Privacy Policy

Last updated: 13 November 2025

Who we are: Fitlyst Ltd ("Fitlyst", "we", "us"). Contact: privacy@fitlyst.com

Registered office: [TO BE UPDATED]. Jurisdiction: England & Wales.

This Privacy Policy explains what data we collect, why we collect it, how we use and share it, and the choices available to you. It applies to our website, web app, and related services.

1. What we collect

1.1 Account & Identity

Name, email, password hash (if using email login) or OAuth profile (e.g., Google).

For trainers: business profile (bio, services, pricing, availability, location), identity information required by Stripe for payouts (collected and processed by Stripe Connect).

1.2 Usage & Bookings

Bookings, session details (time, location/online), messages (for client–trainer communications), preferences, and support interactions.

1.3 Payment Data

Payments and payouts are processed by Stripe. We do not store full card numbers. We store Stripe identifiers (e.g., customer ID, account ID, payment/payout status) to operate the platform.

1.4 Device & Cookies

Device/browser data, IP address, and cookie identifiers.

Analytics via PostHog (self- or cloud-hosted per our configuration) to understand product usage in a privacy-respecting way. See our Cookie Policy for details.

1.5 Files/Media

Images and documents you upload (e.g., profile photos) are stored on AWS S3 via presigned URLs.

2. How we use your data (purposes & legal bases)

  • Provide and improve the service (performing our contract with you): account creation, booking management, messaging, payouts (via Stripe), and support.
  • Fraud prevention and security (legitimate interests): protect accounts, detect misuse.
  • Analytics & product improvement (legitimate interests/consent where required): measure and improve features via PostHog.
  • Marketing communications (consent where required; otherwise legitimate interests): product updates; you can opt out anytime.
  • Legal compliance: tax, accounting, regulatory requests.

3. Sharing your data

  • Stripe (payments, KYC/KYB, payouts via Stripe Connect).
  • Hosting & storage: Neon (PostgreSQL) via Drizzle ORM; AWS S3 (file storage).
  • Analytics: PostHog (aggregated usage analytics; we avoid collecting sensitive data).
  • Email/notifications: our email/SMS provider(s) for account and service messages.
  • Service providers acting on our instructions under data processing agreements.
  • Legal or corporate events: compliance with law; merger, acquisition, or asset sale.

We do not sell personal data.

4. International transfers

Where providers process data outside the UK/EU, we use appropriate safeguards (e.g., Standard Contractual Clauses or UK Addendum). Details available on request.

5. Retention

We keep data for as long as needed to provide the service and meet legal obligations (e.g., tax/financial records typically 6–10 years), then delete or anonymise it.

6. Your rights (GDPR/UK GDPR)

You may have the right to access, rectify, or erase your data, to restrict or object to processing, and to data portability. You can also withdraw consent at any time; withdrawal does not affect prior processing.

Submit a request: visit /privacy/rights (Data Subject Rights Portal) or email privacy@fitlyst.com.

7. Cookies & tracking

See our Cookie Policy for categories, retention, and how to manage preferences: /cookies and /cookies/preferences.

8. Security

We use industry-standard measures (encryption in transit, access controls, least privilege). No method is 100% secure, but we work to protect your data. Breach notifications will follow applicable laws.

9. Children

Fitlyst is for users 18+. If a minor uses the platform (e.g., training with parental consent via a trainer), the responsible adult must provide and manage consent. If you believe a child has provided data without consent, contact privacy@fitlyst.com.

10. Changes

We may update this policy. Material changes will be highlighted in-app or by email. Continued use means you accept the updated policy.

Contact & Complaints:

privacy@fitlyst.com. You may also contact your local data protection authority (e.g., ICO in the UK).
