Privacy Policy
Last updated: 5 March 2026
1. Introduction
JOINFIZ LTD ("Fiz", "we", "us", or "our") operates the Fiz mobile application and website at joinfiz.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. By using Fiz, you consent to the practices described in this policy. If you do not agree, please discontinue use of the app.
2. Information We Collect
We collect the following categories of information:
Account Information
Email address, password (hashed), first and last name, username, and profile picture.
Profile Information
Bio, location, unit preferences (metric/imperial), timezone, profile links, and affiliate codes.
Health & Fitness Data
When you connect Apple HealthKit or Google Health Connect, we may read:
- Heart rate (average and maximum during workouts)
- Active calories burned
- Steps taken
- Distance covered
- Body weight and height
- Blood pressure readings
- Workout duration
Fitness Activity Data
Workout scores, training metrics, personal records, activity images, comments on activities, strain and load calculations, muscle group breakdowns, and achievement badges.
Location Data
If you provide a location on your profile, we use the Google Geocoding API to convert it to coordinates for features such as timezone detection. We do not continuously track your location.
Device Information
Device push notification tokens for delivering notifications. We do not collect device identifiers for advertising purposes.
Usage Data
Timestamps of when you accepted our Terms of Service and Privacy Policy, marketing consent preferences, and general usage patterns within the app.
3. How We Collect Information
- Directly from you: When you create an account, fill in your profile, log workouts, post activities, or communicate with us.
- Automatically: Timezone detection based on your device, and push notification tokens when you enable notifications.
- From third-party services: Health data from Apple HealthKit or Google Health Connect (only with your explicit permission), subscription status from RevenueCat.
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent: Health data access, marketing communications, and optional profile information.
- Contract: Processing necessary to provide you with the Fiz service, including account management, workout tracking, and social features.
- Legitimate interest: Service improvement, security, and fraud prevention.
5. How We Use Your Information
We use the information we collect to:
- Provide and maintain the Fiz platform, including workout creation, score logging, activity tracking, and social features.
- Personalise your experience, such as displaying workouts in your preferred units and timezone.
- Power AI-generated workouts and programmes using Google Gemini (see Section 7).
- Display leaderboards, challenges, and achievement badges.
- Send push notifications about social interactions, challenges, and updates.
- Process subscription payments and manage entitlements.
- Ensure safety and enforce our terms of service, including content moderation.
- Respond to support requests via [email protected].
6. Health Data
Health and fitness data receives special protection under our policy:
- We only access health data with your explicit opt-in consent via Apple HealthKit or Google Health Connect.
- Health data is read-only — we never write to your health platforms.
- You control whether health data from individual activities is shared publicly via the "Share Health Data" toggle on each activity.
- Health data is never sold to third parties, used for advertising, or shared with insurers.
- You can disconnect health integrations at any time through the app settings.
- When you delete your account, all associated health data is permanently deleted.
7. AI-Generated Content
Fiz uses the Google Gemini API to generate workouts and programmes based on your text prompts. When you use the AI workout creator:
- Your text prompt is sent to Google Gemini for processing.
- We do not include personally identifiable information (name, email, health data) in prompts sent to Google Gemini.
- Generated workout content is stored in your Fiz account.
- AI usage is subject to quotas based on your subscription tier (Free, Pro, or Partner).
- Google Gemini's own privacy policy governs how Google processes these requests.
8. Location Data
When you add a location to your profile, we use the Google Geocoding API to convert the place name to geographic coordinates. This is used for timezone detection and displaying your location on your profile. We do not track your real-time GPS location or create movement profiles.
9. Information Sharing with Other Users
Depending on your privacy settings:
- Public accounts: Your profile, workouts, activities, and collections are visible to all Fiz users.
- Private accounts: Your content is only visible to approved followers.
- You can control whether you appear in search results and on leaderboards via privacy settings.
- Comments, likes, and follows are visible to the relevant users.
- You can block users to prevent them from viewing your content or interacting with you.
10. Third-Party Service Providers
We use the following third-party services to operate Fiz:
- Supabase: Authentication, database hosting, file storage, and edge functions. Data is stored on Supabase's infrastructure with row-level security.
- RevenueCat: Subscription management and in-app purchase processing.
- Stripe: Payment processing for subscriptions (via RevenueCat). We do not store your payment card details.
- Google Gemini API: AI workout and programme generation.
- Google Geocoding API: Location-to-coordinates conversion.
- Apple HealthKit: Reading health and fitness data on iOS devices.
- Google Health Connect: Reading health and fitness data on Android devices.
11. Data Storage & Security
We implement appropriate technical and organisational measures to protect your data:
- All data is encrypted in transit using HTTPS/TLS.
- Database access is protected by row-level security (RLS) policies ensuring users can only access their own data.
- Passwords are hashed and never stored in plain text.
- File storage uses signed URLs with expiration for secure access.
- We regularly review and update our security practices.
12. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with our services. When you delete your account, we permanently delete your personal data, including activities, workouts, scores, comments, likes, saves, follows, and health data. Some anonymised, aggregated data may be retained for analytics purposes. We may retain certain data as required by law or for legitimate business purposes such as resolving disputes.
13. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate data via your profile settings.
- Deletion: Request deletion of your account and all associated data.
- Portability: Request your data in a machine-readable format.
- Restrict processing: Request that we limit how we use your data.
- Withdraw consent: Withdraw consent for health data access, marketing, or other optional processing at any time.
- Object: Object to processing based on legitimate interest.
14. Data Export
You can request a full export of your personal data at any time. Fiz provides a GDPR-compliant data export feature that compiles your profile information, workouts, activities, scores, social data, and health data into a downloadable format. To request an export, contact us at [email protected].
15. Account Deletion
You can delete your account at any time. Deletion is permanent and cascading — it removes your profile, all workouts you created, activities, scores, comments, likes, saves, follows, blocked users, collections, challenge participations, notification tokens, and any associated health data. This action cannot be undone.
16. Children's Privacy
Fiz is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected].
17. International Data Transfers
Your data may be transferred to and processed in countries other than your own. Our service providers, including Supabase, Google, and RevenueCat, may process data in various jurisdictions. Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
18. Cookies & Tracking
The Fiz mobile app does not use cookies. Our website (joinfiz.com) may use essential cookies for basic functionality. We do not use third-party analytics trackers, advertising cookies, or tracking pixels. We do not sell your data to advertisers or data brokers.
19. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the app and updating the "Last updated" date. Your continued use of Fiz after changes are posted constitutes acceptance of the updated policy.
20. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data practices, please contact us:
JOINFIZ LTD
Email: [email protected]
Website: joinfiz.com