Privacy Policy

Effective date: 24 May 2026

ViaVia UG (haftungsbeschränkt) (“ViaVia”, “we”, “us”, “our”) operates the Charles mobile application (“Charles”, “the App”). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use Charles.

Charles is an AI-powered strength training application. We take the protection of your personal data seriously and comply with the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and all other applicable data protection laws.


1. Data Controller

The controller responsible for the processing of your personal data is:

ViaVia UG (haftungsbeschränkt)
Marchgrabenplatz 4
80805 München, Germany

Commercial Register: Amtsgericht München, HRB 308987
Managing Director: Klemen Kocic
Email: info@viavia.travel

2. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for ViaVia UG is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18
91522 Ansbach, Germany
Phone: +49 981 180093-0
Email: poststelle@lda.bayern.de
Website: https://www.lda.bayern.de

3. Data We Collect

3.1 Account Data

| Data | Source | Legal Basis |
|---|---|---|
| Email address | Provided by you or via Apple/Google Sign-In | Art. 6(1)(b) GDPR (contract performance) |
| Display name | Apple or Google Sign-In (if available) | Art. 6(1)(b) GDPR (contract performance) |
| Authentication tokens | Generated during sign-in | Art. 6(1)(b) GDPR (contract performance) |

3.2 Fitness Assessment Data

| Data | Source | Legal Basis |
|---|---|---|
| Age range | Provided during onboarding assessment | Art. 6(1)(b) GDPR (contract performance) |
| Training experience and history | Provided during onboarding assessment | Art. 6(1)(b) GDPR (contract performance) |
| Movement capability (squat, hinge, push, pull) | Provided during onboarding assessment | Art. 6(1)(b) GDPR (contract performance) |
| Injury information | Provided during onboarding assessment | Art. 6(1)(b) GDPR (contract performance) |
| Training location and equipment | Provided during onboarding assessment | Art. 6(1)(b) GDPR (contract performance) |
| Training frequency preference | Provided during onboarding assessment | Art. 6(1)(b) GDPR (contract performance) |
| Focus areas (accessory preferences) | Provided during onboarding assessment | Art. 6(1)(b) GDPR (contract performance) |

3.3 Training Data

| Data | Source | Legal Basis |
|---|---|---|
| Training plans generated by Charles | Generated by AI based on your assessment | Art. 6(1)(b) GDPR (contract performance) |
| Workout session logs (exercises, sets, reps, weights, duration) | Recorded by you during workouts | Art. 6(1)(b) GDPR (contract performance) |
| Session feedback and exercise flags | Provided by you after workouts | Art. 6(1)(b) GDPR (contract performance) |
| Exercise preferences (avoid/prefer) | Inferred from your feedback or set by you | Art. 6(1)(b) GDPR (contract performance) |
| Health condition tracking | Derived from session feedback patterns | Art. 6(1)(b) GDPR (contract performance) |

3.4 Subscription Data

| Data | Source | Legal Basis |
|---|---|---|
| Subscription status and plan type | RevenueCat (synced from App Store/Play Store) | Art. 6(1)(b) GDPR (contract performance) |
| Trial start date | Recorded at account creation | Art. 6(1)(b) GDPR (contract performance) |

We do not store or have access to your payment card details. All payment processing is handled by Apple (App Store) or Google (Play Store).

3.5 Technical Data

| Data | Source | Legal Basis |
|---|---|---|
| Device type and operating system | Collected automatically | Art. 6(1)(f) GDPR (legitimate interest: app stability) |
| App version | Collected automatically | Art. 6(1)(f) GDPR (legitimate interest: app stability) |
| Crash reports and stack traces | Firebase Crashlytics | Art. 6(1)(f) GDPR (legitimate interest: app stability) |
| Anonymised usage analytics | PostHog | Art. 6(1)(f) GDPR (legitimate interest: product improvement) |

3.6 Data Not Collected

We do not collect:

  • Precise location data (GPS)
  • Contact lists or address books
  • Photos, videos, or other media from your device
  • Biometric data
  • Advertising identifiers
  • Data from other apps on your device

4. Purpose of Data Processing

We process your personal data for the following purposes:

  1. Providing the service (Art. 6(1)(b) GDPR): Generating personalised training plans based on your assessment, tracking your workout progress, adapting your programme over time, and managing your subscription.

  2. AI-powered plan generation (Art. 6(1)(b) GDPR): Your assessment data and training history are sent to Google Gemini API to generate and refine your training programme. Only the data necessary for plan generation is transmitted. No personally identifiable information (such as your email address or name) is sent to the AI model.

  3. App improvement (Art. 6(1)(f) GDPR): Analysing anonymised usage patterns to improve features and fix issues. Our legitimate interest in providing a stable, high-quality application does not override your fundamental rights and freedoms.

  4. Crash reporting (Art. 6(1)(f) GDPR): Collecting crash reports and performance data to identify and fix bugs. Our legitimate interest in maintaining app stability does not override your fundamental rights and freedoms.

  5. Trial notifications (Art. 6(1)(a) GDPR): Sending local, on-device reminder notifications about your free trial period. These notifications are processed entirely on your device and do not transmit data to our servers.

  6. Legal compliance (Art. 6(1)(c) GDPR): Retaining purchase records as required by German tax law.

5. Third-Party Services (Data Processors)

We use the following third-party services that process personal data on our behalf. We have entered into data processing agreements (Art. 28 GDPR) with each provider.

Supabase (Database, Authentication, Storage)

  • Provider: Supabase Inc., San Francisco, CA, USA
  • Data processed: Account data, assessment data, training data, authentication tokens
  • Purpose: Backend infrastructure, user authentication, data storage, file storage (exercise animations)
  • Data location: EU (Frankfurt, Germany)
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Transfer safeguards: Standard Contractual Clauses (SCCs); EU data region selected
  • Privacy policy: https://supabase.com/privacy

RevenueCat (Subscription Management)

  • Provider: RevenueCat Inc., San Francisco, CA, USA
  • Data processed: App user ID, subscription status, purchase history, device identifiers
  • Purpose: Managing in-app subscriptions across iOS and Android
  • Data location: US
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Transfer safeguards: Standard Contractual Clauses (SCCs)
  • Privacy policy: https://www.revenuecat.com/privacy

Firebase / Crashlytics (Crash Reporting)

  • Provider: Google LLC, Mountain View, CA, USA
  • Data processed: Crash logs, stack traces, device information, app instance ID
  • Purpose: Crash reporting and performance monitoring
  • Data location: US
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest: app stability)
  • Transfer safeguards: Standard Contractual Clauses (SCCs); Google is certified under the EU-US Data Privacy Framework
  • Privacy policy: https://firebase.google.com/support/privacy

PostHog (Product Analytics)

  • Provider: PostHog Inc.
  • Data processed: Anonymised usage events, session data, device type, OS version
  • Purpose: Product analytics to understand feature usage and improve the App
  • Data location: EU
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest: product improvement)
  • Transfer safeguards: EU data region selected
  • Privacy policy: https://posthog.com/privacy

Google Gemini API (AI Training Plan Generation)

  • Provider: Google LLC, Mountain View, CA, USA
  • Data processed: Assessment data (age range, movement capabilities, training history, injury information, equipment, frequency), training session summaries. No personally identifiable information (name, email) is transmitted.
  • Purpose: Generating personalised training plans using AI
  • Data location: US
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Transfer safeguards: Standard Contractual Clauses (SCCs); Google is certified under the EU-US Data Privacy Framework
  • Privacy policy: https://policies.google.com/privacy

Google Sign-In (Authentication)

  • Provider: Google LLC, Mountain View, CA, USA
  • Data processed: Email address, display name (from your Google account)
  • Purpose: User authentication
  • Data location: US
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Transfer safeguards: Standard Contractual Clauses (SCCs); EU-US Data Privacy Framework
  • Privacy policy: https://policies.google.com/privacy

Apple Sign-In (Authentication)

  • Provider: Apple Inc., Cupertino, CA, USA
  • Data processed: Email address (or private relay email), display name (if shared)
  • Purpose: User authentication
  • Data location: US
  • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Transfer safeguards: Standard Contractual Clauses (SCCs); EU-US Data Privacy Framework
  • Privacy policy: https://www.apple.com/legal/privacy/

6. Data Retention

| Data Type | Retention Period | Legal Basis for Retention |
|---|---|---|
| Account data | Until account deletion + 30 days | Account recovery window |
| Assessment data | Until account deletion | Required for service provision |
| Training data (plans, sessions, sets) | Until account deletion | Required for service provision |
| Health conditions and exercise preferences | Until account deletion | Required for service provision |
| Subscription and purchase records | 10 years after transaction | German tax law (§ 147 AO) |
| Crash reports | 90 days | Bug fixing (legitimate interest) |
| Anonymised analytics data | 12 months | Product improvement (legitimate interest) |
| Server logs (IP addresses) | 7 days | Security and abuse prevention (legitimate interest) |

After account deletion: When you delete your account through the App, we permanently delete all your personal data (account data, assessment data, training data, health conditions, exercise preferences) within 30 days. Data subject to legal retention obligations (purchase records) is retained for the legally required period and then deleted. Anonymised data that can no longer be attributed to you may be retained for statistical purposes.

7. Your Rights Under GDPR (Articles 15 to 22)

You have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data, and if so, request a copy of that data along with information about the processing.

  • Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate personal data or the completion of incomplete data.

  • Right to erasure (Art. 17 GDPR): You may request the deletion of your personal data (“right to be forgotten”). You can delete your account directly in the App under Account settings, which triggers immediate deletion of your data (subject to legal retention periods).

  • Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your personal data in certain circumstances (e.g., while we verify the accuracy of contested data).

  • Right to data portability (Art. 20 GDPR): You may request to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transmitted to another controller.

  • Right to object (Art. 21 GDPR): You may object to processing based on legitimate interests (Art. 6(1)(f) GDPR) at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

  • Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

How to exercise your rights: Contact us at info@viavia.travel. We will respond within one month of receiving your request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests (Art. 12(3) GDPR). We will inform you of any such extension within one month.

We will verify your identity before processing any rights request. There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.

8. International Data Transfers

Some of our data processors are based in the United States. We ensure that all transfers of personal data outside the European Economic Area (EEA) are subject to appropriate safeguards:

  • EU Standard Contractual Clauses (SCCs): We have entered into SCCs approved by the European Commission (Decision 2021/914) with all US-based processors.
  • EU-US Data Privacy Framework: Where applicable, we verify that processors are certified under the EU-US Data Privacy Framework (Adequacy Decision of 10 July 2023).
  • EU data regions: Where available, we select EU-based data storage regions (Supabase: Frankfurt; PostHog: EU).
  • Technical measures: All data transfers are encrypted in transit using TLS 1.2 or higher.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data in accordance with Art. 32 GDPR, including:

  • Encryption of all data in transit (TLS 1.2+) and at rest
  • Row-Level Security (RLS) on all database tables, ensuring users can only access their own data
  • Secure authentication via industry-standard providers (Apple Sign-In, Google Sign-In, Supabase Auth)
  • Environment variable isolation for all service credentials (no secrets in client code)
  • Regular review of access controls and principle of least privilege
  • Encrypted database backups with restricted access

10. Children’s Privacy

Charles is not directed at children under 13 years of age. We do not knowingly collect personal data from children under 13. If you are under 13, please do not use the App or provide any personal data.

For users aged 13 to 15: Under the GDPR, the processing of personal data of a child below the age of 16 based on consent requires the consent of the holder of parental responsibility (Art. 8 GDPR). Germany applies an age threshold of 16 for consent-based processing. For processing based on contract performance (Art. 6(1)(b) GDPR), users aged 13 and older may use the App with parental awareness.

If we become aware that we have collected personal data from a child under 13 without appropriate consent, we will delete that data promptly. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at info@viavia.travel.

11. Automated Decision-Making

Charles uses AI (Google Gemini) to generate personalised training plans based on your assessment data. This constitutes automated decision-making within the meaning of Art. 22 GDPR. However, the training plans generated are recommendations only and do not produce legal effects or similarly significantly affect you. You are free to modify exercises within your plan and provide feedback to adjust future recommendations.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the services we offer. We will notify you of material changes through the App or by email before the changes take effect. The effective date at the top of this document indicates the most recent revision.

We recommend reviewing this Privacy Policy periodically. Continued use of the App after changes take effect constitutes your acknowledgement of the updated policy.

13. Contact

For any questions about this Privacy Policy, your personal data, or to exercise your rights:

ViaVia UG (haftungsbeschränkt)
Marchgrabenplatz 4
80805 München, Germany
Email: info@viavia.travel