Privacy Policy
Last updated: April 2026
This Privacy Policy explains how FitTracker collects, uses, stores and protects your personal data. We comply with the EU General Data Protection Regulation (GDPR).
1. Who We Are
FitTracker is operated by an individual ("Data Controller"). If you have any questions about this Privacy Policy or your personal data, please contact us:
Email: [email protected]
2. What Data We Collect
We collect only the data you provide directly to us:
Account data
- Email address (required for registration)
- Name or display name
- Password (stored as a one-way hash; we cannot read it)
- Security question and answer (stored as a one-way hash)
Fitness data (optional, entered by you)
- Body measurements: weight, height, body fat percentage, circumferences
- Training plans: exercises, sets, reps, weights, rest periods
- Training calendar: workout dates and colour markers
- Workout progression logs
- Nutrition logs: meals, food items, portion sizes
Technical data
- Session data (stored in a server-side session cookie)
- Server access logs (IP address, timestamp, requested URL), kept for up to 30 days for security purposes
We do not collect: location data, device identifiers, advertising IDs, or any data from third-party sources.
3. How We Use Your Data
We use your data exclusively to provide the Service:
- To create and manage your account
- To store and display your fitness data
- To allow password recovery via security question
- To maintain the security and performance of the Service
We do not use your data for advertising, profiling, or any automated decision-making. We do not sell your data to any third party.
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
- Contract (Art. 6(1)(b) GDPR): processing necessary to provide the Service you signed up for
- Legitimate interests (Art. 6(1)(f) GDPR): security logging and fraud prevention
5. Data Retention
We retain your data for as long as your account is active. If you do not log in to your account for 90 consecutive days, your account and all associated data will be automatically and permanently deleted.
We will send you an email notification 10 days before the scheduled deletion, giving you the opportunity to log in and prevent it.
You may also delete your account and all data at any time via Account Settings → Delete Account. Deletion is immediate and irreversible.
6. Data Storage and Security
Your data is stored on servers located in the European Union. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure, including:
- Encrypted HTTPS connections (TLS)
- Password hashing (bcrypt)
- Server-side sessions
- Regular database backups
No method of transmission or storage is 100% secure. In the event of a personal data breach, we will notify the competent supervisory authority within 72 hours of becoming aware of it, as required by Art. 33 GDPR, and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, as required by Art. 34 GDPR.
7. Your Rights (GDPR)
Under GDPR, you have the following rights regarding your personal data:
- Right of access: you can view all data stored in your account at any time
- Right to data portability: you can export all your data in JSON or CSV format via Account Settings → Export My Data
- Right to erasure: you can permanently delete your account and all data via Account Settings → Delete Account
- Right to rectification: you can update your data directly within the Service
- Right to restriction: you may request that we restrict processing of your data
- Right to object: you may object to processing based on legitimate interests
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority. Please contact your local data protection supervisory authority.
8. Cookies
We use a single session cookie (session) that is strictly necessary for the Service to function. It keeps you logged in during your visit. This cookie is not used for tracking or advertising, and because it is strictly necessary it is exempt from the consent requirement for cookies (Art. 5(3) of the ePrivacy Directive, as implemented in your country's law).
We do not use any analytics, advertising or third-party cookies.
9. Third Parties
We do not share your personal data with any third parties, with the exception of our hosting infrastructure provider (EU-based server). The hosting provider processes data only on our behalf and under our instructions, acting as a data processor under a Data Processing Agreement.
10. Children
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has created an account, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by displaying a notice within the Service. The date at the top of this page reflects the most recent revision. Continued use of the Service after changes constitutes acceptance of the updated policy.