GDPR Document
Pernu's compliance with Regulation (EU) 2016/679 (GDPR), Portuguese Law no. 58/2019 and other applicable personal data protection legislation.
In effect since 27 May 2026
1. Controller and scope
Pernu, Unipessoal Lda., with registered office at Quinta do Anjo, Setúbal, Portugal, is the controller of personal data processed through the Pernu mobile application and associated digital services.
This document describes Pernu's compliance with Regulation (EU) 2016/679 (GDPR), Law no. 58/2019 and other applicable legislation on personal data protection, e-commerce and digital services.
2. Purposes and sources of data
Pernu processes personal data to operate the application, including account creation, workout management, social features, messaging, maps, optional health data integration, subscriptions and user support.
Data is collected directly from the user, through the device via permissions, through digital app stores and through technical providers supplying infrastructure, storage, security and advertising services.
3. Categories of data processed
Categories include identification data (name or nickname, email, profile photo and cryptographically derived password), workout data (exercises, sets, repetitions, loads, times, notes, calendar and progress photos), location data when the user enables outdoor workouts, social interaction data (posts, comments, reactions, followers, groups and private messages), health data when the user grants explicit permission through Apple Health or equivalent Android APIs, and technical data such as IP address, device identifiers, operating system, app version, crash logs and advertising identifiers.
Pernu also receives transaction identifiers and subscription status from digital stores but does not receive or store card payment details.
4. Legal bases
Processing is based on performance of the contract with the user, explicit consent where required (notably for health data, precise location and optional permissions), Pernu's legitimate interests for security, fraud prevention, aggregated statistics and serving non-personalised ads, and compliance with legal obligations including billing requirements and communications to authorities.
5. Google AdMob
Pernu integrates the Google Mobile Ads (AdMob) SDK to display ads. For advertising purposes, Google Ireland Limited acts as an independent controller of data collected through the SDK, including advertising identifiers, IP address, technical data and information about interaction with ads.
Pernu does not access this data and does not use health data for advertising, profiling or marketing. The user can control tracking and reset the advertising identifier in device settings.
6. Sub-processors and transfers
Pernu uses sub-processors for hosting, databases, backups, transactional email, media storage, maps and security services. These include providers such as Apple, Google, ImageKit, Resend and cloud infrastructure providers.
All sub-processors act under contracts including data protection clauses and, where applicable, Standard Contractual Clauses approved by the European Commission. Where international transfers occur, Pernu applies additional technical and organisational measures and carries out impact assessments when required.
7. Retention periods
Data is kept only as long as necessary for processing purposes. Account and workout data is deleted or anonymised within thirty days of an account deletion request. Backups may retain data for up to ninety days. Technical logs are kept for up to ninety days unless an incident is investigated. Messages are kept while the account exists. Billing data is kept for statutory periods, generally ten years.
8. Information security
Pernu applies technical and organisational measures appropriate to the risk, including TLS-encrypted communications, environment segregation, secrets management, access control, logging of administrative access, error monitoring, periodic security testing and an incident response plan with notification to the CNPD and data subjects when required under Article 34 GDPR.
Pernu designates internal owners for information security and data protection, reviews permissions periodically and maintains up-to-date documentation on sub-processors and data flows.
9. Data protection impact assessment (DPIA)
Pernu carried out a Data Protection Impact Assessment (DPIA) due to processing health data, precise location and integration with international providers. The assessment concluded that, with the measures implemented, residual risk is compatible with the service offered. Full documentation can be provided to the CNPD upon prior consultation.
10. Data subject rights
You have the right of access, rectification, erasure, restriction, portability, objection and withdrawal of consent. You may exercise these rights by sending a request to geral@pernu.pt; additional information may be requested to verify identity.
You may lodge a complaint with the Portuguese Data Protection Authority (CNPD) or the supervisory authority in your country of residence.
11. Automated decisions, minors and updates
Pernu does not take solely automated decisions with significant legal effects. Algorithms may be used to order the feed or suggest groups, with limited impact. The service is not intended for users under 16; accounts identified as belonging to minors will be deleted.
This document and related policies may be updated; material changes will be communicated through the app or by email.
12. Contact
For data protection enquiries, contact geral@pernu.pt.