Legal · Updated 4 May 2026 · v1.1

Privacy Policy

How Vytrix handles your personal data under the GDPR. The Dutch version at /privacybeleid is the legally binding source; this English mirror is provided for accessibility under GDPR Art. 12(1).

1. Who are we?

Vytrix is a fitness and wellness application developed by Vincent Maas (sole proprietorship), based in the Netherlands.

  • Data controller: Vincent Maas / Vytrix
  • Privacy contact: privacy@vytrix.app
  • Appeals (DSA Art. 20): appeals@vytrix.app
  • Data Protection Officer (DPO): to be appointed prior to v1.0 launch (mandatory under GDPR Art. 37(1)(c) for large-scale Article 9 processing)

2. What data do we collect?

2.1 Account data

Name, email address, username, profile picture (avatar), date of birth, gender.

2.2 Training and activity data

Exercises, sets, reps, weights, workout duration, training templates, routines, personal records, custom exercises.

2.3 Health data (special category — GDPR Article 9)

This data is only processed after your explicit consent (GDPR Art. 9(2)(a)) and consent can be withdrawn at any time via Settings → Privacy → Withdraw consent — as easily as it was given.

  • Sleep data: bedtime, wake time, sleep duration, sleep quality, sleep stages.
  • Nutrition data: food log, calories, macronutrients, micronutrients, water intake, supplements.
  • Body measurements: weight, BMI, body fat percentage, body circumferences, lean body mass, body water mass.
  • Heart rate data: heart rate (BPM), HR zones, recovery data, HR variability (HRV).
  • Progress photos: body photos with metadata.
  • Meal photos (optional): processed temporarily by OpenAI (US, DPF + SCC + Zero Data Retention). Only extracted nutrition data is stored.
  • Product photos (barcode/label scan): identical to meal photos.
  • Menstrual cycle data (optional): see separate section below.

2.3a Menstrual cycle and reproductive health data

Reproductive health data warrants special attention. Vytrix follows Mozilla / Privacy International best practices for period-tracking apps in a post-Roe geopolitical context.

What we collect: last menstruation start date, cycle length (21-35 days), period length (3-10 days), derived cycle phase (menstruation / follicular / ovulation / luteal).

How we use this data: automatic luteal-phase calorie adjustment (+150 kcal, toggleable), notifications about expected fluid retention (toggleable), visual indicators in training calendar, phase-specific training tips.

Guarantees:

  1. Optional — only active when you turn cycle tracking on (default off).
  2. EU-only storage — exclusively on Supabase Ireland (eu-west-1). No backup or replication to US servers.
  3. Not visible to coaches — regardless of other permissions.
  4. Not shared with OpenAI — cycle data is not passed to AI features.
  5. Not used for advertising or profiling — we do not run advertising.
  6. Independently deletable — you can delete cycle data without deleting the rest of your account.
  7. No disclosure to foreign authorities — except by Dutch court order.

2.3b Health Connect / HealthKit permissions

On Android devices you can connect Vytrix to Health Connect. Permissions are requested only when you activate the corresponding feature:

Permission | Purpose
READ_ACTIVE_CALORIES_BURNED | Show calorie expenditure
READ_STEPS | Show steps + weekly volume
READ_WEIGHT / WRITE_WEIGHT | Sync weight between apps
READ_BODY_FAT / WRITE_BODY_FAT | Sync body fat percentage
READ_LEAN_BODY_MASS / WRITE_LEAN_BODY_MASS | Sync lean body mass
READ_BODY_WATER_MASS / WRITE_BODY_WATER_MASS | Sync body water
READ_BASAL_METABOLIC_RATE | Read BMR for daily calorie target
READ_SLEEP | Import sleep for recovery correlation
READ_HEART_RATE | Heart rate during workouts

On iOS we use the equivalent HealthKit categories. You can withdraw any permission individually via Health Connect settings on your device.

2.3c Limited Use Statement (Health Connect)

The use of information received from Health Connect will adhere to the Health Connect Permissions policy, including the Limited Use requirements.
  • We use Health Connect data only for the features listed in §2.3b.
  • We never share Health Connect data with advertising networks, marketing data processors, lenders, insurers, or employers.
  • We do not use Health Connect data to determine employment, insurability, or for unauthorized social sharing.
  • We do not sell Health Connect data to third parties under any circumstance.

2.4 Social data and messages

  • Feed content: posts, comments, likes, friendships, challenges.
  • Direct messages and group chats: text and shared content. Messages are visible only to sender, recipient(s), and — for reported content — our moderation procedure. Not shared with third parties.
  • UGC moderation metadata: reports stored in social_reports; reports about you are not visible to you.

2.5 Coach-client data

Training programs, progress, messages with your coach. The coach is an independent data controller. Reproductive health data is excluded from coach access.

2.6 Technical data and device IDs

Device type, OS, app version. We do not collect Android Advertising ID (AD_ID) or Apple's Identifier for Advertisers (IDFA). We do collect a Firebase Installation ID and push notification token.

2.6a Background functions (Foreground Service)

During a workout, the app may show a rest timer (60-300 sec) on the lock-screen notification. No location tracking, audio recording, or other background processing occurs outside this user-started timer.

2.7 Location data (optional)

When you use the "detect gym" feature, the app collects your approximate location (city level, not precise) once. Location is not continuously tracked and not stored on our servers, except gym coordinates when you link a gym.

2.8 App performance and analytics

  • Crash reports via Firebase Crashlytics. No personal training, health, or cycle data.
  • App interactions via our own Supabase analytics on EU servers. Pseudonymized.
  • Diagnostic data: app version, OS version, device model.

2.8a No advertising ID

Vytrix does not request access to AD_ID or IDFA. We do not show advertisements and do not share data with ad networks.

4. Who do we share your data with?

4.1 Service providers (processors)

Processor | Service | Location | Transfer
Supabase Inc. | Database, auth, storage | EU (Ireland) | DPA + SCCs
Firebase (Google Ireland Limited) | Crashlytics + push | EU + cross-border | DPF + SCCs
RevenueCat Inc. | IAP entitlements | US | DPF + SCCs (no Art. 9)
OpenAI | AI Coach + photo AI | US | DPF + SCCs + ZDR

Full sub-processor list: vytrix.app/en/subprocessors.

4.2 We do NOT share with

  • Advertising networks
  • Data brokers
  • Employers, insurers, lenders
  • Foreign authorities (except by Dutch court order)
  • Any third party for marketing purposes

5. International transfers

Your data is primarily processed on EU servers (Ireland). Some additional processors are based in the US and certified under the EU-US Data Privacy Framework (DPF). On 3 September 2025, the EU General Court dismissed the appeal against the DPF (Latombe v Commission, T-553/23); the decision is under appeal at the Court of Justice. The DPF is a valid transfer mechanism at time of writing (May 2026). As a secondary basis, we have SCCs with all processors. A Transfer Impact Assessment is available on request via privacy@vytrix.app.

Reproductive health data is never transferred cross-border; it remains exclusively on EU servers.

6. Retention periods

Data | Retention
Account / training / health | Until account deletion or consent withdrawal
Soft-deleted items (trash) | 90 days, then permanently deleted
Data after account deletion | Fully deleted within 90 days
Tax-required transactional records (pseudonymized) | 7 years (Dutch Tax Act Art. 52)
Crashlytics technical logs | 90 days
Audit logs for fraud prevention | 12 months
Consent records | 5 years after withdrawal

7. Your rights

You have the following rights under GDPR:

  • Access (Art. 15) — view via Settings → Privacy
  • Rectification (Art. 16) — edit in the app
  • Erasure (Art. 17) — delete via Settings → Account or via vytrix.app/en/delete-account
  • Restriction (Art. 18) — withdraw consent per category
  • Portability (Art. 20) — JSON export via Settings
  • Object (Art. 21) — withdraw consent
  • Withdraw consent (Art. 7(3)) — one tap per category
  • Automated decision-making (Art. 22) — Vytrix does not make decisions with legal or similarly significant effects

You can file complaints with:

  • Autoriteit Persoonsgegevens (NL)
  • Gegevensbeschermingsautoriteit (BE)
  • BfDI (DE)
  • CNIL (FR)

8. Audience and age

Vytrix is intended for adults aged 18 and over. We do not knowingly process personal data of minors. At registration, your date of birth is verified via a neutral age picker. Users under 18 cannot create accounts.

9. Security

  • AES-256 encryption at rest
  • TLS 1.3 in transit; no cleartext traffic
  • EU hosting (Ireland)
  • Row Level Security on all personal-data tables
  • JWT authentication via Supabase Auth
  • Private storage buckets; signed URLs (24h)
  • Coach-client data isolation via RLS + consent checks
  • Automated retention cleanup (pg_cron)
  • BDSG §22(2) "suitable and specific safeguards" for German users

10. Changes

For material changes we proactively inform you via in-app banner, blocking modal requesting renewed consent, and email.

11. Contact