Privacy Policy
Last updated: March 17, 2026.
SweatDrop is a gym gamification platform. This policy explains what data we collect, why we collect it and how we use it. Please read it in full — especially the section on health data.
1. Who we are
SweatDrop ("we", "us", "SweatDrop") is a software platform that provides gamification services to gyms and their members. For the purposes of applicable data protection law (including the Law on Personal Data Protection of the Republic of Serbia), the data controller is:
SweatDrop
Belgrade, Serbia
Email: support@sweat-drop.com
2. What data we collect
2.1 Data you provide
- Account: Name, email address and authentication credentials. Passwords are stored using one-way hashing and are not stored in readable form.
- Sign-in providers: If you use Google or Apple sign-in, we receive identity data from that provider as allowed by your settings (for example name, email and provider user ID). For email sign-in, we may require email verification before full app access.
- Profile: Username, profile photo, gym name
- Health and physical data (optional): Gender, body weight, height, date of birth, training goal. You provide these voluntarily during profile setup, and they are used for personalised recommendations. You can skip or delete them at any time.
2.2 Data generated by using the app
- Workout sessions: Date, time, duration, drops earned, average RPM, calories
- Check-in data: Date and time of check-in, gym, GPS distance from gym (number only, not precise location)
- GPS location: We collect your location only when you scan the reception QR code, to confirm you are physically at the gym. We do not track location continuously.
- Bluetooth (BLE) data: RPM and metrics from equipment sensors. Data is processed on device and only aggregated results are sent.
- Gamification: Drops balance, badges, leaderboard rank, challenge progress, reward history
- Social features: Referral invites, friend challenge records, and related progress needed to run invite-friend and 1v1 challenge features.
- Push notifications: Device push token, delivery status and notification preferences needed to send account, activity and campaign notifications.
2.3 Technical data
- Device type, operating system, app version
- IP address (for security and abuse prevention)
- Error and performance logs
3. Why we collect data (legal basis)
3.1 Contract performance
To provide core services — account creation, session tracking, drops calculation, leaderboard display and reward management in the Store.
3.2 Legitimate interest
To prevent check-in fraud (GPS verification), maintain platform security, and improve service quality based on aggregated usage data.
3.3 Consent
For health data (body weight, height, date of birth, training goal). You give consent voluntarily during profile setup and can withdraw it at any time by deleting that data from your profile.
3.4 Legal obligation
Retention of data to the extent required by applicable law.
4. Who sees your data
4.1 Gym owner
The owner of the gym where you are active can see:
- Your name, avatar and activity only at their gym
- Number of sessions, drops earned at their gym, date of last visit
- Your fitness goal (e.g. "fitness") — not body weight, height or date of birth
- Your rank on their gym's leaderboard
The gym owner cannot see your activity at other gyms, your email, body weight, height or date of birth.
4.2 Other app users
On the public leaderboard, your username, avatar, drops count and rank are visible. You can turn off your public profile in settings.
4.3 SweatDrop team
Our team has access to data only to provide support, resolve technical issues and prevent abuse.
4.4 Third parties
We do not sell your data. We use the following trusted service providers:
- Supabase — database and authentication, servers in the EU
- Expo / EAS — mobile app distribution
- Sentry (if enabled) — anonymous error reporting
We use service providers that process personal data on our instructions and apply appropriate contractual safeguards under applicable law.
4.5 Sweat Arenas — cross-gym visibility
By joining a Sweat Arena you accept that your score and username are visible to all arena participants, including members of other participating gyms.
Visible: username, avatar, total arena score. Not visible: which gym your points come from, body weight, height, email or any other personal data.
The arena sponsor sees only aggregated data (number of participants, total activity) — never individual user data.
5. GPS location — details
We use GPS location only when you scan the reception QR code, to confirm you are within 200 metres of the gym. We do not store precise coordinates — only the calculated distance in metres and whether verification succeeded.
If you deny location access, check-in still works — we only record that GPS verification was not possible. We do not track your location continuously.
6. How long we keep data
- Account and profile: While the account is active. After deletion — 30-day retention period, then permanent deletion.
- Workout sessions and check-ins: 3 years from last activity
- Health data: Until you delete it or delete your account
- Logs: 90 days
Some data may be retained for longer where required by law or needed for security, fraud prevention or dispute resolution, for the minimum period necessary.
7. Your rights
Under applicable data protection law you have the right to:
- Access the data we hold about you
- Correct inaccurate data (in the app or by email)
- Delete your account and all data — via Settings → Delete account
- Port your data (export in JSON format — contact us)
- Object to processing based on legitimate interest
- Withdraw consent for health data at any time
For any request, email us at support@sweat-drop.com. We respond within 30 days.
8. Data security
All data is transmitted encrypted (TLS 1.3). Passwords are never stored in readable form — we use bcrypt hashing. The database is on Supabase infrastructure in the EU with automatic backups and encryption at rest.
9. Children
SweatDrop is not intended for anyone under 13. We require a minimum age of 13 at registration. If we learn we have collected data from a child under 13, we delete the account immediately.
10. Changes to this policy
We will notify you of significant changes by email or in-app notification at least 14 days before they take effect. The last updated date is always shown at the top of this page.
11. Contact
For any privacy questions:
support@sweat-drop.com