Paul
Download

Privacy Policy

Last updated: June 17, 2026

1. Data Controller

The data controller is MAIA, a Société par actions simplifiée (SAS) with a share capital of €100, registered under SIREN 934 110 024, SIRET (registered office) 934 110 024 00023, RCS Grasse 934 110 024, VAT FR84934110024. Registered office: 20 chemin du Moulin, 06740 Châteauneuf-Grasse, France. You may contact the company's legal representative by email at [email protected] for all data-protection inquiries, or at [email protected] for general matters.

2. Data We Collect

Identity

When you sign in with Apple, we receive and store the name and email address provided by Apple (which may be a relay address), as well as Apple's stable user identifier (the "sub" field). We do not store your Apple ID password.

Training data

We store the workout data you enter: sessions, exercises, sets, reps, loads, body weight entries, and your training preferences. This data is stored on our own servers and is necessary to provide the service.

AI input processing

When you describe a workout in natural language, that text is sent to OpenRouter (which routes to Anthropic models) to be parsed into structured workout data. This transmission is necessary to provide the core functionality of the app. If you have enabled the "Help improve Paul" toggle in Settings (default: off), those text inputs may additionally be reviewed by MAIA to improve the service; you can withdraw this consent at any time by toggling the setting off.

Voice input

Voice transcription is performed on-device using WhisperKit. Audio is never uploaded to our servers or to any third party. This is entirely local processing and does not involve Apple Speech Recognition or any remote service.

Diagnostics

If you have enabled the "Diagnostic Data" toggle in Settings (default: off), the app reports crashes, masked session-replay events, and performance metrics to Sentry (EU region: ingest.de.sentry.io). Sentry is configured with sendDefaultPii=false: no user identifier, no IP address, and no screenshots are transmitted. When the toggle is off, no diagnostic data is collected passively.

Billing

Subscription management is handled entirely by Apple via StoreKit. We receive and store your subscription status and an opaque appAccountToken (a UUID) that links an Apple purchase to your account. We do not have access to your payment card details.

3. Purposes and Legal Bases

Identity data (name, email, Apple sub) is processed to create and authenticate your account; the legal basis is performance of a contract. Training data (workouts, exercises, logs, body weight, preferences) is processed to provide the service; the legal basis is performance of a contract. AI input processing (sending workout text to OpenRouter/Anthropic) is processed to deliver core natural-language parsing; the legal basis is performance of a contract. Review of AI inputs for service improvement ("Help improve Paul" toggle) is processed solely on the basis of your consent, which you may withdraw at any time. Diagnostic data (Sentry, when opt-in toggle is ON) is processed on the basis of your consent. Subscription and billing data is processed to manage access to paid features; the legal basis is performance of a contract.

4. Sub-processors and Recipients

Apple Inc. acts as sub-processor for authentication (Sign in with Apple) and subscription billing (StoreKit/App Store). OpenRouter Inc. and Anthropic PBC act as sub-processors for AI parsing of workout text. Functional Software, Inc. (Sentry) acts as sub-processor for diagnostic data in the EU region, only when the diagnostic toggle is enabled. Our infrastructure provider hosts the servers where your training data is stored. We do not sell, rent, or share your personal data with any other third parties.

5. International Transfers

OpenRouter and Anthropic are based in the United States. Transfers of workout text inputs to these processors are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent safeguards. Sentry diagnostic data is processed in the EU region (Frankfurt) and does not involve a transfer outside the EEA. Apple processes authentication and billing data under its own privacy framework, which includes EU–US data transfer safeguards.

6. Retention

Your training data, identity data, and billing records are retained for as long as your account is active. When you delete your account in the app, your personal data and all associated training records are permanently deleted from our servers within a reasonable period. Diagnostic data collected via Sentry is short-lived and retained for approximately 90 days. Apple billing records are governed by Apple's own retention policies.

7. Your Rights

Under the GDPR and applicable French law, you have the right to access, rectify, erase, and port your personal data, as well as the right to restrict or object to processing, and to withdraw consent where processing is based on consent. To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with the French data-protection authority, the CNIL, at www.cnil.fr.

8. Account Deletion

You may delete your account at any time from within the Paul app. Deleting your account permanently removes your profile, training data, and all associated records from our servers. Important: deleting your account does NOT cancel your Apple subscription. You must cancel your subscription separately through the App Store, via Apple ID settings, before or after deleting your account — otherwise Apple will continue to bill you.

9. Children

Paul is not intended for use by persons under the age of 15 (the age of digital consent under French law) without the prior authorisation of a parent or legal guardian. We do not knowingly collect personal data from children under 15. If you believe we have inadvertently collected such data, please contact us at [email protected] so we can delete it.

10. Website Cookies

The paulworkout.com website uses only technically necessary cookies — for example, to store your language preference. We do not use advertising cookies or third-party tracking cookies. No cookie consent banner is required for strictly necessary cookies under applicable EU law.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our practices or applicable law. The date at the top of this page indicates when the policy was last revised. Your continued use of the Paul app after any changes constitutes acceptance of the revised policy. We encourage you to review this page periodically.

12. Contact

For all GDPR-related requests, data-subject access requests, or privacy questions, contact us at [email protected]. For general inquiries about Paul, contact us at [email protected]. MAIA, 20 chemin du Moulin, 06740 Châteauneuf-Grasse, France.

© 2026 Maia
PrivacyTerms of ServiceApp Store