Privacy Policy
Last updated: June 10, 2026
The short version: We only collect the data we need to run the Repz website and app and to build your training plan. Your fitness data is sensitive, so we process it only with your explicit consent. We do not sell your personal data, and we never send it to third-party AI providers. Your training plans come from our own machine-learning engine. On the website, analytics and advertising tools load only after you accept them in the cookie banner. You can delete your account and data whenever you want. Reach us at admin@repz.app with any questions.
Data Processors at a Glance
The tables below summarize every third-party service that processes personal data on our behalf. Full details, legal bases, and transfer safeguards for each are described in sections 3, 5, 8, and 9. The consent-based analysis and advertising tools on the website (Google, Meta, TikTok, Reddit) are covered separately in section 7.
Repz Mobile App
| Vendor | Purpose | Data typically processed | Location |
|---|---|---|---|
| Supabase | Authentication, database, storage, edge functions | Email, name, profile and training data, workout logs, push tokens | EU (Frankfurt, eu-central-1) |
| Expo (EAS) | App updates (OTA) and builds | Device identifier, app version, update channel | US |
| Sentry | Crash and error reporting | Device model, OS, crash stack traces, breadcrumbs, optional user ID | EU (Frankfurt) |
| RevenueCat | Subscription management | App user ID, purchase receipts, subscription state | US |
| Apple | Apple Sign-In, in-app purchases, push (APNs), App Store distribution | Apple ID email/name, purchase receipts, APNs token | US / Ireland (EU operator) |
| Google (Firebase) | Google Sign-In, Play Billing, push (FCM), Play Store distribution | Google account email/name, purchase receipts, FCM token | US / Ireland (EU operator) |
| GitHub | Server-side background jobs | Server-side only; no end-user personal data | US |
Repz Website (repz.app)
| Vendor | Purpose | Data typically processed | Location |
|---|---|---|---|
| Vercel | Hosting and serverless functions | IP address, request logs (standard CDN logs) | US / global edge |
| Supabase | Waitlist and early-access signups, published content | Email, name, signup metadata | EU (Frankfurt) — same project as the app |
| Resend | Transactional and lifecycle emails | Email address, name, message contents | US |
| Upstash (Redis) | API rate limiting | IP address (short TTL only) | EU / global (region-configurable) |
| Stripe | Payment processing | Name, billing details, payment data (held by Stripe) | EU (Ireland) / US |
1. An Overview of Data Protection
General Information
The following information provides an easy-to-navigate overview of what happens with your personal data when you visit this website (repz.app) or use the Repz mobile app for iOS and Android. The term “personal data” comprises all data that can be used to personally identify you. This single privacy policy covers both the website and the mobile app; sections that apply only to one of the two are marked accordingly. For detailed information, please consult the full declaration below.
Data Recording on This Website and in the App
Who is the responsible party for the recording of data (i.e., the “controller”)?
Data is processed by the operator of the website and the app. The operator’s contact information can be found in the section “Information about the responsible party” in this privacy policy.
How do we record your data?
We collect data that you share with us yourself — for example, when you join the waitlist, create an account, complete a fitness assessment, log workouts or race results, or contact us. Other data is recorded automatically by our IT systems, or after you consent to its recording, when you visit the website or use the app. This comprises primarily technical information (e.g., web browser or device model, operating system, time of access).
What are the purposes we use your data for?
A portion of the information is generated to guarantee the error-free provision of the website and the app. Other data is used to deliver the core service — personalized training plans, workout recommendations, and HYROX-specific performance tracking — and, with your consent, to analyze usage patterns and measure advertising.
What rights do you have as far as your information is concerned?
You have the right to receive information about the source, recipients, and purposes of your archived personal data at any time without having to pay a fee for such disclosures. You also have the right to demand that your data be rectified or eradicated. If you have consented to data processing, you can revoke this consent at any time with effect for all future processing. Moreover, you have the right to demand that the processing of your data be restricted under certain circumstances, and the right to lodge a complaint with the competent supervisory agency. Please do not hesitate to contact us at any time about these or any other data protection questions.
Analysis Tools and Tools Provided by Third Parties
When you visit this website, your browsing patterns may be statistically analyzed — but only after you have consented via the cookie banner. Such analyses are performed primarily with the analysis and advertising tools described in section 7 of this policy.
2. Responsible Party and Legal Framework
Information About the Responsible Party (the “Controller”)
The data processing controller for the website and the app is:
Zenon Technologies AG
Hinterbergstrasse 16
6312 Cham
Switzerland
Email: admin@repz.app
The controller is the natural person or legal entity that single-handedly or jointly with others makes decisions as to the purposes of and resources for the processing of personal data (e.g., names, email addresses, etc.).
We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).
Storage Duration
Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for which it was collected no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g., retention periods under tax or commercial law); in the latter case, deletion takes place after these reasons cease to apply.
The following specific retention periods apply:
- Account, profile and training data: for as long as your account is active; deleted when you delete your account (subject to statutory retention obligations).
- Error events and Session Replay recordings (Sentry): up to 90 days, then automatically deleted.
- Rate-limiting data (IP addresses, Upstash): short-lived only (short TTL), deleted automatically.
- Email sending logs: for the duration of the early-access / customer relationship, to honor your unsubscribe status permanently.
- Billing and tax-relevant records: up to 10 years under statutory retention obligations.
- Backups: deleted data may persist in routine backups for a limited period before being purged on rotation.
- Cookie consent choice: stored for one year.
General Information on the Legal Basis for Data Processing
If you have consented to data processing, we process your personal data on the basis of Art. 6(1)(a) GDPR, or Art. 9(2)(a) GDPR if special categories of data are processed according to Art. 9(1) GDPR. In the case of explicit consent to the transfer of personal data to third countries, processing is also based on Art. 49(1)(a) GDPR. If you have consented to the storage of cookies or to the access to information in your end device, the data processing is additionally based on § 25(1) TDDDG. Consent can be revoked at any time. If your data is required for the fulfillment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art. 6(1)(b) GDPR. Furthermore, if your data is required for the fulfillment of a legal obligation, we process it on the basis of Art. 6(1)(c) GDPR. Data processing may also be carried out on the basis of our legitimate interest according to Art. 6(1)(f) GDPR. Information on the relevant legal basis in each individual case is provided in the following paragraphs of this privacy policy.
Special Categories of Personal Data (Fitness and Health Data)
Fitness and health-related data — such as your fitness assessment, workout logs, race results, and physiological metrics — can constitute a special category of personal data within the meaning of Art. 9(1) GDPR. We process this data exclusively to provide the training features you request, on the basis of your explicit consent (Art. 9(2)(a) GDPR), which you give when you create your account and provide this data. You can revoke this consent at any time with effect for the future — the simplest way is to delete the relevant data or your account in the app. We never use your fitness and health data for advertising or marketing purposes, and we do not share it with third parties except with the processors named in this policy who need it to provide the service on our behalf.
We Do Not Sell Your Personal Data
We do not sell your personal data, and we do not share your fitness or health data with data brokers or advertisers under any circumstances.
Recipients of Personal Data
In the scope of our business activities, we cooperate with various external parties. In some cases, this also requires the transfer of personal data to these external parties. We only disclose personal data to external parties if this is required as part of the fulfillment of a contract, if we are legally obligated to do so, if we have a legitimate interest in the disclosure pursuant to Art. 6(1)(f) GDPR, or if another legal basis permits the disclosure. When using processors, we only disclose personal data on the basis of a valid data processing agreement (DPA). The specific service providers we use for the website and the app are listed in the relevant sections of this policy.
Data Transfer to Third Countries
Some of the tools we use are provided by companies located in the United States or other countries outside the EU/EEA and Switzerland. If these tools are active, your personal data may be transferred to and processed in these countries. Where a provider is certified under the EU–US Data Privacy Framework (DPF), the transfer is based on that certification; otherwise, transfers are based on the Standard Contractual Clauses (SCC) of the European Commission or comparable safeguards. Details, including links to the relevant certifications, can be found in the sections on the individual tools below.
Revocation of Your Consent to the Processing of Data
A wide range of data processing transactions are possible only subject to your express consent. You can revoke any consent you have already given us at any time — on the website via the “Cookie Settings” link in the footer, and in the app via the privacy settings. This shall be without prejudice to the lawfulness of any data processing that occurred prior to your revocation.
Right to Object to the Collection of Data in Special Cases; Right to Object to Direct Advertising (Art. 21 GDPR)
In the event that data is processed on the basis of Art. 6(1)(e) or (f) GDPR, you have the right to object at any time to the processing of your personal data based on grounds arising from your unique situation. This also applies to any profiling based on these provisions. If you object, we will no longer process your affected personal data unless we can present compelling, protection-worthy grounds for the processing that outweigh your interests, rights and freedoms, or if the processing serves the claiming, exercising or defence of legal entitlements (objection pursuant to Art. 21(1) GDPR).
If your personal data is processed for direct advertising, you have the right to object at any time to the processing of your personal data for the purposes of such advertising. This also applies to profiling affiliated with such direct advertising. If you object, your personal data will subsequently no longer be used for direct advertising purposes (objection pursuant to Art. 21(2) GDPR).
Right to Lodge a Complaint with the Competent Supervisory Agency
In the event of violations of the GDPR, data subjects are entitled to lodge a complaint with a supervisory agency, in particular in the member state where they usually maintain their domicile or place of work, or at the place where the alleged violation occurred. This right exists regardless of any other administrative or court proceedings available as legal recourses. In Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC).
Right to Data Portability
You have the right to have data that we process automatically on the basis of your consent or in fulfillment of a contract handed over to you or to a third party in a common, machine-readable format. If you demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.
Information About, Rectification and Eradication of Data
Within the scope of the applicable statutory provisions, you have the right to demand information about your archived personal data, its source and recipients, as well as the purpose of the processing of your data at any time. You may also have a right to have your data rectified or eradicated. You can delete your Repz account and the associated personal data at any time directly in the app or via repz.app/delete-account. For any other questions about personal data, please contact us at any time.
Right to Demand Processing Restrictions
You have the right to demand the imposition of restrictions as far as the processing of your personal data is concerned. To do so, you may contact us at any time. The right to demand restriction of processing applies in the following cases:
- If you dispute the correctness of your data archived by us, we will usually need some time to verify this claim. During the ongoing investigation, you have the right to demand that we restrict the processing of your personal data.
- If the processing of your personal data was or is conducted in an unlawful manner, you may demand the restriction of processing instead of the eradication of this data.
- If we no longer need your personal data but you need it to exercise, defend or claim legal entitlements, you have the right to demand restriction instead of eradication.
- If you have raised an objection pursuant to Art. 21(1) GDPR, your rights and our rights will have to be weighed against each other. As long as it has not been determined whose interests prevail, you may demand a restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data — with the exception of its archiving — may be processed only subject to your consent, or to claim, exercise or defend legal entitlements, or to protect the rights of other natural persons or legal entities, or for important public interest reasons cited by the European Union or a member state of the EU.
How to Exercise Your Rights
To exercise any of the rights described in this policy, email us at admin@repz.app and describe the right you wish to exercise (e.g., “access request” or “deletion request”). Exercising your rights is free of charge. Before responding, we will take reasonable steps to verify your identity, typically by confirming that you control the email address associated with your account. We respond within one month of receiving your request; where a request is particularly complex, this period may be extended by up to two further months, in which case we will inform you of the extension and the reasons for it. You will never be discriminated against or otherwise disadvantaged for exercising any of your rights.
Children’s Privacy
Our website and app are not directed at children under the age of 16, and we do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at admin@repz.app and we will delete it promptly.
Data Security
We implement technical and organizational measures designed to protect your personal data, including:
- Encryption in transit (SSL/TLS) for all connections to the website, the app, and our APIs — on the website, you can recognize an encrypted connection by the “https://” prefix and the lock icon in the browser line;
- Encryption at rest for data stored in our database infrastructure;
- Access controls and the least-privilege principle for our personnel — personal data is accessed only on a need-to-know basis;
- Row-level security policies on our database, so users can only access their own data;
- Regular backups to protect against data loss;
- Data minimization — we collect only the data we need to provide the service.
No system is perfectly secure; we cannot guarantee absolute security.
Notification of Data Breaches
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority without undue delay and, where required, within 72 hours of becoming aware of it (Art. 33 GDPR; Art. 24 Swiss FADP). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Art. 34 GDPR).
3. Hosting and Infrastructure (Website)
This website is hosted externally. Personal data collected on this website is stored on the servers of our hosting and infrastructure providers. This may include IP addresses, contact requests, metadata and communications, contract information, contact information, names, web page access, and other data generated through a website. External hosting serves the purpose of fulfilling the contract with our potential and existing customers (Art. 6(1)(b) GDPR) and is in the interest of a secure, fast, and efficient provision of our online services by professional providers (Art. 6(1)(f) GDPR). We have concluded data processing agreements (DPA) with the providers listed below.
Vercel
Hosting and serverless functions for the website are provided by Vercel Inc., 440 N Barranca Avenue #4133, Covina, CA 91723, USA. Vercel processes IP addresses and standard request logs (CDN logs) on a global edge network. Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission.
Supabase
Our database and backend infrastructure is provided by Supabase Inc. Data is stored on servers in the European Union (Frankfurt, Germany — AWS region eu-central-1). On the website, Supabase processes waitlist and early-access signups (email address, name, signup metadata) and serves published content. The same Supabase project also powers the mobile app (see section 8).
Upstash
We use Upstash, Inc. (Redis) for rate limiting of our API endpoints to protect them against abuse. For this purpose, your IP address is processed and stored for a short period only (short TTL), after which it is automatically deleted. The legal basis is our legitimate interest in the secure and stable operation of our services (Art. 6(1)(f) GDPR).
4. Recording of Data on This Website
Cookies and Consent
Our website uses “cookies.” Cookies are small data packages that do not cause any damage to your device. They are either stored temporarily for the duration of a session (session cookies) or permanently archived on your device (permanent cookies). Session cookies are automatically deleted once you terminate your visit. Permanent cookies remain archived on your device until you actively delete them or they are automatically eradicated by your web browser.
Cookies that are required for the performance of electronic communication transactions, for the provision of certain functions you want to use (e.g., login), or for the optimization of the website are stored on the basis of Art. 6(1)(f) GDPR, unless a different legal basis is cited. The website operator has a legitimate interest in the storage of required cookies to ensure the technically error-free and optimized provision of its services. If your consent to the storage of cookies and similar recognition technologies has been requested, processing occurs exclusively on the basis of the consent obtained (Art. 6(1)(a) GDPR and § 25(1) TDDDG); this consent may be revoked at any time.
When you first visit this website, a cookie consent banner asks whether you accept or reject non-essential cookies and tracking technologies. Your choice is stored in a cookie (repz_consent) and in your browser’s local storage for one year. No analytics or marketing scripts are loaded unless you actively consent. You can change your preference at any time via the “Cookie Settings” link in the website footer.
Waitlist and Early Access Signup
If you join the waitlist or sign up for early access on this website, we store the information you enter (email address, name if provided, and signup metadata such as time of signup and the page you signed up from) in order to manage your place on the waitlist and to send you the emails described in section 5. The legal basis is the implementation of pre-contractual measures at your request (Art. 6(1)(b) GDPR).
Contact and Feedback Forms
If you submit inquiries or feedback to us via a form on this website, the information provided, as well as any contact information provided therein, will be stored by us in order to handle your inquiry and in the event that we have further questions. We will not share this information without your consent. Processing is based on Art. 6(1)(b) GDPR if your request is related to the execution of a contract or pre-contractual measures. In all other cases, processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6(1)(f) GDPR) or on your consent (Art. 6(1)(a) GDPR) if requested; consent can be revoked at any time. The information remains with us until you ask us to delete it, revoke your consent, or the purpose for the storage no longer exists. Mandatory statutory provisions — in particular retention periods — remain unaffected.
Request by Email
If you contact us by email, your request, including all resulting personal data (name, request), will be stored and processed by us for the purpose of handling your request. We do not pass this data on without your consent. The legal bases are the same as for the contact form above.
5. Email Communications
Transactional and Lifecycle Emails (Resend)
We send emails related to your waitlist signup, early access participation, and use of the service — for example, a signup confirmation, your access invitation, onboarding guidance, and occasional requests for product feedback. For sending these emails, we use Resend, Inc., a US email delivery provider (Delaware, USA). Resend processes your email address, name, and the message contents on our behalf. We have concluded a data processing agreement (DPA) with Resend; data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission.
Emails that are necessary to deliver the service you requested (e.g., signup confirmation, access invitation) are sent on the basis of Art. 6(1)(b) GDPR. All other emails (e.g., onboarding tips, feedback requests, product updates) are sent on the basis of our legitimate interest in supporting and improving the early-access program (Art. 6(1)(f) GDPR).
Unsubscribe: Every non-essential email contains an unsubscribe link, and we support the one-click unsubscribe function of common email providers. If you unsubscribe, we stop sending you all non-essential emails; strictly transactional messages (e.g., confirming your own signup) are not affected. We record your unsubscribe status so that we can honor it permanently.
6. Hosting-Independent Recording of Data: Server Operations
Some background jobs (e.g., scheduled maintenance tasks) run on GitHub Actions, a service of GitHub, Inc. (USA). These jobs operate exclusively server-side on our own systems and infrastructure credentials; no end-user personal data flows through GitHub.
7. Analysis Tools and Advertising (Website)
This website uses the following analysis and marketing tools. They are only activated after you give consent via the cookie banner; no data is transmitted to these providers until you click “Accept All.” You may revoke your consent at any time via the “Cookie Settings” link in the footer.
Google Tag Manager
We use the Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The Google Tag Manager is a tool that allows us to integrate tracking or statistical tools and other technologies on our website. The Google Tag Manager itself does not create any user profiles, does not store cookies, and does not carry out any independent analyses. It only manages and runs the tools integrated via it. However, the Google Tag Manager does collect your IP address, which may also be transferred to Google’s parent company in the United States. Use is based on your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). Google is certified in accordance with the EU–US Data Privacy Framework (DPF); for more information see https://www.dataprivacyframework.gov/participant/5780.
Google Analytics 4
This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics enables us to analyze the behavior patterns of website visitors. To that end, we receive a variety of user data, such as pages accessed, time spent on the page, the utilized operating system, and the user’s origin. This data is assigned to the respective end device of the user; an assignment to a user ID does not take place. Google Analytics uses technologies that make the recognition of the user possible for the purpose of analyzing user behavior patterns (e.g., cookies or device fingerprinting). The website use information recorded by Google is, as a rule, transferred to a Google server in the United States, where it is stored.
IP anonymization is active: your IP address will be truncated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. The full IP address will be transmitted to one of Google’s servers in the United States and truncated there only in exceptional cases. The IP address transmitted in conjunction with Google Analytics from your browser shall not be merged with other data in Google’s possession.
The use of this service occurs on the basis of your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission (details). Google is certified in accordance with the EU–US Data Privacy Framework (DPF). You can prevent the recording and processing of your data by Google by installing the browser plugin available at https://tools.google.com/dlpage/gaoptout. For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration.
Google Ads and Google Conversion Tracking
The website operator uses Google Ads, an online promotional program of Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads enables us to display ads in the Google search engine or on third-party websites if the user enters certain search terms into Google (keyword targeting). It is also possible to place targeted ads based on the user data Google has in its possession (e.g., location data and interests; target group targeting). As the website operator, we can analyze this data quantitatively, for instance by analyzing which search terms resulted in the display of our ads and how many ads led to clicks.
This website also uses Google Conversion Tracking. With its assistance, we can recognize whether the user has completed certain actions — for instance, how frequently certain buttons on our website have been clicked or which signups were completed after clicking an ad. We learn how many users have clicked on our ads and which actions they have completed; we do not receive any information that would allow us to personally identify the users. Google itself uses cookies or comparable recognition technologies for identification purposes.
The use of these services occurs on the basis of your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission (details). Google is certified in accordance with the EU–US Data Privacy Framework (DPF); see https://www.dataprivacyframework.gov/participant/5780.
Google Ads Remarketing
This website uses the functions of Google Ads Remarketing. With Google Ads Remarketing, we can assign people who interact with our online offering to specific target groups in order to subsequently display interest-based advertising to them in the Google advertising network (remarketing or retargeting). Moreover, the advertising target groups generated with Google Ads Remarketing can be linked to device-encompassing functions of Google, so that interest-based advertising can be displayed across your devices. If you have a Google account, you can object to personalized advertising at https://adssettings.google.com. The use of this service occurs on the basis of your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). Further information can be found in Google’s Data Privacy Policies.
Meta Pixel (formerly Facebook Pixel)
To measure conversion rates, this website uses the visitor activity pixel of Meta. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. According to Meta’s statement, the collected data is also transferred to the USA and other third-party countries. This tool allows the tracking of page visitors after they have been directed to our website by clicking on a Meta ad. This makes it possible to analyze the effectiveness of Meta ads for statistical and market research purposes and to optimize future advertising campaigns.
For us as the operator of this website, the collected data is anonymous; we are not in a position to draw any conclusions as to the identity of users. However, Meta archives and processes the information, so that a connection to the respective user profile is possible and Meta is in a position to use the data for its own promotional purposes in compliance with the Meta Data Usage Policy. We as the operator have no control over the use of such data.
The use of this service occurs on the basis of your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). Insofar as personal data is collected on our website with the help of this tool and forwarded to Meta, we and Meta Platforms Ireland Limited are jointly responsible for this data processing (Art. 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its forwarding to Meta; the processing by Meta that takes place after the onward transfer is not part of the joint responsibility. The obligations incumbent on us have been set out in a joint processing agreement. You can assert data subject rights regarding data processed by Meta directly with Meta; if you assert them with us, we are obliged to forward them to Meta.
Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission (details). Meta is certified in accordance with the EU–US Data Privacy Framework (DPF); see https://www.dataprivacyframework.gov/participant/4452. You can deactivate the remarketing function “Custom Audiences” in the ad settings (login required). If you do not have a Facebook or Instagram account, you can deactivate user-based advertising by Meta on the website of the European Interactive Digital Advertising Alliance: https://www.youronlinechoices.com.
Meta Conversion API
We have integrated the Meta Conversion API into this website. The provider is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. The Meta Conversion API enables us to record the interactions of our website visitors with our website server-side and to share this information with Meta to improve advertising performance. For this purpose, in particular the time you accessed the site, the page you accessed, your IP address and your user agent, as well as, if applicable, other specific data are tracked (complete overview of tracked data). The use of this service occurs on the basis of your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). The joint-responsibility arrangement, data transfer safeguards, DPF certification, and opt-out options described in the Meta Pixel section above apply equally to the Meta Conversion API.
Meta Custom Audiences
We use Meta Custom Audiences. The provider is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Whenever you visit or use our website, transfer data to us, or interact with the Facebook or Instagram content of our company, related personal data may be recorded. In the event that you have given us your consent to the use of Meta Custom Audiences, we will share this data with Meta to enable Meta to display compatible ads to you. This data may also be used to define target audiences (Lookalike Audiences). Meta processes this data as our processor; for details, please consult the Meta Custom Audiences terms and the Meta data processing terms. The use of this service occurs on the basis of your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG). Meta is certified in accordance with the EU–US Data Privacy Framework (DPF).
Reddit Pixel (Reddit Ads)
We have integrated the Reddit Pixel on this website. The provider is Reddit, Inc., 303 2nd Street, Suite 500, San Francisco, CA 94107, USA; for users in the EEA, the United Kingdom, and Switzerland, the responsible entity is Reddit Ireland Limited, Dublin, Ireland (“Reddit”). With the help of the Reddit Pixel, we can measure the effectiveness of our advertising on Reddit — for example, whether a visitor who clicked on one of our Reddit ads subsequently signed up — and display interest-based advertisements on Reddit to visitors of our website (retargeting). For this purpose, usage data such as your IP address, device and browser information, pages visited, triggered events (e.g., signups), and information about the Reddit ad you clicked on is processed and may be assigned to your Reddit account or device.
The use of this tool is based on your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG); consent can be revoked at any time via the “Cookie Settings” link in the footer. Data may be transferred to the United States; such transfers are based on the Standard Contractual Clauses (SCC) of the European Commission. Further information can be found in the Reddit Privacy Policy and the Reddit advertising policies. You can object to personalized advertising in your Reddit account settings under “Privacy”.
TikTok Pixel
We have integrated the TikTok Pixel on this website. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”). With the help of the TikTok Pixel, we can display interest-based advertisements on TikTok to website visitors who have viewed our offers (TikTok Ads), and determine how effective our advertising on TikTok is for statistical and market research purposes. For this purpose, various usage data is processed, such as IP address, page views, time spent, operating system used, origin of the user, information about the ad on which a person clicked on TikTok, and triggered events (timestamps). This data is summarized in a user ID and assigned to the respective end device of the website visitor.
The use of this tool is based on your consent (Art. 6(1)(a) GDPR and § 25(1) TDDDG); consent can be revoked at any time. Data transfer to third-party countries is based on the Standard Contractual Clauses of the EU Commission; details can be found in the TikTok privacy policy and the TikTok controller-to-controller terms.
8. The Repz Mobile App
This section applies to the Repz mobile app for iOS and Android (application identifier com.roxbase.app), distributed via the Apple App Store and Google Play Store.
Account, Authentication and Training Data (Supabase)
When you create a Repz account and use the app, the following data is processed and stored in our backend, provided by Supabase Inc. on servers in the European Union (Frankfurt, Germany — AWS region eu-central-1):
- Personal identification information (name, email address)
- Profile and fitness assessment data you provide (e.g., fitness level, running pace, strength capabilities)
- HYROX race results, splits, and performance data you enter
- Workout logs, training history, and progress tracking
- Training preferences (available training days, equipment access, scheduling constraints)
- Goal information (target race times, goal events, performance objectives)
- Push notification tokens (see below)
We use this data to provide and maintain the training service, create personalized training plans based on your fitness level and goals, track progress and adjust workouts, analyze performance and identify improvement areas, provide benchmark comparisons and performance insights, improve the service and develop new features, and communicate with you about your training and service updates. Processing is based on Art. 6(1)(b) GDPR (contract fulfillment) and Art. 6(1)(f) GDPR (legitimate interest in providing effective training services); for fitness and health-related data, processing is additionally based on your explicit consent (Art. 9(2)(a) GDPR — see section 2).
Automated Processing and the Algorithmic Training Engine
Your training plans, workout adjustments, projected race times, and benchmark comparisons are generated by our own algorithmic machine-learning engine, which processes the training and profile data described above. This processing runs entirely on our own infrastructure; your personal data is not sent to any third-party AI provider (such as large-language-model services), and no generative AI is involved in producing your training plan.
This automated processing does not produce decisions that have legal or similarly significant effects on you within the meaning of Art. 22 GDPR. Training recommendations are informational — you remain free to follow, modify, or ignore any recommendation at any time. Where we improve our models across users, we use only aggregated or de-identified data that no longer identifies you.
Sign in with Apple and Google Sign-In
You can optionally sign in to the app using Sign in with Apple (Apple Inc. / Apple Distribution International Ltd., Ireland) or Google Sign-In (Google Ireland Limited / Google LLC, USA). In this case, the respective provider transmits your name and email address (or an Apple private relay address) to us to create your account. Processing is based on Art. 6(1)(b) GDPR. The providers’ own processing is governed by their privacy policies (Apple, Google).
Push Notifications (APNs and FCM)
If you enable push notifications, we send them via the Apple Push Notification service (APNs, Apple) on iOS and Firebase Cloud Messaging (FCM, Google) on Android. For this purpose, a device-specific push token is processed and stored with your account. Notifications are only sent after you grant the corresponding permission in the operating system, and you can disable them at any time in your device settings. Legal basis: Art. 6(1)(a) GDPR (your consent given via the OS permission). Apple and Google are certified under the EU–US Data Privacy Framework.
App Updates (Expo / EAS)
The app uses Expo Application Services (EAS) by 650 Industries, Inc., Palo Alto, CA, USA, to deliver over-the-air updates of the app’s code. When checking for updates, a device identifier, the app version, and the update channel are processed. This is necessary to keep the app functional and up to date. Legal basis: Art. 6(1)(b) GDPR and our legitimate interest in the secure and current provision of the app (Art. 6(1)(f) GDPR). Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission.
Crash and Error Reporting (Sentry)
The Repz mobile app uses Sentry, an error tracking and diagnostics service operated by Functional Software, Inc. (d/b/a Sentry), 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA. Our Sentry projects are hosted on Sentry’s EU infrastructure (currently Frankfurt, Germany, per Sentry’s published regions).
What is processed. When the mobile app encounters an error, Sentry receives the error message and stack trace, a truncated IP address, device and operating system information, a short list of your recent actions in the app leading up to the error (breadcrumbs), and your account ID if you are signed in. We have configured Sentry not to collect your full IP address.
Legal basis. Processing for error monitoring is necessary for our legitimate interest in operating a stable and secure service (Art. 6(1)(f) GDPR; Art. 31(1)(c) Swiss FADP). You may object to this processing at any time by contacting admin@repz.app.
Session Replay (consent-based, in-app). With your prior consent given inside the Repz mobile app, we additionally activate Sentry’s Session Replay feature, which records a privacy-filtered visual playback of your in-app interactions to help us reproduce errors. Text inputs are masked by default, and elements we mark as sensitive are blocked from recording. Session Replay is only activated if you explicitly accept the in-app prompt. Legal basis: Art. 6(1)(a) GDPR (your consent). You can revoke consent at any time in the app’s privacy settings.
Data location and transfers. Event data is stored on Sentry’s EU infrastructure (currently Frankfurt, Germany). Sentry’s parent company is in the United States; we have signed a Data Processing Agreement (DPA) with Sentry under Art. 28 GDPR.
Storage period. Error events and Session Replay recordings are retained for the period configured in our Sentry project (up to 90 days) and then automatically deleted.
Subscriptions and In-App Purchases (RevenueCat, Apple, Google)
Paid subscriptions in the app are purchased through Apple In-App Purchase (iOS) or Google Play Billing (Android). The payment itself is processed entirely by Apple or Google under their own terms and privacy policies; we do not receive your payment details (e.g., credit card numbers).
To manage subscription entitlements across platforms, we use RevenueCat, Inc., San Francisco, CA, USA. RevenueCat processes a pseudonymous app user ID, purchase receipts, and the subscription state on our behalf. We have concluded a data processing agreement (DPA) with RevenueCat; data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Legal basis: Art. 6(1)(b) GDPR (fulfillment of the subscription contract).
App Store and Play Store
When you download the app, the Apple App Store (Apple Distribution International Ltd., Ireland) or Google Play Store (Google Ireland Limited) processes data such as your account name, email address, device identifiers, and the time of download under their own responsibility. We have no control over this processing; please consult the privacy policies of Apple and Google.
Account Deletion
You can delete your account and all associated personal data at any time directly in the app (Settings → Delete Account) or via repz.app/delete-account. After deletion, your data is removed from our systems unless statutory retention obligations require otherwise.
9. eCommerce and Payment Service Providers (Website)
Payment Services
We integrate payment services of third-party companies on our website. When you make a purchase from us, your payment data (e.g., name, payment amount, bank account details, credit card number) is processed by the payment service provider for the purpose of payment processing. For these transactions, the respective contractual and data protection provisions of the respective providers apply. The use of the payment service providers is based on Art. 6(1)(b) GDPR (contract processing) and in the interest of a smooth, convenient, and secure payment transaction (Art. 6(1)(f) GDPR). Insofar as your consent is requested for certain actions, Art. 6(1)(a) GDPR is the legal basis for data processing; consent may be revoked at any time for the future.
Stripe
The provider for customers within the EU is Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland (“Stripe”). Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found in Stripe’s Privacy Policy and Stripe’s GDPR guide.
10. Medical Disclaimer
The training plans and fitness advice provided by Repz are for informational purposes only. Always consult with a qualified healthcare professional before starting any new exercise program. The company is not responsible for injuries or health issues from following training recommendations.
11. Changes to This Privacy Policy
We reserve the right to modify this privacy policy at any time. Material changes are communicated via email or through the service. Continued use constitutes acknowledgment of modifications.
12. Contact Us
For privacy policy questions, contact:
Zenon Technologies AG
Hinterbergstrasse 16
6312 Cham
Switzerland
Email: admin@repz.app