Privacy Policy
Last updated: 2026-06-05
This Privacy Policy explains how The Gymbiote Company Inc. ("Gymbiote," "we," "us," or "our") collects, uses, shares, and protects information when you use the Gymbiote mobile application and the gymbiote.com website (collectively, the "Service"). By using the Service you agree to the practices described here.
1. Information we collect
1.1 Information you provide
- Account credentials — email address and a hashed password when you create an account. We never store your password in plain text.
- Trainer profile — trainer name, avatar selection, and any custom gymbiote nicknames you set.
- Sign-in via Apple, Google, or Facebook — if you use a social sign-in option, we receive an opaque user identifier and (where you authorize it) your name and email from the provider. We do not receive your social-network password.
- Support correspondence — when you email support@gymbiote.com, we retain the messages to handle your request.
1.2 Information generated by your use of the Service
- Gameplay data — gymbiote collection, levels, bonds, achievements, items, REPS balance, gym progress, mail, friends list, PvP records, trade history, and other in-game state.
- Workout data — exercises, sets, reps, weight, duration, templates, and notes you log inside the Service.
- Fitness data from health platforms — see Section 7 below.
- Approximate location — when you opt into PvP nearby matchmaking we collect a coarse, rounded location (~100 m precision) to surface other trainers in your area. You can disable this at any time in your device settings.
- Device and diagnostic data — device model, OS version, app version, language, time zone, crash reports, and basic performance metrics. We use this to debug and improve the Service.
- Advertising identifiers (free tier only) — see Section 3.3.
1.3 Information we do not collect
We do not collect government identifiers, payment card numbers (those are handled by Apple, Google, and RevenueCat — see Section 3.2), browsing history outside the Service, contacts, photos other than ones you explicitly attach to an in-Service feature, or biometric identifiers other than the on-device fingerprint/Face ID check used to unlock the app when you enable it.
2. How we use information
We use the information described above to:
- Operate the Service — sign you in, sync your account across devices, deliver in-game features, run battles and PvP matches, and process subscriptions.
- Personalise gameplay — choose wild encounters based on your team, convert workout volume into gymbiote stats, surface relevant scanner alerts.
- Communicate with you — send transactional messages (e.g. password resets, account changes) and respond to support requests. We do not send marketing emails unless you opt in.
- Maintain safety and integrity — detect and prevent fraud, abuse, cheating, and violations of our Terms of Service.
- Improve the Service — analyse aggregated, de-identified usage patterns to fix bugs and balance gameplay.
- Comply with legal obligations — respond to lawful requests, enforce our Terms, and protect rights, safety, and property.
3. Third-party services we use
We rely on the following processors. Each one operates under its own privacy policy, which we encourage you to review:
3.1 Infrastructure
- Google Firebase (Authentication, Cloud Firestore, Cloud Storage, Cloud Functions, Hosting) — hosts your account, gameplay state, mail, and uploaded assets. firebase.google.com/support/privacy
- Sign-in providers — Apple, Google, and Facebook authentication is processed by those companies under their respective privacy policies.
3.2 Payments
- Apple App Store, Google Play, and RevenueCat — handle subscription processing, receipts, and entitlement verification. We never receive or store your payment-card information. revenuecat.com/privacy
3.3 Advertising (Free tier only)
- Google AdMob — serves banner and rewarded-video ads to free-tier players. AdMob may receive your device advertising identifier, IP address, approximate location derived from IP, and ad-interaction events. policies.google.com/technologies/ads
- Paid subscribers (Gymbiote+, PRO, APEX) see no ads, and we share no data with AdMob for advertising purposes.
- On iOS, advertising data collection is gated by Apple's App Tracking Transparency prompt. You can revoke permission at any time in Settings → Privacy & Security → Tracking.
3.4 Push notifications
Push notifications are delivered through Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM). You can disable notifications at any time in your device settings.
4. How we share information
We do not sell or rent your personal data to advertisers or data brokers. We share information only in these limited cases:
- With other players, when you choose — your trainer name, level, and basic stats are visible to friends you add and opponents in PvP. Your email, password, and private gameplay details are never shared with other players.
- With service providers — the processors listed in Section 3, strictly to deliver the Service.
- For legal reasons — to comply with a court order, subpoena, or other lawful demand; to enforce our Terms; or to protect rights, safety, and property.
- In a business transfer — if Gymbiote is acquired or merges with another company, your information may transfer to the successor entity, subject to this policy.
5. Data retention
We keep your account and gameplay data for as long as your account is active. When you delete your account (see Section 9) we remove personal data from our active systems immediately and from backups within 30 days. Anonymized purchase records may be retained for up to seven years to comply with tax and consumer-protection law. Server access logs are retained for up to 30 days for security and abuse-prevention purposes.
6. Data security
All traffic between the app and our servers is encrypted in transit using TLS. Account data at rest in Google Firebase is encrypted using Google's standard infrastructure. We use scoped Firestore security rules so that one trainer cannot read or modify another trainer's private data. No system is perfectly secure, however; if we become aware of a breach that affects your personal data we will notify you as required by applicable law.
7. Health and fitness data
On iOS, with your explicit permission, Gymbiote reads step count, active energy, and similar workout metrics from Apple HealthKit. On Android, we read equivalent metrics from Health Connect. This data:
- Stays on your device and in your private account; it is never shared with other players, advertisers, or data brokers.
- Is used only to convert your real-world activity into in-game progression (step-based bond candy, workout-based gymbiote stats).
- Can be revoked at any time in your device's health-platform settings without affecting the rest of the app.
Health data is never used for advertising or sold to third parties.
8. Children's privacy
Gymbiote is not directed at children under 13, and we do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided personal information without your consent, contact us at support@gymbiote.com and we will delete the information.
9. Your rights
9.1 Access and deletion
You can delete your account at any time from inside the app (Profile → Settings → Delete Account) or by emailing support@gymbiote.com. See gymbiote.com/delete-account for full details. To request a copy of your personal data, email the same address; we will respond within 30 days.
9.2 California residents (CCPA / CPRA)
If you are a California resident you have the right to (a) know what personal information we collect and how we use it, (b) request access to a copy of that information, (c) request deletion, (d) request correction of inaccurate information, and (e) not be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. To exercise any of these rights, email support@gymbiote.com.
9.3 European Economic Area, United Kingdom, and Switzerland (GDPR / UK-GDPR)
If you reside in the EEA, UK, or Switzerland, you have the right to access, rectify, erase, restrict, and port your personal data, and to object to processing. The legal bases on which we process your data are: (i) performance of our contract with you (the Terms of Service), (ii) our legitimate interests in operating and securing the Service, (iii) your consent (e.g. for health data, advertising tracking on iOS), and (iv) compliance with legal obligations. You also have the right to lodge a complaint with your local data-protection authority.
10. International data transfers
We are based in the United States and our service providers operate globally. By using the Service you understand that your information may be transferred to, stored, and processed in countries other than your own. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers of personal data.
11. Cookies and tracking on the website
The gymbiote.com website itself uses essential cookies only — no advertising cookies, no cross-site tracking, no third-party analytics. The mobile app does not use web cookies.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we update the "Last updated" date at the top of this page and, for material changes, notify active users inside the app. Your continued use of the Service after a change constitutes acceptance of the revised policy.
13. Contact us
Questions about this policy or your data? Email support@gymbiote.com.
The Gymbiote Company Inc.