Privacy Policy
1. Who we are
FitnessData ("we", "us", "our") is a SaaS platform for personal trainers and their clients, owned and operated by Chichi Denis William (sole proprietorship / ditta individuale, flat-rate "regime forfettario"), registered in Italy, VAT no. IT03544140985, registered office: Via Amatore Sciesa 9, 20021 Bollate (MI), Italy.
Contact: [email protected]
Data Protection Officer (DPO): not appointed — a DPO is not mandatory at the current scale; one will be designated if processing of health data reaches the scale that requires it under Art. 37 GDPR.
2. What data we collect
- Personal Trainers (account owners): name, email, phone, billing info via Stripe.
- Clients (end users): name, age, contact, body measurements, workout history, photos/videos, medical/anamnesis data (Article 9 GDPR — "special categories").
- Technical: IP, device, browser, session logs (audit, security).
3. Legal basis
- Contract (Art. 6.1.b GDPR) for trainer account.
- Explicit consent (Art. 9.2.a GDPR) for client health data — collected at first portal access via mandatory consent popup.
- Legitimate interest for security logs and fraud prevention.
4. How we use it
To provide the service: coaching, scheduling, payment tracking. No selling, no advertising. Stripe processes payments under their own privacy policy.
5. Sharing & sub-processors
- Supabase (EU region, Frankfurt) — database hosting.
- Cloudflare — CDN, edge worker, file storage (R2).
- Stripe — payment processing.
- Anthropic / Google — AI for workout parsing (anonymized text only).
All sub-processors are bound by Data Processing Agreements (DPAs).
6. Data retention
- Active accounts: for the duration of the subscription.
- On account closure you choose: (a) deactivate & keep — data retained up to 12 months so you can return, then automatic permanent deletion; or (b) delete everything now — immediate, irreversible deletion.
- Backups: purged on a rolling basis (within 30 days).
- Anonymized phone hash: 12 months (anti-fraud).
- Audit logs: 6 months.
7. Your rights (GDPR Articles 15-22)
- Access: request a copy of your data (response within 30 days).
- Rectification: correct inaccurate data.
- Erasure ("right to be forgotten"): delete your account from app settings or write us.
- Portability: export your data in JSON format.
- Object/Restrict: limit certain processing activities.
- Withdraw consent: at any time (does not affect prior lawful processing).
- Complaint: lodge with your supervisory authority (e.g. Garante Privacy IT, CNIL FR, ICO UK).
8. International transfers
The primary database (Supabase) and media storage are hosted in the EU. Some sub-processors are based in the United States — Stripe (payments) and Anthropic / Google (AI workout parsing, Google Calendar). Transfers to these US providers are covered by Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework.
9. Security
TLS 1.3 in transit, AES-256 at rest, Row Level Security (RLS) on the database, biometric authentication on mobile, encrypted local storage. Regular security audits.
10. Children
The digital-consent age is 14 in Italy (16 in some EU countries, 13 in the US under COPPA). Clients below the applicable threshold (under 14 in Italy) require a parent's or guardian's consent, obtained by the trainer before their data is entered.
11. Changes
We'll notify you of material changes via email and an in-app notice. Continued use after notice constitutes acceptance.