Dumbly ("we", "us", or "our") is a home dumbbell fitness app that helps you build strength and consistency through structured challenges. We take your privacy seriously. This policy explains exactly what personal data we collect, why we collect it, who we share it with, and the rights you have over it.
1. Who We Are & How to Reach Us
Dumbly is the data controller for the personal data described in this policy.
2. Data We Collect & Why
Account Information
When you create a Dumbly account we collect your email address and a hashed password. You may optionally add a display name and profile photo. We use this data to authenticate you and operate your account.
Legal basis: performance of a contract (your account agreement with us).
Fitness & Health Data
To personalise your training and track your progress we collect:
- Which challenge you are on (30, 60, or 120 days) and your current day
- Exercises completed, sets, reps, and weights used
- Workout duration and rest periods
- Self-reported fitness level, goals, body weight, and height
- Streak history and personal records
Legal basis: performance of a contract. Fitness data that qualifies as health data under GDPR Art. 9 is processed on the basis of your explicit consent (Art. 9(2)(a)).
We never sell your health or fitness data, and we never use it for advertising purposes.
AI Personalisation
Our AI coach analyses your workout history, performance trends, and stated goals to adapt future sessions. This processing uses only your anonymised metrics (age range, fitness level, training history) — it does not involve your name or email address.
Legal basis: explicit consent.
Device & Technical Data
We automatically receive basic device and connection information when you use the app: device type and operating system version, app version, IP address, session timestamps, and crash/error logs. This data is used to keep the app stable and secure.
Legal basis: legitimate interest in maintaining service stability (GDPR Art. 6(1)(f)).
Crash reporting is handled by a third-party service (see Section 5). Crash data contains no health or workout information.
Communications
If you contact us via email or our support form, we store your name, email address, and message content solely to respond to your enquiry.
Legal basis: legitimate interest / contract performance.
3. Push Notifications
With your explicit permission, Dumbly sends push notifications for:
- Daily workout reminders
- Streak milestones and personal records
- Challenge progress updates
You can revoke notification permission at any time in your device's Settings → Notifications → Dumbly. Revoking permission does not affect your account or data.
Legal basis: consent.
4. Payments & Subscriptions
All purchases — Dumbly Pro monthly, annual, or Lifetime — are processed by Apple (App Store). We receive only a transaction confirmation and your subscription tier from Apple. We never see or store your payment card details; these are handled entirely by Apple under their own Privacy Policy.
Legal basis: performance of a contract.
5. Third-Party Service Providers
We work with the following sub-processors. Each has access only to the data necessary for their specific function and is bound by data processing agreements.
| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | App & website hosting, edge network | USA (SCCs) |
| Resend | Transactional email delivery | USA (SCCs) |
| Sanity.io | Content management (exercise library) | USA (SCCs) |
| Apple Inc. | Push notifications, payment processing, App Store distribution | USA (SCCs) |
SCCs = EU Standard Contractual Clauses, ensuring GDPR-compliant data transfers outside the EEA.
6. Data We Do Not Collect
To be explicit about what Dumbly does not do:
- We do not sell your personal data to any third party.
- We do not use your data for advertising or to build advertising profiles.
- We do not share your health or fitness data with advertisers.
- We do not track your location.
- We do not use your camera, microphone, or contacts.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data (email, name) | Until account deletion, then deleted within 30 days |
| Workout & fitness data | Until account deletion, then deleted within 30 days |
| Device & technical logs | Up to 90 days (rolling) |
| Support communications | Until resolution + 2 years (legal defence) |
| Payment records | 7 years (legal / tax obligation) |
You can export your workout history as a CSV at any time before deleting your account. Deletion requests are processed within 30 days.
8. Security
We apply industry-standard measures to protect your data:
- All data is encrypted in transit using TLS 1.2+.
- Passwords are hashed with bcrypt and never stored in plain text.
- Access to production data is restricted to authorised personnel only.
- We conduct regular security reviews of our infrastructure.
No system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to [email protected].
9. Children's Privacy
Dumbly is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If you are a parent or guardian and believe your child has provided us with data, contact [email protected] and we will delete it promptly.
Users aged 13–17 must have parental consent before creating an account.
10. Your Rights
Depending on your location, you have the following rights regarding your personal data. To exercise any of them, contact [email protected]. We will respond within 30 days.
- Access: Request a copy of the personal data we hold about you.
- Correction: Ask us to correct inaccurate or incomplete data.
- Deletion: Request erasure of your account and associated personal data.
- Portability: Receive your workout data in a structured, machine-readable format (CSV).
- Restriction: Ask us to pause processing of your data in certain circumstances.
- Objection: Object to processing based on legitimate interest.
- Withdraw Consent: Where processing relies on consent (e.g. health data, AI personalisation, push notifications), you can withdraw at any time without affecting prior lawful processing.
You also have the right to lodge a complaint with your local data protection authority (e.g. the ICO in the UK, or your national supervisory authority in the EU).
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes we will notify you via email or an in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version. Continued use of Dumbly after changes take effect constitutes acceptance.
12. Contact Us
For any privacy-related question, data request, or complaint: