Privacy Policy

Last Updated: December 4, 2025

Version 1.0

1. Introduction

Welcome to FitCircle. We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, store, and protect your information when you use our fitness tracking platform.

Data Controller: FitCircle Inc.
Contact: privacy@fitcircle.ai

2. Data We Collect

2.1 Personal Information

  • Email address (required for account creation)
  • Display name and profile information
  • Account preferences (unit system, timezone)

2.2 Health Data (Special Category Data under GDPR Article 9)

With your explicit consent, we collect:

  • Weight measurements
  • Step counts and physical activity data
  • Mood and energy level ratings
  • Challenge participation and progress

2.3 Technical Data

  • IP address (for security and analytics)
  • Browser type and version
  • Device information
  • Cookie identifiers
  • Usage data (pages visited, features used)

3. How We Use Your Data

3.1 Essential Services (Legal Basis: Contract Performance)

  • Provide core fitness tracking functionality
  • Manage your account and authentication
  • Enable challenge participation and social features
  • Send essential service communications

3.2 Analytics (Legal Basis: Consent)

With your explicit consent, we use Amplitude Analytics to:

  • Understand how users interact with FitCircle
  • Improve features and user experience
  • Identify and fix bugs
  • Run session replay for UX improvement (anonymized)

You can withdraw consent at any time through your Privacy Settings.

4. Third-Party Services

We share data with the following third parties:

Supabase (Database & Authentication)

Stores all user data. Supabase is GDPR-compliant and hosted in secure data centers.

Amplitude (Analytics) - Optional

Tracks usage patterns and session data. Only active if you consent to analytics cookies.

Vercel (Hosting)

Hosts our application. May collect basic request logs (IP addresses, user agents).

5. Cookie Policy

5.1 Essential Cookies (No Consent Required)

  • sb-access-token - Supabase authentication (session management)
  • sb-refresh-token - Supabase authentication (persistent login)
  • fc_consent - Stores your cookie preferences

5.2 Analytics Cookies (Consent Required)

  • amplitude_* - Amplitude tracking (usage analytics, session replay)

You can manage cookie preferences at any time in your Privacy Settings.

6. Your Rights (GDPR & CCPA)

6.1 GDPR Rights (EU/EEA Residents)

  • Right to Access: Request a copy of your data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Delete your account and data
  • Right to Data Portability: Export your data in JSON format
  • Right to Object: Opt out of analytics and processing
  • Right to Restrict Processing: Limit how we use your data
  • Right to Withdraw Consent: Change your cookie preferences

6.2 CCPA Rights (California Residents)

  • Right to Know: What personal information we collect
  • Right to Delete: Request deletion of your data
  • Right to Opt-Out: Do not sell or share my personal information
  • Right to Non-Discrimination: Equal service regardless of privacy choices

Exercise Your Rights:

Go to Privacy Settings to:

  • Download your data (JSON export)
  • Delete your account
  • Manage cookie preferences
  • Opt out of data sharing (CCPA)

7. Data Retention

  • Active Account Data: Retained while your account is active
  • Deleted Account Data: Erased within 30 days of deletion request
  • Consent Records: Retained for 5 years (compliance requirement)
  • Aggregate Analytics: Anonymized data may be retained indefinitely

8. Data Security

We implement industry-standard security measures to protect your data:

  • End-to-end encryption for data in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Row-level security (RLS) policies in the database
  • Regular security audits and updates
  • Limited employee access to personal data

9. International Data Transfers

FitCircle is hosted in the United States. If you are accessing from the EU/EEA, your data will be transferred to the US. We rely on:

  • EU-US Data Privacy Framework (Amplitude, Vercel)
  • Standard Contractual Clauses (SCCs) where applicable
  • Your explicit consent for health data processing

10. Children's Privacy

FitCircle is not intended for users under 18 years of age. We do not knowingly collect data from children. If we discover that we have collected data from a child, we will delete it immediately.

11. Changes to This Policy

We may update this privacy policy from time to time. Material changes will require re-consent. You will be notified via:

  • Email notification (for significant changes)
  • Cookie consent banner (for cookie-related changes)
  • In-app notification

12. Contact Us

For privacy-related questions or to exercise your rights, contact us:

Email: privacy@fitcircle.ai

Response Time: Within 30 days (GDPR) or 45 days (CCPA)

You also have the right to lodge a complaint with your local data protection authority.

13. Consent Withdrawal

You can withdraw consent for analytics at any time without affecting the lawfulness of processing based on consent before its withdrawal. Visit Privacy Settings to manage your preferences.
