GDPR — Data Protection

The General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR) is the EU regulation governing the processing of personal data of natural persons, in force since 25 May 2018. The UK retained substantially equivalent rules under the UK GDPR and the Data Protection Act 2018.

The GDPR applies to any processing of personal data of individuals in the EU/EEA, regardless of where the controller is established (Art. 3 GDPR). If you are outside the EU/UK, local laws (e.g. CCPA in California, LGPD in Brazil) may also apply — see the localized version of this page for your country.

Under the GDPR, Fitney Tecnologia Ltda. is the data controller for personal data of its users. Third parties that process data on our behalf (hosting, payments, email) are processors and act under a contract that complies with Art. 28 GDPR.

We process identification and contact data (name, email, phone), profile data (photo, bio, CREF), health and training data (weight, height, sessions, anamnesis — special categories under Art. 9 GDPR), usage data (logins, device IDs, IP) and payment data (via Stripe/Asaas).

Health data is processed only with your explicit consent (Art. 9(2)(a) GDPR).

We rely on the following lawful bases:

• Performance of a contract (Art. 6(1)(b)): account, authentication, payment, platform delivery.
• Consent (Art. 6(1)(a); Art. 9(2)(a)): health/anamnesis data, marketing, optional cookies.
• Legitimate interest (Art. 6(1)(f)): fraud prevention, service security, platform analytics.
• Legal obligation (Art. 6(1)(c)): accounting, tax, regulatory requests.

You have the following rights at any time:

• Right of access (Art. 15)
• Right to rectification (Art. 16)
• Right to erasure / right to be forgotten (Art. 17)
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20)
• Right to object (Art. 21)
• Right not to be subject to automated decision-making (Art. 22)
• Withdrawal of consent at any time, without retroactive effect

You can reach our DPO at privacy@fitneyapp.com. The DPO is your single point of contact for any question regarding the processing of your data and the exercise of your rights.

Send your request to privacy@fitneyapp.com with proof of identity. We respond within one month as a rule (Art. 12(3) GDPR), extendable by two months for complex requests.

We use encryption in transit (TLS 1.2+) and at rest, least-privilege access controls, audit logs, regular backups, and penetration testing. Staff are bound by confidentiality. Processors are bound by Art. 28 contracts.

Some processors are located outside the EEA (e.g. AWS US, Stripe US). These transfers rely on adequacy decisions of the European Commission or on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR, supplemented by the additional safeguards required after Schrems II.

We share data only with: (a) processors (hosting, payment, email, analytics); (b) your linked professionals (personal trainer, nutritionist) when an active link exists; (c) authorities when required by law.

We do not sell personal data.

We retain data only for as long as necessary for the purposes of processing or as required by law (accounting: 10 years; training history: until account deletion). After that, data is deleted or anonymized.

In the event of a breach likely to result in a risk to the rights and freedoms of natural persons, we notify the competent supervisory authority within 72 hours of becoming aware and inform affected individuals where the risk is high.

You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement (Art. 77 GDPR).

UK residents can complain to the Information Commissioner’s Office (ICO). EU residents can find their national authority via the European Data Protection Board.

For any data protection question:

• Email (DPO): privacy@fitneyapp.com
• Controller: Fitney Tecnologia Ltda.