Privacy Policy - Ekomo

Version: 1.0

Last updated: March 4, 2026

1. Data Controller

The data controller is:

  • Company name: Static Bloom
  • Legal form: Sole proprietorship (micro-entrepreneur)
  • Address: 200 rue de la Croix Nivert, 75015, Paris, France
  • Privacy contact email: hello@staticbloom.io

2. Data We Process

Depending on how you use the app, Ekomo processes the following categories.

2.1 Account and identity data

  • Email address (magic link, Apple, Google sign-in)
  • Internal user identifier (UUID)
  • First name / nickname (`first_name` / `display_name`)
  • Profile settings: language, time zone, weight unit, training preferences

2.2 Training and progression data

  • Workout sessions and history
  • Completed exercises, sets, performance data (reps, duration, entered weight)
  • Personal records (reps, duration, weight when applicable)
  • Exercise progression/unlocks, streak, fitness feature usage stats

2.3 Subscription and in-app purchase data

  • Subscription status (active/inactive)
  • Premium entitlements
  • Technical transaction details handled by Apple/Google and RevenueCat

2.4 Product analytics data

  • Usage events (screens viewed, onboarding, paywall, in-app actions)
  • Technical properties (platform, app version, environment)
  • Analytics identifiers linked to the account (including email in current implementation)
  • Technical and security event logs needed to detect abuse, incidents, and service errors

2.5 Data stored locally on the device

  • Preferences (sound, notifications, etc.)
  • Nutrition calculator data (weight, height, age, sex) if entered by the user

This data remains local unless explicitly sent to a remote service.

3. Purposes and Legal Bases

Ekomo processes data for the following purposes:

1. Delivering the service (account, sync, history, progression): contract performance (Art. 6(1)(b) GDPR).

2. Managing premium subscriptions and purchase restoration: contract performance (Art. 6(1)(b) GDPR).

3. Measuring and improving the product (analytics, feature performance): legitimate interest (Art. 6(1)(f) GDPR).

Where legally required (including under ePrivacy rules), analytics tracking is based on consent.

4. Security, fraud prevention, technical logging: legitimate interest (Art. 6(1)(f) GDPR).

5. Compliance with legal obligations (e.g., accounting/tax where applicable): legal obligation (Art. 6(1)(c) GDPR).

4. Recipients and Processors

Data may be processed by the following service providers:

  • Supabase: authentication, database, backend functions.
  • PostHog: product analytics.
  • RevenueCat: in-app subscription management.
  • Apple / Google: social login and in-app purchase infrastructure.
  • Resend: transactional emails.

Each provider acts under its own terms and security commitments.

5. International Transfers

Some providers may process data outside the EU/EEA.

When this occurs, we apply appropriate safeguards under GDPR Chapter V, such as:

  • an adequacy decision by the European Commission, or
  • the European Commission Standard Contractual Clauses (SCCs), together with supplementary measures where required.

You can request more information about the applicable transfer mechanism by contacting hello@staticbloom.io.

6. Retention

  • Account and training data: retained while the account is active. If an account is inactive for 24 months, we may delete or anonymize related data after prior notice, unless retention is required by law.
  • Analytics data: retained for up to 24 months, then deleted or aggregated.
  • Security and technical logs: retained for up to 12 months, unless a longer retention period is required to investigate security incidents or comply with legal obligations.
  • Transaction and accounting records: retained as required by applicable tax/accounting laws (which may be up to 10 years in some jurisdictions).
  • Local device data: retained until local deletion, app uninstall, or account deletion.

When an account is deleted, backend data associated with the account is deleted, subject to legal retention obligations.

7. Account Deletion

The app provides an account deletion feature in settings.

Deletion triggers backend account data deletion and local app data cleanup.

8. Notifications

Ekomo may request permission for local notifications (e.g., rest timer).

You can enable/disable notifications at any time in the app and/or device settings.

9. Security

We implement reasonable technical and organizational safeguards to protect data (access controls, authentication, encryption in transit, per-user backend restrictions).

No transmission or storage method is fully secure.

10. GDPR Rights

Subject to applicable law, you may have the right to:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Objection
  • Portability
  • Withdraw consent where processing relies on consent
  • Lodge a complaint with a competent supervisory authority

To exercise your rights: hello@staticbloom.io.

11. United States Privacy Rights

11.1 California residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:

  • Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes of collection, and the categories of third parties with whom we share it.
  • Right to delete: You may request deletion of your personal information, subject to certain legal exceptions.
  • Right to correct: You may request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising as defined under CCPA/CPRA.
  • Non-discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

Categories of personal information collected (past 12 months):

| Category                     | Examples                                  | Source                                  |
| ---------------------------- | ----------------------------------------- | --------------------------------------- |
| Identifiers                  | Email, name, user ID                      | User-provided, authentication providers |
| Commercial information       | Subscription status, purchase history     | RevenueCat, Apple/Google                |
| Internet/electronic activity | Usage events, screens viewed, app version | Automatically collected via PostHog     |
| Geolocation                  | Time zone                                 | User-provided                           |

Categories of personal information sold or shared: None.

Retention: See Section 6.

To exercise your rights, contact hello@staticbloom.io. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

11.2 Other US state privacy laws

Residents of states with applicable consumer privacy legislation (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights to access, delete, correct, and opt out. To exercise these rights, contact hello@staticbloom.io.

12. Minors

The app is not intended for children under 13 years old. In jurisdictions where the age required to validly consent to personal data processing is higher (for example, certain EU countries), users below that local age must have parental or guardian consent.

We do not knowingly collect personal information from children under the applicable minimum age. If you are a parent or guardian and believe your child has provided us with personal information without valid consent, please contact us at hello@staticbloom.io and we will promptly delete such information.

13. Changes

This policy may be updated. If material changes are made, users will be informed through an appropriate channel (in-app or website).

14. Contact

For privacy-related questions:

  • Company: Static Bloom
  • Email: hello@staticbloom.io
  • Address: 200 rue de la Croix Nivert, 75015, Paris, France