1. Who is responsible for your data
The controller of your personal data is Mateusz Adamczyk, a natural person residing in Poland, the independent developer of Fitly.
How to contact us: by email at support@tryfitlyapp.com.
2. What data we collect
2.1 Account data
- Email address (if you use Sign in with Apple, this may be Apple’s private relay address)
- A stable account identifier from your sign-in provider (Apple or Google), used only to create and secure your Account
- Account creation and last sign-in dates
2.2 Profile data
- Name (optional), date of birth or age, sex
- Height and weight
- Activity level, dietary preferences, calorie and macronutrient goals
- Time zone and language
2.3 Meal and nutrition data
- Meal photos
- AI-estimated nutritional information (calories, macronutrients, ingredients)
- Your manual edits
- Meal, water, and weight logs
2.4 Apple Health (HealthKit) data
With your explicit, per-type permission, the Service can write nutrition and body-metric data to Apple Health and read activity data (such as active energy and steps) to show your activity context inside the app. This data stays on your device and is not stored by us. See Section 13 for full HealthKit disclosures.
2.5 Subscription data
- App Store transaction identifiers
- Subscription status, plan, renewal dates, trial status
- We do not receive your card or bank details — Apple handles all payments.
2.6 Device and technical data
- Device model, iOS version, app version, language, time zone
- A device/installation identifier and IP address, used to keep the Service secure and prevent abuse. We keep these only as long as needed for that purpose.
2.7 Account-deletion record
When you delete your Account we keep a minimal technical record (no content of your data) for a short period, to prevent abuse and for accounting. See Retention below.
3. Why we use your data and our legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the Service and your Account | Art. 6(1)(b) — contract |
| Process health and nutrition data (profile, weight, meal logs, AI scanning) | Art. 6(1)(b) — contract and Art. 9(2)(a) — your explicit consent for health data |
| Sync with Apple Health (on your device) | Art. 6(1)(a) — your consent (HealthKit prompt) |
| Manage subscriptions and entitlements | Art. 6(1)(b) — contract |
| Prevent fraud, abuse, and excessive use | Art. 6(1)(f) — legitimate interest in securing the Service |
| Comply with legal obligations (e.g., tax, lawful requests) | Art. 6(1)(c) — legal obligation |
| Communicate with you about the Service | Art. 6(1)(b) — contract |
Because nutrition, body-metric, and weight data are special-category (health) data, we rely on your explicit consent under Article 9(2)(a) GDPR, given when you set up your profile and choose to log such data or use AI meal scanning. You can withdraw this consent at any time by stopping the relevant feature or deleting your data, without affecting prior processing.
We do not carry out automated decision-making producing legal or similarly significant effects within the meaning of Article 22 GDPR.
4. How AI processing of meal photos works
When you scan a meal, the photo is sent over an encrypted connection to our AI providers (OpenRouter and Google’s Gemini API) to estimate the foods, portions, and nutritional values. Before sending, the app removes embedded metadata (such as location) from the photo on your device. The photo is then stored in our storage, accessible only to you.
Our commitments:
- Photos are sent only when you start a scan.
- We do not use your photos or data to train AI models, and our providers are engaged under terms that disable training on your content.
- Under our agreements with these providers, your photos are not retained by them beyond what is needed to process your request.
You can use the Service without AI scanning by entering meals manually.
6. International data transfers
Some processors are based in the United States. When personal data is transferred outside the European Economic Area, we rely on:
- Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with appropriate supplementary measures;
- EU–U.S. Data Privacy Framework certifications where applicable;
- your explicit consent where transfers cannot otherwise be safeguarded.
You may request copies of these safeguards by contacting us.
7. How long we keep data
| Data category | Retention period |
|---|---|
| Account and profile | While your Account is active |
| Meal photos | Until you delete the meal or your Account |
| Meal, hydration, and weight logs | While your Account is active |
| Apple Health data | Never stored by us (stays on your device) |
| AI processing cache | Temporary; cleared automatically |
| Transaction records | Only as long as required by applicable tax/accounting law |
| Account-deletion record | A limited period after deletion, then anonymized or deleted |
| Server access logs | A limited period, for security |
| Backups | Rotated and overwritten on a regular cycle |
When you delete your Account, your personal data is deleted from our systems and removed from backups in the normal backup cycle. We do not keep a recovery copy. Limited records are kept only where required by law or to prevent abuse, in the minimum amount necessary.
8. Your rights
If you are in the EU, EEA, UK, or Switzerland, you have the right to:
- Access — obtain a copy of your personal data (Article 15);
- Rectification — correct inaccurate or incomplete data (Article 16);
- Erasure — request deletion of your data (Article 17), available in the app’s settings (see Section 7);
- Restriction — limit processing in certain cases (Article 18);
- Portability — receive your data in a structured, machine-readable format (Article 20) by contacting us at support@tryfitlyapp.com;
- Object — to processing based on legitimate interests (Article 21);
- Withdraw consent — where processing is based on consent, without affecting prior processing (Article 7(3)).
To exercise your rights, email support@tryfitlyapp.com. We respond within 30 days (extendable by 60 days for complex requests, with notice). We may need to verify your identity.
You may also lodge a complaint with a supervisory authority. In Poland:
President of the Personal Data Protection Office (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
https://uodo.gov.pl/
You may also contact the supervisory authority in your own country.
9. California privacy rights
These rights apply only if and to the extent the CCPA/CPRA applies to our processing. If you are a California resident, you may have the right to know what personal information we collect, request its deletion or correction, opt out of any sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising), limit the use of sensitive personal information to providing the Service, and not be discriminated against for exercising these rights. To make a request, email support@tryfitlyapp.com.
10. Children's privacy
The Service is not directed to:
- children under 16 in the EU, EEA, UK, or Switzerland (or the higher minimum age set by your country under Article 8 GDPR);
- children under 13 in the United States (COPPA).
We ask for your age at registration and do not knowingly collect data from children below these ages. If you believe we have, contact us and we will delete it.
11. Security
We use appropriate technical and organizational measures — including encryption in transit and at rest, access controls so other users cannot access your data, private storage for your photos, and passwordless sign-in (we store no passwords) — to protect your personal data.
No system is perfectly secure. If we become aware of a personal data breach affecting your rights, we will notify the supervisory authority within 72 hours (Article 33 GDPR) and notify you without undue delay where the breach is likely to result in high risk (Article 34 GDPR).
13. HealthKit-specific disclosures
In line with the Apple App Store Review Guidelines:
- Apple Health data — both what we write and what we read (steps and active energy) — stays on your device. We never upload it to our servers, third parties, or sub-processors.
- We do not use Apple Health data for advertising or marketing.
- We do not sell or disclose Apple Health data to third parties.
- HealthKit access requires your explicit per-type permission, revocable anytime in your iOS Settings under Privacy → Health.
14. Changes to this Privacy Policy
We may update this Policy from time to time. Material changes will be communicated through the application and, where reasonably possible, by email in advance. The “Last updated” date at the top reflects the latest revision.
15. Contact
- Data controller: Mateusz Adamczyk
- Email: support@tryfitlyapp.com
If you are not satisfied with our response, you have the right to lodge a complaint with the supervisory authority (see Section 8).