← Back to sign in
FITNESS APP
Privacy Policy
Last updated: 2026-06-23
This is a template. Have a qualified Indian lawyer review and adapt it before public launch. It is provided as a starting point only and does not constitute legal advice.
1. Who we are
Fitness App is a personal fitness-tracking application for Android. This Privacy Policy describes what personal data we collect, why we collect it, where it is stored, and the rights you have over it under the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable laws.
2. What we collect
2.1 Data stored on your device only
Most of your data never leaves your phone. The following is stored locally in an encrypted database and is not transmitted to our servers:
- Workout history (exercises, sets, reps, weights, dates)
- Body composition entries (weight, body fat, measurements)
- Progress photos
- Macro / nutrition logs
- Custom workout templates and weekly schedule
- Equipment and personal settings
2.2 Data stored on our servers
To operate your subscription and license, we hold the following on Cloudflare Workers KV storage:
- Your license key, tier (trial / monthly / etc.), status, activation date, and expiry
- A randomly generated device UUID that identifies your device (not your identity)
- Your contact email, if you provided one (used for device-transfer OTPs and account-deletion confirmations)
- A non-personal counter of workouts logged (used to grant the trial extension)
- Referral information if you signed up using a Creator coupon code
- Aggregate, anonymized analytics (daily signup counts, retention cohorts, MRR) — no individual user is identifiable
2.3 Creator program data (influencers only)
If you join the Creator program, we additionally store your name, email, social-media handles (optional), notes, password hash (PBKDF2 with 600,000 iterations), and UPI ID for payouts.
3. Why we collect it (lawful basis)
- Contract performance — license key, device UUID, subscription status: required to deliver the paid service you signed up for.
- Legitimate interest — rate limits, fraud signals (rooted-device flag), aggregate analytics: required to keep the service running and secure.
- Consent — contact email, weekly Creator email reports, push notifications (future): collected only when you provide it.
4. Who we share it with
We share personal data only with the following processors, each used for a specific operational purpose:
- Cloudflare — hosts the backend (Workers + KV) and the Creator dashboard (Pages). Data is stored at Cloudflare's global edge.
- Resend — sends transactional emails (transfer OTPs, password reset links, deletion confirmations, weekly Creator reports).
- Razorpay (Phase 2, when payments launch) — processes subscription payments. Card / UPI details go directly to Razorpay; we never see them.
- Anthropic — when you use AI features inside the App (e.g. exercise form analysis), we send the request to Anthropic's API on your behalf. Anthropic processes the request and returns a response; we do not send your identity along with it.
We do not sell your data. We do not share it with advertisers. We do not use ad-tracking SDKs.
5. Your rights under the DPDP Act, 2023
You have the right to:
- Access — download a copy of all server-side data we hold about you (App → Settings → Privacy & Data → "Export my data").
- Correct — request correction of inaccurate data by emailing privacy@yourapp.com.
- Erase — request deletion of your account. Deletion is scheduled 30 days out (a grace period in case you change your mind) and can be cancelled inside the App during that window.
- Withdraw consent — at any time. Note that some processing is necessary to deliver the paid service, so withdrawal may end your subscription.
- Grievance — contact our grievance officer (below) for any complaint. We will respond within 30 days.
6. How long we keep it
- Active licenses: kept for as long as the license is active.
- Deleted accounts: erased 30 days after the request, with a final confirmation email to your contact address.
- Aggregate analytics: kept indefinitely (no personal data, cannot be re-linked to you).
- On-device data: stays on your device until you delete it or uninstall the App.
7. Children's privacy
The App is intended for users 16 and older. We do not knowingly collect data from children under 16. If you believe we have, contact privacy@yourapp.com and we will delete it.
8. Security
Server data is encrypted at rest by Cloudflare and in transit via TLS. Passwords are hashed with PBKDF2-SHA-256 at 600,000 iterations (OWASP 2023 recommendation). The Android app uses Android-keystore-backed secure storage for license JWTs and device UUIDs, and pins the TLS certificate of our backend to prevent man-in-the-middle attacks.
9. Cookies and tracking
The Android App does not use cookies or any third-party tracking SDKs. The web dashboard uses only sessionStorage to keep you signed in during a tab session; it is cleared when you close the tab. No advertising, analytics, or fingerprinting cookies are set.
10. International transfers
Your data is processed by Cloudflare's global edge network and may be temporarily held in data centres outside India. Cloudflare maintains industry-standard data-protection certifications. By using the App you consent to this transfer for the operational purposes described above.
11. Changes to this policy
We may update this Policy from time to time. Material changes will be posted here with an updated "Last updated" date, and (where appropriate) communicated to you via email or in-app notice.
12. Contact and grievance officer
For any privacy-related question, request, or complaint: privacy@yourapp.com. We aim to respond within 30 days.