Privacy Policy
Last updated: April 17, 2026
v2026-04-17
Kiptly ("we", "our", "the Service") is a fitness tracking application for iOS and Android, together with its marketing website at kiptly.com. This Privacy Policy explains how we collect, use, share, and protect your personal data, and what rights you have under the EU General Data Protection Regulation (GDPR).
Data Controller: Aliaksandr Samuseu, an individual residing in Poland. Contact: [email protected].
1. Data We Collect
We collect only the data necessary to provide the Service. Categories:
- Account data: name, email address, and profile photo, obtained when you sign in via Google or Apple.
- Workout data: exercises, sets, reps, weight, duration, notes, and personal records you record in the Service.
- Body measurements (optional): weight, body fat percentage, and circumferences, if you choose to enter them.
- Health-related data — special category (Art. 9 GDPR): menstrual cycle information (if you enable cycle-aware training) and data read from Apple Health or Google Health Connect (sleep, steps, resting heart rate). Processed only after you give explicit consent in the Service.
- Device data: push notification token, timezone, operating system version, and app version.
- Diagnostics: crash reports and error traces, including stack trace, device type, OS version, app version, and your anonymized account ID. We do not capture your email, name, or workout content in diagnostics.
2. Legal Basis for Processing
Under Article 6 (and Article 9 for health-related data) of the GDPR, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)): processing account, workout, and subscription data is necessary to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, and crash and error diagnostics. Our interest is keeping the Service stable and safe; you may object at any time.
- Consent (Art. 6(1)(a)): push notifications and any other optional processing we explicitly ask you to agree to. You can withdraw consent at any time without affecting prior processing. We do not send marketing emails, and we do not run analytics that require consent.
- Explicit consent (Art. 9(2)(a)): health-related data (cycle tracking, Apple Health / Health Connect). We ask for this consent separately, and you can revoke it at any time in Settings.
3. How We Use Your Data
- Display your workouts, progress, and analytics inside the Service.
- Synchronize your data across your devices.
- Send push notifications and emails you opted into (workout reminders, trainer messages, transactional receipts).
- Improve reliability, diagnose crashes, and fix bugs using anonymized diagnostics.
- Detect fraud and abuse, including subscription abuse and violations of the Terms of Service.
4. Health & Fitness Data — Special Disclosures
- We process health-related data only with your explicit consent, which you give separately from accepting the Terms of Service.
- We never use health or fitness data for advertising, marketing, or data-mining purposes.
- We never use health or fitness data to determine eligibility for employment, insurance, credit, or housing.
- We never place personal health information in iCloud or any third-party consumer cloud. Your health data is stored on our managed EU servers (Hetzner, Germany) as described in section 5, and replicated only to our encrypted backup storage described there.
- We never sell your data to third parties, and we do not share it with advertisers.
- Apple HealthKit and Google Health Connect: we request only the read permissions you explicitly grant in the Service. The list of requested data types is shown in the permission screen and can be revoked at any time from your device settings.
5. Third-Party Service Providers
We share data with a limited number of processors to operate the Service. Each processor is bound by a Data Processing Agreement (DPA) consistent with Art. 28 GDPR:
- Google Sign-In and Apple Sign-In: user authentication. Data shared: sign-in token, email, name, avatar.
- RevenueCat (United States): subscription lifecycle management. Data shared: anonymized user ID, subscription status. Transfers covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.
- Firebase Cloud Messaging (United States): delivery of push notifications. Data shared: push token. Transfers covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.
- Resend (United States): delivery of transactional emails (receipts, password resets, important account notifications). Data shared: email address, message content. Transfers covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.
- Sentry (United States): crash and error reporting. Data shared: stack trace, device type, OS version, app version, anonymized account ID. We do not transmit email, name, or workout content to Sentry. Transfers covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.
- Hetzner Online GmbH (Germany): primary database and application server hosting, located in the European Union.
- Cloudflare, Inc. (United States, with EU data centers): DNS, DDoS protection, and off-site encrypted backup storage (Cloudflare R2, EU region). Backups rotate within 30 days. Transfers covered by the EU–US Data Privacy Framework and Standard Contractual Clauses.
6. International Data Transfers
Your data is primarily stored on servers located in the European Union (Hetzner, Germany). Some of our processors (listed above) operate in the United States. Those transfers are based on the EU–US Data Privacy Framework, where the processor is certified, and on European Commission Standard Contractual Clauses, with supplementary safeguards as required.
7. Data Retention
- Active accounts: we retain your personal data for as long as your account is active.
- After account deletion: all personal data is permanently removed within 30 days.
- Off-site backups: rotated within 30 days; deleted data leaves backups within this window.
- Crash and error logs: retained in Sentry for up to 90 days, then deleted.
- Aggregated analytics: retained indefinitely in fully anonymized form, with no identifiers that could link back to you.
8. Security
We protect your data with TLS 1.3 encryption in transit and AES-256 encryption at rest. Access to production systems is restricted to authorized personnel and is audited. Secrets and credentials are stored in a managed secrets service.
In the event of a personal data breach likely to affect your rights and freedoms, we will notify the competent supervisory authority within 72 hours, and we will notify affected users without undue delay, as required by Articles 33 and 34 GDPR.
9. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access (Art. 15): request a copy of your data. Available self-service via Settings → Account → Export Data.
- Right to rectification (Art. 16): edit your profile at any time from Settings.
- Right to erasure (Art. 17): delete your account and all associated data via Settings → Account → Delete Account.
- Right to restriction of processing (Art. 18): ask us to pause processing in specific circumstances.
- Right to data portability (Art. 20): export your workouts and progress as CSV.
- Right to object (Art. 21): object to processing based on legitimate interests.
- Right to withdraw consent (Art. 7(3)): withdraw any consent you have given at any time, as easily as you gave it. Withdrawal does not affect the lawfulness of prior processing.
- Right to lodge a complaint (Art. 77): file a complaint with the Polish supervisory authority, Urząd Ochrony Danych Osobowych (uodo.gov.pl), or with your local EU/EEA data protection authority.
To exercise any of these rights, email [email protected]. We respond within 30 days.
We do not perform automated decision-making or profiling that produces legal or similarly significant effects on you.
10. Children's Privacy
The Service is intended for users aged 16 and older. We do not knowingly collect data from children under 16. If you believe a child has provided personal data to the Service, please contact [email protected] and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and with an in-app banner at least 30 days before the changes take effect. The date at the top of this page reflects the most recent update.
12. Contact
For privacy questions or to exercise your rights, contact the Data Controller, Aliaksandr Samuseu, at [email protected].