Privacy Policy

1. Overview

FitGraph: Gym Workout Tracker ("FitGraph," "we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (the "App") and related services.

Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our App.

2. What Data We Collect

2.1 Workout & Training Data

• Exercise names, sets, reps, weight, and rest times
• Routine structures and custom exercises you create
• Body measurements (weight, body parts)
• Workout history and timestamps

2.2 Cloud Sync Data (Optional)

• All workout data listed above, only if you sign in with Google or create an account
• Account email address and unique user identifier
• Last sync timestamp

Cloud sync is optional. You can use FitGraph completely offline without creating an account.

2.3 Authentication Data

• If you use Google Sign-In: your email, profile name, and profile picture (stored with your explicit consent)
• Biometric data: fingerprint or face recognition (used only locally for app unlock, never stored on our servers)

2.4 Push Notification Data

• Firebase Cloud Messaging (FCM) token for delivering push notifications
• Notification preferences you set in the App

2.5 Device & Diagnostic Data

• Device model, OS version, and app version
• Crash logs and error reports (via Firebase Crashlytics) — sent only with your consent when enabled
• App usage analytics (which screens you visit) — collected only if you opt in

2.6 Data We Do NOT Collect

• Precise location (GPS) — we do not track your location
• Camera or microphone data
• Contacts or calendar information
• Health/medical data beyond what you manually log
• Browsing history or behavior from other apps

3. How We Use Your Data

• App Functionality: To provide workout logging, routine building, progress tracking, and cloud sync
• Cloud Sync: To securely store and sync your data across your devices
• Push Notifications: To remind you of scheduled workouts or app features
• Crash Reporting: To diagnose and fix bugs (Firebase Crashlytics)
• Analytics: To understand which features are used most and improve the app (optional, opt-in)
• Authentication: To securely identify you and protect your account
• Legal Compliance: To comply with legal obligations or court orders

4. Data Sharing & Third Parties

4.1 Third-Party Services We Use

• Google Firebase:
  • Authentication (Google Sign-In)
  • Cloud storage (Firestore) — only if you enable cloud sync
  • Crash reporting (Crashlytics)
  • Push notifications (Cloud Messaging)
• Google Play Services: For in-app billing, sign-in, and app licensing

4.2 Data We Never Share

• Your workout data is never shared with advertisers, data brokers, or social media platforms
• We do not sell your personal data
• Your data is not used to create behavioral profiles for third-party marketing

4.3 Legal Disclosures

We may disclose your data if required by law (e.g., court order, subpoena) or to protect our legal rights, your safety, or the safety of others.

5. Offline-First Architecture

FitGraph is built to work without the internet. All your workout data is stored locally on your device by default. No data leaves your phone unless you explicitly enable cloud sync.

When you log a workout offline:

• Data is saved to your device's local database (SQLite)
• No internet connection required
• Data syncs to the cloud automatically when online (if cloud sync is enabled)
• Your data remains on your device even if sync fails

6. Data Storage & Security

6.1 Local Storage (On Your Device)

• Encrypted at rest using platform defaults (Android KeyStore, iOS Keychain)
• Protected by biometric lock (fingerprint or face) if enabled
• Only accessible to FitGraph — no other apps can read your data

6.2 Cloud Storage (Firebase Firestore)

• Encrypted in transit (TLS/SSL)
• Encrypted at rest by Google Cloud
• Firestore security rules restrict access to your own data only
• Data is backed up by Google Cloud's infrastructure

6.3 Security Measures

• HTTPS for all API communications
• OAuth 2.0 for authentication
• No plaintext passwords stored (OAuth tokens used instead)
• Regular security updates via app releases

6.4 Limitations

While we implement industry-standard security, no system is 100% secure. If you suspect a breach, contact us immediately.

7. Data Retention

• Local Data: Stored indefinitely until you delete the app or clear app data
• Cloud Data: Retained as long as your account is active. Account deletion removes cloud data within 30 days
• Firebase Crashlytics: Crash logs retained for 90 days
• Analytics Data: Aggregated analytics retained per Google Analytics retention policies (default: 14 months)
• Backup Data: Google Cloud may retain backups for up to 90 days after deletion for disaster recovery

8. Your Rights

8.1 Access & Portability

You can access, review, and export your workout data directly from the FitGraph app. We can also provide a data export on request (email contact@fitgraphs.com).

8.2 Account & Data Deletion

You can permanently delete your FitGraph account and all associated cloud data directly from within the app — no email or web request required.

In-app deletion (recommended):

1. Open FitGraph
2. Go to Settings → Account → Delete Account
3. Confirm deletion when prompted

What gets deleted:

• Your account record (email, user ID, profile)
• All workout data, routines, custom exercises, and body measurements stored in the cloud
• Authentication tokens and FCM push notification tokens

What is retained briefly: Encrypted backups in Google Cloud's infrastructure may persist for up to 90 days for disaster recovery, after which they are permanently purged. Anonymized, aggregated analytics that cannot identify you may be retained.

Local device data: To remove on-device data, also clear app storage via your device Settings → Apps → FitGraph → Storage → Clear Data, or uninstall the app.

Alternative request channel: If you cannot access the app, email contact@fitgraphs.com from the address associated with your account. We will verify and complete deletion within 30 days.

8.3 Opt-Out

• Cloud Sync: Disable in Settings → Cloud Sync
• Push Notifications: Disable in app or device Settings
• Crash Reporting: Disable in Settings → Diagnostics
• Analytics: Opt out in Settings → Analytics (if enabled)

8.4 GDPR & EU/EEA/UK Rights

Data Controller: FitGraph (1 Letterman Drive, Building A, Suite A4-700, San Francisco, CA 94129) is the data controller for personal data processed through the App. You can reach us at contact@fitgraphs.com.

Data Protection Officer: We have not appointed a formal Data Protection Officer as our processing does not meet the GDPR thresholds requiring one. For all data protection inquiries, contact contact@fitgraphs.com and we will respond within 30 days.

Legal bases for processing: We process your data on the basis of (a) your consent (cloud sync, analytics, crash reporting), (b) performance of a contract (providing the App's core features), and (c) legitimate interests (securing accounts, preventing abuse).

If you are in the EU, EEA, or UK, you have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your data ("right to be forgotten")
• Restrict or object to processing
• Data portability
• Withdraw consent at any time (without affecting prior lawful processing)
• Lodge a complaint with your local supervisory authority

Contact contact@fitgraphs.com to exercise any of these rights.

8.5 California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what categories of personal information we collect and how it is used
• Request access to and a copy of your personal information
• Request deletion of your personal information
• Correct inaccurate personal information
• Opt out of the "sale" or "sharing" of personal information
• Be free from discrimination for exercising any of these rights

We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. We do not use your data for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.

To exercise your California privacy rights, email contact@fitgraphs.com. We will verify your request using the email associated with your account and respond within 45 days.

9. Children's Privacy

FitGraph is not intended for children under 13 (or the applicable age of digital consent in your region). We do not knowingly collect data from children under 13. If we become aware that a child under 13 has provided data, we will delete it promptly. Contact us at contact@fitgraphs.com if you believe a child's data has been collected.

For users aged 13–18, we provide the same privacy protections as adult users.

10. Policy Changes

We may update this Privacy Policy periodically. Changes will be effective when posted with an updated "Effective Date." We encourage you to review this policy regularly.

For material changes, we will notify you via the app or email if you have provided one.

11. Contact Us

Questions or concerns about this Privacy Policy?

• Email: contact@fitgraphs.com
• Website: fitgraphs.com
• Mail: FitGraph
  1 Letterman Drive, Building A, Suite A4-700
  San Francisco, CA 94129
• App Settings: Settings → Help → Report Privacy Issue

We will respond to privacy inquiries within 30 days.