Privacy Policy

Last updated: May 1, 2026

This Privacy Policy describes what personal data the Fit Booster mobile application and backend service (the “Service”) collect, how we use it, who we share it with, and your rights.

Data Controller:Fit Booster, based in Kazakhstan. References to “we”, “us”, and “our” mean the operator of Fit Booster.

Fit Booster is an iOS and Android fitness tracking app. By using the Service you agree to the processing described below.

1. Data We Collect

1.1 Account data

• Email address - used to sign you in via a one-time 6-digit code. We do not use passwords or social sign-in. The code is stored hashed on the server only until it is used or expires.
• First name and last name - shown on your profile inside the app.

1.2 Profile data

We collect the following to personalise training recommendations:

• Gender
• Date of birth
• Height (cm)
• Body weight (kg)
• Fitness goal (muscle gain, fat loss, strength)
• Training experience level (beginner, intermediate, advanced)
• Preferred weight unit (kg or lb)

1.3 Workout data

• Sessions: start and finish times, status, total volume, your self-reported session quality.
• Exercises within a session: the exercise, its order, an optional free-text note, superset grouping.
• Sets: working weight, reps, optional RPE (rate of perceived exertion).
• Templates: training plans you build (title and selected exercises).
• Custom exercises: if you create your own exercise, the definition is stored and tied to your account.
• Progression recommendations: computed by the Service from your history.

1.4 Subscription data

• Subscription state: plan type (monthly or yearly), trial flag, trial end, period start and end, cancellation flag, status (trialing, active, grace, canceled, expired).
• Provider identifiers: your Apple original transaction ID and the product identifier. Card numbers are processed by Apple and never reach us.
• Linked email: your email address is shared with our subscription provider (RevenueCat) so that subscription status can be linked to your account and so that support inquiries can be resolved.
• Raw purchase events: the JSON webhook bodies sent to us by RevenueCat are stored for audit and idempotency. They contain transaction metadata (dates, identifiers, environment) but no payment card data.

1.5 Account deletion feedback

If you delete your account and choose to share why, we store the following anonymous record:

• The date the account was created
• The date the account was deleted
• The optional reason you selected
• An optional free-text comment (up to 2000 characters)

This record does not contain your user ID, email, name, or any other identifier that would allow us to link the feedback back to you.

1.6 Technical data

• App diagnostics: HTTP method, path, and status code of your requests to our backend are logged for debugging.

Server logs that may contain the data above are retained on our hosting provider for up to 90 days and are then automatically rotated and overwritten.

1.7 Data we do NOT collect

We do not collect advertising identifiers, contacts, calendar, precise location, microphone input, camera content, photos from your library, or biometric data. The app does not include third-party analytics, crash reporting, or advertising SDKs.

2. Device Permissions We Request

• Photo Library (iOS) / Storage (Android): requested only when you ask to save a workout completion image to your device. Denying this permission does not affect any other feature.
• Notifications (iOS / Android): we may ask for permission to send you push notifications, such as workout reminders or other Service-related messages. Notifications are optional - you can decline the prompt or disable them later in your device settings without affecting other features.
• Network access: used to communicate with our backend and Apple / Google.

3. How We Use Your Data

• To sign you in and keep you signed in on your device.
• To operate core features: log and display workouts, generate progression recommendations, show stats.
• To manage subscriptions, free trials, renewals, grace periods, and to prevent duplicate purchases.
• To send transactional emails (verification codes).
• To diagnose problems, maintain uptime, and secure the Service against abuse.
• To comply with legal obligations where applicable.

We do not sell your personal data and we do not use it for advertising or profiling outside of generating your own training recommendations.

4. Legal Basis (EEA / UK Users)

Where GDPR or UK GDPR applies, we process your data on the following bases:

• Performance of a contract - to deliver the Service you signed up for.
• Legitimate interests - to secure the Service, prevent fraud, and improve features.
• Consent - for optional permissions (e.g., saving images to your photo library).
• Legal obligation - when required to retain or disclose data.

Users in the EEA or UK who wish to exercise their rights or have questions about our processing can contact us at [email protected], which also serves as the contact point for matters under Article 27 GDPR.

5. Notice for California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• The right to know what personal information we collect, use, and disclose about you.
• The right to delete personal information we hold about you.
• The right to correct inaccurate personal information.
• The right to opt out of the “sale” or “sharing” of personal information.
• The right to non-discrimination for exercising your rights.

We do not sell or share personal information as those terms are defined under the CCPA / CPRA. To exercise any of your rights, email [email protected].

6. Who We Share Data With

We share data only with providers that help us operate the Service. Each acts as a processor under a contractual commitment to handle your data only for the purposes we instruct.

• Apple Inc. - app distribution (App Store) and payment processing for in-app purchases. Apple handles your payment method directly; we receive only subscription status and transaction IDs.
• RevenueCat, Inc. - subscription state management across devices. We send RevenueCat your internal user ID and your email address (to help support inquiries) and receive back subscription status.
• MongoDB, Inc. (Atlas) - hosted database that stores your account, profile, workout, and subscription data.
• DigitalOcean, LLC - virtual server hosting for our backend API.
• Resend (Resend.com) - delivery of transactional email (one-time sign-in code, account deletion confirmation). We send Resend only your email address and the message body.

7. International Transfers

Our providers may process data in countries other than your own, including the United States and the European Union. Where international transfers from the EEA, UK, or other regions with cross-border restrictions apply, we and our processors rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and, where applicable, the EU-US Data Privacy Framework for U.S.-based providers that are certified.

8. Data Retention

• Account data, profile, workout data, templates, custom exercises, recommendations: retained while your account is active.
• Account deletion: when you delete your account from the app, your account record, profile, workout data, templates, custom exercises, and saved recommendations are removed from our database. Associated subscription records are marked as belonging to a deleted user; they remain linked to the anonymised Apple original transaction ID for audit and refund handling. Subscriptions are not cancelled by account deletion - cancel them in your Apple ID settings.
• Deletion feedback: retained anonymously (without user ID, email, or other identifiers) for product improvement, with no fixed deletion date.
• RevenueCat webhook events: retained in our event log indefinitely for audit, deduplication, and refund handling. They contain subscription metadata but no PII beyond transaction identifiers.
• Server logs (IP addresses, HTTP diagnostics): retained on our hosting provider for up to 90 days and then rotated.
• Email logs: Resend may retain delivery logs in line with its own retention policy.

9. Your Rights

Subject to applicable law, you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data. You can edit most profile fields directly in the app.
• Delete your data. You can do this yourself in Profile → Delete Account.
• Receive a copy of your data. Contact us and we will export your account and workout data as a JSON file.
• Object to or restrict processing.
• Withdraw consent at any time for processing based on consent.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email us at [email protected]. We will respond within the period required by applicable law (for GDPR, within one month).

10. Security

We protect your data with industry-standard measures including TLS in transit, JWT authentication, secure storage of the auth token on your device (Keychain on iOS, Keystore on Android), short-lived one-time sign-in codes, rate limiting on auth endpoints, and access controls on our database. No system is completely secure, but we continuously work to maintain the integrity and confidentiality of your data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We post the updated version here with a new “Last updated” date. If the changes are material we will notify you in the app or by email before they take effect.

12. Contact

Questions about this Privacy Policy or about how we handle your data? Email us at [email protected].