Privacy Policy
Last Updated: May 22, 2026
Controlling language: Spanish. This English version is for reference only.
At Myosin we are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, store and protect your data when you use the Myosin mobile application (the “App” or “Service”).
Myosin is operated by a sole proprietor domiciled in the Republic of Argentina. By using the App you consent to the collection and processing of information in accordance with this policy. If you do not agree with any part of it, please do not use the Service.
1. Data Controller
Myosin is operated by a sole proprietor in Argentina. Registration with the Argentine Agency for Access to Public Information (AAIP), National Database Registry (Law No. 25.326), is in process. The registration number will be published in this section once received.
Privacy and data contact email: legal@getmyosin.com
2. Data We Collect
2.1 Account information
- Email address (for authentication).
- Password (stored using secure hashing, never plain text).
- Display name or username (optional).
2.2 Workout data
- Exercises performed, sets, repetitions and weight lifted.
- Custom exercises and routines you create.
- Workout duration and timestamps.
- Personal records (PRs) and progress data.
- Training volume and derived analytics.
- Notes and comments you add to your workouts.
2.3 Personal habits
If you use the habits feature, we store your custom habit definitions and daily completion records.
2.4 Body weight and measurements
If you choose to log them, we store your body weight and measurement entries over time. These are treated as sensitive health data under article 7 of Law 25.326 and article 9 of GDPR.
2.5 Device information
- Device type and operating system version.
- Installed app version.
- Language preference.
- Time zone.
- Crash reports and performance data.
2.6 Third-party login
If you sign in with a third party (Sign in with Apple or Google), we receive basic profile data from that provider, which may include your name and email address. We never receive third-party account passwords.
2.7 What we do NOT collect
- We do not access contacts, photos, microphone or camera without explicit feature-by-feature consent.
- We do not read HealthKit (iOS) or Health Connect (Android) data without separate explicit opt-in.
- We do not use advertising tracking cookies.
- We do not sell, rent or trade your personal data with third parties.
3. How We Use Your Data
- Service delivery: store your workouts, habits and measurements and sync them across devices.
- Personalization: track progress and compute individual training analytics.
- Service improvement: analyze crash reports and aggregated usage patterns to fix bugs and improve features.
- Communication: respond to support requests and send important service updates. We do not send marketing communications without prior explicit consent.
- Security: prevent unauthorized access and fraud, and ensure data integrity.
- Legal compliance: when required by applicable law or competent authority.
4. Legal Basis for Processing
- Consent (Law 25.326 art. 5; GDPR art. 6.1.a): by creating an account you give informed consent. For sensitive health data we collect separate explicit consent (Law 25.326 art. 7, GDPR art. 9.2.a).
- Contract performance (GDPR art. 6.1.b): required to deliver the Service.
- Legitimate interest (GDPR art. 6.1.f): product improvement, security and fraud prevention, balanced against your rights.
- Legal obligation (GDPR art. 6.1.c): compliance with judicial or regulatory requirements.
You can withdraw consent at any time by deleting your account or emailing legal@getmyosin.com. Withdrawal does not affect the lawfulness of prior processing.
5. Service Providers (Processors)
- Supabase, Inc. (US / EU): PostgreSQL database, authentication, backups. DPA: supabase.com/legal/dpa.
- Functional Software, Inc. (Sentry) (US): error tracking and crash reports, with PII scrubbing. DPA: sentry.io/legal/dpa/.
- 650 Industries, Inc. (Expo / EAS) (US): build infrastructure and OTA updates. DPA: expo.dev/legal/dpa.
- Apple Inc. (US): App Store, Sign in with Apple, In-App Purchases. Covered by the Apple Developer Program Agreement.
- Google LLC (US): Google Play, Sign in with Google, Play billing. Covered by the Google Play Developer Distribution Agreement.
6. Storage, Security and International Transfer
6.1 Local-first architecture
- Your data is primarily stored on your device in a local SQLite database.
- The app works fully offline; no internet connection is required to log workouts.
- Sync to our servers occurs when an internet connection is available, as backup and for multi-device access.
6.2 Security measures
- Passwords stored with secure hashing.
- All transmissions encrypted with TLS 1.2+ (HTTPS).
- Data at rest encrypted on database provider servers.
- Access restricted by Row-Level Security (RLS) policies.
- Periodic rotation of authentication tokens.
6.3 International data transfer
Your data may be transferred and processed in the US, EU and other countries where our providers operate. We rely on Standard Contractual Clauses (SCCs) where applicable and ensure technical safeguards (encryption in transit and at rest) regardless of where data is processed.
7. Data Retention
- Account and workout data: while your account is active. On deletion request, see §7.1.
- Backend operational logs: 90 days from generation, then rotated.
- Sentry crash reports: 90 days from generation, then deleted.
- Encrypted backups: 30 days from creation, then rotated.
- Consent records: while your account is active, plus 5 years after deletion (evidentiary obligation).
- Data required by legal/tax obligation: for the period required by applicable law.
7.1 Account deletion and grace period
- On a deletion request, a 7-day grace period begins, during which you can recover the account by signing back in.
- After the grace period, all personal data is permanently deleted from the primary database.
- Backups containing your data are overwritten in the 30-day rotation cycle.
- Information may be excluded from deletion only where we must retain it by legal obligation or for legal defense.
8. Your Rights
8.1 Argentina — Law 25.326
- Access, Rectification, Cancellation and Opposition rights (ARCO).
8.2 Mexico — LFPDPPP
ARCO rights under Mexican federal data protection law. Authority: INAI.
8.3 EEA / UK — GDPR / UK GDPR
- Access, rectification, erasure, restriction, portability, objection, consent withdrawal, and the right to lodge a complaint with a supervisory authority.
8.4 California — CCPA / CPRA
Right to know, delete, correct, and opt-out of sale/sharing. We do not sell or share your personal information for cross-context behavioral advertising.
9. Privacy Choices — How to Exercise Your Rights
Email legal@getmyosin.com from the address linked to your account to request access, rectification, deletion, objection, restriction or portability. We respond within a maximum of 30 days (typically within 7). You can delete your account directly in-app: Profile → Settings → Delete Account → Confirm.
10. Children's Privacy
Myosin is not intended for users under 16. We do not knowingly collect data from children under 16. If we discover such data was collected, we will delete it immediately.
11. Disclosure to Authorities
We may disclose personal data when required by applicable law, regulation, judicial process, or valid governmental request, or to protect the rights, property or safety of Myosin, its users or others.
12. Changes to This Policy
We may update this Privacy Policy. For material changes we will notify you at least 30 days in advance via in-app notice, email and an updated “Last Updated” date. Where renewed consent is required, we will request it explicitly before applying the change.
13. Contact
For any question, concern or request related to this Privacy Policy or your personal data: