Privacy Policy
Last updated: April 25, 2026
HugMuninn Ltd ("Company", "we", "us") — registered in England and Wales, company number 16868375 — operates the Unleash fitness app (iOS, Android) and the web application at unleash.coach. This policy explains what personal data we collect, why we collect it, the legal basis for doing so, and your rights under the UK General Data Protection Regulation (UK GDPR) and EU GDPR.
Definitions
- Company — HugMuninn Ltd, registered in England and Wales (company no. 16868375).
- App / Platform — the Unleash mobile app (iOS & Android) and web application.
- Personal Data — any information that identifies or can be used to identify you as an individual.
- You / User — any person who accesses or uses the Platform.
- Data Processor — a third party that processes data on our behalf under our instruction.
Data We Collect and Legal Basis
Account Information
Your email address, collected when you create an account.
Legal basis: Performance of a contract (Art. 6(1)(b) UK/EU GDPR) — necessary to authenticate you and enable cross-device sync.
Workout Data
Exercise logs including sets, reps, weights, and related training data synced to our servers and associated with your account.
Legal basis: Performance of a contract (Art. 6(1)(b)) — the core service you signed up for.
Analytics Data (web app only)
With your explicit consent, we use Google Analytics 4 (GA4) to collect anonymised usage data — pages visited, feature interactions, and error events. Your IP address is anonymised before being sent to Google. This data helps us improve the platform.
Legal basis: Consent (Art. 6(1)(a)). You may withdraw consent at any time by clicking "Manage cookies" in the footer.
Web App — Cookies & Browser Storage
The web app stores authentication session tokens in first-party cookies and local storage. These are strictly necessary for you to remain signed in and are not used for advertising or tracking.
Legal basis: Legitimate interests (Art. 6(1)(f)) — maintaining a secure authenticated session is a fundamental technical requirement.
Cookies
The following cookies may be set by the web application:
| Cookie | Purpose | Expiry | Category |
|---|---|---|---|
| `sb-*` | Supabase authentication session | 1 hour (access) / 1 week (refresh) | Essential |
| `cc_cookie` | Stores your cookie consent preferences | 6 months | Essential |
| `_ga` | Google Analytics — distinguishes users | 2 years | Analytics (consent required) |
| `_ga_*` | Google Analytics — maintains session state | 2 years | Analytics (consent required) |
You can manage or withdraw your analytics cookie consent at any time using the "Manage cookies" link in the footer. Essential cookies cannot be disabled as they are required for the web app to function.
How We Use Your Data
- Maintain the platform and your account
- Enable cross-device synchronisation between mobile and web
- Resolve technical issues and improve reliability
- Send account-related communications (e.g. password resets, security notices)
- Analyse anonymised usage patterns to improve the platform (with your consent)
- Meet legal and regulatory requirements
We do not use your data for advertising or sell it to third parties.
Data Storage & Security
Your data is stored on Supabase infrastructure located in Frankfurt, Germany (EU). All data in transit is encrypted via TLS; data at rest is encrypted by Supabase. No storage method provides absolute security guarantees, but we take reasonable precautions to protect your information and will notify you of any breach that poses a significant risk to your rights.
Third Parties & Data Processors
Supabase
Acts as our data processor for authentication and database storage, under a data processing agreement. Data is stored in the EU (Frankfurt).
Google Analytics
With your consent, anonymised usage data is sent to Google LLC via Google Analytics 4. Google acts as a data processor under our configuration (IP anonymisation enabled, no advertising features enabled). Google's privacy policy applies to data it receives: policies.google.com/privacy.
Apple & Google (mobile platforms)
Apple and Google independently collect device-level data — including crash reports and diagnostic information — through their respective app store platforms. Their own privacy policies govern that collection and we have no access to individually identifiable data from these sources.
We do not share your personal data with any other third parties.
Data Retention
Data is retained for as long as your account is active. If you delete your account, personal data is removed within 30 days, except where retention is required by applicable law. Anonymised analytics data retained by Google Analytics is governed by Google's own retention settings (default 14 months).
Your Rights
Under UK GDPR and EU GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — ask us to restrict processing of your data in certain circumstances.
- Portability — receive your workout data in a structured, machine-readable format. To request an export, contact us at the address below.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent (e.g. analytics cookies), you may withdraw it at any time without affecting the lawfulness of prior processing. Use the "Manage cookies" link in the footer.
To exercise any right, contact us at contact+privacy@hugmuninn.com. We will respond within 30 days.
UK residents may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. EU residents may also contact the supervisory authority in their member state.
Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.
International Transfers
Your data is stored within the EU (Frankfurt). If any processing occurs outside the EU/UK, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses or adequacy decisions). HugMuninn Ltd is a UK-based company; transfers between the UK and EU are covered by the UK–EU adequacy decision currently in force.
Children
The platform is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with data, please contact us and we will delete it promptly.
Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email or via a notice on the platform at least 14 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
For privacy questions, data requests, or complaints:
- Email: contact+privacy@hugmuninn.com
- Web: hugmuninn.com
- Company: HugMuninn Ltd, registered in England and Wales, company no. 16868375