This Privacy Policy explains what personal data Ironkor collects, how we use it, and how you can control it. Ironkor is operated from Portugal and acts as the data controller for your personal data under the EU General Data Protection Regulation (GDPR).
1. Data we collect
We collect the following categories of data:
- Account data. Email address, display name, and authentication metadata, handled by our identity provider (Clerk).
- Workout data. Routines, sessions, sets, exercises, notes, and any media you attach. This is the data that makes Ironkor useful to you.
- Subscription data. If you subscribe to Hardcore, your subscription status and identifiers are processed by RevenueCat. Payment details are handled by Apple or Google. We do not receive your full card or banking information.
- Diagnostic and analytics data. Aggregate, pseudonymized product-usage events processed by PostHog (screens viewed, features used, crash and performance signals). Analytics events do not contain the contents of your workouts.
- Device and technical data. Device model, operating system, app version, language, and approximate IP-based region. Used to debug issues and ship compatible builds.
2. How we use your data
- To provide the service: sync workouts across your devices, compute progress, surface personal records.
- To keep the service reliable and safe: prevent abuse, debug issues, monitor performance.
- To improve the product: aggregate analytics inform what to build next.
- To communicate with you: essential service messages about your account or billing. Marketing communications only with your consent.
3. Legal bases (GDPR)
We process your personal data on the following legal bases:
- Contract: to provide the service you signed up for.
- Legitimate interest: security, abuse prevention, and aggregate product analytics.
- Consent: marketing communications and any analytics that require it.
- Legal obligation: for example, tax and billing records, and responses to lawful requests.
4. Processors we use
We share data with a small set of processors that operate Ironkor on our behalf:
- Clerk for authentication and account management.
- Convex for backend data storage and real-time sync.
- RevenueCat for subscription management.
- Apple App Store and Google Play for billing and subscription delivery.
- PostHog for product analytics.
We do not sell your personal data, and we do not share it with advertisers or data brokers.
5. International transfers
Some of our processors are based outside the EU and EEA, including in the United States. Where personal data is transferred outside the EEA, we rely on appropriate safeguards, including the European Commission’s Standard Contractual Clauses, and we take additional measures where they are required.
6. Data retention
We keep your data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where we are required to retain it (for example, billing and tax records). Encrypted backups are rotated and purged within 90 days.
7. Your rights
Under the GDPR you have the right to:
- access your personal data;
- correct inaccurate data;
- delete your data;
- export your data (data portability);
- object to or restrict certain processing;
- withdraw consent at any time;
- lodge a complaint with your supervisory authority. In Portugal, this is the Comissão Nacional de Proteção de Dados (CNPD).
You can exercise most of these rights directly in the app, including export and deletion. For other requests, email info@ironkor.com.
8. Children
Ironkor is not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
9. Security
We use industry-standard measures to protect your data, including encryption in transit (TLS), encryption at rest where our processors support it, restricted internal access, and audit logging. No system is perfectly secure. If a breach affecting your personal data occurs, we will notify affected users and the competent supervisory authority as required by law.
10. Changes to this policy
We may update this Privacy Policy as the product evolves. Material changes will be announced in the app or by email at least 30 days before they take effect.
11. Contact
Privacy questions or rights requests? Email info@ironkor.com.