Domain: wovio.app
Effective Date: February 2, 2026
1) Data Controller
The data controller of personal data is:
The Arrogant T-Rex Srls
Operational HQ: Via Giovanni Gentile 26, 71016 San Severo (FG), Italia
Registered HQ: Corso Giuseppe di Vittorio, 71016 San Severo (FG), Italia
PEC: thearrogantrex@pec.it
VAT No.: 04430600710
For privacy inquiries: thearrogantrex@pec.it (subject: "Privacy – Wovio").
2) Scope of Application
This policy applies to:
- The Wovio App
- The website under the domain wovio.app (including any landing pages)
Third-party services (e.g. app stores, social media, external platforms) are governed by their respective privacy policies.
3) Personal Data Processed
3.1 Data provided directly by the user
- Account data: email and credentials (managed via authentication providers)
- Support communication: message content and contact info
3.2 Workout and potential health-related data
The Wovio App allows users to input information about workouts, goals, preferences, and personal notes. Some of these may qualify as special categories of data under Article 9 of the GDPR ("health data") if related to physical condition, injuries, limitations, or health status.
Processing mode:
Wovio does not require the insertion of detailed health data. Any health information voluntarily entered by the user in text fields is processed solely to deliver app functionality (e.g. personalized workout plans). This data is not used for marketing or profiling.
Legal basis:
- Art. 6(1)(b) GDPR for account and workout data management
- Art. 9(2)(a) GDPR for optional health data voluntarily entered by the user
Consent is given by using the features requiring such data and can be withdrawn at any time.
Protection measures:
Users are advised not to enter unnecessary health data; data is encrypted in transit and at rest; access is restricted and controlled; no data is shared with third parties for commercial purposes.
3.3 Automatically collected data (App)
- Usage data: navigation/interaction events, usage statistics (Analytics)
- Technical app/device data: app version, OS, language, technical identifiers (e.g. app-instance ID)
- Crash and diagnostics data: error logs, technical info (Crashlytics)
- Push notification tokens: technical IDs for sending notifications (Firebase Cloud Messaging)
3.4 Automatically collected data (Website – wovio.app)
Navigation data and tracking tools (cookies or similar):
- Technical cookies (essential)
- Analytics cookies/tools and, if enabled, qualitative analysis tools (with consent)
3.5 Necessary data
Required to use the app:
- Account data (email and credentials)
- Minimum workout data to save/sync exercises
- Technical data essential for app operation
Without this data, account creation or core features may not be possible.
3.6 Optional data
Optional and can be disabled at any time:
- Analytics
- Push notifications
- Qualitative tools (e.g. Smartlook, if enabled)
- Advanced AI features
Declining these will not affect app usage, except for the availability of related features.
Entering health-related info is always optional. Not providing it may reduce personalization but does not prevent usage.
4) Voice and Speech-to-Text
Currently, speech-to-text (if present) occurs on-device (user's device).
Wovio does not save voice recordings.
If the user confirms or inputs recognized text, this is treated as workout data (notes/workout info).
Future developments: Cloud-based speech services may be introduced in the future. The policy will be updated and consent requested where applicable.
5) Purposes and Legal Bases (GDPR)
A) Service delivery (account, login, data saving/sync)
Purpose: create and manage account, login, workout data sync (e.g. Firestore)
Legal basis: contract performance (Art. 6(1)(b) GDPR)
B) AI-based workout generation (OpenAI)
Data: Only necessary info is shared with the AI provider (goals, preferences, selected exercises, user notes)
Purpose: deliver personalized suggestions and improve user experience
Notice: Avoid entering unnecessary personal or detailed health data in free-text fields.
Legal basis:
- Contract performance (Art. 6(1)(b) GDPR)
- Legitimate interest (Art. 6(1)(f) GDPR) to provide advanced features, with opt-out rights
- Explicit consent (Art. 9(2)(a) GDPR) for any health data voluntarily provided
OpenAI states that data sent via API is not used for model training by default, and logs may be retained for abuse prevention/safety (typically up to 30 days unless otherwise required).
C) Push notifications (Firebase Cloud Messaging)
Purpose: send reminders, feature updates, operational messages
Legal basis: legitimate interest (Art. 6(1)(f)) and/or system consent/permissions
D) Analytics (App and Website)
Purpose: usage analysis and product improvement (Google Analytics for Firebase, website analytics)
Legal basis:
- Website: consent for non-essential cookies/tools (as per regulatory guidance)
- App: use of analytics tools according to available settings; where required, consent or opt-out via settings
E) Qualitative analysis (Smartlook or similar) – if activated
Purpose: heatmaps, session replay, UX analysis for UI/flow improvement
Current Status: potential future implementation
Legal basis: consent (website) and/or opt-in where applicable (app)
If activated, these tools will be clearly listed in the cookie banner and/or app privacy settings, with opt-out available.
F) Security and stability (Crashlytics, technical logs)
Purpose: prevent abuse, diagnose crashes, improve stability
Legal basis: legitimate interest (Art. 6(1)(f) GDPR)
G) Automated decisions and profiling
Wovio does not perform automated decisions with legal or similarly significant effects (Art. 22 GDPR).
AI-based workout personalization is functional profiling, limited to service provision and without significant impact on user rights/freedoms.
H) Legitimate Interest Assessment (LIA)
Where processing relies on legitimate interest (e.g. security, operational notifications, app analytics), a balancing test (LIA) has been carried out to ensure that user rights and freedoms are not overridden.
6) Cookies and Tracking (Website wovio.app)
The site uses cookies or similar technologies:
- Technical cookies: always active (essential)
- Analytics/qualitative tools: only active with prior consent
Management is via banner and preferences in compliance with legal guidelines.
7) Data Recipients (Service Providers)
We may use providers to deliver the service, including:
- Google / Firebase: Authentication, Firestore, Cloud Messaging, Analytics, Crashlytics
- OpenAI: workout generation via API, with DPA and contractual safeguards
- Smartlook (if used): qualitative analysis, with DPA
Other technical providers may also be used (hosting, email, customer support). The list may evolve and will be updated.
These providers act as processors under Art. 28 GDPR, unless acting as independent controllers (e.g. app stores, platforms collecting data directly). In such cases, their privacy policies apply.
8) Transfers Outside the EEA
Some providers may involve data transfers outside the EEA. We apply appropriate safeguards (e.g. Standard Contractual Clauses and supplementary measures, if needed), as per GDPR. OpenAI's DPA includes relevant contractual provisions.
9) Data Retention
- Account and workout data: retained while account is active; deletable anytime (see §11)
- Notification tokens (FCM): kept as long as notifications are enabled or account remains active
- Crash/diagnostic data: retained as needed for stability and issue resolution
- Analytics (app/site): retained per internal config and minimization principles; consent is revocable
- Data sent to OpenAI: retained per provider policies/contracts (API logs typically up to 30 days unless otherwise required)
10) Security
We adopt appropriate technical and organizational measures (e.g. encryption in transit, access control, least privilege, DB security rules, logging, and monitoring).
11) Account and Data Deletion
Users may delete their account and data anytime directly via the App (User/Profile section).
After deletion:
- the account is disabled
- associated data is deleted or anonymized, unless legal or technical obligations apply (e.g. backups, security, legal claims)
12) User Rights
Users may exercise their GDPR rights: access, rectification, deletion, restriction, portability, objection, and withdrawal of consent (where applicable).
To exercise them: thearrogantrex@pec.it.
Users may also lodge a complaint with the Italian Data Protection Authority.
13) Minors
Wovio is not specifically designed for minors. In Italy, for certain consent-based data processing in information society services, the relevant age threshold is 14 years. If you believe a minor has submitted data without authorization, please contact us.
14) Changes to This Policy
This Privacy Policy may be updated. The latest version will be published on wovio.app and/or in the App, indicating its effective date.