Privacy Policy

This Privacy Policy explains how FitOr4Fit ("FitOr4Fit", "we", "us", "our") collects, uses, shares, and protects information in connection with the FitOr4Fit mobile application and related services (the "Service").

By using the Service, you agree to this Privacy Policy. If you do not agree with it, please do not use the Service.

1. Who We Are and How to Contact Us

The Service is provided by:

FitOr4Fit
770 East 500 South
Salt Lake City, UT 84102
United States

For the purposes of data protection laws (including the EU General Data Protection Regulation "GDPR" and the UK GDPR), FitOr4Fit is the data controller of your personal information, unless stated otherwise.

If you have questions or concerns about this Privacy Policy or our data practices, you can contact us at:

• Email: support@fitor4fit.com
• Address: as listed above

If you are located in the European Economic Area (EEA), United Kingdom (UK), or another jurisdiction with specific privacy rights, you may have additional rights described in Section 10.

2. Information We Collect

We collect the following categories of information about you when you use the Service:

2.1 Account and Profile Information

When you register and use the Service, we may collect:

• Identifiers:
  • A unique user ID assigned by our authentication provider (Supabase).
  • Your email address.
  • Your name or display name (e.g., full name from your Google/Apple profile).
• Profile Data:
  • Optional profile photo or avatar URL.
  • Payout preferences (e.g., whether you prefer PayPal or Venmo, if supported).
  • Payout details such as a PayPal email address or Venmo phone number, which are used only to send you payouts.
  • Auto-join settings and preferred weekly goal distance, if you choose to enable them.

We may also receive certain information from the third-party providers you use to sign in (e.g., Google or Apple), such as your name, email address, and profile image, according to their privacy policies and your settings.

2.2 Challenge, Usage, and Device Information

When you use the Service, we may collect:

• Challenge and Participation Data:
  • Challenges you join, your selected goals, and your progress and results (e.g., committed, completed, failed).
  • Prize pool allocations and payout amounts credited to your in-app balance.
• App Usage Data:
  • Actions you take in the app (e.g., screens viewed, buttons tapped, settings changed).
  • Timestamps of key events (e.g., challenge join/leave, workouts synced, payouts requested).
• Device and Technical Data:
  • Device type, operating system version, app version, language, time zone, and approximate region (based on device settings).
  • Log data such as IP address, crash reports, performance metrics, and error logs, which help us troubleshoot and improve the Service.

2.3 Health, Fitness, and Location Information

With your explicit permission, we access certain health and fitness data from:

• Apple HealthKit on iOS.
• Android Health Connect or similar health data frameworks on Android.

Depending on your permissions and platform, we may access:

• Workout Records Related to Walking/Running:
  • Workout type (e.g., walking, running).
  • Start and end time.
  • Duration.
  • Distance traveled.
  • Source application (e.g., Apple Health, Nike Run Club, Strava).
• Route and GPS Data:
  • Sequences of latitude/longitude points with timestamps and (where available) accuracy information.
  • Derived metrics such as speed and pace that we infer from GPS points.
• Processed Workout Summaries Stored in Our Database:
  • Total distance and duration of each workout.
  • Average pace and validation scores (to detect unusual patterns).
  • Aggregated weekly totals and challenge-level progress.

We do not intentionally collect or store other categories of health data such as heart rate, weight, or medical conditions unless clearly needed for a feature and explicitly disclosed to you.

2.4 Payment and Financial Information

We use third-party payment processors (e.g., Stripe for entry fees; PayPal, Tremendous, or similar services for payouts). Through these providers and our database, we may collect:

• From Stripe and Supabase:
  • Payment method identifiers (e.g., Stripe customer ID).
  • Limited card details such as card brand, last 4 digits, and expiration month/year.
  • Payment Intent IDs and transaction statuses for entry fees.
• Transaction Records in Our System:
  • Transaction ID.
  • User ID and, where applicable, challenge ID.
  • Type (entry fee, payout, fee, withdrawal).
  • Amount and currency.
  • Status (pending, completed, failed).
• Payout Data:
  • Payout method (e.g., PayPal or other supported provider).
  • Payout identifiers such as PayPal email address or Venmo phone number, used to send funds to you.

We do not store full payment card numbers or CVV codes on our servers. These are processed directly by our payment processors.

2.5 Communications and Support

If you contact us by email or through support channels, we may collect:

• Your contact details (e.g., name and email address).
• The content of your messages and any attachments you send.
• Notes about our communications with you and how we resolved your inquiry.

2.6 Push Notifications

If you enable push notifications, we may collect:

• A device-specific token or identifier used to deliver notifications.
• Your notification preferences (e.g., reminders for progress, challenge deadlines, payout alerts).

You can disable push notifications at any time through device settings, though this may affect certain features (such as reminders).

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 To Provide and Operate the Service

• Create and manage your account.
• Authenticate you via Google/Apple and Supabase.
• Allow you to join challenges, set goals, track progress, and view results.
• Sync and process health and workout data to calculate your progress, distance, and pace.
• Determine challenge outcomes, build prize pools, and allocate winnings.
• Manage your in-app balance and process payments and withdrawals.

3.2 To Ensure Fair Play and Prevent Fraud

• Validate workouts using GPS routes, pace calculations, source app checks, and other algorithms.
• Detect suspicious patterns or anomalies that may indicate cheating (e.g., unrealistic speeds, improbable routes, or manual entries presented as GPS workouts).
• Enforce challenge rules and our Terms of Service, including by adjusting results or suspending/terminating accounts where appropriate and permitted by law.

3.3 To Communicate with You

• Send transactional communications and service messages, such as:
  • Confirmations of challenge entry or withdrawal requests.
  • Updates about challenge progress, results, and payouts.
  • Security, legal, or policy-related notices.
• Respond to your questions, requests, and support inquiries.
• Send reminders and alerts via push notifications, in-app messages, or email to help you stay on track with your goals and challenges (where permitted by law and your preferences).

3.4 To Improve and Develop the Service

• Monitor and analyze usage, performance, and trends.
• Debug errors and troubleshoot technical issues.
• Test new features, interfaces, and service offerings.
• Create aggregated or de-identified statistics that help us understand how the Service is used.

3.5 To Comply with Legal Obligations and Enforce Rights

• Maintain records required by law (e.g., financial and accounting records).
• Comply with lawful requests from courts, law enforcement, regulators, or other authorities.
• Enforce our Terms of Service, investigate potential violations, and protect our rights, property, or safety, and those of our users or others.

Where applicable law requires a legal basis for processing (for example, under the GDPR or UK GDPR), we rely on:

• Performance of a contract: Processing necessary to provide the Service you request (e.g., tracking progress, calculating challenge results, processing entry fees and payouts).
• Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, preventing fraud, securing our systems, and understanding usage, provided these interests are not overridden by your rights and interests.
• Consent: Processing health data, precise location data, or certain types of notifications where your explicit consent is required. You can withdraw your consent at any time (e.g., by changing app or device settings), but this will not affect processing already performed.
• Legal obligations: Processing necessary to comply with legal requirements (e.g., tax, accounting, or regulatory obligations).

4. How We Share Your Information

We share information with third parties only in the ways described in this Privacy Policy or when we have your consent.

4.1 Service Providers and Subprocessors

We share information with third-party vendors who help us operate, maintain, and improve the Service, including:

• Supabase (authentication, database, hosting, serverless functions).
• Stripe (payment processing for entry fees).
• PayPal, Tremendous, or similar providers (payouts and withdrawals).
• Cloud infrastructure and logging providers (e.g., for storage, backups, monitoring, and logging).
• Analytics and crash-reporting tools (to understand usage and improve stability).
• Notification providers, including platform push-notification services and Expo.

These service providers are authorized to process your information only as necessary to perform services for us and are subject to appropriate confidentiality, security, and data protection obligations.

4.2 Other Users

To support challenge functionality, we may display limited information about you to other users, such as:

• Your first name or chosen display name.
• Aggregated statistics or leaderboard positions (e.g., whether you successfully completed a challenge and basic progress summaries).

We do not share your email address, payout details (such as PayPal email or Venmo phone), or raw health data with other users.

4.3 Legal and Safety Reasons

We may disclose your information if we believe in good faith that such disclosure is reasonably necessary to:

• Comply with any applicable law, regulation, legal process, or governmental request.
• Protect the rights, property, or safety of FitOr4Fit, our users, or the public.
• Detect, prevent, or address fraud, security, or technical issues.
• Enforce our Terms of Service or investigate potential violations.

4.4 Business Transfers

If we are involved in a merger, acquisition, restructuring, financing, or sale of assets, your information may be transferred as part of that transaction, subject to continued protection consistent with this Privacy Policy. We will provide notice of any such transfer where required by law.

4.5 No Sale of Personal Information

We do not sell your personal information as the term "sell" is commonly defined, including under the California Consumer Privacy Act (CCPA/CPRA). We do not share your health or precise location data with third-party advertisers for targeted advertising.

5. Health and Sensitive Data

Because the Service processes health- and location-related data, we apply additional safeguards:

• We only request permissions for the health data types and GPS information necessary to provide the Service (e.g., walking/running workouts and associated distance/route).
• We use this data primarily to:
  • Track your progress and calculate challenge results.
  • Validate workouts and detect possible cheating or fraud.
  • Provide you with workout history and analytics in the app.
• We do not use health or precise location data for marketing or advertising purposes.
• We do not disclose health data or precise location data to third parties for their own advertising or profiling.

Under GDPR/UK GDPR, health data is considered "special category data." We process it only when you have given your explicit consent (e.g., granting permissions in Apple Health or Health Connect and within the app) and only for the limited purposes described above.

You can revoke access to health data at any time in your device settings; however, this may limit or prevent the Service from functioning as intended.

6. Data Retention

We retain your information for as long as reasonably necessary to:

• Provide and maintain the Service.
• Fulfill the purposes outlined in this Privacy Policy.
• Comply with our legal, tax, and accounting obligations.
• Resolve disputes and enforce our agreements.

In general:

• Account and profile information is retained while your account is active and for a reasonable period afterward, unless you request deletion and no legal obligation requires further retention.
• Transaction and payout records may be retained for longer periods as required by financial and tax laws.
• Health and workout data may be retained while you use the Service to provide history and analytics; we may later retain aggregated or de-identified data that no longer identifies you.

When we no longer need personal information, we will delete or anonymize it, subject to technical, legal, and security constraints.

7. Security

We implement reasonable and appropriate administrative, technical, and physical safeguards designed to protect your information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Examples include:

• Using Supabase with row-level security so that users can only access their own data where appropriate.
• Applying access controls and role-based permissions for internal systems.
• Encrypting data in transit and at rest where supported by our infrastructure providers.
• Monitoring logs and alerts for suspicious activity.

However, no method of transmission over the internet or method of electronic storage is 100% secure. You are responsible for maintaining the security of your device and the accounts (e.g., Google, Apple, PayPal) you connect to the Service.

8. International Data Transfers

We and our service providers may process your information in the United States and other countries that may have different data protection laws than your country of residence.

Where required by law (e.g., for EEA/UK users), we take steps to ensure that appropriate safeguards are in place for cross-border transfers of personal information, such as:

• Standard Contractual Clauses approved by the European Commission or UK authorities.
• Other lawful transfer mechanisms under applicable data protection laws.

By using the Service, you understand that your information may be transferred to and processed in countries outside of your own, including the United States.

9. Your Rights and Choices

Your rights vary depending on where you live, but may include the following:

9.1 General Rights

Subject to applicable law, you may have the right to:

• Access: Request a copy of the personal information we hold about you.
• Rectification: Request that we correct or update inaccurate or incomplete information.
• Deletion: Request that we delete certain personal information, subject to legal retention requirements.
• Restriction: Request that we restrict certain processing activities in specific circumstances.
• Portability: Request that we provide personal information in a structured, commonly used, and machine-readable format and transmit it to another controller where technically feasible.
• Objection: Object to certain processing activities, especially where we rely on legitimate interests as the legal basis.
• Withdraw Consent: Withdraw your consent where processing is based on consent (e.g., access to health data or certain notifications). This will not affect processing that has already taken place.

You can exercise some rights directly in the app or in your device settings (for example, revoking HealthKit or Health Connect permissions or disabling notifications). For other rights, you can contact us using the details above.

We may need to verify your identity before fulfilling your request, and some requests may be limited or denied where allowed by law (for example, where fulfilling the request would conflict with legal obligations or the rights of others).

9.2 Rights of EEA/UK Users

If you are located in the EEA or UK, you have the rights set out above under the GDPR/UK GDPR and also the right to lodge a complaint with your local data protection authority. A list of EU supervisory authorities can be found on the European Data Protection Board website, and the UK authority is the Information Commissioner's Office (ICO).

10. California Privacy Notice (CCPA/CPRA)

If you are a California resident, this section supplements the rest of this Privacy Policy and describes additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

10.1 Categories of Personal Information We Collect

In the past 12 months, we may have collected the following categories of personal information, as defined by California law:

• Identifiers: User ID, email address, name, device identifiers, IP address.
• Customer Records: Payment-related identifiers (e.g., Stripe customer ID), payout identifiers (e.g., PayPal email, Venmo phone).
• Protected Classifications: We do not intentionally collect data revealing race, ethnicity, or similar characteristics, unless provided in user content (which we discourage).
• Commercial Information: Records of entry fees, payouts, withdrawals, and other transactions related to challenges.
• Internet or Network Activity: Log data, usage data, and device information related to your interaction with the Service.
• Geolocation Data: GPS-based location associated with workouts (as part of health and fitness tracking).
• Sensitive Personal Information (as defined by CPRA): Health-related data (e.g., walking/running workouts and distance) and precise geolocation data used to track workouts and detect fraud.

10.2 Sources of Personal Information

We obtain the categories of personal information described above from:

• You directly (e.g., when you register, join challenges, or contact us).
• Your device and interactions with the Service (e.g., usage logs and performance data).
• Third-party services you connect or that we use to provide the Service (e.g., Supabase, Stripe, PayPal, Tremendous, Apple HealthKit, Health Connect).

10.3 Purposes for Collection and Use

We use personal information for:

• Providing and operating the Service (including tracking progress and managing challenges, payments, and payouts).
• Ensuring fair play and preventing fraud (including validating workouts using health and GPS data).
• Communicating with you, including sending service and support messages.
• Improving the Service and developing new features.
• Complying with legal obligations.

We do not use sensitive personal information (such as health and precise geolocation data) to infer characteristics about you for marketing or for cross-context behavioral advertising. We use it only as necessary to provide the Service and ensure fair play.

10.4 Disclosure of Personal Information

We may disclose the categories of personal information listed above to the service providers and third parties identified in Section 4 for the business purposes described in this Privacy Policy.

We do not "sell" or "share" personal information (including sensitive personal information) for cross-context behavioral advertising as those terms are defined in the CCPA/CPRA.

10.5 Your California Privacy Rights

If you are a California resident, you have the right to:

• Know: Request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, our business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
• Delete: Request that we delete certain personal information we have collected from you, subject to exceptions (e.g., when retention is required by law or for security reasons).
• Correct: Request that we correct inaccurate personal information about you.
• Non-Discrimination: Not be discriminated against for exercising your rights (for example, we will not deny you the Service or charge different prices solely because you exercised your rights).

You can exercise these rights by contacting us at the email address provided in Section 1 and indicating that you are making a request under the CCPA/CPRA. We may need to verify your identity before fulfilling your request.

You may also authorize an agent to make requests on your behalf, subject to verification and applicable law.

11. Children's Privacy

The Service is not intended for children under 18 years of age, and we do not knowingly collect personal information from children under 18.

If we become aware that we have collected personal information from a child under 18 without appropriate consent, we will take steps to delete that information where required by law. If you believe a child has provided us with personal information, please contact us using the details above.

12. Third-Party Links and Services

The Service may contain links to third-party websites, apps, or services. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party services you interact with.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will:

• Update the "Last updated" date at the top of this document.
• Provide additional notice where required by law (for example, via in-app notice or email).

If you continue using the Service after the revised Privacy Policy becomes effective, you are deemed to have accepted the changes. If you do not agree with the changes, you should stop using the Service.

14. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us at:

FitOr4Fit
770 East 500 South
Salt Lake City, UT 84102
United States
Email: support@fitor4fit.com