Privacy Policy
Last Updated: January 2025
Introduction
FitStreak ("we", "our", or "us") is a Finnish company committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application FitStreak (the "App").
By using FitStreak, you agree to the collection and use of information in accordance with this policy and the General Data Protection Regulation (GDPR).
Information We Collect
Health and Fitness Data
We collect the following health and fitness data to provide our services:
- Body Measurements: Weight, height, and body measurements
- Workout Data: Exercises performed, sets, reps, weights lifted, workout duration, workout notes
- Activity Data: Steps, calories burned, active energy expenditure
- Nutrition Data: Water intake, meal plans (if provided via AI features)
- Sleep Data: Sleep duration (manual entry)
- Goals and Preferences: Fitness goals, target weight, workout preferences, schedule preferences, equipment availability, injury information
- Progress Data: Workout history, exercise frequency, muscle group usage, rest days
Account Information
- Email address (for authentication via Supabase)
- Profile information (name, age, gender - if provided during onboarding)
- Authentication tokens (stored securely)
- Subscription status (managed through RevenueCat)
Usage Data
- App usage statistics (anonymized)
- Feature usage analytics (which features you use most)
- Error logs (for debugging and improving the app)
- Device information (device type, OS version - for compatibility)
AI-Generated Content
- Workout plans generated based on your preferences and goals
- AI coach conversations (if you use the AI coach feature)
- Personalized recommendations
How We Collect Information
Direct Collection
- Information you provide during onboarding (height, weight, goals, preferences)
- Data you manually enter in the app (workouts, daily logs, weight entries)
- Workout logs you create
- Profile information you update
Health Connect / HealthKit Integration
Android (Health Connect): With your explicit permission, we sync data from Health Connect
iOS (HealthKit): With your explicit permission, we sync data from Apple HealthKit
Data Types Synced:
- Steps (read)
- Weight (read and write)
- Active Energy / Calories (read)
- Water Intake (read and write)
- Sleep (read - if available)
You can revoke this permission at any time through your device settings.
Automatic Collection
- Usage analytics (anonymized and aggregated)
- Error reports (to help us fix bugs)
- App performance metrics
Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal bases:
Consent (Article 6(1)(a) GDPR):
- Health and fitness data collection
- Health Connect/HealthKit integration
- Push notifications
- Marketing communications (if applicable)
Contract Performance (Article 6(1)(b) GDPR):
- Providing the core fitness tracking services
- Managing your subscription
- Processing payments
Legitimate Interests (Article 6(1)(f) GDPR):
- App improvement and analytics (anonymized)
- Security and fraud prevention
- Customer support
Legal Obligation (Article 6(1)(c) GDPR):
- Compliance with legal requirements
- Tax and accounting obligations
Special Category Data
Health and fitness data is considered "special category personal data" under GDPR Article 9. We process this data based on your explicit consent (Article 9(2)(a) GDPR).
How We Use Your Information
Provide Core Services (Contract Performance):
- Track your workouts and exercise progress
- Calculate daily streaks and achievements
- Display progress charts, insights, and analytics
- Generate personalized AI workout plans based on your goals and preferences
- Provide AI coach recommendations
- Sync data with Health Connect/HealthKit (with your explicit consent)
- Manage your subscription and provide premium features
Improve the App (Legitimate Interest):
- Fix bugs and improve performance
- Analyze usage patterns (anonymized and aggregated)
- Develop new features based on user needs
- Optimize AI recommendations
Communication (Consent/Contract):
- Send you push notifications about your fitness goals and daily challenges
- Provide customer support
- Send important app updates and announcements
- Respond to your inquiries
Legal Compliance (Legal Obligation):
- Comply with legal obligations
- Protect our rights and prevent fraud
- Enforce our Terms of Service
Data Storage and Security
Where Your Data is Stored
- Cloud Storage: Your data is stored securely in Supabase (PostgreSQL database hosted in the EU region: eu-north-1, Finland/Sweden)
- Local Storage: Some data is cached locally on your device for offline access
- Encryption: All data is encrypted in transit (HTTPS/TLS) and at rest
- Backup: Regular backups are performed to prevent data loss (stored in EU region)
- Data Location: Your personal data is primarily stored and processed within the European Economic Area (EEA)
Security Measures
- Industry-standard encryption protocols (TLS/SSL)
- Secure authentication (Supabase Auth with OAuth support)
- Row-level security (RLS) policies ensure users can only access their own data
- Regular security audits and updates
- Secure API endpoints with authentication
- Password hashing and secure token management
Data Retention
- Your data is retained as long as your account is active
- You can delete your account and all associated data at any time through the app settings
- Deleted data is permanently removed from our servers within 30 days
- Some data may be retained in backups for up to 90 days before permanent deletion
Data Sharing and Disclosure
We Do NOT:
- ❌ Sell your data to third parties
- ❌ Share your data with advertisers
- ❌ Use your data for marketing purposes (except with your explicit consent)
- ❌ Share your health data with other users
- ❌ Use your data to train AI models (except for generating your personalized workout plans)
Service Providers
We may share information with trusted third-party services that help us operate the app:
Supabase (EU-based)
- Database hosting, authentication, and backend services
- Location: EU region (eu-north-1)
- Privacy Policy: https://supabase.com/privacy
- Data Processing Agreement: We have a Data Processing Agreement (DPA) with Supabase
RevenueCat (US-based)
- Subscription management and payment processing
- Location: United States (with EU Standard Contractual Clauses)
- Privacy Policy: https://www.revenuecat.com/privacy
- Data Transfer: We use Standard Contractual Clauses (SCCs) approved by the European Commission
OpenAI (US-based)
- AI workout plan generation
- Location: United States (with EU Standard Contractual Clauses)
- Your data is processed to generate personalized plans but is not stored by OpenAI
- Privacy Policy: https://openai.com/privacy
- Data Transfer: We use Standard Contractual Clauses (SCCs) approved by the European Commission
Apple/Google
- Payment processing for subscriptions
- Location: EU-based for EU users (Apple/Google process payments in your region)
- Processed through their platforms in compliance with GDPR
Legal Requirements
We may disclose your information if required by law or to:
- Comply with legal processes or government requests
- Protect our rights, property, or safety
- Prevent fraud or security issues
- Enforce our Terms of Service
Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of Access (Article 15 GDPR): View all data we have about you through the app settings or by contacting us
- Right to Rectification (Article 16 GDPR): Update or correct inaccurate information through the app or by contacting us
- Right to Erasure ("Right to be Forgotten") (Article 17 GDPR): Delete your account and all associated data at any time
- Right to Restrict Processing (Article 18 GDPR): Request that we limit how we process your data in certain circumstances
- Right to Data Portability (Article 20 GDPR): Request a copy of your data in a structured, commonly used, and machine-readable format
- Right to Object (Article 21 GDPR): Object to processing of your data based on legitimate interests
- Right to Withdraw Consent (Article 7(3) GDPR): Withdraw your consent at any time (this does not affect processing that occurred before withdrawal)
- Right to Lodge a Complaint (Article 77 GDPR): File a complaint with the Finnish Data Protection Authority (Tietosuojavaltuutettu)
How to Exercise These Rights
In-App:
- Go to Settings > Edit Profile to view/update your data
- Go to Settings > Delete All Data to permanently delete your account
- Go to Settings > Health Connect to manage health data permissions
Contact Us:
Email kaveebhashiofficial@gmail.com for any GDPR rights requests. We will respond within 30 days (or inform you if we need more time, up to 60 days maximum).
Device Settings:
- Android: Settings > Apps > FitStreak > Permissions
- iOS: Settings > Privacy & Security > Health > FitStreak
No Fees: Exercising your GDPR rights is free of charge, unless your request is manifestly unfounded or excessive.
Health Connect and HealthKit
Android (Health Connect)
- We request permission to read/write specific health data types
- You can grant or deny permissions for each data type individually
- You can revoke permissions at any time in Health Connect settings
- Your data stays on your device and is only shared with apps you explicitly approve
- We only access data types necessary for the app's functionality
iOS (HealthKit)
- We request permission to read/write specific health data types
- You can grant or deny permissions for each data type individually
- You can revoke permissions at any time in iOS Settings > Privacy & Security > Health
- HealthKit data remains on your device and is encrypted
- We only access data types necessary for the app's functionality
Children's Privacy
Our app is not intended for children under 13 years of age. In Finland, the age of digital consent is 13 years. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately.
If we discover that we have collected information from a child under 13, we will delete that information promptly.
For children between 13 and 15 years old, we recommend parental supervision when using the app.
International Data Transfers
Data Transfers Outside the EEA
Some of our service providers are located outside the European Economic Area (EEA), specifically in the United States:
- RevenueCat (US): Subscription management
- OpenAI (US): AI workout plan generation
When we transfer your personal data outside the EEA, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved Standard Contractual Clauses with all US-based service providers
- Data Processing Agreements (DPAs): We have DPAs in place with all processors
- Adequate Protection: We only transfer data to service providers that provide adequate protection for personal data
CCPA (California Users)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information is collected
- Right to know if personal information is sold or disclosed
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
Cookies and Tracking
FitStreak does not use cookies or web tracking technologies. We do not track you across other websites or apps.
Automated Decision-Making and Profiling
The App uses automated processing (AI) to generate personalized workout plans based on your data. This includes:
- Analyzing your fitness goals, preferences, and history
- Generating workout recommendations
- Suggesting optimal training schedules
You have the right to:
- Request human intervention
- Express your point of view
- Contest the decision
You can opt out of AI-generated recommendations by contacting us, though this may limit some App features.
Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will:
- Notify you without undue delay (within 72 hours of becoming aware)
- Notify the Finnish Data Protection Authority (Tietosuojavaltuutettu) within 72 hours if required
- Provide clear information about the nature of the breach and steps we are taking
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by:
- Posting the new Privacy Policy in the app
- Updating the "Last Updated" date at the top of this policy
- Sending you an email notification (for significant changes)
- Displaying a notice in the app
Your continued use of the App after changes are posted constitutes acceptance of the updated Privacy Policy.
Right to Lodge a Complaint
If you believe we have not addressed your concerns adequately, you have the right to lodge a complaint with the Finnish Data Protection Authority:
Tietosuojavaltuutettu (Finnish Data Protection Authority)
- Website: https://tietosuoja.fi
- Email: tietosuoja@om.fi
- Address: Lintulahdenkuja 4, 00530 Helsinki, Finland
- Phone: +358 29 566 6700
Compliance
We comply with:
- General Data Protection Regulation (GDPR) - As a Finnish company, GDPR is our primary data protection framework
- Finnish Data Protection Act (Tietosuojalaki 1050/2018)
- Google Play Store Health Apps Policy
- Apple App Store Health Data Guidelines
- California Consumer Privacy Act (CCPA) - For California residents
- Health Insurance Portability and Accountability Act (HIPAA) - We are not a covered entity, but we follow best practices for health data security
We are committed to maintaining the highest standards of data protection and regularly review our practices to ensure compliance.
Contact Us
If you have any questions about this Privacy Policy, please contact us:
Email: kaveebhashiofficial@gmail.com
Contact Page: Visit our contact page