Last updated: June 17, 2026
The data controller is MAIA, a Société par actions simplifiée (SAS) with a share capital of €100, registered under SIREN 934 110 024, SIRET (registered office) 934 110 024 00023, RCS Grasse 934 110 024, VAT FR84934110024. Registered office: 20 chemin du Moulin, 06740 Châteauneuf-Grasse, France. You may contact the company's legal representative by email at [email protected] for all data-protection inquiries, or at [email protected] for general matters.
Identity
When you sign in with Apple, we receive and store the name and email address provided by Apple (which may be a relay address), as well as Apple's stable user identifier (the "sub" field). We do not store your Apple ID password.
Training data
We store the workout data you enter: sessions, exercises, sets, reps, loads, body weight entries, and your training preferences. This data is stored on our own servers and is necessary to provide the service.
AI input processing
When you describe a workout in natural language, that text is sent to OpenRouter (which routes to Anthropic models) to be parsed into structured workout data. This transmission is necessary to provide the core functionality of the app. If you have enabled the "Help improve Paul" toggle in Settings (default: off), those text inputs may additionally be reviewed by MAIA to improve the service; you can withdraw this consent at any time by toggling the setting off.
Voice input
Voice transcription is performed on-device using WhisperKit. Audio is never uploaded to our servers or to any third party. This is entirely local processing and does not involve Apple Speech Recognition or any remote service.
Diagnostics
If you have enabled the "Diagnostic Data" toggle in Settings (default: off), the app reports crashes, masked session-replay events, and performance metrics to Sentry (EU region: ingest.de.sentry.io). Sentry is configured with sendDefaultPii=false: no user identifier, no IP address, and no screenshots are transmitted. When the toggle is off, no diagnostic data is collected passively.
Billing
Subscription management is handled entirely by Apple via StoreKit. We receive and store your subscription status and an opaque appAccountToken (a UUID) that links an Apple purchase to your account. We do not have access to your payment card details.
Identity data (name, email, Apple sub) is processed to create and authenticate your account; the legal basis is performance of a contract. Training data (workouts, exercises, logs, body weight, preferences) is processed to provide the service; the legal basis is performance of a contract. AI input processing (sending workout text to OpenRouter/Anthropic) is processed to deliver core natural-language parsing; the legal basis is performance of a contract. Review of AI inputs for service improvement ("Help improve Paul" toggle) is processed solely on the basis of your consent, which you may withdraw at any time. Diagnostic data (Sentry, when opt-in toggle is ON) is processed on the basis of your consent. Subscription and billing data is processed to manage access to paid features; the legal basis is performance of a contract.
Apple Inc. acts as sub-processor for authentication (Sign in with Apple) and subscription billing (StoreKit/App Store). OpenRouter Inc. and Anthropic PBC act as sub-processors for AI parsing of workout text. Functional Software, Inc. (Sentry) acts as sub-processor for diagnostic data in the EU region, only when the diagnostic toggle is enabled. Our infrastructure provider hosts the servers where your training data is stored. We do not sell, rent, or share your personal data with any other third parties.
OpenRouter and Anthropic are based in the United States. Transfers of workout text inputs to these processors are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent safeguards. Sentry diagnostic data is processed in the EU region (Frankfurt) and does not involve a transfer outside the EEA. Apple processes authentication and billing data under its own privacy framework, which includes EU–US data transfer safeguards.
Your training data, identity data, and billing records are retained for as long as your account is active. When you delete your account in the app, your personal data and all associated training records are permanently deleted from our servers within a reasonable period. Diagnostic data collected via Sentry is short-lived and retained for approximately 90 days. Apple billing records are governed by Apple's own retention policies.
Under the GDPR and applicable French law, you have the right to access, rectify, erase, and port your personal data, as well as the right to restrict or object to processing, and to withdraw consent where processing is based on consent. To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with the French data-protection authority, the CNIL, at www.cnil.fr.
You may delete your account at any time from within the Paul app. Deleting your account permanently removes your profile, training data, and all associated records from our servers. Important: deleting your account does NOT cancel your Apple subscription. You must cancel your subscription separately through the App Store, via Apple ID settings, before or after deleting your account — otherwise Apple will continue to bill you.
Paul is not intended for use by persons under the age of 15 (the age of digital consent under French law) without the prior authorisation of a parent or legal guardian. We do not knowingly collect personal data from children under 15. If you believe we have inadvertently collected such data, please contact us at [email protected] so we can delete it.
The paulworkout.com website uses only technically necessary cookies — for example, to store your language preference. We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under applicable EU law.
We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. The date at the top of this page indicates when the policy was last revised. Your continued use of the Paul app after any changes constitutes acceptance of the revised policy. We encourage you to review this page periodically.
For all GDPR-related requests, data-subject access requests, or privacy questions, contact us at [email protected]. For general inquiries about Paul, contact us at [email protected]. MAIA, 20 chemin du Moulin, 06740 Châteauneuf-Grasse, France.