Privacy Policy

This Privacy Policy describes how Fitney Tecnologia Ltda. ("Fitney", "we") collects, uses, shares, and protects personal data from users ("Users", "you") of our fitness and nutrition SaaS platform.

This Policy applies to all services offered by Fitney, including:

• Institutional website (fitney.com.br);
• Mobile application for iOS and Android;
• Administrative panel for professionals (backoffice);
• White-label applications generated for Premium plan professionals;
• APIs and backend services.

It is supplemented by our GDPR page and our Cookie Policy.

We recommend reading this Policy in full. By using the Platform, you confirm that you understand our data processing practices.

For the purposes of this Policy and applicable data protection laws:

• Fitney Tecnologia Ltda. is the controller of personal data of Professionals (personal trainers, nutritionists) who subscribe to the Platform;
• The Professional is the controller of their Clients' personal data, and Fitney acts as processor of such data;
• The Data Protection Officer (DPO) can be reached at dpo@fitneyapp.com.

This distinction is important for exercising rights: Clients should primarily direct requests to the Professional managing their data, although they may also contact Fitney directly.

We collect the following categories of personal data:

Registration Data

• Full name, email, phone number (with country code);
• CPF/CNPJ (for billing in Brazil);
• Professional registration or certification, when voluntarily provided by the User (e.g., CREF, CRN in Brazil; NASM, ACE, NSCA, RD in the USA; REPs, EREPS in Europe). This data is optional and is not verified by Fitney;
• Business address and billing information.

Health and Fitness Data (Sensitive Data)

• Body measurements (weight, height, circumferences);
• Health and fitness goals;
• Workout and exercise history;
• Nutritional data and meal plans;
• Progress photos (when voluntarily provided);
• Dietary restrictions and declared health conditions;
• Data imported from health platforms (Apple HealthKit on iOS and Health Connect on Android), including steps, heart rate, calories burned, distance traveled, and exercise sessions — only with the data subject's explicit consent, granted directly through the device's operating system;
• Health questionnaire (anamnesis): medical history, lifestyle, physical activity level, goals — voluntarily filled in by the Client or Professional.

Usage and Device Data

• IP address, browser type, and operating system;
• Pages accessed, time spent, and interactions;
• Geolocation data (IP-based on the website; GPS on the mobile app, when authorized, to record workout location);
• Device identifiers: device model, operating system version, app version, and unique device identifier;
• Push notification tokens (Firebase Cloud Messaging) for sending reminders and communications;
• Performance and diagnostic data collected by Firebase Crashlytics (crash reports, without personally identifiable data);
• Cookies and similar technologies — see our Cookie Policy.

Local Storage Data (Mobile App)

• API response cache (stored locally for up to 3 days for offline functionality);
• Offline operations queue (exercises, check-ins, and running sessions performed without a connection, automatically synced upon reconnection);
• Notification preferences and User settings;
• Recent notification history (last 10 received).

Payment Data

• Transaction data (amount, date, status);
• Last 4 digits and card brand (for identification);
• In-app purchase data via Apple App Store or Google Play, including transaction identifiers and subscription periods;
• Note: complete card data is processed directly by Stripe or local processors (Asaas in Brazil) and is never stored on our servers.

Communication Data

• Messages exchanged between Professionals and Clients on the Platform;
• Support communications and feedback.

We process personal data based on the following legal grounds:

Legal Basis	LGPD (Art. 7)	GDPR (Art. 6)	Examples
Contract performance	Art. 7, V	Art. 6(1)(b)	Service provision, payment processing
Consent	Art. 7, I / Art. 11, I	Art. 6(1)(a)	Health data, marketing, non-essential cookies
Legitimate interest	Art. 7, IX	Art. 6(1)(f)	Security, fraud prevention, service improvement
Legal obligation	Art. 7, II	Art. 6(1)(c)	Tax obligations, regulatory requirements, court orders
Protection of life	Art. 7, VII	Art. 6(1)(d)	Emergency situations involving health data

For sensitive data (health and fitness data), we primarily use specific and prominent consent from the data subject, as required by Art. 11 of the LGPD and Art. 9 of the GDPR.

We use your personal data for the following purposes:

• Service provision: creating and maintaining your account, providing contracted features, processing payments;
• Personalization: adapting the experience, workout recommendations, and features to your profile;
• Communication: sending service notifications, updates, security alerts, and (with consent) marketing communications;
• Security: detecting, preventing, and investigating fraud, unauthorized access, and malicious activities;
• Service improvement: analyzing usage patterns (in aggregate and anonymized form when possible) to improve features;
• Legal compliance: fulfilling tax, regulatory, judicial, and competent authority obligations;
• Support: responding to requests, complaints, and providing technical assistance.

We share personal data only in the situations below, always with appropriate safeguards:

Service Providers (Processors/Sub-processors)

• Infrastructure and hosting: cloud computing providers (servers in the USA and/or EU);
• Payments: Stripe and local processors;
• Analytics and monitoring: Google Analytics 4 (via Google Tag Manager, with Consent Mode v2), Firebase Analytics and Firebase Crashlytics (stability reports), Microsoft Clarity (heatmaps);
• Push notifications: Firebase Cloud Messaging (Google);
• Media storage: Amazon S3 and Supabase (exercise photos, check-ins, and assessments);
• Health: Apple HealthKit and Google Health Connect (local read/write only on device, data not transferred to Fitney servers);
• Payments: Stripe (international) and Asaas (Brazil — PIX and Boleto); Apple App Store and Google Play (in-app purchases);
• Transactional email: email delivery providers (SMTP);
• Support: customer service tools.

All providers are contracted with Data Processing Agreements (DPAs).

Professional-Client Sharing

Professionals have access to their Clients' data as necessary for service provision. Clients should review their Professional's privacy policy.

Legal Obligations

We may disclose data when required by law, court order, legal proceedings, or request from a competent governmental authority.

Corporate Transfers

In the event of a merger, acquisition, reorganization, or asset sale, data may be transferred, with prior notice and maintenance of protections.

Fitney does not sell personal data to third parties, as defined by the LGPD, GDPR, and CCPA/CPRA.

Fitney may transfer personal data outside the data subject's country of origin, in compliance with applicable laws:

Brazil to Abroad (LGPD, Arts. 33-36)

• To countries or organizations providing an adequate level of protection, as recognized by the ANPD;
• Through standard contractual clauses approved by the ANPD;
• With specific and prominent consent from the data subject;
• When necessary for contract performance.

EU/EEA to Abroad (GDPR, Arts. 44-49)

• To countries with an adequacy decision from the European Commission;
• Through EU Standard Contractual Clauses (SCCs);
• To the USA, under the EU-US Data Privacy Framework, where applicable;
• Transfer impact assessment (TIA) is conducted when necessary.

Our primary servers are located in the United States (AWS/Google Cloud) with appropriate technical and organizational security measures.

We retain personal data only for the period necessary to fulfill the purposes described in this Policy:

Data Category	Retention Period	Justification
Active account data	While the account is active	Contract performance
Data after cancellation	Up to 6 months	Possibility of reactivation
Tax/financial data	5 years	Legal obligation (Brazilian Tax Code)
Health data	Until deleted by the subject or 2 years after inactivity	Regular exercise of rights
Access logs	6 months	Legal obligation (Brazilian Internet Civil Framework, Art. 15)
Communication data	While the account is active + 1 year	Support and dispute resolution
Anonymized data	Indefinitely	Anonymized data is not personal data

At the end of the retention period, data is deleted or irreversibly anonymized.

Depending on your location, you have the following rights over your personal data:

Rights under the LGPD (Brazil)

Under Arts. 17-22 of the LGPD, you have the right to:

• Confirmation of data processing;
• Access to personal data;
• Correction of incomplete, inaccurate, or outdated data;
• Anonymization, blocking, or deletion of unnecessary or excessive data;
• Data portability;
• Deletion of data processed based on consent;
• Information about sharing with third parties;
• Withdrawal of consent;
• Objection to processing.

Rights under the GDPR (EU/EEA)

Under Arts. 15-22 of the GDPR, you have the right to:

• Access (Art. 15);
• Rectification (Art. 16);
• Erasure / "right to be forgotten" (Art. 17);
• Restriction of processing (Art. 18);
• Portability (Art. 20);
• Objection (Art. 21), including objection to direct marketing;
• Not to be subject to automated decisions (Art. 22);
• Lodge a complaint with the competent supervisory authority.

Rights under CCPA/CPRA (California, USA)

• Right to know what data is collected and how it is used;
• Right to delete personal data;
• Right to correct inaccurate data;
• Right to opt-out of the sale/sharing of data;
• Right to limit the use of sensitive data;
• Right not to be discriminated against for exercising your rights.

Fitney does not sell or share personal data for cross-context behavioral advertising purposes, as defined by the CPRA.

To exercise your rights, contact us at dpo@fitneyapp.com. We will respond within 15 days (LGPD), 30 days (GDPR), or 45 days (CCPA).

We implement technical and organizational measures to protect your personal data, including:

• Encryption: data in transit protected by TLS 1.3; sensitive data encrypted at rest (AES-256);
• Access control: multi-factor authentication, principle of least privilege, access logs;
• Infrastructure: servers in certified data centers (SOC 2 Type II, ISO 27001);
• Monitoring: intrusion detection, 24/7 monitoring, and automatic alerts;
• Backup: encrypted backups with regular retention and restoration testing;
• Staff: regular security and privacy training for all employees;
• Testing: periodic vulnerability assessments and security reviews.

No system is 100% secure. In the event of a security incident, we will notify competent authorities (ANPD, European data protection authorities) and affected data subjects within legal timeframes.

The Platform is not directed at minors under 18 years of age. Minors under 18 may only use the Platform with verifiable consent from a legal guardian.

• Brazil (LGPD, Art. 14): children's data (up to 12 years) only with specific and prominent consent from at least one parent or legal guardian. Adolescents (12-17): consent from legal guardian;
• EU (GDPR, Art. 8): consent of minors under 16 (or lower age defined by the Member State, minimum 13) requires authorization from the holder of parental responsibility;
• USA (COPPA): we do not knowingly collect data from minors under 13. If we become aware, we will delete the data immediately.

If you believe a minor's data has been collected without authorization, contact dpo@fitneyapp.com.

We use cookies and similar technologies to operate the Platform, analyze usage, and personalize the experience. For detailed information, please see our Cookie Policy.

Summary:

• Essential cookies: necessary for website operation (no consent required);
• Analytics cookies: to understand how the Platform is used (require consent);
• Marketing cookies: to personalize ads (require consent).

You can manage your cookie preferences at any time through the cookie banner or your browser settings.

Fitney may use automated processing to:

• Recommend workouts and meal plans based on the Client's profile;
• Detect anomalous usage patterns for security;
• Personalize the experience on the Platform.

These recommendations are auxiliary and always subject to Professional review. We do not make decisions that produce legal effects or significantly affect the data subject based solely on automated processing.

Under Art. 20 of the LGPD and Art. 22 of the GDPR, you have the right to request a review of automated decisions and to obtain information about the criteria and procedures used.

We may update this Policy periodically. Substantial changes will be communicated with 30 days' advance notice via:

• Email to registered Users;
• Notification on the Platform;
• Update of the "Last updated" date on this page.

For changes requiring new consent (e.g., new purposes for sensitive data processing), we will request specific consent before implementation.

We recommend reviewing this Policy periodically.

For questions, requests, or complaints about this Policy or the processing of your personal data:

• Data Protection Officer (DPO): dpo@fitneyapp.com
• General: legal@fitneyapp.com
• Address: Fitney Tecnologia Ltda., CNPJ 44.638.274/0001-86, R. Cascavel, 2760 — Curitiba, PR, Brazil

If you are not satisfied with our response, you may file a complaint with the competent data protection authority:

• Brazil: National Data Protection Authority (ANPD) — gov.br/anpd
• EU: Data protection authority of your country of residence
• USA (California): Office of the Attorney General of California