Privacy Policy
Last Updated: April 26, 2026
Updated April 26, 2026 — Summary of Changes
New sections / disclosures:
• Real-Time Team Chat (Section 14) — chat messages, GIFs, reactions, typing indicators stored on our servers; transient signals are not persisted.
• GIFs in Chat (Section 15) — we use KLIPY (https://klipy.com) as our GIF library. Your search query and a per-user identifier are sent to KLIPY through our backend proxy. Ads are disabled.
• Monthly Leaderboards (Section 16) — public ranking by XP earned each calendar month (UTC). Your name, avatar, username, monthly XP and rank are visible. Team metric is the average XP per member, so larger teams have no inherent advantage. Opt-out available via a private profile.
Existing HealthKit, AI Home Workout Verification and security sections remain unchanged.
Nemis ("we", "our", or "us") is operated from Switzerland. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Nemis mobile application ("the App"). We comply with the Swiss Federal Act on Data Protection (nFADP), the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA).
1. Data We Collect
Account Information
When you create an account, we collect your email address, name, and a hashed version of your password. If you sign in with Google, we receive your name, email, and profile picture from Google. We never store your raw password.
Profile Information
You may optionally provide your age, username, avatar selection, motivation style preference, and timezone. This data is used to personalize your experience.
Location Data
To verify gym check-ins, the App reads your device's current GPS coordinates and compares them in real time against the gym location you saved yourself. The result of that comparison ("near your gym: yes/no") is what we use — and it is the only thing we keep.
What we do NOT do:
- We do not store your raw GPS coordinates or any "breadcrumb" / location history.
- We do not track you outside the immediate vicinity of your saved gym.
- We do not share, sell, or sync your location with any third party.
How auto check-in works: if you enable auto check-in, your device's iOS or Android operating system handles a small geofence around your saved gym locally. When you enter the geofence, your device wakes the App and the App asks our server "is the user still near their saved gym?" We log only that yes/no answer plus the start time and last-seen time of that gym session — not coordinates. The latitude/longitude leaves your device only for the moment of the check, is used once, and is then discarded server-side.
You can turn off auto check-in at any time in Settings → Auto Check-In, or revoke location permission entirely via your device's system settings.
Workout and Activity Data
We store your check-in history, workout streaks, XP (experience points), level progression, badges earned, Gaincoin balance, and other gamification data. This is the core of the Nemis experience.
Home Workout Video (AI Verification)
If you use the optional Home Workout Verification feature, a 30-second video is recorded on your device. Five still frames are extracted from that video locally on your device and are the only data transmitted to our AI vision provider. The original video is deleted immediately after frame extraction and is never uploaded to our servers.
Social and Communication Data
Your friends list, team memberships, team chat messages, community feed activity, reactions, and zaps are stored to power the social features of the App.
Device Information
We collect your Expo push notification token to send you workout reminders and activity notifications. We do not collect device identifiers beyond what is necessary for push notifications.
Payment Information
Payments are processed entirely by Stripe. We never receive, store, or have access to your credit card number or banking details. Stripe handles all payment data in accordance with PCI-DSS standards.
2. How We Use Your Data
We use your data to:
- Provide and operate the App
- Verify gym check-ins via GPS location
- Track your workout streaks, XP, and progress
- Enable social features (friends, teams, community feed)
- Send push notifications (reminders, zaps, achievements)
- Process payments through Stripe
- Provide AI-powered home workout verification
- Automatically award check-ins from Apple HealthKit workouts (with your consent)
- Personalize your motivation style and experience
- Improve the App based on aggregated, anonymized usage patterns
3. Third-Party Services
We share data with the following third-party providers, strictly for the purposes described:
- OpenAI (GPT-4o-mini): Analyses the 5 extracted frames from your Home Workout Verification. No data retention beyond the short-lived inference request.
- Stripe: Handles payment processing
- Google: Provides sign-in authentication and gym search (Google Places API)
- Apple: HealthKit (on-device, read-only) and Apple Push Notification Service
- Expo: Delivers push notifications
- MongoDB Atlas: Cloud database hosting (data encrypted at rest and in transit)
We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.
4. Apple HealthKit Data
In accordance with Apple's HealthKit terms, data obtained from HealthKit is never used for advertising, never sold, and never disclosed to third parties for data-mining purposes.
With your explicit consent, Nemis reads a strictly limited subset of data from Apple HealthKit to verify and reward workouts inside the gamification system.
- Data read: completed workout sessions (type, start/end time, duration, active energy burned) and daily step count only
- Purpose: automatically award check-ins, streak points and Gaincoin for workouts of 20 minutes or longer that match supported activity types (strength training, running, cycling, HIIT, yoga, soccer, etc.)
- We do NOT read medical, clinical, reproductive, mental-health, nutrition, sleep, heart, or lab-result categories from HealthKit
- Only the derived outcome (e.g. "30-minute workout completed at 10:42 AM") is stored on our servers; raw HealthKit samples stay on your device
- You may revoke HealthKit permission at any time via iOS Settings › Health › Data Access & Devices › Nemis, which disables auto-check-ins without affecting the rest of the app
5. AI Home Workout Verification
Nemis offers an optional "Home Workout Verification" flow that uses computer vision to confirm you are actually exercising before awarding a check-in.
- When you start verification, the app records a 30-second video locally on your device using the front or rear camera
- Immediately after recording, we extract five (5) still image frames from the video on-device at evenly spaced timestamps
- Only those 5 frames are transmitted over HTTPS to our backend, which forwards them to OpenAI GPT-4o-mini solely to check for continuous human movement consistent with exercise
- The AI returns a simple approval/rejection decision and a short reason. No biometric template, face recognition, or identity analysis is performed
- The original 30-second video is deleted from your device as soon as the frames are extracted, and is never uploaded to our servers
- The 5 extracted frames are not stored on our servers or retained by the AI provider beyond the short-lived inference request
- If verification fails, no check-in, streak, or Gaincoin reward is granted
- You can skip this feature entirely by checking in at a registered gym location instead
6. Camera & Microphone
Camera access is used only when you (a) take or update a profile photo, (b) capture a gym selfie, or (c) start an AI Home Workout Verification. Microphone audio is not recorded during home workout verification and is never transmitted to our servers. You can revoke camera or microphone permission at any time in iOS Settings › Nemis.
7. Screen Wake During Workouts
While a workout timer, rest timer, or Home Workout Verification recording is active, Nemis requests that iOS keep your screen awake so the session is not interrupted by the device auto-locking. This permission is scoped to active workout screens only and is released automatically once the workout or recording ends.
8. Data Retention
- Account and workout data: Retained for as long as your account is active.
- Home workout video: Never uploaded. Deleted from your device after on-device frame extraction.
- AI verification frames: Processed in real time and immediately discarded. Never stored.
- HealthKit raw samples: Never stored on our servers. Only derived check-in events are retained.
- Team chat messages: Retained while the team exists. Deleted when your account is deleted.
- Push notification tokens: Deleted immediately upon account deletion.
- After account deletion: All personal data is permanently deleted within 30 days. Anonymized, aggregated statistics may be retained.
9. Your Rights
Under GDPR, nFADP, and CCPA, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Deletion: Delete your account and all associated data
- Portability: Receive your data in a structured format
- Objection: Object to certain processing activities
- Withdraw Consent: Withdraw consent at any time
To exercise these rights, use the "Delete Account" option in Settings or contact us at privacy@nemispro.com.
10. Data Security
We implement industry-standard security measures including:
- HTTPS/TLS encryption for all data in transit
- Bcrypt password hashing with unique salts
- API rate limiting to prevent abuse
- Input sanitization to prevent injection attacks
- Database encryption at rest (MongoDB Atlas)
- No storage of payment card details (handled by Stripe)
11. Children's Privacy
Nemis is not intended for users under the age of 16. We do not knowingly collect personal data from anyone under 16. If we learn that we have collected data from a user under 16, we will delete their account and data immediately.
12. International Data Transfers
Your data may be processed in countries outside Switzerland and the EEA, including the United States (for cloud hosting and AI processing). We ensure appropriate safeguards are in place, including standard contractual clauses, to protect your data in accordance with GDPR and nFADP requirements.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes through the App. Continued use of Nemis after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at:
Email: privacy@nemispro.com
Location: Switzerland