Privacy Policy

Last Updated: April 13, 2026

Everground ("we", "our", or "us") is operated by Daniel Gonzalez Reina, an individual based in Portugal, EU. This Privacy Policy explains what personal data we collect, why we collect it, how it is stored and protected, and your rights under the General Data Protection Regulation (GDPR) and other applicable laws. If you have any questions, contact us at [email protected].

1. Data We Collect

Account data

When you create an account we collect your name and email address. If you sign in with Google, we receive these from Google with your consent. We also store a hashed password if you use email/password sign-in, and a record of whether your email address has been verified.

Workout data

The app records workout sessions ("logs") containing the timer mode, duration, optional time cap, result, an optional Rx'd flag, and free-text notes you choose to enter. Within each session the app also records timestamped checkpoint events (rounds, reps, exercises) that you generate during a workout. This data is personal to you and is never shared with other users without your explicit consent.

Free plan: all workout data is stored only on your device in a local SQLite database. It is never transmitted to our servers.

Sync-enabled plans: workout logs and checkpoints, including any notes you have written, are synced to our servers to enable backup and multi-device access. You can delete individual logs or your entire account at any time (see Section 6).

Analytics and session recordings

We use PostHog to understand how the app is used and to identify issues. PostHog collects:

  • Screen views and in-app navigation events (e.g. which screens you visit and in what order)
  • Session recordings — a replay of your on-screen interactions within the app, used to diagnose UX problems. Recordings do not capture passwords or payment details.
  • Account identifiers: your PostHog identity is linked to your account user ID, name, and email address so we can correlate events with accounts when debugging.
  • Technical metadata: device type, operating system version, app version, and approximate IP-derived location.

Analytics data is processed by PostHog, Inc. under a Data Processing Agreement. PostHog requests are routed through our own domain (i.everground.app) to reduce third-party tracking exposure.

Email communications

We send transactional emails (email verification, password reset). We do not send marketing emails unless you have explicitly opted in.

Waitlist / interest signups

If you submit your email on our website to join a waitlist or express interest in a feature, we store that email address to notify you when the relevant feature is available. You can ask us to remove it at any time.

2. Lawful Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Performance of a contract — account data and (for paid/beta users) synced workout data are processed to deliver the service you signed up for.
  • Legitimate interests — analytics and session recordings are processed to improve the app and fix bugs. We have assessed that this interest does not override your rights, given the limited sensitivity of the data and the privacy-preserving routing we apply.
  • Legal obligation — we may retain certain data where required by applicable law.

3. How We Share Your Data

We do not sell your personal data. We share it only in these circumstances:

  • PostHog (analytics): usage data and session recordings as described in Section 1, under a Data Processing Agreement.
  • Google (authentication): if you choose "Sign in with Google", your name and email are shared from Google to us under Google's Privacy Policy and your consent.
  • Resend (email delivery): your email address is passed to Resend solely to deliver transactional emails you have triggered (verification, password reset).
  • Neon (database): synced workout data and account data are stored on Neon-hosted infrastructure (EU region), processed under a Data Processing Agreement.
  • Hetzner (server infrastructure): our application servers run on Hetzner Cloud (EU region). Hetzner processes data only as necessary to operate the service.
  • Legal requirements: we may disclose data if required by law, court order, or to protect the rights and safety of users or third parties.
  • Business transfer: if the service is acquired or merged, your data may transfer to the new operator, who would be bound by this policy or a materially equivalent one.

4. Data Retention

We retain your data for as long as your account is active. When you delete your account, your account data and any server-synced workout data are deleted within 30 days. Analytics events are retained by PostHog according to our PostHog instance's retention settings (currently 1 year) and anonymised thereafter. Waitlist emails are retained until you ask us to remove them or until the relevant feature ships, whichever comes first.

5. Data Security

Passwords are stored as salted hashes and are never stored in plain text. Data in transit between your device and our servers is encrypted using TLS. We apply access controls to limit who can query production data. No system is completely secure; in the event of a data breach affecting your rights, we will notify you as required by applicable law.

6. Your Rights (GDPR)

If you are in the EU/EEA, you have the following rights regarding your personal data. To exercise any of them, contact us at [email protected]. We will respond within 30 days.

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate data.
  • Erasure: ask us to delete your data by emailing us. We will delete your account and all associated data within 30 days.
  • Portability: request your data in a machine-readable format.
  • Restriction: ask us to pause processing of your data in certain circumstances.
  • Objection: object to processing based on legitimate interests (e.g. analytics). If you object, we will stop processing unless we have compelling legitimate grounds.
  • Complaint: you have the right to lodge a complaint with the Portuguese data protection authority, CNPD (Comissão Nacional de Proteção de Dados), at www.cnpd.pt.

7. International Data Transfers

Our servers and some third-party service providers (including PostHog) are located in the United States. When your data is transferred outside the EU/EEA, we rely on appropriate safeguards — currently Standard Contractual Clauses approved by the European Commission — to ensure your data receives an equivalent level of protection.

8. Children's Privacy

The Service is not directed at children under 13 (or under 16 in jurisdictions where that age applies). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. Changes to This Policy

We will update this policy when our data practices change materially — for example, if we add new third-party processors, change how workout data is stored, or form a legal entity. We will notify you of significant changes by posting the updated policy on the Service and, where feasible, by email. The "Last Updated" date at the top of this page always reflects the current version.

10. Contact

Data controller: Daniel Gonzalez Reina, Portugal, EU.
For privacy questions, data requests, or complaints, email us at [email protected].