Privacy Policy
Effective date: 15 March 2026
Last updated: 15 March 2026
Jim ("the App") is a free, personal project created and maintained by Ruben Swidzinski ("I", "me", "my"). I am committed to protecting your privacy. This Privacy Policy explains how I collect, use, store, and share your personal data when you use the App.
This policy complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive 2002/58/EC, and applicable Belgian data protection law.
1. Data Controller
The data controller for the purposes of GDPR is:
Ruben Swidzinski (individual)
Email: [email protected]
Website: jim.relaycloud.org
Jim is a personal, non-commercial project. It is free to use and is not operated by a company or organisation.
2. Data I Collect
2.1 Account Data
- Email address
- Display name
- Hashed password (I never store plaintext passwords)
- Account creation date
2.2 Profile & Onboarding Data
- Date of birth, sex, height, weight
- Training experience, goals, and preferences
- Available equipment, injuries, recovery quality
- Preferred training schedule
- Unit system preference (metric/imperial)
2.3 Health & Fitness Data (Special Category — GDPR Art. 9)
- Workout sessions and exercise logs (sets, reps, weight, RPE)
- Body metrics (weight history, body fat percentage, measurements)
- Nutrition logs (meals, calories, macronutrients)
- Water intake tracking
- Fatigue scores and recovery metrics
- Personal records (PRs) and strength estimates
- Workout plans and progression data
2.4 Couples Data
- Partner linking status and invite codes
- Shared goals and accountability settings
- Streaks and shared activity data
2.5 AI Coach Data
- Chat messages sent to and received from the AI coach
- AI-generated workout plans and suggestions
- Rate limiting data for AI feature usage
2.6 Technical Data
- Session tokens (authentication cookies)
- Cookie consent preferences
- Device type and browser information (from HTTP headers)
- Offline sync queue data (stored locally)
3. Legal Basis for Processing
I process your data under the following legal bases (GDPR Articles 6 & 9):
- Consent (Art. 6(1)(a) & Art. 9(2)(a)): For processing health & fitness data (special category data). You provide explicit consent during onboarding.
- Contract performance (Art. 6(1)(b)): For providing the App's core features — account management, workout tracking, nutrition logging.
- Legitimate interest (Art. 6(1)(f)): For security, fraud prevention, and service improvement.
4. How I Use Your Data
- Provide and personalise the App experience
- Generate AI-powered workout plans and coaching advice
- Track your fitness progress, nutrition, and goals
- Enable couples features (partner linking, shared goals, streaks)
- Calculate fatigue scores, personal records, and progression
- Maintain security and prevent abuse
5. Data Sharing
5.1 With Your Partner
If you link your account with a partner, specific data is shared: workout activity, streaks, shared goals, and reactions. You can unlink at any time to stop sharing.
5.2 Third-Party Services
- AI Provider (OpenRouter): Chat messages and relevant fitness context are sent to AI model providers to generate coaching responses. Messages are processed per the provider's privacy policy and are not used for model training.
- Cloudflare: Traffic is routed through Cloudflare Tunnel for security and performance. Cloudflare may process connection metadata.
5.3 I Do Not
- Sell your personal data to third parties
- Use your data for advertising or ad targeting
- Share your health data with insurers, employers, or data brokers
- Transfer data outside the EU/EEA without adequate safeguards
- Monetise this App or your data in any way — Jim is and will remain free
6. Data Storage & Security
- Data is stored on a self-hosted server located in Belgium (EU).
- The database is PostgreSQL with row-level security (RLS) policies.
- All connections are encrypted via HTTPS (TLS 1.2+) through Cloudflare.
- Passwords are hashed using bcrypt via GoTrue (Supabase Auth).
- JWT tokens are used for session authentication with configurable expiry.
- Access to the server is restricted to SSH key authentication only.
7. Data Retention
- Active accounts: Data is retained for the lifetime of your account.
- Deleted accounts: Personal data is deleted within 30 days of account deletion.
- AI chat history: Retained for the lifetime of your account, deletable on request.
- Server logs: Retained for a maximum of 90 days.
- Cookie consent records: Retained for 12 months (as required for compliance evidence).
8. Your Rights Under GDPR
As an EU/EEA resident, you have specific rights regarding your personal data. See the dedicated Your Rights (GDPR) page for full details, including how to exercise each right.
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure / right to be forgotten (Art. 17)
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77)
9. Cookies
I use cookies and similar technologies. For detailed information, see the Cookie Policy.
10. Children's Privacy
Jim is not intended for children under 16. I do not knowingly collect data from children under 16. If I discover that I have, I will delete it promptly.
11. International Data Transfers
All data is stored and processed within the European Union (Belgium). If in the future I use services that process data outside the EU/EEA, I will ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses, adequacy decisions).
12. Changes to This Policy
I may update this Privacy Policy periodically. I will notify you of material changes by updating the "Last updated" date and, where appropriate, providing an in-app notification.
13. Contact
For privacy-related enquiries or to exercise your rights:
Ruben Swidzinski
Email: [email protected]
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Belgian Data Protection Authority:
Gegevensbeschermingsautoriteit (GBA)
Drukpersstraat 35, 1000 Brussels, Belgium
Website: gegevensbeschermingsautoriteit.be