. 6(1)(c) — Legal obligation

Respond to support requests
Data used: Communications and account data
Legal basis: Art. 6(1)(b) — Contract


  5. Special Category Data & Consent

Certain fitness and health data you provide — such as body measurements, workout performance, and metrics relating to physical condition — may qualify as special category data under GDPR Article 9.

We process this data only with your explicit, informed consent. During onboarding, you will be presented with a clear consent request specifically covering health and fitness data. You may withdraw this consent at any time through your account settings. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.

Withdrawal of consent to health data processing will limit our ability to provide core features of the Services, including workout tracking, analytics, and AI plan generation.


  6. Third-Party Services & Data Sharing

We do not sell your personal data. We share data only with trusted service providers who process it on our behalf under strict data processing agreements, and where required by law.

6.1 Service Providers (Data Processors)

Infrastructure & Backend

— Xano Inc. (USA) — backend database and API hosting. All data is stored in the EU (Frankfurt, Germany — AWS eu-central-1 region). DPA in place.

AI Processing

— OpenAI, L.L.C. (USA) — GPT-4o model used to generate AI workout plans. Inputs include your fitness goals and preferences. OpenAI processes this under their API terms. Data is not used to train OpenAI's models under our enterprise agreement. Review: openai.com/policies/privacy-policy

Payments

— RevenueCat, Inc. (USA) — subscription and entitlement management. Receives anonymised purchase receipt data from Apple App Store to determine your SPARK membership status and feature access. No card data is processed by RevenueCat or BDYCTRL. Review: revenuecat.com/privacy
— Apple App Store — all payment transactions are processed entirely within Apple's payment infrastructure. BDYCTRL receives only confirmation of purchase status.

Analytics

— [Analytics Provider — to be confirmed] — usage analytics and crash reporting. We use anonymised and aggregated data where possible. This section will be updated before launch.

Email & Communications

— Postmark (Wildbit LLC, USA) — transactional email delivery: account verification, password resets, purchase receipts, and security notifications. Review: postmarkapp.com/privacy-policy
— Loops, Inc. (USA) — marketing and engagement email delivery: product updates, feature announcements, re-engagement campaigns, and community communications. Only sent to users who have opted in to marketing communications. Review: loops.so/privacy

6.2 Disclosure Required by Law

We may disclose your personal data to law enforcement, regulatory authorities, or courts where we are legally required to do so. We will notify you of any such disclosure where legally permitted.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.


  7. International Data Transfers

BDYCTRL Group AB is based in Sweden and primarily processes data within the European Economic Area (EEA). However, some of our service providers are located outside the EEA, including in the United States.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including:

— Standard Contractual Clauses (SCCs) approved by the European Commission
— Transfers to countries with an EU adequacy decision
— Binding corporate rules where applicable

Specifically, transfers to the USA (OpenAI, RevenueCat, Xano, Postmark, and Loops) are covered by Standard Contractual Clauses. You may request a copy of the applicable safeguards by contacting dpo@bdyctrl.com.


  8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law.

Account & identity data
Until account deletion + 30 days grace period

Fitness & health data
Until account deletion, or until consent is withdrawn

GPS & location data
Until account deletion; individual route files deletable at any time

Derived data (BDYCharge points, AI insights, generated plans)
Until account deletion

Community content (posts, comments)
Until you delete the content or your account

Social graph data (follows, interactions)
Until account deletion or connection is removed

Payment & billing records
7 years (Swedish Bookkeeping Act / Bokföringslagen)

Support communications
3 years from last contact

Analytics data — pseudonymous/user-level
Up to 24 months

Analytics data — anonymised aggregates
Indefinitely

Legal hold data
As required by applicable law

When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law (e.g. financial records).


  9. Your Rights Under GDPR

As a data subject in the EU/EEA, you have the following rights. We will respond to all requests within 30 days.

Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you, including information on how it is processed and who it is shared with.

Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data. You can update most data directly in the App settings.

Right to Erasure / 'Right to be Forgotten' (Art. 17)
You have the right to request deletion of your personal data. You can delete your account directly in the App, or by contacting us. Note that we may retain certain data as required by law (see Section 8).

Right to Restriction of Processing (Art. 18)
You have the right to request that we limit how we process your data in certain circumstances, such as if you contest its accuracy or object to processing.

Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. Contact us to request a data export.

Right to Object (Art. 21)
You have the right to object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent (Art. 7)
Where processing is based on your consent (including for health data), you may withdraw it at any time via account settings. Withdrawal does not affect the lawfulness of prior processing.

Right Not to be Subject to Automated Decision-Making (Art. 22)
Our AI workout plan generation involves automated processing but does not produce legal or similarly significant effects. You may request human review of any AI-generated output.

To exercise any of these rights, contact us at dpo@bdyctrl.com. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or the supervisory authority in your country of residence.


  10. Cookies & Tracking Technologies

Our website (bdyctrl.com) is designed to be privacy-friendly by default. At launch, we do not use cookies or tracking technologies that require your consent. The App does not use cookies but may use equivalent device-level identifiers such as device IDs and analytics SDKs for crash reporting and usage analytics, as described in Section 3.2.

10.1 Website Analytics

We use Framer's built-in analytics to understand basic traffic patterns on bdyctrl.com. This operates without cookies and without collecting personally identifiable information — no consent banner is required. Data collected is aggregated and cannot be attributed to individual visitors.

10.2 Waitlist & Email Sign-Up

Our waitlist sign-up form is powered by Loops, Inc. When you submit your email address, you are taking a clear and active step to join our waitlist. This is not passive tracking — it is a voluntary submission and is handled under the consent you provide at the point of sign-up. No cookies are set by this interaction.

10.3 Strictly Necessary

Our website may set strictly necessary cookies to ensure basic functionality such as security and session management. These do not require consent and cannot be disabled.

10.4 Future Tracking Technologies

If we introduce analytics tools, advertising pixels, retargeting, or any other technology that sets cookies or collects data requiring consent, we will update this section before doing so, implement a compliant consent management solution, and — where required by law — obtain your explicit opt-in consent before any such tracking begins.


  11. Children's Privacy

The BDYCTRL Services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16.

If you believe a child under 16 has provided us with personal data, please contact us immediately at privacy@bdyctrl.com and we will promptly delete that data.

Users between 16 and 18 may use the Services with the consent of a parent or legal guardian where required by applicable law.


  12. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

— Encryption of data in transit using TLS 1.2+
— Encryption of sensitive data at rest
— Password hashing using industry-standard algorithms
— Access controls and role-based permissions for staff
— Regular security reviews and vulnerability assessments
— Secure token-based authentication (no plain-text credentials stored)

No system is perfectly secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.


  13. App Store Requirements

13.1 Apple App Store

BDYCTRL is distributed on the Apple App Store. Apple's privacy practices are described at apple.com/legal/privacy. BDYCTRL is solely responsible for the App and its content. Apple has no obligation to furnish any maintenance or support with respect to the App.

Health & Fitness data collected by BDYCTRL is not shared with Apple HealthKit unless you explicitly enable HealthKit integration (planned feature). Apple's HealthKit data is subject to additional restrictions under Apple's Developer Guidelines.

13.2 Google Play

BDYCTRL is not currently available on Google Play. Android distribution is planned for a future release. When the App launches on Google Play, we will submit a Data Safety declaration accurately reflecting the data practices described in this Policy and update this section accordingly. Google's privacy practices are described at policies.google.com/privacy.


  14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

— Update the 'Last Updated' date at the top of this document
— Notify you via email (if you have an account with us)
— Display a prominent notice in the App
— Where required by law, seek your renewed consent

We encourage you to review this Policy periodically. Continued use of the Services after changes take effect constitutes your acceptance of the revised Policy, to the extent permitted by law.


  15. Governing Law & Jurisdiction

This Privacy Policy is governed by the laws of Sweden and the European Union, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218).

Any disputes arising from this Policy shall be subject to the jurisdiction of the Swedish courts, without prejudice to your rights as a consumer under applicable mandatory law in your country of residence.


  16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: BDYCTRL Group AB
Organisation Number: 559577-8506
Privacy enquiries: privacy@bdyctrl.com
Data protection matters: dpo@bdyctrl.com
Postal address: BDYCTRL Group AB, Box 691, 414 52 Gothenburg, Sweden
Supervisory authority: IMY — Integritetsskyddsmyndigheten · imy.se · imy@imy.se


BDYCTRL Group AB · 559577-8506 · Sweden
Own the Move.