Privacy Policy

Last updated: May 7, 2026

Overview

Ferrum is operated by ZoalTech Limited, an Irish company ("Ferrum", "ZoalTech", "we", "our", "us"). ZoalTech Limited is the data controller for personal data processed through the Service. We provide a fitness platform that lets independent fitness coaches and creators publish workout programs to their audiences through our mobile app and coach portal. This Privacy Policy explains what information we collect, how we use and share it, and the choices you have. It applies to the Ferrum mobile app, the Ferrum coach portal at cp.ferrumapp.com, and our marketing site at ferrumapp.com.

Some Ferrum apps are distributed under a coach's own brand. Even when the app appears white-labeled, the underlying service is operated by Ferrum and this policy applies.

Information We Collect

Information You Provide

  • Account information: email address, display name, profile photo, preferred language (English or Arabic), and authentication identifiers from Apple Sign-In, Google Sign-In, or our magic-link email sign-in.
  • Preferences: notification settings, workout reminder time, dark/light mode.
  • Coach profile data (if you register as a coach): your name, display name, tagline, biography, profile photo, social links, and content you upload (programs, workouts, exercises, videos, thumbnails). Coaches may provide both English and Arabic versions of these fields.
  • Support requests: messages you send to us by email or through our contact form.

Information Generated by Your Use of the App

  • Workout activity: completed workouts, completion timestamps, program progress, and aggregate stats (total workouts, total minutes, current streak, longest streak, last workout date).
  • Subscription status: whether you have an active subscription, the purchase channel (Apple App Store, Google Play, or web via Stripe), and a Stripe customer identifier when applicable. We do not store full payment-card details — those are handled by Apple, Google, or Stripe directly.
  • Acceptance records: the version of these Terms and Privacy Policy you accepted, and the time of acceptance.

Diagnostic Information

  • Crash reports and performance traces collected by Sentry, which include the device model, operating system version, app version, your account identifier, email, and display name. This helps us diagnose problems and improve reliability.
  • Server logs from our backend, which may include your account identifier and the API endpoints you call.

We do not collect data from Apple HealthKit or Google Fit, and we do not use third-party advertising or behavioral analytics SDKs (no Google Analytics, no Mixpanel, no Facebook Pixel, no PostHog).

Mobile Permissions

  • Notifications: used to deliver local rest-timer alerts during workouts. You can disable notifications in your device settings at any time.
  • Microphone (Android only, declared but unused): the Android system declares the RECORD_AUDIO permission for compatibility with audio playback libraries. We do not record, store, or transmit any audio.

We do not request access to your camera, photo library, contacts, or location.

How We Use Your Information

  • To create and authenticate your account and keep you signed in.
  • To deliver workout programs, track your progress, and personalize your experience.
  • To process subscription purchases and renewals.
  • To send transactional emails such as magic-link sign-in messages.
  • To trigger local rest-timer notifications during a workout.
  • To diagnose crashes, fix bugs, and improve performance.
  • To enforce our Terms of Service and protect against fraud or abuse.
  • To comply with legal obligations.

How We Share Information

With Coaches

If you subscribe to a coach's programs, the coach can see aggregated activity metrics about their subscribers (such as total active users and weekly completions) through the coach portal. Coaches do not see individually identified workout activity, your email, or your contact information through these aggregate dashboards.

With Service Providers

We rely on the following processors to operate the service. Each processes only the data needed for its specific function and is bound by its own privacy commitments:

Provider | Purpose | Data shared
Google Firebase (Auth, Firestore, Cloud Functions) | Authentication, database, server-side logic | Account, preferences, workout history, coach content
Cloudflare R2 | Storage and delivery of videos, images, profile photos | Media files uploaded by coaches and users
Stripe | Web subscription payments and coach payouts | Email, name, payment-card details (handled by Stripe), Stripe customer ID
RevenueCat | In-app purchase management on iOS and Android | App Store / Play Store purchase identifiers and entitlement status
Apple App Store / Google Play | In-app purchase processing | Payment information governed by Apple's and Google's policies
Resend | Sending transactional email (sign-in links) | Email address and message content
Sentry | Crash reporting and performance monitoring | Device/OS info, account identifier, email, display name, error context

Legal and Safety

We may share information when we believe in good faith that it is necessary to comply with applicable law, respond to lawful requests from public authorities, enforce our Terms, prevent fraud, or protect the rights, property, or safety of Ferrum, our users, or others.

Business Transfers

If Ferrum is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you and provide choices where required by law.

We Do Not Sell Your Personal Information

We do not sell or rent your personal information, and we do not share it with advertising networks for cross-context behavioral advertising.

Account Access by Ferrum Staff

Authorized Ferrum administrators may temporarily impersonate a coach account to provide support or troubleshoot issues. When this happens, the coach portal displays an impersonation banner and the action is logged. Administrators cannot impersonate other administrators.

Legal Basis (EEA / UK Users)

If you are in the European Economic Area, the United Kingdom, or another region with equivalent data-protection laws, we rely on the following legal bases under the General Data Protection Regulation (GDPR):

  • Performance of a contract — to provide the Service you signed up for, including authentication, delivering programs, and tracking your progress.
  • Legitimate interests — to keep the Service secure, prevent fraud and abuse, diagnose crashes, and improve the product. We balance these interests against your rights.
  • Consent — for any processing that requires it (you can withdraw consent at any time).
  • Legal obligations — to comply with tax, accounting, and other applicable laws.

International Data Transfers

We are based in Ireland and personal data is processed within the European Economic Area where possible. Several of our service providers (Google, Stripe, Sentry, RevenueCat, Resend, Cloudflare) process data in the United States and other regions. When data is transferred outside the EEA or the UK, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or, for U.S. providers, certification under the EU–U.S. Data Privacy Framework where available.

Data Retention

  • Account, profile, and workout-history data are retained for as long as your account is active.
  • When you delete your account, we delete or anonymize your personal data within 30 days, except where we must keep it to comply with legal, tax, or accounting obligations (typically up to 7 years for payment records).
  • Crash reports and server logs are typically retained for up to 90 days.

Your Rights

Depending on where you live, you may have rights to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and personal data.
  • Export your data in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email support@ferrumapp.com. We will respond within the timeframe required by applicable law. EEA and UK users have the right to lodge a complaint with their local supervisory authority — in Ireland, this is the Data Protection Commission (www.dataprotection.ie).

Security

We use industry-standard safeguards to protect your information, including TLS encryption for data in transit, encrypted-at-rest storage in Google Firebase and Cloudflare R2, signed URLs with limited validity for video access, and strict access controls for our staff. No system can be guaranteed completely secure, but we work hard to protect your data and will notify you in the event of a breach involving your personal information as required by law.

Children's Privacy

Ferrum is not directed to children under 13 (or under 16 in the European Economic Area and the United Kingdom). We do not knowingly collect personal information from children below these ages. If you believe a child has provided us with personal information, please contact us and we will delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will revise the "Last updated" date and, where appropriate, notify you in the app or by email. Your continued use of Ferrum after the update means you accept the revised policy.

Contact Us

If you have questions about this Privacy Policy or want to exercise your rights:

ZoalTech Limited

Registered in Ireland

support@ferrumapp.com