1. GDPR Overview
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that protects individuals in the European Union (EU) and the European Economic Area (EEA), and applies to organizations inside or outside the EEA that process their personal data. It gives you greater control over your personal data and requires organizations to be transparent about how they collect, use, and protect your information.
At FitFlow, we are committed to GDPR compliance and protecting your fundamental right to privacy. This page explains your rights under GDPR and how you can exercise them.
Our Commitment
We process your personal data lawfully, fairly, and transparently. We only collect data that is necessary for our services and protect it with appropriate security measures.
2. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights regarding your personal data:
2.1 Right to Access (Article 15)
You have the right to request a copy of your personal data that we process. This includes:
- Confirmation of whether we process your personal data
- A copy of your personal data in a commonly used format
- Information about how we process your data
- The purposes of processing
- Categories of recipients we share data with
- How long we retain your data
- Your rights regarding your data
2.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data or completion of incomplete data. You can update most of your information directly through your account settings, or contact us for assistance.
2.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required by law
Note: This right is not absolute. We may need to retain certain data for legal obligations, such as financial records for tax purposes.
2.4 Right to Restriction of Processing (Article 18)
You can request that we limit how we use your personal data in certain circumstances:
- When you contest the accuracy of the data (while we verify it)
- When processing is unlawful but you don't want erasure
- When we no longer need the data but you need it for legal claims
- When you've objected to processing (while we assess our legitimate grounds)
2.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You can also request that we transmit this data directly to another service provider where technically feasible. This right applies only where all of the following hold:
- You provided the data to us
- We process it based on your consent or on a contract with you
- We process it by automated means
2.6 Right to Object (Article 21)
You have the right to object to processing of your personal data in certain circumstances:
- Processing based on legitimate interests or public task
- Direct marketing (including profiling related to direct marketing)
- Processing for scientific, historical research, or statistical purposes
2.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. If we use such automated decision-making, you can:
- Request human intervention
- Express your point of view
- Contest the decision
Current Status: FitFlow does not currently use automated decision-making that produces legal or similarly significant effects.
2.8 Right to Withdraw Consent
Where we process your data based on consent, you have the right to withdraw that consent at any time. This doesn't affect the lawfulness of processing before withdrawal. You can withdraw consent for:
- Marketing communications
- Non-essential cookies
- Optional data processing
3. How to Exercise Your Rights
3.1 Methods to Submit Requests
Account Settings
Access your data directly:
Settings → Privacy → Manage Data
Email
Send your request to privacy@fitflow.digital (see Section 8 for contact details).
3.2 Information We Need
To process your request, we need:
- Your full name and email address
- Specific right(s) you wish to exercise
- Relevant details about your request
- Proof of identity (we may request additional verification)
3.3 Response Timeline
Standard Response Time: 30 Days
- We'll acknowledge your request within 3 business days
- Most requests are completed within 30 calendar days
- Complex or numerous requests may take up to 90 days in total; if we need the extra time, we'll tell you within the first 30 days and explain why
- No fee for most requests (manifestly unfounded or excessive requests may incur a reasonable fee or be refused)
3.4 Verification Process
To protect your privacy and security, we verify your identity before processing requests:
- Email verification through your registered address
- Security questions about your account
- Government-issued ID (for sensitive requests)
4. Categories of Data We Process
Identity Data
Name, username, date of birth, gender
Contact Data
Email address, phone number (optional), location (city/country)
Fitness Data
Workout programs, exercise logs, progress metrics, goals
Financial Data
Subscription details, payment history (via Stripe)
Technical Data
IP address, browser type, device information, cookies
Usage Data
How you use our service, features accessed, interaction patterns
Communication Data
Messages, support tickets, feedback, preferences
5. Legal Basis for Processing
We only process your personal data when we have a valid legal basis. Here's how we justify our processing:
5.1 Contract Performance
We process data necessary to provide our services to you:
- Account creation and management
- Providing fitness program features
- Processing payments
- Customer support
5.2 Legitimate Interests
We process data for legitimate business interests, provided those interests are not overridden by your interests, rights, and freedoms:
- Improving our services
- Preventing fraud and ensuring security
- Analytics and performance monitoring
- Direct marketing to existing customers
5.3 Legal Obligations
We process data to comply with legal requirements:
- Tax and accounting records
- Responding to lawful requests
- Preventing illegal activities
5.4 Consent
We process data based on your explicit consent for:
- Marketing to non-customers
- Non-essential cookies
- Optional features requiring additional data
5.5 Vital Interests
In rare circumstances, we may process data to protect someone's life or physical safety.
6. Data Protection Measures
6.1 Technical Measures
- Encryption in transit (TLS 1.2+) and at rest
- Secure authentication and session management
- Regular security audits and vulnerability testing
- Firewalls and intrusion detection systems
- Regular backups with encryption
6.2 Organizational Measures
- Limited access on a need-to-know basis
- Employee training on data protection
- Data protection impact assessments
- Incident response procedures
- Data processing agreements with third parties
6.3 International Transfers
When we transfer data outside the EEA, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Binding corporate rules
- Your explicit consent (where applicable)
6.4 Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account + 30 days |
| Fitness data | Duration of account + 1 year |
| Financial records | 7 years (legal requirement) |
| Marketing data | Until consent withdrawn |
| Support tickets | 2 years after resolution |
| Security logs | 1 year |
7. How to File a Complaint
7.1 Contact Us First
We hope to resolve any concerns directly. Please contact our Data Protection Officer first, using the details in Section 8.
7.2 Supervisory Authority
If you're not satisfied with our response, you have the right to lodge a complaint with a supervisory authority:
For EU/EEA Residents
Contact the data protection authority of the country where you live, where you work, or where the alleged infringement took place. The European Data Protection Board (EDPB) publishes the list of national authorities: EDPB Members
For UK Residents (UK GDPR)
Information Commissioner's Office (ICO): ico.org.uk
7.3 Your Right to Judicial Remedy
You also have the right to an effective judicial remedy if you believe your rights under GDPR have been infringed. This can be against:
- The supervisory authority (for inadequate handling of your complaint)
- FitFlow directly (for violation of your rights)
8. Contact Our Data Protection Officer
Data Protection Officer
Privacy Team
General Inquiries: privacy@fitflow.digital
Data Requests: Use account settings or email
Office Hours: Mon-Fri, 9AM-5PM PST
We're Here to Help
Exercising your GDPR rights is important to us. We'll guide you through the process and ensure your requests are handled promptly and professionally. Don't hesitate to reach out if you have any questions about your privacy rights.
9. Updates to This Document
We may update this GDPR Rights document to reflect changes in our practices or legal requirements. When we make significant changes:
- We'll update the "Last Updated" date
- We'll notify you via email or in-app notification
- We'll highlight the changes for easy review
- Previous versions will be available upon request