← Back to Andura

Privacy policy

Beta version · Updated 2026-05-31

Your data stays on your phone. You control what leaves it. Andura is local-first: your profile and sessions are saved on your device. This policy explains what we collect, why, and the rights you have under the EU GDPR.

Who is responsible (data controller)

Andura is operated by DM & CO. (Romania, EU). For any privacy matter, including to exercise your rights, contact the data controller by email at support@andura.app.

What we collect and why

We collect only what the app needs to coach you: your profile (age, sex, weight, height, training goal, frequency and experience), your workout logs, weight and nutrition logs, body measurements, and the email address used for the magic link sign-in. We use this data to personalize your training and nutrition, on your device. We do not collect usage analytics.

Legal basis (GDPR Art. 6 and Art. 9)

We process your account email to provide the sign-in you asked for (contract / your request). We process your training, weight, nutrition and body data to deliver the coaching feature you use, on the basis of your consent, which you give by entering it and can withdraw anytime by deleting the data. Optional cloud backup and optional crash reporting each run only on your separate consent. Health-related data (weight, body measurements) is special-category data under Art. 9 and is processed solely on your explicit consent.

Where your data is stored

By default your data lives only on your device, in the browser's IndexedDB and local storage. If you sign in and enable cloud backup, a copy is synced to Google Firebase (Realtime Database) under a private path tied to your account, so you can restore it on another device. If you use Andura without an account (guest mode), your data never leaves your device.

Who else processes data (processors and transfers)

We use Google Firebase (authentication, email delivery for the magic link, and optional cloud backup) and, only if you opt in, Sentry for crash reporting (personal data is stripped before sending). These providers act as our processors. Google may process data on servers outside the EU; such transfers are covered by Standard Contractual Clauses. We never sell or share your data with advertisers.

How long we keep it

Local data stays until you delete it from your device. Cloud backup stays until you delete your data or your account. When you ask to delete your account, it is disabled immediately and permanently erased after a 30-day grace period in case you change your mind.

What we DON'T do

ZERO advertising. ZERO data sales. ZERO third-party trackers. We don't use your data for ads.

Cookies and local storage

Andura does not use advertising or tracking cookies. We use the browser's local storage and IndexedDB only to keep the app working: your session, your settings and your data on the device.

Children

Andura is for adults only. You must be at least 18 years old to use it. We do not knowingly collect data from anyone under 18.

Security

Sign-in uses a passwordless magic link, not a stored password. Data in transit is encrypted over HTTPS. Cloud backup is reachable only with your authenticated account token.

Your rights (GDPR)

You have the right to access, rectify, export (data portability), and erase your data, to withdraw consent, and to object to or restrict processing. You can exercise most of these directly in the app: export your data as JSON and delete your account and data from the Account screen, anytime. For anything else, email us. You also have the right to lodge a complaint with the Romanian supervisory authority, ANSPDCP (dataprotection.ro).

Changes to this policy

We may update this policy as Andura evolves. The date at the top shows the current version. Material changes will be highlighted in the app.

Contact

For privacy questions or to exercise your rights, write to support@andura.app.

Account & data deletion instructions →