Privacy Policy

1. Information We Access

GearBro accesses the following data on your device to provide its core functionality. This data is processed locally and is not uploaded to any server.

Apple HealthKit (Read-Only)

GearBro reads workout data from Apple HealthKit to automatically link your workouts with your gear. We access:

• Workout type (e.g., running, cycling, hiking)
• Workout duration
• Distance covered
• Calories burned
• Heart rate data

GearBro uses HealthKit data exclusively in read-only mode. We do not write any data to HealthKit. HealthKit data is never shared with third parties, never used for advertising or marketing purposes, never used for data mining, and never stored in iCloud or on any remote server. This complies with Apple's HealthKit guidelines.

WeatherKit

GearBro may access weather data (temperature and weather conditions) at the time of your workout to provide contextual information. To retrieve this data, your device sends location information to Apple's WeatherKit service. Apple states that this location data is not linked to your identity and is not used for tracking between requests.

GearBro does not store or access your GPS coordinates — only the resulting weather data (temperature, conditions) is associated with your workout entry.

Camera & Photo Library

GearBro accesses your camera or photo library only when you explicitly choose to take or select a photo for a gear item. Images are stored locally on your device only and are never uploaded to any server or shared with any third party.

2. Information We Store Locally

All user-created data in GearBro is stored exclusively on your device. There is no cloud synchronization, no server-side storage, and no remote backup. The following data is stored locally:

• Gear profiles — name, category, brand, purchase date, photos, notes
• Workout assignments — which gear was used for which workout
• Goals & streaks — weekly usage goals and milestone progress
• Gear Journal entries — workout-specific notes, 5-star ratings, and quick tags
• User preferences — accent color, display settings, notification preferences
• Usage statistics — gear condition estimates, distance/session/time counters

3. Information We Do NOT Collect

GearBro is designed to function without collecting personal information. We explicitly do not collect:

• Names, email addresses, or any personal identifiers
• User accounts or login credentials
• Location data (GPS coordinates are never stored by GearBro)
• Browsing history or app usage outside of GearBro
• Advertising identifiers (IDFA)
• Tracking pixels or cross-app tracking data
• Contact lists, messages, or other personal content
• Biometric data beyond what HealthKit provides

We do not sell, rent, or trade your personal information to any third party.

4. How We Use Your Information

Each type of data GearBro processes serves a specific purpose:

• HealthKit workout data — To automatically match workouts with your gear, calculate gear usage statistics, and estimate gear condition
• Weather data — To provide contextual workout information and gear usage insights
• Photos — To visually identify your gear in the app
• Gear & workout data — To generate analytics, charts, share cards, and track goals
• Anonymous usage signals — To understand which features are used and improve the app (via TelemetryDeck, see Section 6)
• Crash data — To identify and fix bugs (via Sentry, see Section 6)
• Subscription data — To manage your GearBro Premium subscription status (via RevenueCat, see Section 6)

5. Legal Basis for Processing

Under the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and similar laws, we process data based on the following legal grounds:

Consent (GDPR Art. 6(1)(a))

You grant consent through iOS system permissions when you allow GearBro to access HealthKit, your camera, or photo library. You may revoke this consent at any time through your device's Settings app. If you participate in the B2B Data Sharing Program (see Section 7), your explicit opt-in consent is required.

Explicit Consent for Health Data (GDPR Art. 9(2)(a))

HealthKit data is classified as health data under GDPR Article 9 (special categories of personal data). We process this data only with your explicit consent, granted when you authorize HealthKit access in the iOS permissions dialog. This consent is freely given, specific, informed, and unambiguous.

Performance of a Contract (GDPR Art. 6(1)(b))

Subscription management through RevenueCat is necessary for the performance of the contract between you and us when you purchase GearBro Premium.

Legitimate Interest (GDPR Art. 6(1)(f))

We rely on legitimate interest for crash reporting (Sentry) and anonymous usage analytics (TelemetryDeck) to maintain and improve app stability and functionality. These services collect minimal, non-identifying data and do not override your fundamental rights.

Voluntariness of Data Provision

Providing data to GearBro is entirely voluntary. The app functions without HealthKit access (with reduced functionality — workouts must be assigned manually). Granting or withholding any permission does not affect your ability to use the core features of the app. You are never required to provide personal data as a condition of using GearBro.

6. Third-Party Services

GearBro uses a minimal set of third-party services, each chosen for their strong privacy practices. None of these services receive your HealthKit data, personal information, or gear data.

7. Anonymized Data & B2B Data Sharing Program

GearBro may offer an optional B2B Data Sharing Program that allows us to share anonymized, aggregated data with third parties such as sports equipment manufacturers, retailers, and research institutions.

How It Works

• Opt-in only — You must explicitly choose to participate via a dedicated toggle in the app's Settings. The toggle is off by default. The program is entirely voluntary, and you will never be enrolled automatically.
• Anonymized & aggregated — Data is processed using k-Anonymity, statistical aggregation, and where appropriate, differential privacy techniques to ensure that no individual user can be identified. Data is only shared in aggregate form with minimum group sizes to prevent inference attacks.
• No HealthKit data — In compliance with Apple's HealthKit guidelines, no HealthKit-derived data (workout metrics, heart rate, calories) is included in the B2B Data Sharing Program. Only gear usage patterns (e.g., average lifespan of a gear category, popular sport types) are included.
• No personal information — The shared data contains no names, device identifiers, location data, or any information that could identify you.
• Opt-out at any time — You may withdraw your consent at any time by turning off the toggle in the app's Settings. No email or request needed. Once you opt out, your data will no longer be included in future aggregations.

What Data May Be Shared

Examples of anonymized, aggregated data that may be shared include:

• Average lifespan of gear categories by brand or type
• Popular sport types and gear combinations
• Seasonal usage patterns and trends
• General gear replacement frequency

Who May Receive This Data

• Sports equipment manufacturers and brands
• Retailers and e-commerce platforms
• Academic and market research institutions
• Sports and fitness industry analysts

Safeguards

• All data recipients are contractually prohibited from attempting to re-identify individual users.
• Data is reviewed to ensure it meets anonymization thresholds before sharing.
• We conduct regular privacy impact assessments to evaluate re-identification risks before any data release.
• No individual-level data is ever shared — only statistical aggregates across sufficiently large user groups.

Note: The B2B Data Sharing Program is not yet active. This Privacy Policy will be updated with additional details before the program launches. You will be notified within the app when participation becomes available.

8. Data Sharing & International Transfers

By default, GearBro does not share any of your data with third parties. The only data transmitted from your device is:

• Anonymous usage signals to TelemetryDeck (EU)
• Crash reports to Sentry (EU — Frankfurt)
• Subscription status to RevenueCat (USA)
• Install attribution to GoMarketMe (USA)

International Data Transfers

Some of our third-party service providers process data outside the European Economic Area (EEA). Specifically, RevenueCat and GoMarketMe process data in the United States. These transfers are protected by:

• The EU-U.S. Data Privacy Framework (DPF), where our service providers are certified participants
• EU Standard Contractual Clauses (SCCs) as approved by the European Commission, where DPF certification is not available
• The service providers' own data protection commitments and certifications
• Technical safeguards including encryption in transit and at rest

For users in Switzerland, these transfers comply with the Swiss Federal Act on Data Protection (FADP) and the Swiss-U.S. Data Privacy Framework. For users in the United Kingdom, these transfers comply with the UK GDPR, the UK Extension to the EU-U.S. DPF, and the Data Use and Access Act 2025 (DUAA).

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

• On-device storage — All personal data remains on your device, protected by Apple's hardware encryption and iOS security features
• HealthKit encryption — HealthKit data is encrypted end-to-end by Apple and is only accessible with your explicit permission
• Encrypted communication — All data transmitted to third-party services (TelemetryDeck, Sentry, RevenueCat, GoMarketMe) uses TLS/SSL encryption
• No cloud storage — GearBro does not store any user data on remote servers or cloud services
• No remote access — We cannot access, view, or retrieve any data stored on your device

Breach Notification

In the unlikely event of a data breach affecting your information through one of our third-party service providers, we will notify you and the relevant authorities in accordance with applicable law, including the EU GDPR (within 72 hours of becoming aware), the U.S. FTC Health Breach Notification Rule, and other applicable breach notification requirements in your jurisdiction.

10. Data Retention & Deletion

Local Data

Data stored on your device is retained for as long as you choose to keep it. You have full control:

• Delete individual gear items, workouts, journal entries, or goals at any time within the app
• Export all your data as a JSON file (Settings > Export Data) before deletion
• Uninstalling GearBro permanently removes all locally stored data from your device
• Since no data exists on any server, deletion from your device is permanent and complete

Third-Party Service Data

Data processed by our third-party services is retained according to their respective policies:

• TelemetryDeck — Anonymous signals are retained per their data retention policy. See telemetrydeck.com/privacy
• Sentry — Crash data is retained per their retention settings. See sentry.io/privacy
• RevenueCat — Subscription data is retained per their privacy policy. See revenuecat.com/privacy
• GoMarketMe — Attribution data is retained per their privacy policy. See gomarketme.co/privacy

11. Your Rights

Because GearBro stores all data locally on your device, you already have full, direct control over your data at all times. In addition, depending on your location, you may have the following rights under applicable data protection laws:

European Economic Area, United Kingdom & Switzerland (GDPR, UK GDPR, FADP)

• Right of access (Art. 15) — All your data is visible directly in the app
• Right to rectification (Art. 16) — Edit any data directly in the app
• Right to erasure (Art. 17) — Delete any or all data in the app, or uninstall to remove everything
• Right to restriction of processing (Art. 18) — Revoke permissions in iOS Settings
• Right to data portability (Art. 20) — Export all data as JSON
• Right to object (Art. 21) — Opt out of analytics or data sharing in app settings
• Right to withdraw consent — Revoke any consent at any time via iOS Settings or in-app settings
• Right to lodge a complaint — With your local data protection supervisory authority

California, USA (CCPA/CPRA)

• Right to know — What personal information is collected and how it is used
• Right to delete — Request deletion of your personal information
• Right to correct — Request correction of inaccurate information
• Right to opt-out of sale/sharing — See Section 12 below
• Right to limit use of sensitive personal information
• Right to non-discrimination — You will not be penalized for exercising your rights

Brazil (LGPD)

• Confirmation of data processing
• Access to your data
• Correction, anonymization, blocking, or deletion of unnecessary data
• Data portability
• Deletion of data processed with consent
• Information about shared data
• Withdrawal of consent
• Opposition to automated decision-making

Other Jurisdictions

We respect the data protection rights of users worldwide, including under:

• Canada (PIPEDA & Quebec Law 25) — Access, correction, withdrawal of consent, complaint to the Privacy Commissioner
• Japan (APPI) — Access, correction, deletion, objection to automated decisions
• South Korea (PIPA) — Access, correction, deletion, objection, data portability
• India (DPDPA) — Access, correction, deletion, withdrawal of consent, complaint to the Data Protection Board
• Thailand (PDPA) — Access, correction, deletion, restriction, data portability, objection
• South Africa (POPIA) — Access, correction, deletion, objection, complaint to the Information Regulator
• Australia (Privacy Act) — Access, correction, complaint to the OAIC

To exercise any of these rights, contact us at contact@gearbro.app. We will respond to your request within 30 days, or within the timeframe required by applicable law.

12. Do Not Sell or Share My Personal Information

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have the right to opt out of the "sale" or "sharing" of their personal information.

GearBro does not sell or share your personal information. The B2B Data Sharing Program (Section 7) uses only anonymized, aggregated data that does not constitute "personal information" under the CCPA. This data cannot be linked to any individual user.

We honor Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we treat it as a valid opt-out request under applicable law.

In the past 12 months, we have not sold or shared personal information of any user, as defined by the CCPA/CPRA.

Other U.S. State Privacy Laws

In addition to California, residents of Virginia, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Kentucky, and other states with comprehensive privacy laws have similar rights to access, delete, correct, and opt out of data sales. GearBro honors these rights regardless of your state of residence.

Under Maryland's Online Data Privacy Act (MODPA), the sale of sensitive data including health data is prohibited. GearBro does not sell personal health data under any circumstances.

To submit an opt-out request or inquire about your rights under any U.S. state privacy law, contact us at contact@gearbro.app.

13. Children's Privacy

GearBro is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction, such as 16 in some EU member states, or 14 in Quebec, Canada).

We do not knowingly collect personal information from children under 13. Since GearBro does not require account creation and does not collect personal identifiers, we have limited means to verify a user's age.

If you are a parent or guardian and believe your child may have provided personal information through our app or services, please contact us at contact@gearbro.app. We will take immediate steps to investigate and, if necessary, delete such information.

This policy complies with the U.S. Children's Online Privacy Protection Act (COPPA), the GDPR provisions on children's data, India's DPDPA requirements for children's data protection, and other applicable child privacy laws.

14. Automated Decision-Making

GearBro uses automated calculations to estimate gear condition based on your usage data (distance, sessions, time). These calculations are performed entirely on your device.

Important: Gear condition estimates are approximations based on usage patterns. They are not safety assessments and should not be relied upon to determine whether equipment is safe to use. Always inspect your gear manually and follow the manufacturer's recommendations for replacement and maintenance.

These automated calculations do not produce legally or similarly significant effects on you. Under GDPR Article 22, CCPA/CPRA, the Swiss FADP, South Korea's PIPA, and similar laws, you have the right to request an explanation of how gear condition is calculated. Contact us at contact@gearbro.app for details.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or new features. When we make changes:

• The updated policy will be posted on this page with a revised "Last updated" date
• For material changes (such as new data collection or changes to the B2B Data Sharing Program), we will provide a notice within the app
• Where required by law (e.g., GDPR, LGPD), we will seek renewed consent for material changes to data processing
• This policy is reviewed and updated at least annually, in compliance with the CCPA requirement for annual policy updates

Your continued use of GearBro after changes are posted constitutes your acknowledgment of the updated policy. If you do not agree with the changes, you should discontinue use of the app and delete your data.

16. Governing Law & Jurisdiction

This Privacy Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of Austria, without regard to its conflict of law provisions.

Any disputes relating to this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts in Vienna, Austria, unless mandatory consumer protection laws in your jurisdiction provide otherwise.

If you are a consumer residing in the European Union, you may also bring proceedings in the courts of your country of residence. EU consumers may also use the European Commission's Online Dispute Resolution (ODR) platform at ec.europa.eu/consumers/odr.

17. Limitation of Liability

To the maximum extent permitted by applicable law, TecFly Labs shall not be held liable for any indirect, incidental, special, consequential, or punitive damages arising from or related to your use of GearBro or reliance on information provided by the app, including but not limited to gear condition estimates.

Gear condition estimates are informational only. They are based on usage data (distance, sessions, time) and general wear assumptions. They are not safety assessments, product warranties, or professional advice. You are solely responsible for inspecting your equipment and determining whether it is safe to use. Always follow the manufacturer's guidelines for replacement and maintenance.

GearBro is provided on an "as is" and "as available" basis. We make no warranties, express or implied, regarding the accuracy, completeness, reliability, or suitability of any information or functionality provided by the app.

Nothing in this Privacy Policy limits or excludes liability that cannot be limited or excluded under applicable law, including liability for fraud, gross negligence, or death or personal injury caused by negligence.

18. Severability

If any provision of this Privacy Policy is found to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the original intent.

The failure of TecFly Labs to enforce any provision of this Privacy Policy shall not constitute a waiver of that provision or the right to enforce it at a later time.

19. Contact Us

If you have any questions about this Privacy Policy, want to exercise your data protection rights, or wish to file a complaint, you can reach us at:

Data Protection Officer

As a small organization that does not engage in large-scale processing of special categories of data, TecFly Labs is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For all privacy-related inquiries, please contact us directly at contact@gearbro.app.

Supervisory Authorities

If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction, including but not limited to:

• Austria — Österreichische Datenschutzbehörde (dsb.gv.at)
• EU — Your national data protection authority
• UK — Information Commissioner's Office (ico.org.uk)
• Switzerland — EDÖB / FDPIC (edoeb.admin.ch)
• Canada — Office of the Privacy Commissioner (priv.gc.ca)
• Australia — OAIC (oaic.gov.au)
• South Africa — Information Regulator (inforegulator.org.za)
• India — Data Protection Board of India