Last updated: March 2026
When you create an account, we store your email address, display name, and preferred weight unit (kg/lbs). All workout data — templates, sessions, exercise history, cardio logs, nutrition logs, mindfulness sessions, and program enrollments — is user-generated content that you create and control.
Social features (optional): If you enable a public profile, your display name and completed workout session summaries (duration, volume, exercise list) become visible to users who follow you in the app. We store follow relationships and emoji reactions on sessions. You can disable your public profile at any time via Profile → Public Profile toggle, which immediately removes your sessions from other users’ feeds. You can delete individual reactions and unfollow users at any time.
Workout DNA (optional): When you share a workout template via QR code, a public snapshot of that workout (name and exercise list, no personal data) is stored and accessible to anyone with the link or QR code. You can see your shared DNA codes via the workout edit page. Shared DNA does not include your name or any health data.
If you enable push notifications, we store a push notification subscription token (a device identifier issued by your browser or operating system) in your account. This token is used only to deliver the notifications you have enabled. You can disable push notifications and remove your token at any time via Profile → Notifications, or through your browser or device notification settings.
Guest mode (Ghost Protocol) stores everything locally on your device. Zero data is sent to our servers while in guest mode.
Fittssy optionally integrates with Google Health Connect (Android only) to import health and fitness data from your wearable devices (such as Garmin, Samsung, Fitbit, Pixel Watch, and others that sync to Health Connect). This integration is entirely optional and requires your explicit consent before any data is read.
Health data we may receive via Health Connect is limited to 7 read-only data types: exercise sessions (workout type, duration, calories, distance), sleep sessions (duration and stages), daily steps, active calories, resting heart rate, heart rate samples, and distance. We request READ permissions only — Fittssy never writes to Health Connect. This data is stored in your personal Fittssy account and is protected by Row Level Security — only you can access it.
You may also manually import fitness data by uploading .fit (Garmin binary) or .gpx (GPS Exchange Format) files. These files are parsed on your device and the extracted data is stored in your account. Uploaded files are not retained after processing.
Health Connect permissions can be revoked at any time via Android Settings → Health Connect → App permissions → Fittssy. You can delete all wearable data from Fittssy at any time via Profile → Wearables → Delete Wearable Data.
We do not use your health or wearable data for advertising, profiling, or any purpose other than displaying it to you within the app. Health data is never shared with third parties.
Fittssy offers optional AI-powered features that generate personalized workout programs and exercise protocols based on your preferences (goals, experience level, available equipment, and session duration). These features use Anthropic’s Claude API to process your inputs and return structured training plans.
When you use the AI generator, only the preferences you provide during the generation flow are sent to Anthropic. Your personal data (email, name, workout history, health data) is never included in AI requests. Anthropic does not use inputs to train their models.
AI-generated content is clearly labelled in the app with an ‘AI’ badge. You may edit or delete AI-generated workouts and programs at any time, just like any other user-created content.
Fittssy uses IndexedDB (browser local storage) to enable offline functionality and guest mode. This data never leaves your device unless you explicitly create an account and sync.
Data stored locally includes: exercises, workout templates, session logs, and app preferences. A Service Worker caches the app shell for offline access.
Fittssy does not use Facebook Pixel, ad networks, or advertising-based tracking. We do not sell, share, or monetize your data in any way.
Google Analytics 4 (Google LLC): We use Google Analytics 4 in cookieless mode on our website (fittssy.com) to understand how visitors interact with our landing page. No cookies are set — GA4 operates in memory only (client_storage: 'none'). No personal data is stored or transmitted to Google. Only anonymous usage statistics are collected (pages visited, scroll depth, button clicks). Our Android app is completely excluded from GA4 tracking. See Google’s Privacy Policy at https://policies.google.com/privacy.
PostHog (EU Cloud, Frankfurt, Germany): We capture anonymized product usage events such as account registration, workout completion, and feature usage. These events are linked to your user ID to understand how the app is used and improve the experience. PostHog does not perform cross-site tracking and no data is shared with advertisers or third parties.
Sentry (EU hosting): When an error occurs, Sentry captures the error stack trace and basic browser metadata (browser type, OS version). IP addresses are processed transiently for geolocation and are not stored.
Vercel Analytics: We collect anonymous, aggregated page view data. This data contains no personal information, cannot identify individual users, and is used solely to understand overall traffic patterns. No cookies are set for analytics.
All data in transit is encrypted via HTTPS with HSTS preload. Our Content Security Policy (CSP) scores 125/100 (A+) on Mozilla Observatory. Every database table uses Row Level Security (RLS) — you can only access your own data. Authentication is handled by Supabase Auth with bcrypt password hashing.
Passwords must be at least 8 characters. We recommend using a unique password that you don’t use on other services.
Your account data and user-generated content are retained for as long as your account exists. When you delete your account, all associated data is permanently deleted within 30 days.
Analytics data (PostHog) is retained for 12 months and then automatically purged. Error monitoring data (Sentry) is retained for 90 days.
Guest mode data is stored locally on your device and is deleted when you exit guest mode, clear browser data, or uninstall the app.
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):
Right of access: You may request a copy of the personal data we hold about you. Your workout data, session history, and profile information are always accessible directly within the app.
Right to rectification: You may update your personal data at any time via Profile settings.
Right to erasure: You may delete your account and all associated data at any time via Profile → Delete Account. Deletion is processed within 30 days.
Right to data portability: You may export your workout data through the app’s share and export features.
Right to object: You may object to processing of your data for analytics purposes by contacting us.
Right to withdraw consent: Where processing is based on consent (e.g., Health Connect integration), you may withdraw consent at any time by revoking permissions in Android Settings or deleting wearable data in the app.
Our legal bases for processing your data are: (a) performance of a contract (providing the app service), (b) your consent (Health Connect, AI features), and (c) legitimate interest (analytics, error monitoring, security).
To exercise any of these rights, contact us at privacy@fittssy.com.
Guest mode: Tap ‘Exit Ghost Protocol’ in your profile to wipe all local data instantly.
Registered accounts: Go to Profile → scroll to the bottom → ‘Delete Account’ to permanently delete your account and all associated data. Deletion is processed within 30 days. Alternatively, email privacy@fittssy.com with your account email.
Wearable data only: Profile → Wearables → Delete Wearable Data removes all Health Connect and imported FIT/GPX records without deleting your account.
Supabase (database + auth) — hosted in Zurich, Switzerland (EU). Processes your account, workout, wellness, and wearable data.
Google Analytics 4 (web only) — cookieless landing page analytics (no cookies, no personal data, no cross-site tracking). Android app excluded. Google’s privacy policy: https://policies.google.com/privacy.
Vercel (hosting + analytics) — serves the web application and collects anonymous page view analytics. Servers located in the US and EU.
PostHog (product analytics) — hosted in Frankfurt, Germany (EU). Captures anonymized usage events linked to your user ID. No cross-site tracking. No data shared with third parties.
Sentry (error monitoring) — hosted in the EU. Captures error stack traces and browser metadata when errors occur. IP addresses processed transiently, not stored.
Anthropic (AI content generation) — processes your workout preferences (goals, experience level, equipment) to generate training plans via the Claude API. No personal data, workout history, or health data is sent. Anthropic does not use inputs to train models.
Google OAuth (optional) — if you sign in with Google, Google shares your email and name with us. We store only the email and display name.
Google Health Connect (Android only, optional) — reads health and fitness data from your connected wearable devices when you grant permission. Data is fetched on-demand and stored only in your Fittssy account.
Open Food Facts (optional) — when you use the nutrition food search feature, your search query is sent to the Open Food Facts public API (world.openfoodfacts.org) to retrieve nutritional data. No personal information is included in these requests.
Stripe (payment processing) — processes subscription payments and one-time support donations. Stripe collects your payment card details directly — Fittssy never sees or stores your full card number. Stripe may store your email address, name, and billing address for payment receipts and fraud prevention. Stripe’s privacy policy: https://stripe.com/privacy. Stripe is PCI DSS Level 1 certified.
Resend (transactional email) — sends password reset and confirmation emails only. No marketing emails.
Your primary data is stored in the EU (Supabase in Zurich, PostHog in Frankfurt, Sentry in EU). Some services (Vercel hosting, Anthropic AI) may process data in the United States. Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as required by GDPR.
Fittssy is not intended for use by individuals under the age of 16. We require age verification during registration. We do not knowingly collect personal information from children. If you believe a child under 16 has provided us with personal data, please contact us at privacy@fittssy.com and we will delete the information promptly.
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will update the ‘Last updated’ date at the top of this page when changes are made. Continued use of the App after changes are posted constitutes your acceptance of the updated policy.
Fittssy™ is available in 10 languages: English, Hungarian (Magyar), German (Deutsch), Spanish (Español), French (Français), Portuguese (Português), Russian (Русский), Chinese Simplified (中文), Japanese (日本語), and Korean (한국어).
The app language can be changed at any time via Profile → Language. Your language preference is stored as a cookie on your device. If you are signed in, your language preference is also saved to your account so it persists across devices.
All UI text, exercise library descriptions, and in-app guidance are translated. The Privacy Policy and Terms of Service are currently available in English only.
For privacy questions, data access requests, or deletion requests: email privacy@fittssy.com.
You may also use the in-app feedback tool (tap the floating button on any page, select ‘Feedback’).
Data controller: Fittssy™, operated by an independent developer based in the United Kingdom.
© 2026 Fittssy™. All rights reserved.