Privacy Policy
Last updated: April 17, 2026
This Privacy Policy explains how FitFam ("we", "us", or "our") collects, uses, stores, and shares information about you when you use the FitFam mobile application and the website at fit-fam-app.com (collectively, the "Service").
We built FitFam to be private by default. We collect the minimum data needed to run group fitness challenges, we do not sell your data to anyone, and we do not use your data for advertising.
1. Information We Collect
1.1 Information you provide
- Account information. When you sign in with Google, we receive your name, email address, profile picture URL, and a Google account identifier. We do not receive your Google password.
- Profile information. A handle (username) you choose, an optional avatar photo you upload, and the initials/color used as a fallback avatar.
- Group and challenge content. Names of groups and challenges you create or join, invite codes, and your role in each group.
- Workouts. Workout type, duration, calories burned, distance, the time you logged the workout, and any photos you attach.
- Communications. If you email us at hello@fit-fam-app.com, we keep that correspondence to respond and provide support.
1.2 Information collected automatically
- Device push tokens. If you allow push notifications, we store an Expo Push token tied to your account so we can send challenge notifications. You can disable push at any time in your device settings or in the app's Notifications settings.
- Server logs. Our backend logs request metadata (IP address, timestamp, route, status code, user-agent) for security and debugging. Logs are retained for up to 30 days.
1.3 Information from connected services
- Apple HealthKit. If you grant access, we read your recent workouts (type, duration, calories, distance, start time) so you do not have to log them manually. Health data is synced through your device only and is sent to our backend solely to attribute workouts to challenges. We do not sell or share HealthKit data, and we do not use it for advertising or marketing.
- Oura Ring. If you connect Oura, we store an OAuth access token and refresh token to read activity and readiness data associated with your account.
- Stripe. If you participate in a paid challenge, you complete payment through Stripe. Stripe may collect your full name, email, and payment method details. We receive a Stripe customer ID and the status of your transactions; we never receive or store your full card number.
2. How We Use Your Information
- To create and manage your account, groups, and challenges.
- To compute leaderboards, points, streaks, and challenge winners.
- To process challenge buy-ins and payouts through Stripe.
- To send push notifications you have opted into (workout reminders, group activity, leaderboard changes).
- To respond to your support requests.
- To detect, prevent, and address fraud, abuse, and security incidents.
- To comply with legal obligations.
3. How We Share Your Information
We do not sell your personal information. We share it only as follows:
3.1 Within your groups
Your name, avatar, workout counts, points, streak, and rank are visible to other members of any group or challenge you have joined. Photos you attach to a workout in a challenge are visible to that challenge's participants.
3.2 With service providers (sub-processors)
| Provider | Purpose | Data shared |
|---|---|---|
| Google Cloud (us-east1) | Application hosting (Cloud Run), database (Cloud SQL), object storage (Cloud Storage for avatars and workout photos) | All Service data |
| Google Sign-In | Authentication | Google account email, name, profile picture URL, account ID |
| Stripe, Inc. | Payment processing for challenge buy-ins and payouts | Name, email, payment method details (handled directly by Stripe) |
| Expo / Apple Push Notification Service | Delivery of push notifications | Device push token, notification body |
| Oura Health Oy | Reading Oura ring data (only if you connect Oura) | OAuth tokens issued to FitFam by Oura on your behalf |
3.3 For legal reasons
We may disclose information if required by law, subpoena, or to protect the rights, property, or safety of FitFam, our users, or others.
3.4 Business transfers
If FitFam is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you and provide a choice before your information becomes subject to a different privacy policy.
4. Apple HealthKit Disclosure
In accordance with Apple's HealthKit guidelines, FitFam:
- does not use HealthKit data for advertising or other use-based data mining purposes other than improving health, managing health, or for health research;
- does not disclose HealthKit data to any third party without your express consent;
- does not use HealthKit data to target advertising to you;
- uses HealthKit data only to populate workouts inside FitFam challenges you have joined.
5. Data Retention
- Account, group, challenge, and workout records are retained for as long as your account is active.
- Server request logs are retained for up to 30 days.
- If you delete your account, we permanently delete your personal data within 30 days, except where we are required to retain it for legal, accounting, or fraud-prevention reasons.
6. Your Rights and Choices
- Access & portability. You can request a copy of the personal data we hold about you by emailing hello@fit-fam-app.com.
- Correction. You can edit your name, handle, avatar, and notification preferences in the app at any time.
- Deletion. You can delete your account from the Settings screen, or by emailing us. Deletion is permanent.
- Notifications. You can disable push notifications in iOS Settings or in the app's Notifications screen.
- HealthKit. You can revoke FitFam's HealthKit access at any time from iOS Settings > Health > Data Access & Devices.
- Connected accounts. You can disconnect Oura at any time from the Integrations screen, which deletes the OAuth tokens we hold on your behalf.
Depending on where you live (e.g. EEA, United Kingdom, California), you may have additional rights including the right to object to or restrict certain processing, the right to lodge a complaint with a supervisory authority, and rights under the California Consumer Privacy Act (CCPA). To exercise these rights, contact us at hello@fit-fam-app.com.
7. Children
FitFam is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it. If you believe a child has provided us with information, please contact us.
8. International Data Transfers
Our servers are located in the United States. If you access FitFam from outside the United States, your information will be transferred to, stored, and processed in the United States, where data-protection laws may differ from those in your country.
9. Security
We use TLS encryption in transit, encryption at rest for our database and object storage, and follow the principle of least privilege for access to production systems. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
10. Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you in the app or by email. The "Last updated" date above indicates when this policy was most recently revised.
11. Contact
Questions or requests? Email hello@fit-fam-app.com.