Privacy Policy

Last Updated: November 3, 2025

Introduction

This privacy policy explains how MITOLOGIC SP. Z O.O. (referred to as "we", "us", or "Company") collects, uses, and protects your personal data when you use the Fitly mobile application (referred to as "App" or "Application") available on iOS App Store and Google Play Store.

Medical Disclaimer: Fitly is not a medical application and does not replace professional medical advice. Always consult with your doctor before starting any fitness or nutrition program. The app's recommendations are for informational purposes only.

Data We Collect

1. Registration and Profile Data

  • Email address (required for login)
  • Password (hashed and securely stored)
  • First and last name
  • Age, height, weight, gender
  • Date of birth
  • Profile photo (optional)
  • Registration date

2. Social Login Data (Optional)

  • Google Sign-In: Email, name, profile picture (from Google account)
  • Apple Sign-In: Email (may be masked by Apple), name (optional)
  • Note: Social login accounts are created with random secure passwords

3. Health and Fitness Data

  • Fitness goals (muscle building, weight loss, etc.)
  • Dietary preferences and restrictions
  • Allergies and food intolerances
  • Health conditions and injuries
  • Physical activity level (1-5 scale)
  • Target weight and goal dates
  • Weight goal type (lose, gain, maintain)
  • Workout history (exercises, weights, repetitions, sets)
  • Training progress and achievements
  • Progress photos (stored as WebP format, max 1.5MB)
  • Mood tracking data (Pro feature - mood, intensity, notes)
  • Weight measurements over time
  • Water intake tracking

4. Nutrition Data (Pro feature)

  • Food diary (meals, calories, macronutrients: protein, carbs, fat)
  • Additional nutrients (fiber, sugar, sodium, salt)
  • Photos of meals and nutrition labels (scanned via camera)
  • Product data from Open Food Facts (barcode, brand, ingredients, Nutri-Score)
  • Caloric and nutritional goals (custom or AI-generated)
  • Consumption history
  • Shopping lists with categories

5. AI Chat Data (Pro feature)

  • Chat messages with AI fitness coach (encrypted)
  • Conversation history and sessions
  • Images sent to AI (max 2 per request)
  • AI Memory (contextual information for personalized coaching)
  • Usage limits tracking (50 chat requests/day for Pro users)

6. App Preferences and Settings

  • App language
  • Dark/light mode preference
  • Notification settings
  • Daily goals (steps, water, calories)
  • Workout frequency preferences
  • Session duration settings

7. Technical Data

  • Device information (model, operating system)
  • IP address
  • App usage patterns and analytics
  • Push notification tokens
  • JWT authentication tokens

Device Permissions

The App may request the following permissions:

  • Camera: To take photos of your progress and meals
  • Gallery/Media Library: To save and access comparison photos
  • Push Notifications: For workout and meal reminders
  • Internet Access: For communication with our servers
  • Local Storage: For offline data caching

How We Use Your Data

  • Service Provision: To provide personalized fitness and nutrition recommendations
  • AI Training Services: To generate custom workout plans and analyze meal photos
  • Progress Tracking: To monitor your fitness journey and achievements
  • App Functionality: To maintain your account and preferences
  • Communication: To send you notifications, updates, and support messages
  • Improvement: To analyze app usage and improve our services
  • Security: To protect against fraud and unauthorized access

Legal Basis for Processing

  • Contract Performance (GDPR Art. 6(1)(b)): Processing necessary to provide the fitness and nutrition services you've requested
  • Explicit Consent (GDPR Art. 6(1)(a) & Art. 9(2)(a)): For health data processing and AI analysis of your photos and personal information
  • Legitimate Interest (GDPR Art. 6(1)(f)): For app improvement, security, and analytics
  • Legal Obligation (GDPR Art. 6(1)(c)): To comply with applicable laws and regulations

Important: Health and fitness data are considered special categories of personal data under GDPR Article 9. We only process this data with your explicit consent, which you can withdraw at any time through the app settings or by contacting us.

Third-Party Services and Data Sharing

1. Microsoft Azure (Cloud Infrastructure)

  • Purpose: Backend hosting, database storage, email services
  • Data stored: All user data, uploaded files (photos), database backups
  • Location: Azure Cloud (region configured)
  • Security: TLS/SSL encryption in transit, Azure encryption at rest, SQL Database with automatic backups
  • Email Service: Azure Communication Services for verification emails and password resets

2. OpenRouter AI / OpenAI (United States) - Pro Feature

  • Purpose: AI-powered fitness coaching and conversation using OpenAI models (GPT-4, Claude)
  • Data transferred: Chat messages, optional images (max 2 per request), user context for personalization
  • Usage limits: 50 requests per day for Pro subscribers
  • Data retention: Messages encrypted before storage on our servers; third-party retention policies apply to OpenRouter/OpenAI
  • Legal basis: Explicit consent for AI analysis and service provision
  • Note: We do not control how OpenRouter/OpenAI processes or stores data during API calls

3. RevenueCat (Subscription Management)

  • Purpose: Managing in-app subscriptions (Trial, Pro)
  • Data shared: App User ID (email), platform (iOS/Android), subscription status
  • Payment processing: Handled by Apple App Store / Google Play Store (we do NOT store payment card data)
  • Server-side verification: We verify subscriptions server-side for security

4. Open Food Facts (Public Database)

  • Purpose: Product nutrition information lookup
  • Data sent: Product barcode, country code (for filtering regional products)
  • Data received: Product name, nutrition values, ingredients, photos, Nutri-Score
  • Note: Open Food Facts is a free, open-source database - no personal data shared

5. Google Sign-In & Apple Sign-In (Authentication)

  • Purpose: Alternative login methods (no password needed)
  • Google data: Email, name, profile picture (validated via Google OAuth 2.0)
  • Apple data: Email (may be private relay), name (optional)
  • Token validation: Server-side verification of OAuth tokens
  • Account creation: Auto-created on first login with random secure password

6. Expo Services

  • Push Notifications: Device tokens, notification preferences
  • Location: Various global servers
  • Purpose: Workout and meal reminders, achievement notifications

Data Protection: We do NOT share your data with advertisers, data brokers, or social media platforms (except for authentication). We do NOT sell your personal data.

Third-party privacy policies:

Service Updates: We may add or change third-party service providers to improve app functionality. We will make reasonable efforts to communicate material changes in advance, typically aiming for 30 days' notice through email and/or in-app notification when feasible.

Payment and Subscription Data

We Do NOT Store Payment Data: All payment information (credit cards, billing addresses) is processed and stored exclusively by Apple App Store or Google Play Store. We never have access to your payment card details.

What We Receive from Payment Providers:

  • Transaction ID (confirmation number)
  • Subscription status (active, expired, cancelled)
  • Subscription tier (Trial, Pro)
  • Purchase date and expiration date
  • Platform (iOS or Android)

Subscription Types:

  • Trial (3 days): Full features, free trial period, one-time per user
  • Pro Subscription: Monthly/yearly auto-renewal, managed by Apple/Google

Cancellation and refunds are managed through your Apple App Store or Google Play Store account settings, subject to their respective policies.

Cookies and Local Storage

Mobile App (React Native):

  • AsyncStorage: JWT access and refresh tokens, user preferences, language selection, cached data for offline mode
  • Secure Storage: Sensitive authentication data
  • Purpose: Maintain login session, enable offline functionality, remember user preferences
  • Control: Cleared when you logout or delete account

Web Version (if applicable):

  • Essential Cookies: Session management, authentication
  • Preference Cookies: Language, theme (dark/light mode)
  • No Advertising Cookies: We do not use tracking cookies for ads

International Data Transfers

Some of your data may be transferred to and processed in the United States, specifically:

  • OpenRouter AI / OpenAI: For AI-powered fitness coaching and image analysis
  • Cloud Infrastructure: For data backup and processing

We aim to ensure adequate protection for these transfers through:

  • Standard Contractual Clauses approved by the European Commission where applicable
  • Additional technical and organizational security measures
  • Regular assessment of transfer adequacy when feasible

Data Retention and Deletion

  • Active Account: Data retained while your account is active and you use the service
  • Deleted Account: We aim to permanently delete all personal data within 30 days of deletion request. During this period, you may contact us to attempt account recovery. After 30 days, deletion is typically permanent and irreversible.
  • Unverified Accounts: Automatically deleted after 15 minutes if email not confirmed (security measure)
  • Progress Photos: Deleted with account or when manually removed through the app
  • Anonymized Data: We may retain anonymized, non-personal statistical data for service improvement
  • Business Records: Transaction records may be retained for tax and legal compliance (invoices, receipts) - personal identifiers removed after account deletion
  • Legal Hold: Data may be retained longer if required by law, court order, or investigation

Data Breach Notification (GDPR Art. 33-34)

In the event of a data breach that may affect your personal data, we will make reasonable efforts to:

  • Notify Authorities: Report to supervisory authority within 72 hours of becoming aware, when required by law
  • Notify You: Inform affected users as promptly as reasonably possible via email and/or in-app notification
  • Provide Details: Nature of breach, categories of data affected, likely consequences, measures taken
  • Mitigation Steps: Recommend actions to protect your data (password reset, enable 2FA, etc.)

Our Commitment: We maintain reasonable security measures to help prevent breaches. Security audits and monitoring are performed periodically. In case of any security incident, transparency and user safety are priorities.

Your Rights Under GDPR & CCPA

You have the following rights regarding your personal data:

  • Right of Access (GDPR Art. 15, CCPA): Access your data through the app or request a copy via privacy@fitly-app.com
  • Right to Rectification (GDPR Art. 16): Update your data directly in My Profile section
  • Right to Erasure / "Right to be Forgotten" (GDPR Art. 17, CCPA): Delete your account via: My Profile β†’ Account section β†’ Delete Account button. This action is irreversible and will permanently delete all data including profile, workouts, nutrition data, photos, chat history, and active subscription (will be cancelled). Works for all login types: Email/Password, Google Sign-In, Apple Sign-In.
  • Right to Data Portability (GDPR Art. 20): Request export of your data in JSON format. Email privacy@fitly-app.com - we aim to respond within 30 days.
  • Right to Restrict Processing (GDPR Art. 18): Request to limit how we use your data
  • Right to Object (GDPR Art. 21, CCPA): Object to data processing
  • Right to Withdraw Consent (GDPR Art. 7(3)): Withdraw consent anytime through app settings

California Residents - CCPA Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request details about personal information collected, used, disclosed, or sold
  • Right to Delete: Request deletion of your personal information (available in-app)
  • Right to Opt-Out of Sale: We do NOT sell your personal information to third parties
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

Data Sharing Disclosure: We do NOT sell your personal information, share data with advertisers, use data for targeted advertising, or share with data brokers.

Opt-Out and Data Control Options

You can limit data collection and processing by:

  • Disable AI Chat: Don't use Pro AI features - no data sent to OpenRouter/OpenAI
  • Disable Photo Analysis: Don't upload photos - no image data processed
  • Disable Notifications: Turn off in app settings - no push tokens collected
  • Manual Entry Only: Don't use barcode scanner - no Open Food Facts queries
  • Delete Progress Photos: Individual deletion available anytime
  • Clear Chat History: Delete specific conversations or all chat data

Note: Some core features require minimal data collection (profile, authentication). For complete data deletion, use the "Delete Account" feature.

Children's Privacy (COPPA Compliance)

Minimum Age: 13 years old (enforced by age validation during registration)

Our App is not intended for children under 13 years of age. We enforce age validation (13-130 years) during account creation. We do not knowingly collect personal data from children under 13.

For Users 13-16: We recommend parental guidance. If you are a parent or guardian and believe your child under 13 has provided personal data to us, please contact us immediately at privacy@fitly-app.com and we will delete the account promptly.

Age Verification: Age is self-reported during registration. We do not verify age through documents. Users must truthfully represent their age. Providing false information is a violation of our Terms of Service.

Health Data and HIPAA

Not HIPAA Compliant: Fitly is NOT a HIPAA-compliant application. We are not a covered entity under HIPAA regulations. Do not use this app to store or transmit protected health information (PHI) as defined by HIPAA.

While we collect health and fitness data (weight, workouts, meals, mood), this data is for personal fitness tracking purposes only. It is not intended for medical diagnosis, treatment, or healthcare purposes.

If you need medical-grade health data management, please use a HIPAA-compliant health app or consult with your healthcare provider.

AI Data Processing and Limitations

OpenRouter AI / OpenAI Processing:

  • Images sent for meal analysis are processed and we request immediate deletion where possible
  • We cannot guarantee how long third-party AI providers retain data
  • Chat messages are encrypted before storage on our servers
  • Do NOT send: medical images, prescription labels, sensitive health records, or identifying photos of others

AI Training: We do NOT use your personal data to train AI models. Third-party AI providers (OpenRouter, OpenAI) may have their own data usage policies - please review their privacy policies if concerned.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will make reasonable efforts to notify you of material changes by:

  • Sending a notification through the App when feasible
  • Emailing you at your registered email address
  • Posting a notice on our website

Changes typically become effective 30 days after notification when feasible. Continued use of the App after this period constitutes acceptance of the updated policy. You can review previous versions by contacting us.

Last Updated: November 3, 2025
Version: 2.0
Effective Date: November 3, 2025

Limitation of Liability

While we implement reasonable security measures, no system is 100% secure. We cannot guarantee absolute security of data transmitted over the Internet or stored electronically.

By using the App, you acknowledge and accept these limitations. We are not liable for unauthorized access to your data resulting from:

  • Your device being lost, stolen, or accessed by unauthorized persons
  • Sharing your login credentials with others
  • Third-party security breaches beyond our reasonable control
  • Vulnerabilities in operating systems or network infrastructure

Your Responsibility: Maintain strong passwords, enable 2FA, keep your device secure, and do not share login credentials.

Contact Information

For any questions about this Privacy Policy or your personal data, please contact:

MITOLOGIC SP. Z O.O.

WaΕ‚y Piastowskie 1 / 1508

80-855 GdaΕ„sk, Poland

NIP: 5833537382

KRS: 0001172492

Support: support@fitly-app.com

Privacy: privacy@fitly-app.com

Supervisory Authority: You have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes UrzΔ™du Ochrony Danych Osobowych) at ul. Stawki 2, 00-193 Warsaw, Poland.