Privacy Policy
Note: This is a working draft. Before launching, have it reviewed by a privacy lawyer (€500-1500 EU). Fill in your company legal name, VAT, and DPO contact.
1. Who we are
FitnessData ("we", "us", "our") is a SaaS platform for personal trainers and their clients, owned and operated by [YOUR COMPANY LEGAL NAME], registered in [COUNTRY], VAT [NUMBER].
Contact: privacy@fitnessdataplatform.com
DPO: [DPO NAME + CONTACT] — required if processing health data of >250 subjects systematically.
2. What data we collect
- Personal Trainers (account owners): name, email, phone, billing info via Stripe.
- Clients (end users): name, age, contact, body measurements, workout history, photos/videos, medical/anamnesis data (Article 9 GDPR — "special categories").
- Technical: IP, device, browser, session logs (audit, security).
3. Legal basis
- Contract (Art. 6.1.b GDPR) for trainer account.
- Explicit consent (Art. 9.2.a GDPR) for client health data — collected at first portal access via mandatory consent popup.
- Legitimate interest for security logs, fraud prevention.
4. How we use it
To provide the service: coaching, scheduling, payment tracking. No selling, no advertising. Stripe processes payments under their own privacy policy.
5. Sharing & sub-processors
- Supabase (EU region, Frankfurt) — database hosting.
- Cloudflare — CDN, edge worker, file storage (R2).
- Stripe — payment processing.
- Vercel — web hosting.
- Anthropic / Google — AI for workout parsing (anonymized text only).
All sub-processors are bound by DPAs (Data Processing Agreements).
6. Data retention
- Active accounts: for the duration of the subscription.
- After account deletion: data is kept in backups for 30 days, then permanently deleted.
- Anonymized phone hash: 12 months (anti-fraud).
- Audit logs: 6 months.
7. Your rights (GDPR Articles 15-22)
- Access: request a copy of your data (response within 30 days).
- Rectification: correct inaccurate data.
- Erasure ("right to be forgotten"): delete your account from app settings or write to us.
- Portability: export your data in JSON format.
- Object/Restrict: limit certain processing activities.
- Withdraw consent: at any time (does not affect prior lawful processing).
- Complaint: lodge with your supervisory authority (e.g. Garante Privacy IT, CNIL FR, ICO UK).
8. International transfers
All data stays in the EU (Supabase Frankfurt, Vercel EU). Cloudflare R2 is in the EU region. No transfers to non-EU countries except where explicitly enabled by Standard Contractual Clauses.
9. Security
TLS 1.3 in transit, AES-256 at rest, RLS (Row Level Security) on database, biometric authentication on mobile, encrypted local storage. Regular security audits.
10. Children
The service is intended for adults (18+). Minors must have parental/guardian consent submitted by the trainer.
11. Changes
We'll notify you of material changes via email + in-app notice. Continuing use after notice = acceptance.