Privacy Policy
Effective Date: February 18, 2026 · Version 1.1
1. Introduction
Welcome to FitTrack (“we,” “our,” or “us”). FitTrack is an AI-powered platform that connects fitness specialists (personal trainers, nutritionists, and coaches) with their clients to deliver personalized fitness and nutrition guidance.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the FitTrack mobile application (available on iOS and Android) and related web services (collectively, the “Platform”). This policy applies to all users of the Platform, including fitness specialists and their clients.
By creating an account or using FitTrack, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and use of your information as described herein. If you do not agree with our practices, please do not use the Platform.
2. Data We Collect
We collect the following categories of data to provide and improve our services. We collect data only with your consent, and only what is necessary to deliver our services.
2.1 Contact & Profile Information
- Name: First and last name, used for your account profile.
- Email address: Used for authentication, login, and platform invitations.
- Phone number: Used for profile information and communication with your specialist.
- Date of birth: Used to calculate your age for personalized fitness recommendations.
- Gender: Options include Male, Female, Other, and Prefer not to say. Used for personalized fitness and nutrition guidance.
- Height: Used in combination with weight data to calculate body metrics such as BMI.
- Fitness level and primary goal: Used to tailor your fitness experience (e.g., Beginner/Intermediate/Advanced; Weight Loss, Muscle Gain, etc.).
2.2 Health & Fitness Data
- Body weight: Weight measurements you record to track your progress over time.
- Nutritional information: Meal data including meal name, type, ingredients, calories, macronutrients (protein, carbs, fat), and notes you provide.
- Fitness data: Workout performance data including exercises, sets, reps, weights lifted, duration, distance, speed, and completion status.
Consent: We collect health and fitness data only with your explicit consent, provided when you voluntarily enter this information into the app. You are never required to provide health data to use the core features of the Platform, and you may stop providing this data at any time.
Important: FitTrack does not use Apple HealthKit, CareKit, or any Apple health/fitness APIs. FitTrack also does not use Google Fit, Health Connect, or any Google health/fitness APIs. All health and fitness data is entered manually by the user within the app. Health and fitness data collected through the Platform is not used for advertising or data mining, and is not sold to third parties, including advertising platforms, data brokers, or information resellers.
2.3 User Content
- Photos: Meal photos uploaded for AI-powered nutritional analysis, progress photos you choose to share, and profile photos. We access your device camera or photo library only when you explicitly choose to upload a photo. We do not access your camera or photo library in the background or without your action.
- Videos: Exercise form videos you record or upload for coach review and feedback.
- Voice recordings: Audio feedback you record for workout sessions, which may be transcribed using AI for your specialist’s review.
- Community content: Posts, replies, and reactions you create in the community section of the app.
2.4 Identifiers & Device Information
- User ID: A unique account identifier assigned when you create your account, used for authentication and to link your data to your profile.
- Push notification tokens: Device tokens used to deliver push notifications you have opted into. You can disable push notifications at any time through your device settings.
- Device metadata: Your device platform (iOS/Android), app version, device model, and operating system version are transmitted with API requests to ensure compatibility and assist with troubleshooting.
- Timezone: Your device timezone is synced to provide accurate time-based features such as meal and workout scheduling.
2.5 Diagnostics
- Crash data: Error logs and crash reports collected automatically to identify and fix bugs.
- Performance data: App launch times, response times, and other performance metrics to improve platform stability.
2.6 Data We Do NOT Collect
- We do not collect precise or coarse location data.
- We do not collect financial or payment information. FitTrack does not process payments within the app.
- We do not collect contacts, browsing history, or data from other apps on your device.
- We do not use device advertising identifiers (IDFA/GAID).
Summary of Data Collected
| Data Type | Purpose | Linked to Identity | Used for Tracking |
|---|---|---|---|
| Name | App Functionality | Yes | No |
| Email Address | App Functionality | Yes | No |
| Phone Number | App Functionality | Yes | No |
| Date of Birth | App Functionality, Product Personalization | Yes | No |
| Gender | App Functionality, Product Personalization | Yes | No |
| Height | App Functionality, Product Personalization | Yes | No |
| Health Data (Weight) | App Functionality, Product Personalization | Yes | No |
| Fitness Data | App Functionality, Product Personalization | Yes | No |
| Photos & Videos | App Functionality, Product Personalization | Yes | No |
| Voice Recordings | App Functionality | Yes | No |
| Other User Content | App Functionality | Yes | No |
| User ID | App Functionality | Yes | No |
| Push Notification Token | App Functionality | Yes | No |
| Device Metadata | App Functionality | Yes | No |
| Crash Data | App Functionality | Yes | No |
| Performance Data | App Functionality | Yes | No |
Apple App Tracking Transparency: FitTrack does not track you across apps or websites owned by other companies. We do not use Apple’s App Tracking Transparency (ATT) framework because we do not engage in tracking as defined by Apple. We do not use device advertising identifiers (IDFA) for any purpose.
3. How We Use Your Data
We use the data we collect for the following purposes:
- Provide platform services: Enable account creation, authentication, fitness tracking, nutrition monitoring, and communication between specialists and clients.
- Personalize your experience: Use AI to analyze meal photos, generate nutritional estimates, transcribe voice feedback, and provide personalized fitness and nutrition recommendations based on your data.
- Facilitate specialist-client relationships: Allow your assigned fitness specialist to view your progress, provide guidance, and create personalized plans.
- Enable community features: Allow users to post and interact in the community section of the app, including leaderboards and activity sharing.
- Maintain and improve the platform: Use crash reports, performance data, and device metadata to identify bugs, fix errors, and improve app stability and performance.
- Communicate with you: Send platform invitations, transactional notifications, and important updates about the service via push notifications and email.
- Ensure security: Prevent fraud, detect rooted or jailbroken devices, enforce our terms, and protect users and the platform.
- Comply with legal obligations: Meet applicable legal and regulatory requirements.
4. Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract performance: Processing necessary to provide the services you have requested, including account management, fitness tracking, and specialist-client communication.
- Consent: For health and fitness data, AI-powered analysis of your meal photos and voice recordings, personalized recommendations, and push notifications. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Legitimate interest: For improving our services, preventing fraud, ensuring platform security, and analyzing crash/performance data. We balance our interests against your rights and freedoms.
- Legal obligation: To comply with applicable laws, regulations, and legal processes.
FitTrack acts as a data controller for personal data collected directly from users through the Platform. Where fitness specialists use the Platform to manage their clients, FitTrack acts as a data processor on behalf of the specialist (who acts as a data controller for their clients’ data).
5. Third-Party Service Providers
We work with trusted third-party service providers who process data on our behalf to deliver our services. These providers act as data processors and are contractually bound to use your data only as instructed by us and to implement appropriate security measures.
- Cloud hosting and storage: Amazon Web Services (AWS) for secure data storage, file storage (S3), and infrastructure.
- AI and machine learning: OpenAI for AI-powered features such as nutritional analysis from meal photos, personalized recommendations, and audio transcription of voice recordings.
- Email delivery: Amazon Simple Email Service (SES) for transactional emails such as welcome messages and password resets.
- Error reporting: Sentry for crash detection, error monitoring, and performance diagnostics.
We select providers whose published policies and terms of service align with our commitment to protecting your data. We review these policies regularly to ensure continued compliance with our privacy standards.
6. Data Sharing & Disclosure
6.1 With Your Fitness Specialist
Your assigned fitness specialist has access to the information you provide through the Platform, including your profile data, health and fitness data, meal photos, workout logs, voice feedback transcriptions, progress photos, and communication history. This access is necessary to deliver personalized fitness and nutrition services.
6.2 Community Content
Posts, replies, and reactions you make in the community section are visible to other members of the community. Workout completions and meal logs may be automatically shared as community activity posts. Leaderboard data (workout count, streak days, rank) is visible to community members unless you opt out. Do not share sensitive personal information in community posts.
6.3 We Do NOT
- Sell your personal data to third parties.
- Share your data with advertising networks or data brokers.
- Use your data for targeted advertising.
- Track you across apps or websites owned by other companies.
- Share or sell health and fitness data to any third party for advertising, data mining, or any purpose other than providing the services described in this policy.
6.4 Legal Requirements
We may disclose your information if required to do so by law, legal process, or government request, or when we believe disclosure is necessary to protect the rights, property, or safety of FitTrack, our users, or others.
6.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will notify you of any such change via email or a prominent notice on our Platform at least 30 days before the transfer takes effect.
7. AI-Powered Features
FitTrack uses artificial intelligence to enhance your experience. Specifically:
- Nutritional analysis: When you upload a meal photo, the image is sent to our AI service provider (OpenAI) for analysis. The AI estimates caloric content and macronutrients, and provides nutritional information. Context such as your daily macro targets and previous meals may be included to improve accuracy.
- Personalized recommendations: The AI analyzes your health data, fitness data, and nutritional history to generate personalized recommendations for your fitness journey. Your specialist may use AI-assisted chat to review your progress, which includes your profile information, recent meals, workout performance, and meeting note summaries.
- Audio transcription: Voice recordings you submit as workout feedback or meeting notes are transcribed using AI (OpenAI Whisper) and may be further analyzed to generate summaries for your specialist.
- Semantic search: Chat messages and summaries may be converted into vector embeddings to enable relevant context retrieval in AI-assisted conversations.
AI data usage: We access AI services through their API platforms. Under OpenAI’s current API data usage policy, data submitted through the API is not used to train or improve their models. However, data may be retained by AI providers for a limited period (typically up to 30 days) for abuse and safety monitoring purposes, in accordance with their published policies. We encourage you to review OpenAI’s API data usage policy for the most current information.
AI-generated nutritional estimates and recommendations are for informational purposes only and should not be considered medical advice. Always consult a qualified healthcare professional before making significant changes to your diet or exercise routine.
8. Data Security
We implement industry-standard security measures to protect your information, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
- Secure local storage: Authentication tokens are stored in your device’s secure storage (iOS Keychain / Android Keystore) using hardware-backed encryption.
- Secure authentication protocols (JWT-based authentication).
- Access controls and role-based permissions.
- Private file storage with time-limited access URLs (presigned URLs).
- Secure cloud infrastructure hosted on AWS.
- Jailbreak and root detection to protect against compromised devices.
- Regular monitoring and error reporting.
- Periodic security reviews and vulnerability assessments.
However, no method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. If we become aware of a security breach that affects your personal data, we will notify you in accordance with applicable laws.
9. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with our services.
9.1 During Active Use
While your account is active, we retain all data necessary to provide our services, including your profile, health and fitness data, photos, videos, voice recordings, and communication history.
9.2 After Account Deletion
Upon account deletion, we follow this retention schedule:
- Deleted within 30 days: Profile information, health and fitness data, photos, videos, voice recordings, workout logs, progress photos, AI chat history, and specialist-client communication.
- Retained for up to 90 days: Account metadata and transaction records, retained solely for legal compliance, fraud prevention, and dispute resolution purposes.
- Anonymized and retained indefinitely: Aggregated, de-identified analytics data that can no longer identify you may be retained for analytical and service improvement purposes.
Community posts you have made may be anonymized rather than deleted to preserve the integrity of community discussions.
10. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data and account.
- Data portability: Request your data in a structured, machine-readable format.
- Withdraw consent: Withdraw consent for specific processing activities at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
- Object to processing: Object to certain types of data processing based on legitimate interests.
- Restriction: Request restriction of processing under certain circumstances.
- Non-discrimination: Exercise your privacy rights without receiving discriminatory treatment.
To exercise any of these rights, please contact us at privacy@fit-track.io. We will respond to your request within 30 days. If we need more time (up to an additional 60 days for complex requests), we will notify you and explain the reason for the delay.
11. Account Deletion
You can request deletion of your account and associated data at any time by:
- Using the “Delete Account” option within the app settings (Settings > Account > Delete Account).
- Emailing us at privacy@fit-track.io.
Upon receiving a deletion request:
- Your account will be deactivated immediately.
- Personal data (profile information, health and fitness data, photos, videos, voice recordings, workout logs, and communication history) will be permanently deleted within 30 days.
- Account metadata and transaction records may be retained for up to 90 days for legal compliance and fraud prevention purposes only.
- Community posts you have made will be anonymized (your name replaced with “Deleted User”) rather than removed, to preserve discussion integrity.
- Backup copies of your data may take up to an additional 30 days to be fully purged from our systems.
Account deletion is irreversible. Once deleted, your data cannot be recovered.
12. Children’s Privacy
FitTrack is rated for users aged 13 and older. We do not knowingly collect personal information from children under 13. We do not knowingly allow children under 13 to create accounts on the Platform.
Users between the ages of 13 and 18 may use FitTrack only with the consent and supervision of a parent or legal guardian. By allowing a minor between 13 and 18 to use the Platform, the parent or guardian agrees to this Privacy Policy on the minor’s behalf and assumes responsibility for the minor’s use of the Platform.
If you believe that we have inadvertently collected information from a child under 13, please contact us immediately at privacy@fit-track.io and we will take steps to delete such information within 48 hours of verification.
If you are a parent or guardian and discover that your child under 13 has provided us with personal information without your consent, you may contact us to request deletion of that information.
13. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States, where our service providers operate. These countries may have different data protection laws than your jurisdiction.
We ensure that appropriate safeguards are in place for international transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where required.
- Data processing agreements with all service providers.
- Compliance with applicable data protection laws in each jurisdiction.
- Ensuring that all service providers maintain adequate security measures.
By using the Platform, you consent to the transfer of your information to the United States and other jurisdictions as described in this policy.
14. Cookies & Local Storage
14.1 Mobile Application
The FitTrack mobile application uses local device storage (such as secure storage and app preferences) to:
- Store your authentication tokens for persistent login (using hardware-backed secure storage).
- Save app preferences, settings, and user profile information.
- Cache active workout session data for uninterrupted use.
This data is stored locally on your device and is removed when you delete the app or clear app data.
14.2 Web Platform
Our website and web-based services may use:
- Essential cookies: Required for authentication, security, and basic platform functionality. These cannot be disabled.
- Performance cookies: Used for error reporting (Sentry) to improve platform stability.
We do not use advertising cookies, social media tracking cookies, or any third-party cookies for marketing purposes. You can manage cookie preferences through your browser settings.
15. Information for Fitness Specialists
If you use FitTrack as a fitness specialist, the following additional provisions apply:
15.1 Your Responsibilities
As a specialist, you act as a data controller for your clients’ information that you access and process through the Platform. You are responsible for:
- Protecting client confidentiality and privacy.
- Using client data only for legitimate fitness and nutrition purposes.
- Complying with applicable data protection laws in your jurisdiction.
- Maintaining professional standards of care.
- Obtaining necessary consents from your clients for processing their data.
- Not disclosing, exporting, or sharing client data outside the Platform without proper authorization.
15.2 Client Data Access
You may only access data belonging to clients assigned to your team. Access is logged and monitored. You must not share client data with unauthorized third parties, use client data outside of your professional services, or access client data after the professional relationship has ended.
15.3 Additional Data Collected
In addition to the data described above, we may collect the following from specialists: professional credentials and certifications, team membership information, meeting notes (including audio recordings and AI-generated transcriptions and summaries), and AI chat history related to client management.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Notify you via email and/or in-app notification.
- Post the updated policy on this page with a revised effective date and version number.
- Provide at least 30 days’ notice before the changes take effect.
Your continued use of FitTrack after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. We encourage you to review this page periodically for the latest information on our privacy practices.
17. Jurisdiction-Specific Rights
European Union / European Economic Area (GDPR)
If you are in the EU/EEA, you have rights under the General Data Protection Regulation (GDPR). Our legal bases for processing are:
- Contract performance: To provide our services as described in our Terms of Service.
- Legitimate interest: To improve services, prevent fraud, and ensure security.
- Legal obligation: To comply with applicable laws.
- Consent: For health data processing and AI-powered features, where explicitly obtained.
You have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe your rights have been violated. A list of EU DPAs is available at edpb.europa.eu.
United Kingdom (UK GDPR)
If you are in the United Kingdom, you have similar rights under the UK General Data Protection Regulation and Data Protection Act 2018. You may contact the Information Commissioner’s Office (ICO) at ico.org.uk with any concerns.
United States
California (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request what personal information we collect, use, disclose, and sell about you.
- Right to Delete: You have the right to request deletion of personal information we have collected about you.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information as defined under the CCPA/CPRA. We do not sell personal information to third parties for monetary or other valuable consideration.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Authorized Agent: You may designate an authorized agent to make a request on your behalf. To do so, you must provide the agent with written permission and we may verify your identity directly.
Categories of personal information collected (per CCPA categories): Identifiers (name, email, phone number, user ID); Health information; Internet or electronic network activity (crash logs, performance data); Visual information (photos, videos); Audio information (voice recordings); Inferences drawn from the above (AI recommendations).
To exercise your rights, contact us at privacy@fit-track.io or use the in-app privacy settings. We will verify your identity before processing your request.
Other U.S. States
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with consumer privacy laws may have additional rights including access, correction, deletion, and data portability. Contact us at privacy@fit-track.io to exercise these rights.
Brazil (LGPD)
If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including access, correction, anonymization, data portability, deletion, information about sharing, and the right to revoke consent. You may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD). Contact us to exercise these rights.
Argentina (PDPA)
If you are in Argentina, you have the right to access, rectify, and delete your personal data under the Personal Data Protection Act. You may file complaints with the Agencia de Acceso a la Información Pública (AAIP).
Mexico (LFPDPPP)
If you are in Mexico, you have ARCO rights (Access, Rectification, Cancellation, Opposition) under the Ley Federal de Protección de Datos Personales en Posesión de los Particulares. Contact us to exercise these rights.
18. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Email: privacy@fit-track.io
- Website: https://fit-track.io
For data protection inquiries in the EU/EEA, you may also reach our data protection team at dpo@fit-track.io.
We aim to respond to all inquiries within 30 days. For complex requests, we may require up to 90 days and will keep you informed of the progress.
© 2026 FitTrack. All rights reserved.
Last Updated: February 18, 2026 · Version 1.1