Privacy Policy
Vecta iOS app & getvecta.app website · Last updated: 15 June 2026
This Privacy Policy explains how personal data is processed when you use the Vecta iOS application (the “App”) and the getvecta.app website (the “Website”).
1. Controller
The controller responsible for data processing is:
Leon Thomandl
Fruehlingstr. 2
85114 Buxheim
Germany
Email: info@getvecta.app
2. Data We Process in the App
2.1 Account data
When you create an account you provide an email address (or sign in with Apple or Google). We process your email address and a user identifier to authenticate you and secure your account. If you sign in with Apple or Google, your name may also be provided by that sign-in provider and stored with your account.
2.2 Fitness and workout data
The App stores the fitness data you create — workouts, exercises, sets, weights, repetitions, personal records, body weight entries, and daily step counts — so that it syncs across your devices.
2.3 Apple Health (HealthKit) data
If you grant permission, the App accesses Apple Health to:
- Read recent workouts, body weight, active energy, and step counts to display your fitness progress.
- Write workouts you complete in the App back to Apple Health so they appear in your other health apps.
Body weight and step values imported from Apple Health are stored in our backend (see Section 4) so they remain available across your devices. We never use Apple Health data for advertising or marketing, we do not sell it, and we do not use it for any purpose other than providing the App's functionality to you. You can revoke Health access at any time in iOS Settings → Privacy & Security → Health.
2.4 Camera and the “Scan Machine” feature
The “Scan Machine” feature lets you photograph a gym machine so it can be identified automatically. When you use it:
- The camera is used only while you are actively taking a scan photo.
- Any faces detected in the photo are blurred on your device before the image is sent anywhere.
- The image is transmitted to our backend and forwarded to our AI processor (OpenAI, see Section 5) solely to classify the machine. The photo itself is not stored.
- We retain only a non-identifying hash of the image together with the classification result for up to 14 days to speed up repeat scans, plus minimal scan metadata (e.g. result category, confidence, timing) used for rate-limiting and abuse prevention.
3. Data We Process on the Website
When you visit the Website, technical data may be processed (e.g. IP address, date/time, browser details, pages accessed). If you contact us, we also process the information you provide (e.g. name, email address, message). The Website may use cookies; non-essential cookies are set only with your consent, which you can change at any time.
4. Hosting and Storage Location
Account and fitness data are stored using Supabase, our backend and database provider, on servers located in the European Union (AWS region eu-west-1, Ireland).
5. Recipients and Processors
| Recipient | Purpose | Location |
|---|---|---|
| Supabase | Backend, authentication, and database hosting | EU (Ireland) |
| OpenAI | AI classification of “Scan Machine” images (face-blurred; image not stored) | United States |
| Apple | Sign in with Apple; HealthKit (data exchanged on-device under your control) | - |
| Google | Google Sign-In (only if you choose this login method) | United States |
We do not sell your personal data and do not share it with third parties for their own marketing.
6. Purpose and Legal Basis
- Providing the App and your account, syncing your data — Art. 6(1)(b) GDPR (performance of a contract).
- Apple Health access and the camera/Scan Machine feature — Art. 6(1)(a) GDPR (your consent, granted via the iOS permission prompts).
- Securing the service, preventing abuse, technical administration — Art. 6(1)(f) GDPR (legitimate interest), and Art. 6(1)(c) where required by law.
- Website operation and inquiries — Art. 6(1)(b), (c), and (f) GDPR.
7. International Transfers
“Scan Machine” images are processed by OpenAI in the United States. This transfer is safeguarded by the EU Standard Contractual Clauses (Art. 46 GDPR). Your account and fitness data remain within the EU (Section 4).
8. Storage Duration
- Account and fitness data: retained until you delete your account.
- Scan image hashes and results: up to 14 days.
- Website data: only as long as necessary for the purposes above or as required by legal retention obligations.
9. Account and Data Deletion
You can permanently delete your account and all associated workout data at any time directly in the App: Profile → Delete Account (you will be asked to type DELETE to confirm). This removes your data from our backend. Workouts that were previously written to Apple Health remain in Apple Health unless you remove them there. You may also request deletion by emailing info@getvecta.app.
10. Your Rights
You have the right to access, rectify, erase, and restrict processing of your data, the right to data portability, and the right to object to processing. Where processing is based on consent, you may withdraw it at any time with effect for the future. You also have the right to lodge a complaint with a data protection supervisory authority.
11. Children
The App is not directed to children under 16, and we do not knowingly collect personal data from them.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The current version is always available at this URL, with the “Last updated” date shown above.
13. Contact
For any privacy-related request, contact Leon Thomandl at info@getvecta.app.