Privacy.

Last updated: 2026-05-26

This page explains what data the Into platform collects, why, where it lives, and what you can do about it. The same policy applies to every app in the Into suite: Into Workout, Into Trainer, Into Diet, and any future Into app you sign into with the same account.

1. Who we are

Into is operated by an individual founder in Finland. Contact for all privacy matters: privacy@intoapp.fi.

2. What we collect

• Account data — email address and authentication credentials, managed by Firebase Authentication (Google as data processor). Passwords are never stored in plaintext.
• App data — the content you create in the apps: workouts, sets, programs, meals, notes, profile info, settings, preferences, and any photos you upload.
• Trainer ↔ client links — if you connect with a trainer or client, we store the relationship so the right people can see the right data.
• Email signups — if you join the early-access mailing list on the homepage, we store your email separately to notify you on launch.
• Server logs — Google Cloud Platform records standard access logs (IP, user agent, timestamps) for security and abuse prevention. Retained 30 days.
• Payment data — handled by Stripe. We receive subscription status only; we never see or store card numbers.

We do not use third-party analytics, advertising trackers, behavioural cookies, or any profile-building tools. There is no advertising on any Into surface.

3. Why we process this data (lawful basis)

• Contract (Art. 6(1)(b) GDPR) — to provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f)) — server logs for security and abuse prevention.
• Consent (Art. 6(1)(a)) — for early-access mailing list signups and any optional features.
• Legal obligation (Art. 6(1)(c)) — for invoices and tax records relating to paid subscriptions.

4. Where the data lives

All app data and authentication is hosted on Google Firebase in the europe-west1 region (Belgium, EU). Email signups, Firestore content, and Cloud Functions all run in this region. Stripe handles payments separately under its own EU infrastructure.

No personal data is transferred outside the European Economic Area for the operation of the service.

5. Who sees it

Internally, only the Into founder has access to production data, and only for operational reasons (support, incident response, account deletion requests).

Data processors on our behalf:

• Google Cloud Platform — Firebase Auth, Firestore, Cloud Functions, Hosting.
• Stripe — subscription billing.
• Domainhotelli / Namecheap — domain and DNS.

We do not sell or share data with third parties for advertising or analytics purposes.

6. Calendar export (Into Trainer)

Into Trainer lets trainers download their scheduled sessions as an iCalendar (.ics) file. This file contains client names, session dates and times, and duration — no email addresses, notes, or other personal information.

The export is opt-in — triggered deliberately by the trainer. The file is generated entirely in the browser (no server-side processing) and downloaded to the trainer's device. Once imported into a third-party calendar (Google Calendar, Outlook, Apple Calendar, etc.), the data is governed by that provider's privacy policy and is outside Into's control.

Trainers are responsible for ensuring they are entitled to process their clients' names and session data in a third-party calendar service, in accordance with applicable data protection regulations.

7. How long we keep it

• Account + app data — for as long as your account is active. On deletion, removed within 30 days (some backups may persist up to 90 days before rotation).
• Email signups — until you unsubscribe.
• Invoice / tax records — 6 years (Finnish accounting law).
• Server logs — 30 days.

8. Your rights under GDPR

You have the right to:

• Access — request a copy of the data we hold on you.
• Rectification — correct anything inaccurate (most fields editable in-app).
• Erasure — delete your account from in-app settings, or email us. Removes all app data irreversibly.
• Restriction — ask us to pause processing in specific cases.
• Portability — export your data in a machine-readable format (JSON).
• Objection — object to processing based on legitimate interest.
• Withdraw consent — for anything we process on consent (e.g. mailing list).
• Lodge a complaint — with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local EU supervisory authority.

To exercise any right, email privacy@intoapp.fi. We respond within 30 days.

9. Cookies & local storage

The Into apps store: your authentication session, language preference, and theme choice. That's it. No tracking cookies, no third-party cookies, no consent banner needed.

The marketing pages at intoapp.fi store one item in local storage: your chosen language, used by the language switcher.

10. Children

The Into platform is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe a child has signed up, email privacy@intoapp.fi and we will remove the account.

11. Security

Data is encrypted in transit (TLS) and at rest by Google Cloud Platform's default encryption. Access to production data is restricted to the founder and protected by 2FA. Firestore security rules enforce per-user data isolation.

12. Changes

We may update this policy. Material changes will be announced via email (to active users) and in-app. The "Last updated" date at the top reflects the most recent revision.

13. Contact

Privacy questions, data requests, complaints, or anything else: privacy@intoapp.fi.

Governing law: Finland. This policy is published in English and Finnish (tietosuoja) — in case of conflict, the English version prevails.