Privacy Policy
Last Updated: February 25, 2026
1. Introduction
Ascend Beyond ApS ("we," "our," or "us") operates the XTA mobile application ("App"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our App, in accordance with the EU General Data Protection Regulation (GDPR) and applicable Danish data protection law.
2. Data Controller
The data controller responsible for your personal data is:
Ascend Beyond ApS
Denmark
Email: support@xta.one
3. Data We Collect
Account Data
- Email address (provided via Sign in with Apple — you may choose to hide your real email)
- Unique user identifier (generated by Apple)
- Authentication tokens (stored locally in your device's Keychain)
Workout and Fitness Data
- Workouts you create, including exercise names, sets, reps, rest times, and tempo
- Workout execution data (actual performance, duration, timestamps)
- Perceived effort ratings
- Training preferences and questionnaire responses
Apple HealthKit Data
- Body mass (used to estimate calorie expenditure)
- Workout sessions (written to Apple Health with your permission)
- Workout effort scores
HealthKit data is processed locally on your device. We do not store HealthKit data on our servers, do not use it for advertising, and do not share it with third parties.
Data We Do NOT Collect
- Location data
- Contacts or photos
- Browsing history
- Advertising identifiers
4. How We Use Your Data
- Provide and operate the App's core functionality (workout logging, sync across devices)
- Generate AI-powered workout feedback and workout suggestions (paid subscribers only — see Section 5)
- Authenticate your identity and secure your account
- Improve and develop the App based on aggregate usage patterns
- Communicate service-related information (e.g., updates, security alerts)
5. AI Processing
If you subscribe to XTA Apex, your workout data is sent to Google's Gemini AI service to generate personalized feedback and workout suggestions. Specifically:
- Workout structure, exercise names, sets, reps, rest times, and tempo data are transmitted
- No personally identifiable information (name, email, Apple ID) is included in AI requests
- Data is sent securely via encrypted connections
- Google processes this data under their API terms of service — data sent via the Gemini API is not used by Google to train their models
Free-tier users have no data sent to AI services.
6. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Contract performance — processing necessary to provide the App and its features (Article 6(1)(b) GDPR)
- Legitimate interest — improving the App, ensuring security, and preventing fraud (Article 6(1)(f) GDPR)
- Consent — for optional data processing such as HealthKit integration, which you can grant or revoke at any time in your device settings (Article 6(1)(a) GDPR)
7. Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the following service providers, solely as necessary to operate the App:
Supabase (Backend Infrastructure)
Provides database hosting, authentication, and server functions. Your account data and workout data are stored on Supabase's infrastructure. Supabase processes data under a data processing agreement.
Google Gemini (AI Service)
Processes anonymized workout data for AI feedback generation. Only used for paid subscribers. No personal identifiers are shared.
Apple
Provides authentication (Sign in with Apple) and processes in-app purchases. HealthKit data remains on your device and is not transmitted to us or Apple's servers through the App.
Legal Obligations
We may disclose your data if required by law, regulation, or valid legal process.
8. International Data Transfers
Your data may be processed on servers located outside the European Economic Area (EEA), including in the United States (where Supabase and Google operate). When data is transferred outside the EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your personal data in accordance with GDPR requirements.
9. Data Retention
We retain your personal data for as long as your account is active and as necessary to provide the service.
- Account deletion includes a 7-day grace period. You may cancel the deletion by signing back in during this period.
- After the grace period expires, all personal data is permanently deleted across all systems
- AI-generated feedback linked to deleted accounts is anonymized
- Deletion request records are retained as an audit trail without personal data
- We may retain anonymized, aggregated data that cannot be linked back to you for analytical purposes
- Data required for legal obligations (e.g., tax records) may be retained as required by law
10. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your account and data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to restrict processing — request that we limit how we use your data
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — revoke consent at any time (e.g., HealthKit permissions in device settings)
To exercise any of these rights, contact us at support@xta.one. We will respond within 30 days.
11. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Authentication tokens stored in the device Keychain (not in plain text)
- Row-level security on our database ensuring users can only access their own data
- Bearer token validation on all API endpoints
No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately.
12. Children's Privacy
The App is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at support@xta.one and we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated through the App or via your registered email address. The "Last Updated" date at the top indicates when the latest revision was made. Continued use of the App after changes constitutes acceptance of the updated policy.
14. Supervisory Authority
If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk, or with the supervisory authority in your EU member state of residence.
15. Contact Us
For questions about this Privacy Policy or to exercise your data rights:
Ascend Beyond ApS
Email: support@xta.one