This Privacy Policy explains how SpineElevate ("we", "us", "our") collects, uses, and protects your personal data when you use our mobile application. We comply with the General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG). Please read this carefully.
1. Controller
The data controller responsible for processing your personal data is:
Finn Strehl
Kaiser-Friedrich-Ring 142
40547 Düsseldorf
Germany
Email: strehldevs@gmail.com
Phone: +49 176 59058049
2. Data We Collect
2.1 Data you provide directly
- Pain areas and pain level — selected during onboarding (stored locally on your device)
- Goals — your selected goals such as flexibility, posture, or pain relief (stored locally)
- Daily habits — sitting hours and exercise frequency from onboarding (stored locally)
- Display name — the name you enter during onboarding (stored locally on your device)
- Notification preferences — time-of-day preference for reminders (stored locally)
2.2 Data collected automatically
- Pseudonymous analytics events — app opens, feature usage, session completions (no names or email addresses attached)
- Subscription status — whether you are on a free or Pro plan (via RevenueCat)
- Device identifiers — pseudonymous identifiers used by analytics and RevenueCat (not linked to your real identity by us)
- Purchase receipts — processed by Google Play and RevenueCat; we do not store card data
2.3 Data we do NOT collect
- Email addresses or phone numbers (no account registration required)
- Location data
- Camera, microphone, or contacts
- Advertising IDs (we do not serve ads)
- Health data synced with external services unless you explicitly enable it
3. How We Use Your Data
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Providing the app's core exercise functionality | Onboarding answers, pain areas, goals | Art. 6(1)(b) — contract performance |
| Generating your personalized exercise plan | Pain level, sitting hours, exercise frequency, daily time | Art. 6(1)(b) — contract performance |
| Subscription management and payment processing | Subscription status, purchase receipts | Art. 6(1)(b) — contract performance |
| Improving the app via pseudonymous analytics | Pseudonymous event data | Art. 6(1)(f) — legitimate interests |
| Push notifications (reminders, if enabled) | Notification token | Art. 6(1)(a) — consent |
| Legal compliance and fraud prevention | Transaction records | Art. 6(1)(c) — legal obligation |
4. Personalized Exercise Plans
Your personalized exercise plan is generated entirely on-device based on the answers you provide during onboarding (pain areas, goals, sitting hours, exercise frequency, and available time). This data is not sent to our servers — it stays on your device and is used solely to configure your routines within the app.
We do not transmit your health or pain data to any third party for the purpose of generating your plan.
5. Third-Party Service Providers
We use the following third-party processors who may receive your data:
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| RevenueCat | Subscription management | Pseudonymous user ID, subscription status, purchase events | revenuecat.com/privacy |
| Google Play | App distribution & payment | Purchase data (handled by Google) | policies.google.com/privacy |
| Expo (Expo Inc.) | Push notification delivery | Notification token (if you enable reminders) | expo.dev/privacy |
All third-party processors are contractually bound to process your data only as instructed and in compliance with GDPR where applicable.
6. International Data Transfers
Some of our service providers (including RevenueCat) are based in the United States. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or reliance on an adequacy decision.
7. Data Retention
- Exercise history and progress — stored only on your device. We cannot access or delete it. You can delete the app at any time to remove all locally stored data.
- Onboarding answers (pain areas, goals, habits) — stored locally on your device only.
- Analytics data — retained by our analytics provider for up to 12 months in pseudonymised form.
- Subscription records — retained by RevenueCat and Google Play per their policies and applicable tax law (typically 7 years for financial records under German law).
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — request a copy of the data we hold about you
- Right to rectification (Art. 16) — request correction of inaccurate data
- Right to erasure (Art. 17) — request deletion of your data ("right to be forgotten")
- Right to restriction (Art. 18) — request that we limit how we process your data
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interests
- Right to withdraw consent (Art. 7(3)) — withdraw any consent at any time (e.g. push notifications can be disabled in your device settings)
To exercise any of these rights, contact us at: strehldevs@gmail.com
We will respond to requests within 30 days. You also have the right to lodge a complaint with a supervisory authority. In Germany, you may contact the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
9. Data Security
We take reasonable technical and organisational measures to protect your data. Exercise data and onboarding answers are stored only on your device. Network transmissions to RevenueCat and other services are made over encrypted HTTPS connections.
However, no method of transmission over the internet is 100% secure. You are responsible for keeping your device secure.
10. Children's Privacy
SpineElevate is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided us with personal data, please contact us at strehldevs@gmail.com and we will take steps to delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the app after changes constitutes acceptance of the updated policy.
12. Contact
For any questions about this Privacy Policy or to exercise your rights, contact:
Finn Strehl
Email: strehldevs@gmail.com
Address: Kaiser-Friedrich-Ring 142, 40547 Düsseldorf, Germany
This policy was written in English. In the event of any conflict between this English version and any translated version, the English version shall prevail.