Privacy Policy
Last updated: March 12, 2026
1. Introduction
FITGYAL (“Company,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the FITGYAL mobile application, website at fitgyal.us, and all related services (collectively, the “Service”).
By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not access or use the Service.
We encourage you to read this Privacy Policy in its entirety. If you have any questions, please contact us at support@fitgyal.us.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: Name, email address, username, password (hashed), date of birth, and profile photo when you create an account via Supabase authentication;
- Profile information: Bio, avatar image, display name, fitness goals, height, weight, and other optional profile details you choose to share;
- Activity and health data: Workout logs (exercise type, duration, intensity), meal logs (food items, calories, macronutrients), water intake records, weight entries, step counts, and other fitness-related data you input;
- User-generated content: Posts, comments, messages, photos, dance videos (Thinfluencer subscribers), and other content you create and share through the Service;
- Payment information: When making purchases, your payment information (credit card number, billing address) is collected and processed by Stripe. We receive only a payment token, the last four digits of your card, card type, and transaction confirmation. We do not store full payment card details;
- Communications: Information you provide when contacting our support team, responding to surveys, or participating in promotions;
- Social interactions: Follow/unfollow actions, Squad memberships, direct messages, post likes, and other social activity.
2.2 Information Collected Automatically
- Device information: Device type, operating system and version, unique device identifiers, browser type and version, screen resolution, and device settings;
- Usage data: Pages and features accessed, time spent on pages, click patterns, app opens, session duration, navigation paths, and interactions with the Service;
- Location data: General location information derived from your IP address. We do not collect precise GPS location unless you explicitly grant permission for location-based features;
- Log data: IP address, access times, referring URLs, error logs, and server logs;
- Cookie and tracking data: Information collected through cookies, pixel tags, and similar technologies. See our Cookie Policy for details;
- Push notification tokens: Device tokens used to deliver push notifications when you opt in.
2.3 Information from Third Parties
- Authentication providers: If you sign in using third-party authentication (e.g., Google, Apple), we receive your name, email address, and profile image from the provider;
- Payment processors: Transaction status, payment confirmations, and limited card information from Stripe;
- Analytics providers: Aggregated and anonymized usage data from our analytics tools.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and maintain the Service: Create and manage your account, process transactions, deliver features, and provide customer support;
- Personalize your experience: Customize content, recommendations, and features based on your preferences and activity;
- Process payments: Facilitate Thinfluencer subscriptions, FitCoin purchases, Squad creation fees, and sweepstakes prize fulfillment;
- FitCoin and gamification: Track and manage FitCoin balances, calculate rewards, maintain streaks, and administer mini games and sweepstakes;
- Social features: Enable follows, Squad interactions, messaging, content sharing, and leaderboards;
- Livestreaming: Facilitate LiveKit-powered livestreaming features for eligible users;
- Communications: Send you transactional emails (via Resend), push notifications, in-app messages, and account updates;
- Safety and security: Detect, prevent, and address fraud, abuse, security threats, and technical issues. Enforce our Terms of Service and Acceptable Use Policy;
- Analytics and improvement: Analyze usage patterns, measure feature performance, and improve the Service;
- Legal compliance: Comply with applicable laws, regulations, legal processes, and governmental requests;
- Marketing: With your consent, send promotional emails about new features, products, or services. You can opt out at any time.
5. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service. Specific retention periods include:
- Account data: Retained for the duration of your account plus 30 days after account deletion to allow for account recovery;
- Activity logs: Workout, meal, water, and weight data retained for the duration of your account;
- Payment records: Transaction records retained for 7 years for tax and legal compliance;
- User content: Posts, photos, and videos deleted within 30 days of removal or account deletion, though cached or archived copies may persist;
- Communications: Support communications retained for up to 3 years;
- Log data: Server and access logs retained for up to 12 months;
- Anonymized data: Aggregated, de-identified data may be retained indefinitely for analytics and product improvement.
When data is no longer needed, we securely delete or anonymize it. You may request early deletion of your data by contacting us, subject to legal retention obligations.
6. Data Security
We implement industry-standard technical and organizational security measures to protect your personal information, including:
- Encryption of data in transit using TLS/SSL;
- Encryption of sensitive data at rest;
- Password hashing using secure algorithms (via Supabase Auth);
- Row-level security policies in our database;
- Regular security assessments and vulnerability testing;
- Access controls and authentication for internal systems;
- Secure payment processing through Stripe (PCI DSS compliant);
- Monitoring and logging of access to systems containing personal data.
While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach, we will notify affected users and relevant authorities as required by applicable law.
7. Children’s Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are under 13, you may not create an account or use the Service.
COPPA Compliance: In compliance with the Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or disclose personal information from children under 13 without verifiable parental consent. If we learn that we have collected personal information from a child under 13 without proper consent, we will promptly delete that information.
If you are a parent or guardian and believe that your child under 13 has provided personal information to us, please contact us immediately at support@fitgyal.us so that we can take appropriate action.
For users between 13 and 18, we encourage parental supervision and recommend that parents review our Child Safety Policy.
For more information about our child safety practices, please see our Child Safety Policy.
8. GDPR - European Users
If you are located in the European Union (EU) or European Economic Area (EEA), the General Data Protection Regulation (GDPR) applies to our processing of your personal data. This section provides additional information specific to your rights under the GDPR.
8.1 Data Controller
FITGYAL is the data controller for the personal data we process in connection with the Service. You can contact us at support@fitgyal.us.
8.2 Lawful Basis for Processing
We process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to perform the contract between you and FITGYAL (i.e., providing the Service, managing your account, processing payments, delivering FitCoins);
- Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving the Service, preventing fraud, ensuring security, and conducting analytics, provided such interests are not overridden by your data protection rights;
- Consent (Article 6(1)(a)): Processing based on your explicit consent, such as sending marketing communications, processing optional location data, and setting non-essential cookies. You may withdraw consent at any time;
- Legal obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as tax reporting, responding to legal requests, and reporting CSAM.
8.3 Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Article 15): You have the right to obtain confirmation of whether we process your personal data and to request a copy of that data;
- Right to rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data;
- Right to erasure (Article 17): You have the right to request deletion of your personal data (“right to be forgotten”), subject to certain exceptions (legal obligations, public interest, etc.);
- Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller;
- Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes;
- Right to restriction (Article 18): You have the right to request restriction of processing in certain circumstances, such as when you contest data accuracy or object to processing;
- Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal;
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state where you reside, work, or where the alleged infringement occurred.
8.4 Exercising Your Rights
To exercise any of these rights, please contact us at support@fitgyal.us. We will respond to your request within 30 days. We may request verification of your identity before processing your request. If you are not satisfied with our response, you may contact our Data Protection Officer (DPO) at support@fitgyal.us.
8.5 Data Transfers Outside the EEA
Your personal data may be transferred to and processed in countries outside the EEA, including the United States. When we transfer data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms under GDPR Article 46.
9. CCPA/CPRA - California Users
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information.
9.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, username, IP address, device identifiers;
- Personal information under Cal. Civ. Code 1798.80(e): Name, physical characteristics or description (profile photo);
- Commercial information: Purchase history, subscription status, FitCoin balance;
- Internet/electronic activity: Browsing history, search history, interaction with the Service;
- Geolocation data: Approximate location from IP address;
- Audio, visual, or similar information: Profile photos, post images, dance videos;
- Health information: Workout data, meal logs, weight, water intake (voluntarily provided);
- Inferences: Fitness preferences, interests, and behavior patterns derived from collected data.
9.2 Your California Privacy Rights
- Right to know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it;
- Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions;
- Right to correct: You have the right to request correction of inaccurate personal information;
- Right to opt out of sale/sharing: You have the right to opt out of the sale or sharing of your personal information. FITGYAL does not sell your personal information. We do not share personal information for cross-context behavioral advertising;
- Right to limit use of sensitive personal information: You have the right to limit the use and disclosure of sensitive personal information to uses necessary to provide the Service;
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights.
9.3 Do Not Sell or Share
FITGYAL does not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising purposes. As such, we do not offer a “Do Not Sell or Share My Personal Information” opt-out mechanism, as there is no sale or sharing to opt out of.
9.4 Exercising Your Rights
To submit a request, contact us at support@fitgyal.us. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf. We will respond to verifiable consumer requests within 45 days. If additional time is needed, we will inform you of the extension and the reason.
10. UK GDPR Compliance
If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply to our processing of your personal data.
Your rights under the UK GDPR are substantially similar to those described in the GDPR section above (Section 8), including the rights of access, rectification, erasure, data portability, objection, restriction, and the right to lodge a complaint with the Information Commissioner’s Office (ICO).
For transfers of personal data from the UK to countries outside the UK that have not been deemed adequate by the UK government, we rely on appropriate safeguards such as the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
To exercise your rights under the UK GDPR, please contact us at support@fitgyal.us.
11. International Data Transfers
FITGYAL is based in the United States. Your personal information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your jurisdiction.
When we transfer personal data internationally, we ensure appropriate safeguards are in place to protect your data, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- UK International Data Transfer Agreements (IDTAs);
- Reliance on adequacy decisions where applicable;
- Contractual commitments with our service providers to maintain equivalent levels of data protection;
- Supplementary measures as necessary to ensure the effectiveness of the transfer mechanisms.
Our key service providers and their data processing locations include:
- Supabase: United States (database, authentication, storage);
- Stripe: United States (payment processing);
- Resend: United States (email delivery);
- LiveKit: United States (livestreaming infrastructure).
13. Third-Party Links
The Service may contain links to third-party websites, applications, or services that are not operated by FITGYAL. We are not responsible for the privacy practices or content of these third parties. We encourage you to read the privacy policies of any third-party services you visit.
The inclusion of a link does not imply endorsement by FITGYAL. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.
14. Push Notifications
With your consent, we may send push notifications to your device regarding account activity, FitCoin rewards, streak reminders, social interactions, sweepstakes results, and other Service-related updates.
Opt-out: You can opt out of push notifications at any time by:
- Adjusting notification settings within the FITGYAL app;
- Disabling notifications for FITGYAL in your device’s system settings (Settings > Notifications on iOS; Settings > Apps > FITGYAL > Notifications on Android);
- Contacting us at support@fitgyal.us.
Opting out of push notifications will not affect your ability to use the Service, but you may miss time-sensitive updates such as sweepstakes results and streak reminders.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the “Last updated” date at the top of this Privacy Policy;
- Notify you via email, in-app notification, or push notification;
- Post the updated Privacy Policy on our website at fitgyal.us;
- Where required by law (e.g., under GDPR), obtain your consent for material changes to how we process your data.
We encourage you to periodically review this Privacy Policy for the latest information about our data practices. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of such changes.
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Company: FITGYAL
- Email: support@fitgyal.us
- Website: https://fitgyal.us
- Data Protection Officer: support@fitgyal.us
For GDPR-related inquiries, EU residents may also contact our Data Protection Officer at the email address above. We will respond to all privacy-related inquiries within 30 days.
This Privacy Policy is effective as of March 12, 2026.