Privacy Policy

How we collect, use, and protect your personal information

Fitevolve Ltd – Privacy Policy

Last Updated: 01 November 2025

Company: Fitevolve Ltd (Reg. No. 16825211)

Address: 5 Hilton Walk, Canvey Island, SS8 9XZ

Email: contact@fitevolve.app

Data Protection: security@fitevolve.app

ICO Registration: In Progress (Currently in Private Testing Phase)


1. Introduction

Fitevolve Ltd ("Fitevolve", "we", "our", "us") respects your privacy. This Privacy Policy explains:

  • What personal and health data we collect
  • How we use and store it
  • Your rights under UK GDPR
  • How we share data with third parties
  • Age restrictions and parental consent
  • How to contact us

By using Fitevolve, you agree to the processing described in this Privacy Policy. Where we rely on your consent as the legal basis (for example for health data, GPS tracking and marketing), we ask for that consent separately and explicitly, and you can withdraw it at any time (see Section 9.7).

⚠️ This app collects health data (Special Category Data under UK GDPR Article 9) which requires your explicit consent and receives enhanced protection.

2. Data We Collect

2.1 Personal Information

  • Email address, full name, password (hashed via Supabase Auth)
  • Phone number (optional)
  • Profile photo/avatar
  • Date of birth (for age verification & PT client management)
  • Gender, pronouns
  • Country and location data

2.2 Health & Fitness Data (SPECIAL CATEGORY DATA)

⚠️ Under UK GDPR Article 9, health data is 'Special Category Data' requiring explicit consent and enhanced protection.

We collect the following health-related information:

Physical Metrics:

  • Weight (current & historical)
  • Height
  • Body fat percentage
  • Body measurements
  • Target weight
  • Progress photos

Fitness Information:

  • Fitness level (beginner/intermediate/advanced)
  • Injuries and medical limitations
  • Workout preferences, types, frequency, and duration
  • Workout completion data and streaks
  • Performance metrics and personal records
  • Calories burned (calculated)

Running & GPS Data:

  • GPS routes (latitude/longitude coordinates)
  • Running pace, speed, distance
  • Elevation data and changes
  • Running session statistics

Nutrition & Diet:

  • Dietary restrictions and allergies
  • Daily food logs and macro tracking
  • Meal plan preferences
  • User-contributed food entries

Mental Wellness Data:

  • Mood ratings (1-10 scale)
  • Energy levels (1-10)
  • Motivation levels (1-10)
  • Sleep quality (1-10)
  • Stress levels (1-10)
  • Confidence ratings
  • Hydration and nutrition ratings

Legal Basis:

We process your health data based on your explicit consent (GDPR Article 9(2)(a)). This processing is necessary to provide personalized workout plans, meal plans, fitness tracking, and PT services.

Your Rights:

You can withdraw your consent at any time by emailing security@fitevolve.app. However, withdrawal may limit or prevent us from providing certain services to you.

Enhanced Security:

Health data receives additional security protections including:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Row-Level Security (RLS) policies in our database
  • Restricted access controls (through the app, your health data is visible only to you and your assigned PT)
  • Regular security audits and monitoring

Data Minimization:

We only collect health data that is necessary to provide our services. You can choose which data to provide, though limiting data may reduce personalization.

2.3 GPS Location Tracking - IMPORTANT INFORMATION

What We Track:

Our running tracker uses GPS to record:

  • Your precise running route (latitude/longitude coordinates recorded every few seconds)
  • Distance covered
  • Pace and speed at each point
  • Elevation changes, gain, and loss
  • Start and end locations of runs

Background Tracking:

When you start a run, the app continues tracking your location even if you:

  • Lock your screen
  • Switch to another app (e.g., music player)
  • Minimize Fitevolve

This requires "Always Allow" or "Allow While Using App" location permission to capture your complete route.

⚠️ BATTERY WARNING: GPS tracking uses significant battery power. Your device battery may drain 15-30% per hour of GPS tracking depending on:

  • Device model and age
  • GPS signal strength (poor in buildings, tunnels, forests)
  • Other apps running simultaneously
  • Screen brightness and usage

GPS Accuracy:

Location accuracy depends on GPS signal strength (poor in tunnels, dense urban areas, forests), weather conditions, and device hardware quality.

Accuracy typically ranges from 5-50 meters. We cannot guarantee precise measurements.

Your Privacy:

  • Your running routes are PRIVATE and NOT shared with other users
  • Only you can access your running history and GPS data
  • You can delete any run and its GPS data at any time in your run history
  • Deleted runs and routes are permanently removed from our servers

Required Permissions:

  • iOS: "Allow While Using App" or "Always Allow" location access
  • Android: "Allow all the time" or "Allow only while using the app"

You can revoke permissions in device settings, but this will disable GPS tracking features.

Additional Location Data:

We also collect general location data (city/country) from your IP address during signup to help match you with local Personal Trainers and Running Clubs.

2.4 PT Upgrade Application Data

When users apply to become Personal Trainers, we collect:

Personal Information:

  • Full name, email, phone number
  • Country, city
  • Gender and pronouns
  • Years of experience
  • Profile photo

Social Media:

  • Instagram handle (optional)
  • YouTube channel (optional)
  • LinkedIn profile (optional)

Professional Information:

  • Professional certifications (name, provider, number, expiry, level, registration numbers)
  • Certificate and document uploads
  • Specializations
  • Professional bio
  • Hourly rate (£)
  • Service format (in-person/online/hybrid)
  • Languages spoken

Uploaded Documents:

  • Qualification certificates
  • Insurance documents (if provided)
  • Identity verification documents
  • Professional accreditation documents

Legal Declarations:

  • Confirmation of accuracy
  • Terms agreement
  • Criminal record declaration (self-reported)
  • Background check consent

Payment Information:

  • £9.99 PT upgrade payment transaction
  • Transaction ID
  • Payment date
  • Payment status (pending/completed/refunded)
  • RevenueCat transaction ID (when implemented)

2.5 AI Business Coach Data (PTs Only)

PT AI Assistant Feature:

Personal Trainers can access an AI-powered business coach to help with business growth, client acquisition, pricing strategies, and professional development.

What We Send to OpenAI:

  • Your name and role (PT)
  • Your chat messages to the AI coach
  • Basic PT context: years of experience
  • Category of question (e.g., "Business Growth", "Client Acquisition")

What We DO NOT Send to OpenAI:

  • Your clients' personal or health data
  • Your clients' names, contact information, or identities
  • Workout or session data from your clients
  • Any identifying information about your clients
  • Your full contact details or personal information
  • Payment or financial information

OpenAI Data Processing:

  • Messages are sent to OpenAI's servers in the United States
  • OpenAI uses this data to generate AI responses
  • OpenAI's API Data Policy: OpenAI does NOT use API data to train their models (as of their current policy)
  • Messages are processed to generate the response and are not retained by OpenAI beyond the short abuse-monitoring window described in OpenAI's API data usage policy
  • Data is transferred to the US under the EU Standard Contractual Clauses (SCCs) with the UK Addendum

How Responses Work:

  • AI provides business coaching advice (marketing, pricing, client retention)
  • Responses are general coaching guidance, NOT specific to your clients
  • Responses stored in our database (Supabase) for your conversation history

Your Control:

  • Only accessible to PT users (not regular users)
  • You choose when to use this feature
  • You can delete your conversation history anytime
  • Feature is optional - you're not required to use it

Data Retention:

  • Conversations stored in our database until you delete them
  • You can clear your AI chat history in Settings
  • Deleted conversations removed within 30 days

OpenAI Privacy Policy | OpenAI API Data Usage

⚠️ Important: Do NOT share client-identifiable information in AI chats. Keep questions general (e.g., "How do I price online training?" not "What should I charge John Smith?").

2.6 Communications & Media (UNENCRYPTED)

⚠️ Important: Messages are NOT end-to-end encrypted

In-App Messaging:

  • Text messages between users and PTs
  • Group messages in running clubs
  • Message content (readable by Fitevolve; not end-to-end encrypted)
  • Typing indicators
  • Message reactions and emojis
  • Reply threads
  • Message delivery and read receipts
  • Online/offline status
  • Last seen timestamps

Media Sharing:

  • Images shared in chat
  • Videos shared in chat
  • Voice messages and audio recordings
  • Waveform data for voice messages
  • Document attachments

NOT END-TO-END ENCRYPTED: Messages sent through Fitevolve chat are NOT end-to-end encrypted. This means:

  • Messages are stored on our servers in a form we can read (encryption at rest protects the storage medium, not the content from us)
  • Fitevolve administrators CAN access and read messages
  • Messages are NOT protected with encryption keys known only to you
  • Unlike WhatsApp, Signal, or iMessage, we can see message content

Why Not Encrypted:

  • To moderate content for safety and policy violations
  • To investigate reported harassment or abuse
  • To comply with legal requests from law enforcement
  • To provide customer support for message-related issues

Security Risks:

  • In the event of a data breach, your messages could be exposed
  • Messages could be accessed by unauthorized parties who gain system access
  • We implement security measures but cannot guarantee absolute protection

DO NOT SHARE VIA CHAT:

  • Credit card numbers or banking details
  • Passwords or login credentials
  • National Insurance numbers or ID numbers
  • Highly sensitive medical details beyond fitness discussions
  • Private photos or videos you wouldn't want potentially public
  • Confidential business or personal information

Moderation:

We reserve the right to review message content for policy violations, remove inappropriate messages, suspend accounts for misuse, and report illegal activity to authorities.

Law Enforcement:

We may be legally required to provide message content to police, courts, or regulatory authorities pursuant to valid legal requests.

Your Responsibility:

Keep chat conversations professional and fitness-related. Assume messages are not completely private. Do not share information you wouldn't want potentially exposed.

2.7 Usage & Behavioral Data

  • App open/close timestamps and session duration
  • Feature usage statistics
  • Workout completion data and streaks
  • Total workouts completed
  • Progress milestones and achievements
  • Goal progress percentage
  • PT session booking history
  • Session reviews and ratings (stars, written reviews)
  • Content interactions (likes, bookmarks, views)
  • Running session data and personal records
  • App inactivity periods
  • Notification settings and preferences
  • Device push notification tokens
  • AI chat usage (PTs only): number of messages, categories used, conversation length

2.8 Payment & Financial Data

Processed via RevenueCat & App Stores:

  • Subscription status (£11.99/month)
  • PT upgrade payment (£9.99 one-time)
  • Transaction IDs and payment dates
  • Purchase history
  • Refund records
  • Subscription renewal dates
  • Payment failure notifications

Important: We do NOT store credit card numbers, CVVs, or banking details. All payment information is processed and stored by Apple App Store, Google Play Store, and RevenueCat (when implemented).

2.9 Device & Technical Data

  • Device ID (for push notifications)
  • Operating system version (iOS/Android)
  • App version
  • Device model and manufacturer
  • Screen resolution
  • IP address
  • Network connection type (WiFi/cellular)
  • Crash logs and error reports
  • Performance metrics
  • App installation date

3. Legal Basis for Processing (UK GDPR)

We process your data under the following legal bases:

Consent (GDPR Article 6(1)(a) & Article 9(2)(a)):

  • Health data collection and processing
  • GPS location tracking
  • Push notifications
  • Marketing communications
  • AI coach data processing (PTs only)

Contract (GDPR Article 6(1)(b)):

  • To provide app services and features
  • To process subscriptions and payments
  • To facilitate PT-client interactions
  • To deliver workout and meal plans

Legitimate Interest (GDPR Article 6(1)(f)):

  • App improvements and feature development
  • Fraud prevention and security
  • Analytics and usage statistics
  • Bug fixing and performance optimization

Legal Obligation (GDPR Article 6(1)(c)):

  • Payment record retention (7 years - UK tax law)
  • Compliance with law enforcement requests
  • Regulatory compliance

4. How We Use Your Data

We use your data to:

Provide Services:

  • Create and manage your account
  • Deliver personalized workout and meal plans
  • Track your fitness progress and goals
  • Enable GPS running tracking with route visualization
  • Facilitate communication with Personal Trainers
  • Process subscriptions and payments
  • Send push notifications for workouts, reminders, and updates
  • Provide AI business coaching (PTs only)

Personalization:

  • Customize workout recommendations based on fitness level
  • Tailor meal plans to dietary restrictions and goals
  • Match you with suitable Personal Trainers
  • Suggest running routes and challenges
  • Recommend running clubs in your area
  • Provide relevant AI coaching advice (PTs only)

Safety & Moderation:

  • Monitor PT qualifications and conduct
  • Moderate user-generated content (messages, photos, reviews)
  • Investigate reports of abuse or policy violations
  • Ensure platform safety and compliance

Communication:

  • Send service-related emails and notifications
  • Provide customer support
  • Send weekly check-in reminders
  • Notify you of new features or updates
  • Send marketing communications (with your consent)

Analytics & Improvements:

  • Analyze app usage to improve features
  • Identify and fix bugs
  • Optimize performance
  • Conduct research on fitness trends (anonymized data)
  • Develop new features
  • Improve AI response quality (PTs only)

Legal & Compliance:

  • Comply with legal obligations
  • Respond to law enforcement requests
  • Enforce our Terms of Service
  • Protect our rights and prevent fraud

5. Data Sharing & Third Parties

We share your data with the following third parties:

5.1 Supabase (Database & Storage)

  • What: All user data is stored in Supabase (PostgreSQL database)
  • Where: EU or US servers, depending on project region (see Section 6)
  • Why: Backend infrastructure for data storage and authentication
  • Protections: Row-Level Security, encryption, access controls
  • Agreement: Data Processing Agreement in place

5.2 OpenAI (AI Services - PTs Only)

  • What: PT AI coach messages, PT name/role, years of experience, question category
  • Where: United States (OpenAI servers)
  • Why: To generate AI business coaching responses for Personal Trainers
  • Who: Only PT users who use the AI Assistant feature
  • Protections: OpenAI does NOT use API data to train models (per their policy)
  • Agreement: EU Standard Contractual Clauses (SCCs) with the UK Addendum for the international transfer
  • Data NOT Shared: Client data, client identities, health data, financial data

OpenAI Privacy Policy

⚠️ Important: Only PTs using the AI coach feature send data to OpenAI. Regular users' data is NEVER sent to OpenAI.

5.3 Google Maps (Location Services)

  • What: GPS coordinates for route visualization, city/location for maps
  • Why: To display running routes and maps
  • Protections: Only shares data necessary for map display

Google Privacy Policy

5.4 RevenueCat (Payment Processing)

  • What: Subscription status, purchase history, transaction IDs
  • Why: To manage subscriptions and in-app purchases
  • Note: Actual payment details (cards) stored by Apple/Google, not RevenueCat

RevenueCat Privacy Policy

5.5 Apple App Store / Google Play Store

  • What: Payment information, subscription status
  • Why: To process payments for £11.99/month subscription and £9.99 PT upgrade
  • Protections: Apple/Google handle all payment security

Apple Privacy Policy | Google Privacy Policy

5.6 Expo / Firebase (Push Notifications)

  • What: Device push notification tokens
  • Why: To send workout reminders, PT messages, and app notifications
  • Protections: Device tokens and notification payloads only; no profile, health or account data

Firebase Privacy Policy

5.7 Personal Trainers (PTs)

What PTs Can Access:

  • Your name, email, profile photo
  • Your fitness goals and current level
  • Your workout history and progress
  • Your meal plans and nutrition data
  • Your health metrics (weight, body fat, etc.)
  • Your injuries and limitations
  • Messages you send to them
  • Session notes and reviews

Limitations:

  • PTs can ONLY access data for their assigned clients
  • PTs cannot access your running routes or GPS data
  • PTs cannot see your full account information
  • PTs cannot access messages with other PTs
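The access model above (and the "only you and your PT" rule in Section 2.2) is the kind of thing Row-Level Security is meant to enforce in the database itself rather than in app code. The following is an added illustration written for this page, not Fitevolve's actual schema: the table and column names are assumptions, while `auth.uid()` and the `authenticated` role are Supabase's own helpers.

```sql
-- Added example (not Fitevolve's schema): Supabase/Postgres Row-Level Security
-- policies expressing the access rules in Sections 2.2 and 5.7.
-- Assumed tables: pt_clients, health_metrics, runs. auth.uid() is Supabase's
-- helper that returns the calling user's id from the request JWT.

-- Which trainer is assigned to which client (assumed table).
create table if not exists pt_clients (
  pt_id     uuid    not null references auth.users(id),
  client_id uuid    not null references auth.users(id),
  active    boolean not null default true,
  primary key (pt_id, client_id)
);

-- Health metrics: Special Category data (assumed table).
create table if not exists health_metrics (
  id           bigint generated always as identity primary key,
  user_id      uuid not null references auth.users(id),
  recorded_at  timestamptz not null default now(),
  weight_kg    numeric,
  body_fat_pct numeric
);

-- GPS runs: owner only, never the PT (assumed table).
create table if not exists runs (
  id      bigint generated always as identity primary key,
  user_id uuid  not null references auth.users(id),
  route   jsonb not null   -- list of lat/lon points
);

-- Deny by default: once RLS is enabled, a table with no matching policy
-- returns no rows to the authenticated role.
alter table pt_clients     enable row level security;
alter table health_metrics enable row level security;
alter table runs           enable row level security;

-- Either party of an assignment may see it; this also lets the PT policy
-- below resolve its subquery under RLS.
create policy pt_clients_parties_read on pt_clients
  for select to authenticated
  using (pt_id = auth.uid() or client_id = auth.uid());

-- A user may read and write their own health metrics, and may not insert
-- rows under someone else's user_id.
create policy health_owner_all on health_metrics
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- An active, assigned PT may read (not modify) their clients' metrics.
create policy health_pt_read on health_metrics
  for select to authenticated
  using (
    exists (
      select 1
      from pt_clients pc
      where pc.pt_id = auth.uid()
        and pc.client_id = health_metrics.user_id
        and pc.active
    )
  );

-- Runs and GPS routes: the owner and nobody else. No PT policy exists,
-- so an assigned PT still gets zero rows here.
create policy runs_owner_all on runs
  for all to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

-- Check: impersonate a user inside a transaction and confirm that a PT who
-- is not assigned to anyone sees no health rows. The UUID is a placeholder.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000002","role":"authenticated"}',
    true);
  select count(*) from health_metrics;   -- expected: 0 for an unassigned PT
  select count(*) from runs;             -- expected: 0 for anyone but the owner
rollback;
```

Two caveats a practitioner would check. First, the `health_pt_read` policy is only as strong as the writes to `pt_clients`: nothing above lets a user insert assignment rows, so they must be created by a trusted server path, otherwise a PT could assign themselves to any client. Second, Supabase's `service_role` key bypasses RLS entirely; that is the path through which administrators can read data such as message content (Section 2.6), so it belongs on the server only and must never ship inside the mobile app.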

5.8 Running Clubs

When you join a running club, club members can see:

  • Your name and profile photo
  • Your running statistics (distance, pace, achievements)
  • Group run attendance
  • Club chat messages

Privacy: Your precise GPS routes are NOT shared with club members unless you explicitly share them.

5.9 What We DO NOT Do

  • ✅ We DO NOT sell your data to advertisers
  • ✅ We DO NOT share your data with data brokers
  • ✅ We DO NOT use your data for targeted advertising
  • ✅ We DO NOT share your precise location with other users (except your PT if you choose)
  • ✅ We DO NOT send client data to OpenAI

6. International Data Transfers

Where Your Data is Stored:

  • Supabase servers (EU or US, depending on project configuration)
  • OpenAI servers (US - PTs using AI coach only)
  • Apple and Google systems (for App Store / Play Store purchase and subscription data)

Safeguards for International Transfers:

  • UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with the UK Addendum, as issued by the ICO
  • Supabase and OpenAI comply with GDPR/UK GDPR requirements
  • Encryption in transit and at rest
  • Data Processing Agreements with all processors

Your Rights: UK GDPR protections apply regardless of where data is physically stored.

7. Data Security

We implement comprehensive security measures to protect your data:

Encryption:

  • All data encrypted in transit using HTTPS/TLS
  • Sensitive data encrypted at rest
  • Password hashing using an industry-standard algorithm (bcrypt, via Supabase Auth)

Access Controls:

  • Row-Level Security (RLS) policies in database
  • Role-based access control (users, PTs, admins)
  • Multi-factor authentication for admin accounts
  • Regular access audits

Monitoring & Response:

  • 24/7 security monitoring
  • Automated threat detection
  • Regular security assessments
  • Incident response procedures

Infrastructure:

  • Secure cloud hosting (Supabase/AWS)
  • Regular backups
  • DDoS protection
  • Firewall protections

Despite our efforts, no system is 100% secure. We cannot guarantee absolute security against all threats.

7.1 Data Breach Response & Notification

In the Event of a Breach:

  1. We will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to individuals
  2. We will notify affected users without undue delay (typically within 72 hours) where the breach is likely to result in a high risk to them
  3. We will provide details of the breach, data affected, and recommended actions
  4. We will implement additional security measures to prevent recurrence

What We'll Tell You:

  • Nature of the data breach (what happened)
  • Categories of data affected (e.g., email, health data, messages)
  • Approximate number of users affected
  • Likely consequences and risks to you
  • Measures we've taken to address the breach
  • Recommendations for protecting yourself
  • Contact information for questions

What You Should Do if Notified:

  • Change your Fitevolve password immediately
  • Change passwords on other services if you used the same password
  • Monitor your accounts for suspicious activity
  • Be alert for phishing attempts using stolen information
  • Consider placing fraud alerts if financial data was affected
  • Contact us with questions at security@fitevolve.app

Your Rights:

  • You have the right to lodge a complaint with the ICO
  • You can request details about what data was affected
  • You may request account deletion following a breach
  • You can seek compensation for damages (subject to proving harm)

Legal Requirements: Under UK GDPR, we must report qualifying breaches to the ICO within 72 hours of becoming aware of them and notify affected individuals where the risk to them is high. We face potential fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for non-compliance.

8. Data Retention

How Long We Keep Your Data:

  • Account information: Until account deletion + 30 days
  • Health & fitness data: Until account deletion + 30 days
  • Progress photos: Until you delete them, or account deletion
  • Running routes & GPS data: Until you delete them, or account deletion
  • Messages: Retained until account deletion
  • AI coach conversations (PTs): Until you delete them, or account deletion
  • PT application data: 7 years (rejected), indefinitely (approved)
  • Payment records: 7 years (UK legal requirement)
  • Crash logs: 90 days
  • Analytics data: 2 years (anonymized)

Account Deletion:

  • When you delete your account, we delete all personal data within 30 days
  • Some data may be retained for legal compliance (payment records, legal claims)
  • Backups are overwritten within 90 days
  • Anonymized analytics data may be retained indefinitely

9. Your Rights under UK GDPR

You have the following rights regarding your personal data:

9.1 Right to Access

Request a copy of all personal data we hold about you.

9.2 Right to Rectification

Correct inaccurate or incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten")

Request deletion of your personal data (subject to legal retention requirements).

9.4 Right to Restrict Processing

Limit how we use your personal data in certain circumstances.

9.5 Right to Data Portability

Receive your data in a machine-readable format to transfer to another service.

9.6 Right to Object

Object to processing based on legitimate interests or for marketing purposes.

9.7 Right to Withdraw Consent

Withdraw consent for health data processing, location tracking, AI data processing, or marketing (may limit services).

9.8 Right to Lodge a Complaint

File a complaint with the UK Information Commissioner's Office (ICO):

Website: https://ico.org.uk/

Phone: 0303 123 1113

How to Exercise Your Rights:

Email us at security@fitevolve.app with:

  • Your full name and email address
  • Description of your request
  • Proof of identity (if requesting data access/deletion)

Response Time: We will respond within 30 days (may extend to 60 days for complex requests).

10. Cookies & Tracking

Mobile App: The Fitevolve mobile app does NOT use cookies.

Website (if applicable): If you visit our website, we may use essential cookies for functionality. We do not use tracking cookies for advertising.

11. Children's Privacy

Minimum Age: You must be at least 18 years old to use Fitevolve, except as set out below for users aged 16-17.

Why 18+:

  • We collect Special Category health data
  • Exercise programs carry physical risks
  • GPS tracking raises safety concerns for minors
  • Meal planning and calorie tracking may be inappropriate for youth
  • Users may interact with Personal Trainers

Ages 16-17: May use Fitevolve ONLY with parental/guardian consent and supervision.

Children Under 16: We do NOT knowingly collect personal information from anyone under 16 without parental consent.

If Your Child Created an Account:

Contact us immediately at contact@fitevolve.app with:

  • Child's email address used for the account
  • Your relationship to the child
  • Proof of parental relationship

We will delete the account and data promptly.

Discovery of Underage Users: If we discover a user is under 18 (or under 16 without parental consent), we will immediately suspend the account, delete all personal data within 30 days, and refund any subscription payments.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements
  • User feedback

How We Notify You:

  • In-app notification
  • Email to registered address
  • Prominent notice in the app

Your Continued Use: Continued use of Fitevolve after changes constitutes acceptance of the updated Privacy Policy.

Effective Date: Changes take effect 30 days after notification (or immediately if required by law).

13. Contact Information

Fitevolve Ltd (Company No. 16825211)

Registered Address: 5 Hilton Walk, Canvey Island, SS8 9XZ


General Inquiries: contact@fitevolve.app

Data Protection & Privacy: security@fitevolve.app

Security Issues: security@fitevolve.app


ICO Registration: In Progress (Currently in Private Testing Phase)


Office Hours: Monday-Friday 9:00am - 5:00pm GMT

Response Time: We aim to respond within 24-48 hours on business days

14. Additional Information

14.1 Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.

AI Coach (PTs Only): The AI business coach provides suggestions and advice, but does NOT make automated decisions affecting your rights or services.

14.2 Data Protection Officer

For data protection inquiries, contact our Data Protection team at security@fitevolve.app

14.3 Supervisory Authority

UK Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: https://ico.org.uk/

Phone: 0303 123 1113


✅ By creating a Fitevolve account, you confirm that you have read, understood, and agree to this Privacy Policy.

Last Updated: 01 November 2025
Version: 1.0
Effective Date: 01 November 2025