Privacy Policy

Effective Date: January 2025 | Last Updated: January 2025

1. Controller & Data Protection Officer

Controller:
FitApp
[Your Address - to be added before public launch]
Switzerland

Data Protection Contact:
Email: privacy@fitapp.ch

2. Scope & Purpose

This Privacy Policy explains how FitApp collects, uses, stores, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP).

3. Data We Collect

3.1 Account Data

  • Username: For identification within the application
  • Email address: For account creation, authentication, and communication
  • Password: Stored as a hashed value (PBKDF2, 150,000 iterations)
  • Account creation date: For record keeping

3.2 Health Data (Special Category - Art. 9 GDPR)

⚠️ IMPORTANT: Health data is considered a "special category of personal data" under GDPR Art. 9 and requires your explicit consent.

  • Body weight: Weight measurements over time
  • Food intake: Meals, ingredients, calories, nutritional information
  • Exercise data: Workout logs, duration, calories burned, distance
  • Physical characteristics: Height, birthdate, sex
  • Health goals: Target weight, activity level, dietary preferences

3.3 Technical Data

  • IP address: For security and abuse prevention (retained 90 days)
  • Browser type & version: For compatibility
  • Device information: For session management
  • Access logs: Page views, timestamps (retained 90 days)
  • Session data: Authentication tokens, login timestamps

3.4 Security Data

  • Login attempts: Failed/successful login records (retained 30 days)
  • 2FA settings: If you enable two-factor authentication
  • Activity logs: Account actions for security monitoring (retained 180 days)

4. Legal Basis for Processing (GDPR Art. 6 & 9)

  • Art. 6 (1) b GDPR - Contract Performance:
    Processing of account data (username, email, password) is necessary to provide the service.
  • Art. 9 (2) a GDPR - Explicit Consent:
    Processing of health data (weight, nutrition, exercise) is based on your explicit consent given during registration.
  • Art. 6 (1) f GDPR - Legitimate Interest:
    Processing of technical data (IP, logs) for security, fraud prevention, and service improvement.

5. How We Use Your Data

  • Service Provision: To provide fitness tracking functionality
  • Calculations: To calculate BMR, TDEE, calorie balance, and progress statistics
  • Personalization: To tailor the experience to your goals and preferences
  • Security: To protect your account and detect abuse
  • Communication: To send important service-related notifications (security alerts, policy changes)
  • Legal Compliance: To comply with legal obligations

We do NOT:

  • Sell your data to third parties
  • Use your data for advertising
  • Share your health data with anyone without your consent
  • Use third-party analytics or tracking services

6. Data Storage & Location

Server Location: Your data is stored on secure servers located in:

  • Primary: Germany (Falkenstein/Nürnberg)
  • Provider: Hetzner Online GmbH

Hosting Provider:
Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany
Privacy Policy: www.hetzner.com/rechtliches/datenschutz

Data Transfer: Your data is NOT transferred to countries outside the EU/EEA/Switzerland. All processing occurs within the European Union (Germany) with adequate data protection guarantees under GDPR and the Swiss-EU data protection framework.

7. Data Security Measures

We implement state-of-the-art technical and organizational measures:

  • Encryption in Transit: TLS 1.3 (HTTPS) for all data transmission
  • Encryption at Rest: Database encryption
  • Password Security: PBKDF2 hashing with 150,000 iterations
  • Two-Factor Authentication: Optional 2FA with TOTP
  • Access Control: Role-based access, least privilege principle
  • Rate Limiting: Protection against brute-force attacks
  • Security Headers: HSTS, CSP, X-Frame-Options
  • Regular Backups: Encrypted daily backups (30-day retention)
  • Monitoring: Real-time security monitoring and logging
  • Updates: Regular security patches and updates

8. Data Retention

Data Type | Retention Period
Active Account Data | Until account deletion
Health Data | Until account deletion
After Account Deletion | 30 days (complete deletion)
Backups | 30 days (automated deletion)
Access Logs | 90 days
Security Logs | 180 days
Login Attempts | 30 days

After these periods, data is permanently and irreversibly deleted from all systems including backups.

9. Your Rights under GDPR

You have the following rights regarding your personal data:

Right to Access (Art. 15 GDPR)

You can view all your data in your profile and export it in CSV/JSON format.

Right to Rectification (Art. 16 GDPR)

You can update your profile data at any time in Settings → Profile.

Right to Erasure (Art. 17 GDPR)

Contact privacy@fitapp.ch to delete your account and all data.

Right to Data Portability (Art. 20 GDPR)

Export your data in machine-readable format (CSV/JSON) via Settings → Export.

Right to Object (Art. 21 GDPR)

You can object to processing based on legitimate interest by contacting us.

Right to Withdraw Consent (Art. 7 (3) GDPR)

Withdraw consent for health data processing by deleting your account or contacting us.

Right to Lodge a Complaint (Art. 77 GDPR)

You can file a complaint with your national data protection authority:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC)
  • EU/EEA: Your local supervisory authority

To exercise your rights, contact:
Email: privacy@fitapp.ch
We will respond within 30 days.

10. Cookies & Local Storage

We use minimal browser storage for essential functionality only:

Item | Purpose | Type
fitapp_token | Authentication (keep you logged in) | Essential
fitapp_theme | Remember dark/light mode preference | Functional
fitapp_locale | Remember language preference | Functional

We do NOT use:

  • Tracking cookies
  • Advertising cookies
  • Third-party analytics (e.g., Google Analytics)
  • Social media pixels

11. Third-Party Services

FitApp does NOT use any third-party services for analytics, advertising, or tracking. All data processing occurs on our own servers.

We may share your data only in these exceptional cases:

  • Legal Obligation: When required by law or court order
  • Protection of Rights: To protect our rights, property, or safety
  • With Your Consent: When you explicitly authorize sharing

12. Children's Privacy

Age Restriction: FitApp is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.

If you believe we have collected data from a child under 16, please contact us immediately at privacy@fitapp.ch and we will delete it promptly.

13. Data Breach Notification

In the event of a data breach affecting your personal data, we will:

  • Notify the relevant supervisory authority within 72 hours (GDPR Art. 33)
  • Notify affected users without undue delay if the breach poses a high risk (GDPR Art. 34)
  • Provide information about the breach and remediation steps

14. Automated Decision-Making

FitApp does NOT use automated decision-making or profiling (GDPR Art. 22). All calculations (BMR, TDEE, etc.) are transparent mathematical formulas that you can review.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via:

  • Email notification to your registered email address
  • Prominent notice on the website
  • Updated "Last Updated" date at the top of this policy

Continued use of the service after changes constitutes acceptance of the updated policy. If you do not agree with changes, please delete your account before they take effect.

16. Contact & Questions

For questions about this Privacy Policy or to exercise your rights:

Privacy & GDPR: privacy@fitapp.ch

General Support: support@fitapp.ch

Security Issues: security@fitapp.ch

17. Data Transfers & Third Countries

No Third Country Transfers:
We do NOT transfer any personal data to countries outside the EU/EEA/Switzerland. All data processing takes place exclusively within:

  • Germany: Primary hosting and data storage (Hetzner Data Centers)
  • Switzerland: Business operations and support

Both Germany and Switzerland provide adequate data protection levels recognized by the European Commission.

Version: 1.0