Privacy Policy
SwimST — Version 1.1 • Effective date: 28 February 2026
SwimST ("the App") is developed by Otenz ("we", "us"). This policy explains what data the App accesses, how it is used, and your rights.
1. Data We Collect
1.1 Training Session Data
The App stores your swim training sessions — including session names, dates, exercises, distances, repetitions, timers, and tools — in a local SQLite database on your device. This data is never transmitted to any server.
1.2 Preferences & Settings
Your preferences (theme, language, keep-screen-on, splash protection) are stored locally on your device using SharedPreferences. We do not collect or sync these.
1.3 Custom Tool Icons
If you add custom tool icons (PNG/JPG images), they are stored locally in the app's private directory on your device. These images are never uploaded or shared.
1.4 Athlete Labels
If you create athlete profiles, the names and identifiers you enter are stored locally on your device. We do not require real names — you may use any label you choose (nickname, initials, code).
1.5 Website & Web App Storage
The marketing website (swimst.app) stores a single language preference in your browser's localStorage so the site remembers your chosen language between visits. No cookies are set.
The web application (web.swimst.app) uses localStorage for preferences (theme, language, user role) and IndexedDB for training session data — the same data described in §1.1 above. All data remains entirely in your browser and is never sent to any server. No cookies are set. Clearing your browser data or site data removes all stored information.
2. Data We Do NOT Collect
- We do not create user accounts.
- We do not collect your name, email address, or phone number.
- We do not use advertising SDKs or tracking pixels.
- We do not use analytics or crash-reporting services.
- We do not sell, rent, or share any user data for marketing or advertising purposes.
- We do not operate any backend server that stores user data.
- We do not access your location, contacts, camera, microphone, or any other sensor.
3. Network Usage
SwimST is a fully offline application. The App does not make any network requests during normal operation. The only network activity occurs when:
- External links: Tapping the website link in the app footer opens your device browser to
swimst.app. No data is shared beyond the URL.
- Import / Export: When you export sessions as JSON, the file is saved locally or shared via your device's share sheet (AirDrop, email, etc.). The App does not upload data to any server.
- Shareable links: If you generate a shareable link, an encrypted copy of the session data is uploaded to
swimst.app. The server stores only the encrypted blob — it cannot read or decrypt the contents. The encryption key is included only in the URL fragment and is never sent to the server.
4. Permissions
The App requests the following Android permissions:
| Permission | Purpose | When Used |
|---|
| Storage (read/write) | Import/export session JSON files | Only when you use import or export |
| Wake Lock | Keep screen on during training execution | Only when "Keep screen on" preference is enabled |
No other permissions are requested. The App does not request location, camera, microphone, contacts, or any other sensitive permissions.
5. Data Storage & Security
- All user data (training sessions, exercises, preferences) is stored locally on your device.
- The SQLite database is stored in the app's private storage directory, inaccessible to other apps.
- We do not operate any server that stores user data.
- No data is encrypted at rest since all data is non-sensitive training records.
6. Data Retention & Deletion
Since all data is stored locally on your device:
- Uninstalling the App removes all local data (sessions, exercises, preferences).
- You can clear the App's data from Android Settings → Apps → SwimST → Clear Data.
- You can delete individual sessions from within the App.
- There is no server-side data to delete.
7. Children's Privacy
The App is not directed at children under the age of 13. We do not knowingly collect personal information from children. The App does not include age-gated content, in-app purchases, or advertising.
8. Your Rights
Because we do not collect any personal data on any server, there is no personal data for us to access, correct, or delete on your behalf. All data is under your direct control on your device.
9. Data Sharing & Your Responsibility
SwimST includes features that allow you to share training sessions with others (e.g., exporting encrypted .swimst files or generating shareable links). Please be aware of the following:
- Any data you choose to share — including session names, exercise details, and athlete labels — is shared at your sole discretion and responsibility.
- We do not collect, store, or process the names or personal information you enter as athlete labels. These identifiers exist only on your device until you decide to share them.
- When you generate a shareable link, session data is encrypted before being stored on our server. We cannot read the contents of shared data — only you and the people you share the link with can access it.
- We are not responsible for how recipients use data you share with them.
Recommendations for Safe Sharing
- Use nicknames, initials, or codes instead of full real names for athlete labels.
- Avoid including sensitive personal information (medical conditions, birth dates, etc.) in session names or notes.
- Share links and decryption keys only with trusted individuals.
- Remember that once you share data, you cannot control how the recipient handles it.
10. GDPR Compliance
Under the General Data Protection Regulation (EU 2016/679) and the Italian Codice in materia di protezione dei dati personali (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018):
- Processor Role. When you use the shareable-link or recovery-link features, Otenz acts as a Data Processor (Art. 4(8) GDPR). You — as the person who decides which data to include — act as the Data Controller (Art. 4(7) GDPR).
- Legal Basis. Processing is carried out on the basis of legitimate interest (Art. 6(1)(f) GDPR): providing the encrypted storage and delivery service you explicitly requested.
- Zero-Knowledge Architecture. We encrypt your data with AES-256-GCM before it leaves your device. The decryption key is embedded in the URL fragment and never reaches our server. We cannot read, profile, or monetise the content of your uploads.
- Right to Erasure (Art. 17). Because we cannot identify which encrypted blobs belong to which person, the practical way to exercise your right to erasure is to overwrite or delete the shared link from the app, which replaces the server-side blob.
- Data Processing Agreement. A full Data Processing Agreement describing our obligations under Art. 28 GDPR is available at swimst.app/dpa and is incorporated by reference into these Terms of Service.
- Supervisory Authority. You may lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) at www.garanteprivacy.it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The updated version will be posted at this URL with a revised effective date. Continued use of the App after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or the App's data practices, contact us at: