Privacy Policy

1. Who we are

GymPulseTimer is an independent product developed by Daniel Ancuta (trading as w3b, Brașov, Romania). The product consists of an iOS app with an Apple Watch companion, an Android app, and the marketing and support website at gympulsetimer.com. This policy covers all three surfaces.

2. Mobile apps — data we do not collect

The iOS, watchOS, and Android apps deliberately collect none of the following:

• Personal information (name, email address, phone number)
• Location data
• Health or fitness data (heart rate, calories, workout history)
• Account credentials — there are no accounts, and no sign-in is offered or required
• Advertising identifiers (IDFA on iOS, GAID on Android)
• Contacts, photos, calendar, microphone or camera access

3. Mobile apps — anonymous analytics

Both apps use TelemetryDeck to record anonymous, aggregated usage signals such as “app launched”, “workout started”, and “workout completed”. TelemetryDeck does not use cookies, does not collect personally identifiable information, and is fully GDPR and CCPA compliant. No data is sold or shared with advertisers.

4. Mobile apps — in-app purchases

The apps offer a one-time in-app purchase called “GymPulse Pro”. Purchases are processed exclusively by Apple (iOS) or Google (Android), and entitlement validation is handled by RevenueCat. RevenueCat receives only the platform-issued purchase receipt — no personal data is collected by us. See RevenueCat’s Privacy Policy for their handling practices.

5. Mobile apps — local storage

Timer presets and app preferences are stored on your device using the platform’s native preference storage (UserDefaults on Apple, SharedPreferences on Android). Nothing is synced to the cloud or transmitted over the network.

6. Website — consent-gated analytics

The gympulsetimer.com website uses three analytics providers. Two require your consent before they run; the third operates cookielessly and needs no consent.

• Google Analytics 4 — loaded only after you accept cookies via our consent banner. Implements Google Consent Mode v2 with anonymised IP addresses. Used to understand traffic sources and measure conversions.
• Microsoft Clarity — loaded only after you accept cookies. Provides heatmaps and session recordings so we can see how visitors interact with the page without identifying any individual user.
• TelemetryDeck — runs cookielessly without consent. Records anonymous pageviews only.

You may withdraw consent at any time using the Manage Cookies button in the footer. Withdrawing consent disables Google Analytics and Microsoft Clarity and clears their cookies on the next page load.

7. Website — contact and notify-me forms

If you submit the contact form or the Android notify-me form, your message (and email address) is delivered to support@gympulsetimer.com through Resend, our transactional email provider. We retain these messages only as long as needed to respond to you — typically no longer than twelve months. They are not added to any marketing list and are never shared with third parties.

We apply basic rate limiting (per-IP, time-windowed) and spam heuristics on these endpoints to protect the mailbox from abuse. No persistent identifiers are stored.

8. Google API Services — site-owner analytics tool

We operate an internal OAuth client (registered with Google Cloud as “GymPulseTimer Analytics”) that the site owner uses to extract this site’s own performance data from Google Analytics and Google Search Console for SEO and growth monitoring. The client requests two read-only scopes:

• https://www.googleapis.com/auth/analytics.readonly — read Google Analytics 4 property metrics for gympulsetimer.com.
• https://www.googleapis.com/auth/webmasters.readonly — read Search Console query, impression, click, and indexing data for gympulsetimer.com.

Use. The tool is used solely by the site owner against the site owner’s own Google account and the properties the site owner controls. It is not offered to other users.

Transfer. Data fetched via these APIs is never transferred to other services, never used to train AI or machine-learning models, never sold, and never shared with third parties.

Storage. Extracted reports are written to local files on the owner’s development machine and rotated when no longer needed. OAuth refresh tokens are stored in the owner’s home directory with filesystem permissions restricted to the owner.

Protection. Access requires the owner’s own Google account credentials and two-factor authentication. Tokens can be revoked at any time from the owner’s Google Account → Security → Third-party apps page.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

9. Third-party services at a glance

• TelemetryDeck — anonymous, cookieless analytics (apps + website)
• RevenueCat — in-app purchase receipt validation (apps)
• Apple App Store / Google Play — in-app purchase processing (apps)
• Google Analytics 4 — consent-gated web analytics (website)
• Microsoft Clarity — consent-gated heatmaps and session recordings (website)
• Resend — transactional email delivery for support requests (website)
• Vercel — hosting and edge delivery (website). Vercel processes IP addresses for routine request handling and DDoS protection.

10. Your rights (GDPR, CCPA)

Where applicable law grants you rights over your personal data, you may request access to, correction of, or deletion of any data we hold about you, and you may object to or restrict its processing. Because the apps do not collect personal data and the website only stores email addresses you actively submit through the contact or notify-me forms, the practical scope of such a request is usually limited to “remove my email and any related messages from your inbox”.

To exercise any of these rights, email support@gympulsetimer.com from the address concerned. We will respond within thirty days.

11. Children’s privacy

The apps are rated 4+ and contain no objectionable content. We do not knowingly collect data from children under 13. If you believe a child has provided data through any of our surfaces, contact us and we will delete it promptly.

12. International transfers

GymPulseTimer is operated from Romania (EU). Some third-party processors listed above operate servers outside the EU. Where data is transferred internationally, the receiving processor either operates under EU adequacy or contractual standard clauses. Because the apps collect no personal data, the transfer surface is limited to website analytics and inbound support email.

13. Changes to this policy

We may update this policy from time to time. The “Effective date” at the top of this page will always reflect the most recent revision. Material changes will be summarised in the changelog of our app release notes.

14. Contact

Questions about this policy? Email support@gympulsetimer.com. For security disclosures, see our Security page.