Privacy Policy
Last updated: 27 April 2026
This Privacy Policy explains how FitCursor (“we”, “us”, “our”) collects, uses, shares, and protects your personal data when you use the FitCursor mobile app and related services (the “Service”). It also explains your rights under the EU General Data Protection Regulation (GDPR) and how to exercise them.
We’ve tried to write this in plain English. If anything is unclear, email us at [email protected] and we’ll explain.
1. Who we are (Data Controller)
The data controller responsible for your personal data is:
Panos Koulouris, sole trader
Nicosia, Cyprus
Email: [email protected]
We’re a small operation (one person), so emailing us reaches the person who actually decides how your data is handled.
2. What data we collect
2.1 Data you give us directly
- Account information — your email, display name, and authentication credentials (handled by Firebase; we never see your password), plus your subscription status.
- Profile and onboarding answers — what you tell us about yourself when you set up the app and when you edit your profile later. This includes basic measurements (height, weight, age range, gender), training context (fitness level, goals, equipment, frequency), lifestyle inputs (sleep, stress, activity level), preferences, and any free-text notes you choose to share — including injuries or limitations. Some of this is health data under GDPR Art. 9 (see §3).
- Training data — the workouts, sets, reps, weights, exercise swaps, feedback, and weight log entries you record while using the app. We also keep a history of your profile answers so we can adapt training over time.
2.2 Data from connected wearables and fitness apps (optional)
If you connect a wearable or fitness app (Garmin, Apple Health, Fitbit, Oura, Whoop, and similar) via our integration partner Terra, we receive health and activity data from your device — including activity, sleep, heart-rate, body-composition, recovery (e.g. HRV), and, if your device tracks them, nutrition and menstrual-cycle data. This is special-category health data under GDPR Art. 9 and we only process it with your explicit consent (see §3).
You don’t have to connect a wearable. The Service works without it, and you can disconnect at any time from the Wearables screen in the app.
2.3 Data collected automatically
- Crash and diagnostic data via Sentry — stack traces, device model, OS version, and app version when something goes wrong, so we can fix bugs. This does not include your workout content or profile answers.
- Authentication metadata via Firebase Auth — sign-in timestamps, IP address at sign-in, and similar fraud-prevention signals.
- Server logs when your device talks to our backend — timestamp, endpoint, and response code. We don’t log request bodies in production.
2.4 Data we explicitly do not collect or send to servers
- Voice command transcripts. When you use voice commands during a workout, speech-to-text runs on your device. The transcript is parsed locally to interpret the command (e.g. “10 reps 50 kg”) and is not transmitted to our servers or to any AI service.
- Microphone audio. We never record or upload raw audio.
- Camera or photos. We don’t access your camera or photo library.
- Contacts, calendar, or location. We don’t read these.
3. Why we use your data (purposes and legal bases)
Under GDPR, every use of your personal data needs a legal basis. Here’s ours, broken down by purpose:
| What we use it for | Legal basis (GDPR Art. 6) |
|---|---|
| Creating and managing your account; providing the core Service (workouts, tracking, history) | Contract (Art. 6(1)(b)) — we can’t deliver the Service without it |
| Generating personalized and adaptive workout plans using your profile, training history, and (if connected) wearable data | Contract (Art. 6(1)(b)) |
| Processing health data from wearables, including HRV, sleep, and (where you’ve enabled it) menstrual cycle data — these are special categories of data under Art. 9 | Explicit consent (Art. 9(2)(a)) — given when you connect a wearable in-app |
| Free-text injury/limitation entries you choose to share | Explicit consent (Art. 9(2)(a)) — you choose what to write |
| Crash reporting and bug-fixing | Legitimate interest (Art. 6(1)(f)) — keeping the app stable |
| Communicating with you about the Service (e.g. responding to support emails) | Contract (Art. 6(1)(b)) and legitimate interest |
| Detecting fraud, abuse, or violations of our terms | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations (e.g. tax records for paid subscriptions) | Legal obligation (Art. 6(1)(c)) |
We do not use your data for advertising, profiling for marketing purposes, or automated decision-making with legal effects. AI-generated workout suggestions are recommendations — a human can disregard them, and they’re not making decisions about you in a legally significant sense.
You can withdraw consent for special-category processing (wearables, health data) at any time by disconnecting wearables in-app. This won’t affect processing that happened before withdrawal.
4. Who we share data with (sub-processors)
We use the following service providers to run FitCursor. Each one only sees the data they need, and each is bound by a Data Processing Agreement (DPA) consistent with GDPR Art. 28.
| Provider | What they do | What they see | Where data is processed |
|---|---|---|---|
| Google Firebase Authentication | Handles sign-up, sign-in, password reset | Email, password (hashed), auth metadata | United States (Standard Contractual Clauses) |
| Sentry | Crash and error reporting | Stack traces, device model/OS, app version | United States or EU, depending on Sentry region (SCCs where applicable) |
| Railway | Hosts our backend API and PostgreSQL database | Your full account, profile, workout, and wearable data | United States (SCCs) |
| Terra API | Connects wearables and fitness apps to our backend | Your wearable health data; your Terra user identifier | United States / EU (SCCs) |
| OpenAI (via n8n workflow) | Generates workout plan suggestions | A pseudonymized prompt containing your non-identifying profile fields (e.g. fitness level, goal, equipment, recent training summary) and exercise list. We do not send your name, email, or Firebase user ID. | United States (SCCs); per OpenAI API terms, prompts are not used to train OpenAI models |
| n8n (self-hosted on our infrastructure) | Orchestrates the workout-generation workflow | Same as OpenAI above, plus profile fetch from our backend | Same region as Railway |
| Apple App Store / Google Play | Distributes the app and processes in-app purchases | Whatever Apple/Google capture for purchases (we don’t see card details) | Apple’s and Google’s privacy policies apply |
We don’t sell your personal data to anyone. We don’t share it with advertisers, data brokers, or analytics resellers.
International transfers
Several of our sub-processors are based in the United States. Where this happens, transfers are protected by the EU Standard Contractual Clauses (SCCs) and, where applicable, the providers’ certifications under the EU–US Data Privacy Framework. You can request a copy of the relevant SCCs by emailing [email protected].
5. How long we keep your data
| Data type | Retention |
|---|---|
| Active account data (profile, workouts, wearable data) | While your account is active |
| Account deletion grace period | 30 days after you request deletion — we keep your data so you can recover the account if you change your mind, then it’s permanently deleted |
| Anonymized aggregate analytics (no link to you) | May be retained indefinitely |
| Crash reports | 90 days (Sentry default; configurable) |
| Auth logs (Firebase) | Per Firebase’s defaults, generally up to 30 days |
| Tax / payment records (where required by law) | Up to 10 years, as required by EU tax law — only the financial records, not your fitness data |
| Backups | Routine database backups may briefly retain deleted data; these are overwritten on the standard backup rotation (within 30 days of deletion) |
To delete your account, use the in-app Delete Account option in Profile → Account, or email [email protected].
6. Your rights under GDPR
You have the following rights regarding your personal data. We’ll respond to any request within 30 days (extendable by up to 60 more days for complex requests, with notice).
- Right of access (Art. 15) — get a copy of the personal data we hold about you
- Right to rectification (Art. 16) — correct inaccurate data; you can edit most fields directly in Profile
- Right to erasure / “right to be forgotten” (Art. 17) — delete your account and data
- Right to restriction (Art. 18) — ask us to pause processing while a dispute is resolved
- Right to data portability (Art. 20) — receive your data in a machine-readable format (JSON)
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3)) — disconnect wearables; remove free-text limitations
- Right not to be subject to solely automated decisions (Art. 22) — none of our processing fits this, but you have the right
- Right to lodge a complaint with your national Data Protection Authority
To exercise any of these rights, email [email protected] with a brief description of what you’d like. We may ask you to confirm the email on your account so we don’t hand someone else’s data to the wrong person.
If you’re unhappy with our response, you can complain to your country’s Data Protection Authority. A list is available at edpb.europa.eu.
7. How we protect your data
- In transit: all communication between the app, our backend, and sub-processors uses TLS (HTTPS).
- At rest: databases are encrypted at the disk level by our hosting provider.
- Authentication: every API request from the app is signed with HMAC-SHA256 in addition to standard authentication, so a request that is altered in transit fails verification and is rejected by our backend.
- Access control: only the data controller (the developer) has production database access, and access is logged.
- Sub-processor security: we only use providers with recognized security certifications (SOC 2, ISO 27001, etc.).
No system is perfectly secure. If we ever discover a personal data breach that’s likely to result in a risk to your rights, we’ll notify the relevant Data Protection Authority within 72 hours and tell affected users without undue delay, as required by GDPR Art. 33–34.
8. Children
FitCursor is not directed at children under 16. We don’t knowingly collect data from anyone under 16. If you believe a child has signed up, email [email protected] and we’ll delete the account.
9. Changes to this policy
If we make material changes to how we handle your data, we’ll update this page and notify you in-app or by email before the changes take effect. The “Last updated” date at the top of this page reflects the most recent revision. Older versions are available on request.
10. Contact
For any privacy question, request, or complaint:
Email: [email protected]
We aim to reply within a few business days.