XTA Privacy Policy

Privacy Policy

Last Updated: April 19, 2026

1. Introduction

Ascend Beyond ApS ("we," "our," or "us") operates the XTA mobile application ("App"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our App, in accordance with the EU General Data Protection Regulation (GDPR), the Danish Data Protection Act (Databeskyttelsesloven), and other applicable data protection laws including the California Consumer Privacy Act (CCPA/CPRA) for California residents.

2. Data Controller

The data controller responsible for your personal data is:

Ascend Beyond ApS
CVR 46352270
Møllestenen 27, 3140 Ålsgårde
Denmark
Email: support@xta.one

Data Protection Officer: Ascend Beyond ApS has assessed its processing activities against Article 37 of the GDPR and has determined that appointment of a Data Protection Officer is not required. Our core activities do not consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, and we do not process special categories of data (Article 9) or data relating to criminal convictions (Article 10) on a large scale. For all privacy-related matters, contact our designated privacy contact at support@xta.one. We will review this determination if our processing activities materially change.

3. Data We Collect

Account Data

  • Email address (provided via Sign in with Apple — you may choose to hide your real email)
  • Unique user identifier (generated by Apple)
  • Authentication tokens (stored locally in your device's Keychain)

Workout and Fitness Data

  • Workouts you create, including exercise names, sets, reps, rest times, and tempo
  • Workout execution data (actual performance, duration, timestamps)
  • Perceived effort ratings
  • Training preferences and questionnaire responses

Important: Workout and fitness data you enter into the App is used solely to provide the service. It is not health data in the regulatory sense — we do not collect biometric data, medical records, or health diagnoses.

Apple HealthKit Data

  • Body mass (used to estimate calorie expenditure)
  • Workout sessions (written to Apple Health with your permission)
  • Workout effort scores

HealthKit data is processed locally on your device only. We do not store HealthKit data on our servers, do not transmit it to any third party, do not use it for advertising or marketing, and do not sell it. This applies without exception.

Technical Data

  • Error reports and crash logs (collected via Sentry for application stability)
  • API version headers and request metadata (for service compatibility)

Data We Do NOT Collect

  • Location data or GPS coordinates
  • Contacts, photos, or camera data
  • Browsing history or web activity
  • Advertising identifiers (IDFA) or tracking identifiers
  • Financial data (payments are processed entirely by Apple)

4. How We Use Your Data

We use your personal data exclusively for the following purposes:

  • Service delivery — provide and operate the App's core functionality (workout tracking, sync across devices)
  • AI features — generate AI-powered workout feedback and workout suggestions (paid subscribers only — see Section 5)
  • Authentication — verify your identity and secure your account
  • Service improvement — improve and develop the App based on aggregate, anonymized usage patterns
  • Communication — send service-related information (e.g., security alerts, Terms updates)
  • Error monitoring — diagnose and fix technical issues via crash and error reporting

We do not use your data for advertising, profiling, behavioral targeting, or any purpose other than those listed above.

5. AI Processing

If you subscribe to XTA Apex, your workout data is sent to Google's Gemini AI service to generate personalized feedback and workout suggestions. Specifically:

  • Workout structure, exercise names, sets, reps, rest times, and tempo data are transmitted
  • No personally identifiable information (name, email, Apple ID) is included in AI requests
  • Data is sent securely via encrypted connections (TLS)
  • Google processes this data under their API terms of service — data sent via the Gemini API is not used by Google to train their models

Free-tier users have no data sent to AI services.

AI-generated content is for informational purposes only. It does not constitute medical advice, personal training, or any form of professional health guidance. See our Terms of Use for important health and safety disclaimers.

6. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases under the GDPR:

  • Contract performance (Article 6(1)(b)) — processing necessary to provide the App and its features as described in our Terms of Use
  • Legitimate interest (Article 6(1)(f)) — improving the App, ensuring security, preventing fraud, and monitoring application stability. Our legitimate interest does not override your fundamental rights and freedoms
  • Consent (Article 6(1)(a)) — for optional data processing such as HealthKit integration, which you can grant or revoke at any time in your device settings
  • Legal obligation (Article 6(1)(c)) — where we are required to process or retain data to comply with applicable law

7. Data Sharing

We do not sell, rent, trade, or otherwise commercially share your personal data. We have never sold personal data and have no plans to do so.

We share data only with the following service providers, solely as necessary to operate the App:

Supabase (Backend Infrastructure)

Provides database hosting, authentication, and server functions. Your account data and workout data are stored on Supabase's infrastructure in the EU (eu-north-1 region). Supabase processes data under a data processing agreement (DPA) in accordance with GDPR Article 28.

Google Gemini (AI Service)

Processes anonymized workout data for AI feedback generation. Only used for paid subscribers. No personal identifiers are shared. Google processes API data under their Cloud Data Processing Addendum.

Apple

Provides authentication (Sign in with Apple) and processes in-app purchases. HealthKit data remains on your device and is not transmitted to us or Apple's servers through the App.

Sentry (Error Monitoring)

Receives crash reports and error logs to help us maintain application stability. Error reports may contain technical device information but do not contain workout data or personal identifiers. Sentry processes data under a DPA.

Legal Obligations

We may disclose your data if required by law, regulation, court order, or valid legal process issued by a competent authority.

8. International Data Transfers

Your data is primarily stored within the European Economic Area (EEA). However, some data may be processed on servers located outside the EEA, including in the United States (where Google and Sentry operate). When data is transferred outside the EEA, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914), including the UK International Data Transfer Addendum where applicable
  • Data processing agreements with all sub-processors that bind them to GDPR-equivalent obligations
  • Technical and organizational supplementary measures including encryption in transit (TLS 1.2+) and at rest, data minimization (no direct identifiers transmitted to AI services), pseudonymization where technically feasible, and access controls based on the principle of least privilege

Transfer Impact Assessment (TIA): Following the Schrems II decision (Case C-311/18) and EDPB Recommendations 01/2020, we have assessed the laws and practices of third countries to which personal data may be transferred (notably the United States in the case of Google and Sentry). Based on this assessment, we have determined that the supplementary measures described above provide a level of protection essentially equivalent to that guaranteed within the EEA for the limited categories of data transferred. We periodically reassess these transfers and will suspend them if we conclude that an adequate level of protection can no longer be ensured.

You may request a summary of our Transfer Impact Assessment, the specific safeguards applied, or the current list of sub-processors and their processing locations by contacting us at support@xta.one.

9. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide the service. Our specific retention practices:

  • Active accounts: Data is retained for the duration of your account
  • Account deletion: Includes a 7-day grace period during which you may cancel by signing back in. After the grace period expires, all personal data is permanently and irreversibly deleted across all systems
  • AI-generated feedback: Feedback linked to deleted accounts is anonymized (all personal identifiers removed)
  • Deletion audit trail: Deletion request records are retained without personal data as a compliance audit trail
  • Anonymized data: We may retain anonymized, aggregated data that cannot be linked back to any individual, for analytical purposes. Anonymization is achieved by removing all direct identifiers (email, user ID, Apple identifier) and any indirect identifiers that could reasonably be used, alone or in combination, to re-identify an individual, and by aggregating data to a level of granularity that prevents singling-out, linkability, or inference attacks (consistent with Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques). Once data has been anonymized, it is no longer considered personal data under the GDPR
  • Legal retention: Data required for legal obligations (e.g., Danish tax and bookkeeping law — Bogføringsloven) may be retained for up to 5 years as required by law
  • Error logs: Technical error reports are retained for up to 90 days

10. Your Rights Under GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights regarding your personal data:

  • Right of access (Article 15) — request a copy of the personal data we hold about you
  • Right to rectification (Article 16) — request correction of inaccurate or incomplete data
  • Right to erasure (Article 17) — request deletion of your account and personal data ("right to be forgotten")
  • Right to data portability (Article 20) — receive your data in a structured, commonly used, machine-readable format (JSON)
  • Right to restrict processing (Article 18) — request that we limit how we process your data
  • Right to object (Article 21) — object to processing based on legitimate interest
  • Right to withdraw consent (Article 7(3)) — revoke consent at any time without affecting the lawfulness of processing prior to withdrawal (e.g., HealthKit permissions in device settings)
  • Right not to be subject to automated decision-making (Article 22) — see "Automated Decision-Making and Profiling" below

Automated Decision-Making and Profiling (Article 22)

AI-generated workout feedback and AI-generated workout suggestions are produced by automated systems (Google Gemini) without human review before delivery. However, these outputs:

  • Are informational and suggestive in nature — they do not impose obligations, restrictions, or consequences on you
  • Do not produce legal effects concerning you or similarly significant effects (Article 22(1) threshold is not met)
  • Are not used to make decisions that restrict your access to the service, alter your pricing, or affect any third-party dealings
  • Can be ignored, accepted, modified, or discarded at your sole discretion — you retain full control over your training

Because the outputs do not produce legal or similarly significant effects, Article 22(1) does not apply. Nonetheless, on request we will (a) provide information about the logic involved in the AI processing at a high level, (b) allow you to express your view, and (c) provide human review of any AI-generated output that you believe was harmful or inaccurate. Contact support@xta.one.

To exercise any of these rights, contact us at support@xta.one. We will respond within 30 days. If a request is complex or we receive numerous requests, we may extend this period by up to two additional months, and will inform you of any such extension.

You will not be charged a fee to exercise your rights, unless a request is manifestly unfounded or excessive.

11. Your Rights Under US State Privacy Laws

If you are a resident of California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), or other US states with comprehensive privacy legislation, you have additional rights:

California Residents (CCPA/CPRA)

  • Right to know — request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to delete — request deletion of your personal information
  • Right to correct — request correction of inaccurate personal information
  • Right to opt-out of sale or sharing — we do not sell or share (as defined by the CCPA/CPRA) your personal information. We have not sold personal information in the preceding 12 months
  • Right to non-discrimination — we will not discriminate against you for exercising your privacy rights
  • Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond what is necessary to provide the service

Categories of personal information collected in the preceding 12 months: Identifiers (email address, unique user ID); internet or electronic network activity (error logs); fitness information (self-reported workout data). Categories sold: None. Categories shared (as defined by CPRA): None. Categories disclosed for a business purpose: Anonymized workout data to AI service provider (Google Gemini) for paid subscribers only, under contract restricting use to the specified business purpose.

Sensitive Personal Information (CPRA)

We do not knowingly collect, process, or infer sensitive personal information as defined by the CPRA (Cal. Civ. Code § 1798.140(ae)) — including precise geolocation, racial or ethnic origin, religious beliefs, union membership, mail or communications contents, genetic data, biometric identifiers for identification, or health or sexual-orientation data. While self-reported body mass (used locally on your device for calorie estimation) could be characterized as health-adjacent, we do not use this data to infer characteristics about you, to profile you, or for cross-context behavioral advertising. We do not engage in any processing that would trigger the CPRA right to limit use of sensitive personal information. Accordingly, you do not need to exercise the "right to limit" with us — it is already our practice not to engage in those uses.

California Shine the Light Act (Cal. Civ. Code § 1798.83)

We do not disclose your personal information to third parties for their own direct marketing purposes. Because we do not engage in such disclosures, we are not required to and do not provide a separate Shine the Light response process. If California law entitles you to additional information, you may request it by contacting support@xta.one.

Washington My Health My Data Act (MHMDA)

Washington State's My Health My Data Act (RCW 19.373) applies to "consumer health data," which is defined broadly to include data that identifies a consumer's past, present, or future physical or mental health status, including exercise and fitness data and biological measurements. If you are a Washington resident or your consumer health data is collected in Washington, the following applies to the workout, exercise, and body mass data you provide to the App:

  • Consent: By creating an account and entering workout data into the App, you provide your voluntary, specific, opt-in consent for us to collect and process this consumer health data for the purposes described in this Privacy Policy — namely, delivering the core tracking service, generating AI feedback (Apex tier only, and only with the additional processing described in Section 5), and supporting service reliability
  • No sale of consumer health data: We do not sell your consumer health data. We have never sold consumer health data and have no plans to do so. No consent to "sell" has been requested because no sale occurs
  • No sharing for advertising: We do not share consumer health data with third parties for targeted advertising, cross-context behavioral advertising, or any similar purpose
  • Right to withdraw consent: You may withdraw your consent at any time by deleting your account in the App. Deletion follows the process described in Section 9 (7-day grace period, then permanent deletion)
  • Right to access and delete: You have the right to access, review, and delete your consumer health data. Exercise these rights by contacting support@xta.one
  • No geofencing: We do not operate any geofence around any location providing healthcare services and do not use geofencing to identify, track, collect data from, or send notifications to consumers regarding their consumer health data

Our processing of consumer health data is limited to what is strictly necessary to deliver the App's core functionality and any AI features you have subscribed to. No consumer health data is used for any purpose beyond those listed above.

Other US State Residents

If your state provides similar privacy rights (e.g., the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), Montana Consumer Data Privacy Act, Tennessee Information Protection Act, Iowa Consumer Data Protection Act, Delaware Personal Data Privacy Act, New Jersey Data Privacy Act, New Hampshire Privacy Act, or similar), you may exercise applicable rights — including the right to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, or profiling with legal or similarly significant effects — by contacting us at support@xta.one. We will respond within the timeframe required by your state's law (generally 45 days, subject to applicable extensions).

Financial Incentives

We do not offer any financial incentives or price or service differences in exchange for the collection, retention, sale, or sharing of personal information. All users on a given tier pay the same price and receive the same service regardless of their privacy choices.

To exercise any US privacy rights, contact us at support@xta.one. We will verify your identity before processing your request using reasonable verification methods proportionate to the sensitivity of the data. You may also designate an authorized agent to make a request on your behalf by providing written permission signed by you.

12. Data Security

We implement appropriate technical and organizational measures to protect your data in accordance with GDPR Article 32, including:

  • Encryption in transit (TLS 1.2+/HTTPS) and at rest
  • Authentication tokens stored in the device Keychain (hardware-backed secure storage, not in plain text)
  • Row-level security (RLS) on our database ensuring users can only access their own data
  • Bearer token validation on all API endpoints
  • Principle of least privilege for all system access
  • Regular security monitoring and error tracking

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please contact us immediately at support@xta.one.

Data Breach Notification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Danish Data Protection Agency (Datatilsynet) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, in accordance with Article 34 of the GDPR. Our notification will describe the nature of the breach, the likely consequences, the measures taken or proposed to address it, and the contact point for further information. For applicable U.S. state residents, we will additionally provide notice required under your state's data breach notification law.

13. Cookies, Tracking, and Browser Signals

The XTA App does not use cookies, advertising trackers, or analytics SDKs. We do not engage in cross-app or cross-site tracking. The XTA website (xta.one) does not use cookies, third-party tracking scripts, or advertising pixels.

Global Privacy Control (GPC) and Do Not Track (DNT): Because we do not engage in the "sale" or "sharing" of personal information (as those terms are defined under the CCPA/CPRA), and because we do not use tracking cookies or advertising identifiers, there is no processing we perform against which a Global Privacy Control or Do Not Track signal would operate. We treat any such signal received via the website as confirmation of our existing practice: no sale, no sharing for cross-context behavioral advertising, and no tracking. If we ever introduce processing that would be subject to GPC or DNT, we will update this Privacy Policy, honor such signals as a valid opt-out request, and communicate the change in advance.

14. Children's Privacy

The App is not directed at children under 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe a child under 16 has provided us with personal data, please contact us at support@xta.one and we will promptly delete such data. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information as soon as possible.

15. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the App or via your registered email address at least thirty (30) days before taking effect. The "Last Updated" date at the top indicates when the latest revision was made. Continued use of the App after the effective date of changes constitutes acceptance of the updated policy. If you do not agree to the revised policy, you should stop using the App and delete your account.

16. Supervisory Authority

If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with:

  • Danish Data Protection Agency (Datatilsynet) — datatilsynet.dk, Carl Jacobsens Vej 35, 2500 Valby, Denmark
  • The supervisory authority in your EU/EEA member state of residence
  • The UK Information Commissioner's Office (ICO) if you are a UK resident

We encourage you to contact us first at support@xta.one so we can attempt to resolve your concern directly.

17. Contact Us

For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern:

Ascend Beyond ApS
CVR 46352270
Møllestenen 27, 3140 Ålsgårde
Denmark
Email: support@xta.one

We aim to respond to all privacy-related inquiries within 30 days.


© 2026 Ascend Beyond ApS