Privacy Policy

Last updated: March 27, 2026

1. Introduction

MyFitnessGoals ("we", "us", "our") respects your privacy and is committed to protecting your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Croatian data protection laws.

This Policy is written in a category-based way so it remains accurate as our services evolve. Where we introduce materially new processing activities, we will update this Policy before or when those changes take effect.

2. Data Controller

The data controller responsible for your personal data is:

HOTFIX d.o.o.

Croatia

Email: budalic@hotfix-doo.com

Website: https://www.hotfix-doo.com/

3. Information We Collect

Depending on how you use the App, we may collect and generate the following categories of personal data:

  • Account Information: Information needed to create, secure, and administer your account, such as email address, password credentials, account role, country, consent timestamps, and service status information.
  • Profile Information: Information you choose to add to your profile or that is needed to provide the service, such as name, date of birth, sex, profile images, trainer-client relationship data, and subscription-related identifiers.
  • Fitness Data: Fitness, training, and progress information that you or your trainer record in the App, such as routines, workouts, exercise history, body measurements, goal phases, readiness entries, fitness goals, and uploaded progress media.
  • Communications: Messages, attachments, service emails, support requests, and related metadata needed to provide communication and account-support functions.
  • Technical Data: Technical and device-related information reasonably necessary to operate and secure the service, such as IP-derived location context, device language, authentication events, log data, and push-notification tokens where enabled.
  • Usage Data: Operational and product-usage information we use to maintain, improve, troubleshoot, and protect the service.

4. Legal Basis for Processing

We process personal data only where we have a valid legal basis under the GDPR. The applicable basis depends on the context and the type of data involved.

  • Contract Performance (Art. 6(1)(b)): For account creation, authentication, subscriptions, trainer-client workflows, messaging, workout tracking, and other processing necessary to provide the service you request.
  • Consent (Art. 6(1)(a)): Where consent is required, including explicit consent under Article 9(2)(a) GDPR for health and fitness data, optional communications, and any non-essential cookies or similar technologies we may use in the future.
  • Legitimate Interests (Art. 6(1)(f)): For service administration, product improvement, abuse prevention, network and account security, incident response, fraud prevention, and internal operational analytics, where our interests are not overridden by your rights and freedoms.
  • Legal Obligation (Art. 6(1)(c)): To comply with applicable laws, regulations, and legal processes.

5. Health and Fitness Data

Certain fitness and body-related information processed through the App may qualify as special category data under Article 9 GDPR. We rely on your explicit consent under Article 9(2)(a) GDPR for this processing, and only for the purpose of providing the fitness-related features you choose to use.

You may withdraw this consent at any time through your account settings or by contacting us. Depending on the request and the feature involved, withdrawal may limit or end the availability of certain fitness features, and may require deletion or anonymization of related data where applicable.

6. Chat Messages

We process messages and shared media to provide trainer-client communication features. We do not access message content as part of routine operations, but limited access may occur where necessary:

  • When legally required by court order or law enforcement
  • To investigate abuse reports or violations of our Terms of Service
  • To protect users and platform security

7. How We Use Your Data

We use personal data only for legitimate, documented service purposes, including:

  • Providing and maintaining the App and its features
  • Creating and managing your user account
  • Processing payments and subscriptions
  • Enabling communication between trainers and clients
  • Sending service-related notifications
  • Improving and personalizing user experience
  • Ensuring security and preventing fraud
  • Complying with legal obligations
  • Providing customer support

8. Payments

Payments and subscriptions are processed through Stripe. We do not store full payment card details on our own systems. We receive only the payment and subscription information needed to manage billing, entitlement, invoices, fraud prevention, and related customer support.

For more information, see Stripe's Privacy Policy.

9. Data Sharing and Recipients

We may disclose personal data to the following categories of recipients where necessary to operate the App and comply with law:

  • Cloud Infrastructure Providers: Hosting, infrastructure, storage, backup, and related technical service providers that help us run the App and store uploaded content.
  • Payment Processors: Payment and billing providers that process subscriptions, payments, refunds, and invoicing.
  • Email Service Providers: Providers that send transactional emails, verification emails, password-reset emails, and other essential service communications.
  • Analytics Providers: Internal or external service providers we use for operational measurement, debugging, reliability, and service improvement, subject to appropriate contractual and technical safeguards.

Current providers include: DigitalOcean (cloud hosting, object storage), Stripe (payment processing), SendGrid (email delivery), Firebase / Google (push notifications, error logging), and Microsoft Azure (admin authentication).

We may also disclose data in limited circumstances:

  • When legally required by law, court order, or government request
  • During business transfers (merger, acquisition, sale of assets)
  • With your explicit consent

Where third-party processors act on our behalf, we require them to process personal data under appropriate contractual safeguards and only for authorized purposes.

10. Data Retention

We keep personal data only for as long as necessary for the purposes described in this Policy, including service delivery, security, support, legal compliance, dispute handling, and backup cycles. The periods below are our general retention rules and may vary where law or a specific operational need requires a different period.

  • Account Data: For the life of the account and for a limited follow-up period needed to complete deletion workflows, resolve support issues, secure the service, and maintain minimal audit records.
  • Fitness and Workout Data: For the life of the account, and then only for the period needed to complete deletion, anonymization, backup expiry, or other lawful retention steps.
  • Chat Messages: For the life of the account, and then only for the period needed to complete deletion, backup expiry, abuse handling, or other lawful retention steps.
  • Transaction Records: 7 years (as required by Croatian tax law)
  • Technical Logs: Only for as long as reasonably needed for security, debugging, fraud prevention, and service reliability.
  • Backup Data: Up to 30 days after deletion from primary systems

When personal data is no longer needed, we delete it, anonymize it, or isolate it from active use, unless continued retention is required or permitted by law.

11. Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access (Art. 15): Request a copy of your personal data
  • Right to Rectification (Art. 16): Request correction of inaccurate data
  • Right to Erasure (Art. 17): Request deletion of your data ("right to be forgotten")
  • Right to Restriction (Art. 18): Request limitation of processing
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time where processing is based on consent

How to Exercise Your Rights

To exercise your rights, please contact us at budalic@hotfix-doo.com. We may need to verify your identity before acting on a request. We will handle requests in accordance with applicable law.

Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP):

Agencija za zaštitu osobnih podataka (AZOP)

Selska cesta 136, 10000 Zagreb, Croatia

Email: azop@azop.hr

Website: www.azop.hr

12. International Data Transfers

Some of our service providers may process personal data outside the European Economic Area. When this happens, we apply the safeguards required by applicable law, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Transfer Impact Assessments where required

You may contact us if you want more information about the safeguards relevant to a particular transfer scenario.

13. Automated Decision-Making

We do not make solely automated decisions that produce legal or similarly significant effects about you through the App. If that changes, we will update this Policy and provide any required information.

14. Cookies and Tracking Technologies

We use essential cookies and similar storage technologies that are reasonably necessary for security, authentication, language preferences, and core service functionality.

As of the last update date of this Policy, we do not describe any non-essential analytics or advertising cookies in this document. If we introduce non-essential cookies or similar technologies that require consent, we will ask for consent before using them where required by law.

15. Data Security

We use technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, loss, and misuse. These measures are risk-based and evolve over time.

  • Encryption of data in transit (TLS/SSL) and at rest
  • Secure authentication and password hashing
  • Access controls and employee training
  • Regular security assessments
  • Incident response procedures

No system can guarantee absolute security, but we work to maintain measures appropriate to the nature of the data and the risks involved.

16. Children's Privacy

The App is not intended for children below the age at which they can validly use the service under applicable law without required parental or guardian authorization. If we learn that personal data has been provided in breach of this rule, we may suspend the account and delete the relevant data.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, operational, or product changes. We will inform you of changes by:

  • Updating the "Last updated" date at the top of this policy
  • Sending an email notification for significant changes
  • Displaying a notice within the App

Your continued use of the App after the effective date of an updated Policy will be subject to that updated version, except where the law requires a different form of notice or consent.

18. Contact Us

For questions about this Privacy Policy, to exercise your rights, or to raise any privacy-related concern, contact us using the details below.

If you contact us about privacy matters, include enough information for us to identify your account and understand your request.

By using MyFitnessGoals, you acknowledge that you have been informed about this Privacy Policy. See also our Terms of Service.