Privacy Policy
How Pernu processes personal data — in compliance with the GDPR, Portuguese Law no. 58/2019, UK GDPR, the ePrivacy Directive and other applicable legislation.
In effect since 27 May 2026
1. Introduction
This Privacy Policy clearly and transparently describes how Pernu, Unipessoal Lda., with registered office at Quinta do Anjo, Setúbal, Portugal, processes the personal data of users of the Pernu application and associated services. This policy complies with Regulation (EU) 2016/679 (GDPR), Law no. 58/2019, UK GDPR, the ePrivacy Directive and other applicable legislation.
Use of the application implies that you have read and accept this policy, the Terms of Service and the End User Licence Agreement.
2. Data controller
The controller is Pernu, Unipessoal Lda., reachable at geral@pernu.pt for privacy matters and exercising your rights.
Pernu does not sell or rent personal data to third parties.
3. Scope
This policy applies to the mobile application, backend, website and transactional communications sent by Pernu.
Personal data may be obtained directly from the user, through the device via granted permissions, through Apple and Google APIs, from technical providers supplying logs and diagnostics, and from digital stores reporting subscription status.
4. Categories of personal data
Identification data: name or nickname, email address, cryptographically derived password, profile photo and account preferences, including age and gender when provided.
Workout data: plans, exercises, sets, repetitions, loads, times, notes, calendar, progress photos and sync metadata.
Location data: GPS coordinates, polylines and timestamps when the user enables outdoor workouts.
Social communication data: posts, comments, reactions, follow relationships, group participation, private or group messages, attachments and delivery/read receipts.
Health data: heart rate and other metrics from Apple Health or equivalent Android APIs, only when the user grants explicit permission. This data is never used for advertising or commercial profiling.
Technical data: IP address, device identifiers, operating system, app version, crash logs, latency, API failures and advertising identifiers such as IDFA or AAID.
Payment data: transaction identifiers and subscription status from digital stores; Pernu does not receive or store card numbers.
5. Purposes and legal bases
For contract performance, Pernu processes data to create and manage accounts, sync workouts, provide maps, feed, groups and messaging, validate subscriptions and provide support.
On the basis of consent, Pernu processes health data, precise location when not strictly necessary, optional operating system permissions and, where applicable, personalised advertising preferences.
On the basis of legitimate interests, Pernu processes data for information security, fraud prevention, aggregated statistics, limited‑impact A/B testing and serving non‑personalised ads, including measurement and fraud prevention. You may object to processing based on legitimate interests.
Processing may also be necessary to comply with legal obligations, such as billing requirements or communications to authorities.
6. Google AdMob
The application integrates the Google Mobile Ads (AdMob) SDK to display ads. For advertising purposes, Google Ireland Limited acts as an independent controller of data collected through the SDK. Pernu does not access data collected by Google for personalisation or measurement.
Google may process advertising identifiers, IP address, technical data, performance data and information about interaction with ads. The legal basis may be user consent where required, or legitimate interest for non‑personalised ads.
You can control tracking through device settings, including iOS tracking options and resetting the advertising ID on Android, as well as through Google’s consent form when implemented.
7. Providers and sub‑processors
Apple processes data for iOS app distribution, in‑app purchases, Apple Maps and Apple Health. Google processes data for Google Play, Android maps, location services and AdMob.
ImageKit stores and optimises media files. Resend sends transactional email. Infrastructure providers process data as sub‑processors, including servers, databases, backups, CDN and security services.
All sub‑processors act under contracts including data protection clauses. Google Ads acts as an independent controller.
8. International transfers
Some providers may access data from countries outside the European Economic Area. In those cases, Pernu applies Standard Contractual Clauses, adequacy decisions and additional technical and organisational measures, including transfer impact assessments when required.
9. Retention periods
Data is kept only for as long as necessary. Account and workout data is retained while the account is active and deleted or anonymised within thirty days of a deletion request.
Backups may retain data for up to ninety days. Technical logs are kept for up to ninety days unless an incident is investigated. Messages are kept while the account exists. Billing data is kept for statutory periods, generally ten years.
10. Data subject rights
You have the right of access, rectification, erasure, restriction, portability, objection and withdrawal of consent. You may exercise these rights by sending a request to geral@pernu.pt; additional information may be requested to verify identity.
You may lodge a complaint with the CNPD or the data protection authority in your Member State.
11. Information security
Pernu applies technical and organisational measures appropriate to the risk, including TLS‑encrypted communications, environment segregation, secrets management, access control, logging of administrative access, error monitoring, periodic security testing and an incident response plan with notification when required under the GDPR.
12. Automated decisions and minors
Pernu does not take solely automated decisions with significant legal effects. Algorithms may be used to order the feed or suggest groups, with limited impact.
The service is not intended for users under 16; accounts identified as belonging to minors will be deleted.
13. Changes
This policy may be updated periodically. Material changes will be communicated through the app or by email. Continued use after the notice period implies acceptance of the new version.
14. Contact
For any question about this policy, contact geral@pernu.pt.