Privacy Policy

Last updated: June 2026

This Privacy Policy explains how Fittery processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

Maksim Savolya, Selbständiger Unternehmer Munich, Germany Contact: savolya.maksim@gmail.com A formal Data Protection Officer (DPO) is not required under Art. 37 GDPR for our current size.

2. Data we collect

• Account data: email, display name, authentication provider (Apple / email). • Booking data: session history, status, amount paid, chosen trainer. • Device data: a per-install identifier kept in the iOS Keychain to link bookings made before sign-in (Art. 6(1)(f) — legitimate interest in service continuity). • Trainer data (trainers only): profile photo, professional bio, verification document (e.g. business registration), PayPal handle. • Location (optional, with explicit consent): used in-app to sort sessions by distance. Coordinates are NOT uploaded to our servers. • Push tokens (only if you grant permission): Firebase Cloud Messaging token, stored to send you booking notifications.

3. Purposes and legal basis

• Operating the booking service — Art. 6(1)(b) (performance of contract). • Crash diagnostics (Crashlytics) — Art. 6(1)(f) (legitimate interest in stability), opt-out via in-app settings. • Product analytics (Firebase Analytics) — Art. 6(1)(a) (consent), granular toggle in onboarding and settings. • Transactional emails (verification, booking confirmations) — Art. 6(1)(b). • Compliance with legal obligations — Art. 6(1)(c).

4. Subprocessors and third-party transfers

We use the following processors, who may transfer data to the United States under the EU–US Data Privacy Framework with Standard Contractual Clauses: • Google Ireland Limited (Firebase Auth, Firestore, Cloud Functions, Cloud Messaging, Crashlytics, Analytics, Hosting) • Resend, Inc. (transactional email delivery) • Apple Inc. (Sign in with Apple, Push Notification Service) We use these processors strictly for the purposes stated above. Payments via PayPal happen off-platform: when you tap "Pay with PayPal" you leave the App and interact directly with PayPal (Europe) S.à r.l.; their privacy policy applies for that step.

5. Sharing of data

Bookings include your display name, which the chosen trainer can see. We do not sell personal data and do not share it with advertisers.

6. Retention

• Account profile: kept until you delete your account, then retained 30 additional days for security investigations. • Booking history: retained for 10 years to comply with § 147 AO (German tax retention). • Crash logs / analytics events: maximum 90 days, then deleted. • FCM push tokens: until revoked, app uninstall, or 270 days of inactivity (Firebase default).

7. Your rights (Art. 15–22 GDPR)

Access, rectification, erasure, portability, restriction of processing, objection, and withdrawal of consent at any time. To exercise these rights, contact savolya.maksim@gmail.com. You can delete your account in-app at any time (Profile → Settings → Delete Account).

8. Supervisory authority

You may lodge a complaint with the Bavarian Data Protection Authority (BayLDA): Bayerisches Landesamt für Datenschutzaufsicht, Promenade 18, 91522 Ansbach, https://www.lda.bayern.de.