Legal

Privacy Policy

Last updated: 21 March 2026

Contents

  1. Data We Collect
  2. How We Use Your Data
  3. AI Processing
  4. Data Storage & Retention
  5. Data Sharing
  6. Your Rights Under the GDPR
  7. Complaint to the Dutch DPA
  8. Security
  9. Children
  10. Changes to This Policy
  11. Contact & Data Controller

This Privacy Policy describes how Erenay Tozun ("we", "us", or "our"), operator of the Nordyx application, processes your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Dutch implementation thereof (Uitvoeringswet AVG). We are the data controller for the personal data described in this policy.

Section 01

Data We Collect

We collect only what we need to provide the service.

👤
Identity data
Your name, as provided via Apple Sign In — only if you choose to share it with us.
🔑
Authentication tokens
Apple-issued identity tokens and our own session tokens, stored securely in the iOS Keychain on your device.
📱
Device identifier
A randomly generated UUID stored in your device Keychain. Used to enforce the one free plan per device limit. Not linked to your Apple ID or any advertising identifiers.
🏋️
Fitness profile
Information you enter during onboarding: fitness goal, experience level, preferred workout duration, and workouts per week.
📊
Workout data
Exercise names, sets, reps, weights, durations, and dates of workouts you log in the App. Stored locally on your device only using Apple SwiftData — we never have access to this data.
💳
Subscription status
Your subscription tier (Free or Starter), obtained from Apple StoreKit and verified with our backend server.
We do NOT collect:
  • Your Apple ID email address (unless you explicitly choose to share it)
  • Advertising identifiers (IDFA)
  • Analytics SDK data or third-party tracking
  • Your workout history (stored on-device only)

Section 02

How We Use Your Data

We process your personal data only for the following purposes and legal bases under GDPR Art. 6:

Art. 6(1)(b) — Performance of contract
Generating AI workout plans, saving account data, and processing subscription verification so we can deliver the service you signed up for.
Art. 6(1)(b) — Performance of contract
Using your device ID to enforce the one free plan per device limit, which is a core part of the free tier offering.
Art. 6(1)(c) — Legal obligation
Retaining transaction-related data as required by Dutch tax law (Wet op de omzetbelasting / Belastingdienst) — 7-year retention for financial records.
Art. 6(1)(f) — Legitimate interests
Securing the App against abuse and fraud, and maintaining the integrity of our backend infrastructure.

Section 03

AI Processing

Workout plans are generated by sending your fitness profile only (goal, experience level, duration preference, equipment preference) to our own backend server, which in turn uses the OpenAI API. OpenAI acts as a data processor under a Data Processing Agreement.

No other personal data — including your name, email, or workout history — is ever sent to OpenAI.

For OpenAI's data practices, see: openai.com/policies/privacy-policy

Section 04

Data Storage & Retention

📱
Workout history
Stored locally on your device only (Apple SwiftData). Deleted by iOS when you delete the App. We never access this data.
🔑
Authentication tokens
Stored in the iOS Keychain. Deleted when you sign out or delete the App.
☁️
Backend account data
Your fitness profile and subscription status are stored on our EU-based backend server. Retained for 30 days after you stop using the service, then deleted automatically.
📋
Financial records
Retained for 7 years as required by Dutch law (Belastingdienst). These records do not include personally identifiable workout data.

To request deletion of your backend data before the 30-day window, contact us using the details in Section 11.

Section 05

Data Sharing

We do not sell your personal data. We share data only with the following parties, and only to the extent necessary:

Apple Inc.
For App Store subscription management and Sign In with Apple. Apple's privacy policy applies: apple.com/legal/privacy
🤖
OpenAI LLC
Your fitness profile only (goal, experience, schedule), as described in Section 3. OpenAI is our data processor under a Data Processing Agreement.
🖥️
Backend hosting provider
Your account data is stored on servers located within the European Economic Area (EEA). We use only providers offering adequate GDPR-compliant data protection guarantees.

We will disclose your data to authorities only if required by applicable law.

Section 06

Your Rights Under the GDPR

As a data subject in the EU, you have the following rights. To exercise any of them, contact us at the address in Section 11. We will respond within 30 days. No charge is made for reasonable requests.

Right of access
Art. 15 GDPR
Request a copy of the personal data we hold about you.
Right to rectification
Art. 16 GDPR
Request correction of inaccurate or incomplete data.
Right to erasure
Art. 17 GDPR
Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.
Right to restriction
Art. 18 GDPR
Request that we restrict processing of your data in certain circumstances.
Right to portability
Art. 20 GDPR
Receive your data in a structured, machine-readable format.
Right to object
Art. 21 GDPR
Object to processing based on legitimate interests.

Section 07

Complaint to the Dutch DPA

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens
Postbus 93374, 2509 AJ Den Haag
autoriteitpersoonsgegevens.nl
Tel: 0900 – 2001 201

Section 08

Security

We implement appropriate technical and organisational measures to protect your personal data:

🔒
HTTPS encryption
All data in transit between the app and our backend is encrypted using TLS.
🗝️
iOS Keychain
Authentication tokens and your device UUID are stored in the iOS Keychain, not in UserDefaults or plain storage.
🛡️
Backend security
Credentials are hashed on our backend. Access is protected by JWT-based authentication and rate limiting.

No system is completely secure. You use the App at your own risk.

Section 09

Children

The App is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately using the details in Section 11.

Section 10

Changes to This Policy

We may update this Privacy Policy as the App evolves. If changes are material, we will notify you via a notice in the App. The date at the top of this document reflects the most recent update. Continued use after the effective date constitutes acceptance.

Section 11

Contact & Data Controller

Data controller:
Erenay Tozun
The Netherlands
[email protected]

For privacy-related requests, include "Privacy Request" in your subject line so we can respond promptly.