Privacy Policy

Fitness Challenges
Effective date: May 1, 2026
Last updated: May 1, 2026

This Privacy Policy explains how Fitness Challenges ("we," "us," or "our") collects, uses, stores, and shares information when you use the Fitness Challenges mobile application for iOS and Android (the "App") and the related backend services available at https://fitchallenges.app (collectively, the "Service").

By creating an account or using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.

Quick summary. Fitness Challenges is a social fitness-competition app. We collect the account information you give us, the health and workout data you choose to share from Apple Health / Health Connect / Samsung Health, your profile photo, the content you post inside challenges (reactions, comments, chat), and a Firebase push-notification token. We use this information solely to operate the challenges, score activities, send notifications, and keep the Service secure. We do not sell your personal data, do not run advertising, and do not use third-party analytics or tracking SDKs.

Table of Contents

1. Information We Collect
2. How We Use Information
3. Apple Health, Health Connect & Samsung Health
4. Legal Bases for Processing (EEA / UK)
5. How We Share Information & Sub-processors
6. Data Retention
7. Security
8. Your Rights and Choices
9. Children's Privacy
10. International Data Transfers
11. California Privacy Rights
12. Cookies and Similar Technologies
13. Changes to this Policy
14. How to Contact Us

1. Information We Collect

1.1 Information You Provide When You Create an Account

When you sign up, we ask for:

1.2 Profile Information

1.3 Health and Fitness Data

With your explicit, per-platform permission, the App reads the following data from Apple HealthKit (iOS), Google Health Connect (Android), and/or Samsung Health (Samsung devices):

When you log a workout into a challenge, the App sends the workout summary and the associated heart-rate samples to our backend servers, where they are stored on your account so that activity scores, leaderboards, and heart-rate zones can be calculated. Heart-rate samples are stored as numeric data points only (timestamp + BPM); we do not derive medical or diagnostic conclusions from them.

During an optional live workout session, your current heart rate is sampled approximately every five seconds and broadcast in real time to other contestants in the same challenge. Samples are sent over a secure WebSocket and fanned out via a transient managed Redis pub/sub channel (see Section 5.2). Live samples are not retained as a permanent history; only the live-session record (start time, end time, status) is kept.

The App requests read-only access to your health data. We do not write data back to Apple Health, Health Connect, or Samsung Health.

1.4 Content You Create Inside Challenges

1.5 Challenge Settings (when you create a challenge)

If you create a challenge, we store the challenge name, description, start and end dates, scoring rules, optional join password, and the invite code. You are identified as the creator.

1.6 Push-Notification Token

To deliver push notifications (e.g., when a friend reacts to your workout), the App registers with Apple Push Notification service and Firebase Cloud Messaging and sends the resulting Firebase token to our servers. The token is a per-installation pseudonymous identifier — it is not your name, email, or device serial number — and is rotated by the operating system or Firebase from time to time; we replace the stored value when the App reports a new token.

1.7 Information Collected Automatically

1.8 Information Stored on Your Device

What we do NOT collect. We do not collect your precise GPS location, your contacts, your microphone audio, your photo library beyond the single image you pick for your avatar, your advertising identifier (IDFA / GAID), or any biometric identifiers. We do not embed third-party advertising, marketing, or behavioural-analytics SDKs.

2. How We Use Information

We use the information described above to:

We do not use your information for behavioural advertising or sale to data brokers. The Service applies automated rules to detect rule violations (such as “strikes” or disqualification from a challenge); these decisions can be reviewed by a human on request, as described in Section 8.2.

3. Apple Health, Health Connect & Samsung Health

Health and fitness data is sensitive. We apply the following principles to it:

These commitments are made to satisfy the requirements of the Apple HealthKit framework and the Google Health Connect data-handling policies in addition to applicable law.

4. Legal Bases for Processing (EEA / UK)

If you are in the European Economic Area or the United Kingdom, our legal bases under the GDPR / UK GDPR are:

5. How We Share Information & Sub-processors

We share information only as described below.

5.1 With Other Users of the Service

Your first name, last name, avatar, workout activities (type, duration, average heart rate, energy, score), reactions, comments, chat messages, and — during live sessions — your real-time heart rate are visible to the other contestants enrolled in the same challenge. They are not publicly indexed on the open internet.

5.2 With Sub-processors That Help Us Operate the Service

We use a small number of trusted third-party providers (sub-processors). Each is bound by contractual confidentiality and data-protection terms and may only process your information on our instructions for the purpose listed.

| Provider | Purpose | Data involved | Region |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Application hosting and database storage | All account, challenge, activity, and health-data records | United States (us-east-2) |
| Google Cloud Storage | Storage of profile-photo objects (under profiles/{userId}/avatar/{uuid}) | Avatar image bytes only | United States |
| Google Firebase Cloud Messaging | Push-notification delivery | FCM token, notification payload, IP, Firebase installation ID | United States |
| Firebase Remote Config | Server-side feature flags / API base URL | Firebase installation ID, IP | United States |
| Apple Push Notification service | Delivery of push notifications on iOS | APNs device token | Operated by Apple Inc. |
| Email delivery provider (SMTP) | Sending password-reset codes and account-security emails | Recipient email address, message contents | United States |
| Redis (managed cache) | Transient pub/sub fan-out for live-workout heart-rate streams | Heart-rate sample, user ID, challenge ID (in-memory only) | United States |

5.3 For Legal Reasons

We may disclose information if we believe in good faith that disclosure is necessary to (a) comply with a law, regulation, subpoena, court order, or other legal process; (b) protect the rights, property, or safety of Fitness Challenges, our users, or the public; or (c) detect, prevent, or otherwise address fraud, security, or technical issues.

5.4 Business Transfers

If Fitness Challenges is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (for example, by email and/or a prominent notice in the App) of any such change in ownership or control of your personal information, and you will have the opportunity to delete your account before the transfer takes effect.

5.5 We Do Not Sell Your Personal Information

We do not sell, rent, or trade your personal information, and we do not "share" it for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act / CPRA.

6. Data Retention

| Category | Retention |
| --- | --- |
| Account record (name, email, DOB, password hash, role, resting heart rate, total challenge score, strike count, disqualification flag, current-challenge reference, avatar object key, created/updated timestamps) | Until you delete your account. |
| Activities, workout summaries, heart-rate data points | For the lifetime of your account; deleted when your account is deleted. |
| Profile photo (Google Cloud Storage object) | Until replaced or until your account is deleted. |
| Reactions, cheers, comments, chat messages | Retained as part of the challenge record. Deleted when your account is deleted (you may also delete individual messages where the App provides that option). |
| Live-workout session records | Session metadata (start, end, status) retained with the challenge; transient in-flight heart-rate samples are not persisted. |
| Push-notification (FCM) tokens | Replaced on each token refresh; removed when you sign out, uninstall, or delete the account. |
| Password-reset codes | Valid for 24 hours; invalidated on use. |
| Server access & application logs | Retained for a limited operational period for security, debugging, and abuse investigation, then deleted or rotated. We are working toward a documented retention schedule of no more than 90 days. |
| Backups | Encrypted database backups are taken on a routine schedule; deleted records may persist in those backups until they are overwritten in the normal backup-rotation cycle, which we currently target at 30 days. |

When you delete your account from Profile → Delete Account, the App calls our delete endpoint and we remove your account record, your activities, your workout summaries, your stored heart-rate data points, and your registered push-notification tokens from active systems, and we issue deletion of your profile-photo object in Google Cloud Storage. Content you authored inside a shared challenge — reactions, cheers, comments, chat messages, and live-session records — is removed or anonymised on a best-effort basis as part of this process; if you believe any such content remains after deletion, please email adham.developer.mohamed@gmail.com and we will remove it. Residual copies in encrypted backups are overwritten in the normal backup-rotation cycle described above.

7. Security

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

8. Your Rights and Choices

8.1 In-App Controls

8.2 Statutory Rights

Depending on where you live, you may have the right to:

To exercise any of these rights, email us at adham.developer.mohamed@gmail.com. We will verify the request comes from you — either through a signed-in action in the App or by sending a confirmation link to the email registered on the account — and respond within the time limits required by applicable law (generally within 30 days under the GDPR; 45 days under the CCPA).

9. Children's Privacy

The Service is not directed to children under 13 (or under 16 where required by local law, including in the European Economic Area and the United Kingdom). We do not target the Service to children, and we do not knowingly create accounts for children below those ages.

We collect a date of birth at signup so that we can compute age-based heart-rate zones. We are in the process of adding a date-of-birth-based age gate that will block account creation for users below the applicable minimum age. Until that gate is live, if we become aware that an account belongs to a child below the applicable age, or if a parent or guardian notifies us at adham.developer.mohamed@gmail.com, we will close the account and delete the associated personal information promptly.

10. International Data Transfers

Fitness Challenges is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and any other country in which our sub-processors maintain facilities. The data-protection laws of those countries may differ from those of your country.

For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) where required, including those incorporated into the data-processing agreements of our sub-processors (Google, AWS, etc.). You may request a copy of the relevant safeguards by emailing adham.developer.mohamed@gmail.com.

11. California Privacy Rights

If you are a California resident, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA) gives you the rights described in Section 8.2, plus the right not to receive discriminatory treatment for exercising those rights, and the right to limit our use of your Sensitive Personal Information.

Categories of personal information collected in the last 12 months:

We do not collect: precise geolocation, sensory (audio / video) data, biometric identifiers, commercial purchase history, or government IDs.

Categories of sources: directly from you; from your device's operating system; from your health platform (with your permission).

Categories of third parties to whom information is disclosed for business purposes: hosting and database (AWS), object storage (Google Cloud), push-notification providers (Apple, Google), transactional email provider, managed cache (Redis). See Section 5.2 for details.

Use of Sensitive Personal Information. We use SPI only for the purposes described in Section 2 — running the challenges, scoring, computing heart-rate zones, and operating live workouts. We do not use or disclose SPI for purposes other than those permitted under CPRA §1798.121(a). You may submit a Right-to-Limit request to adham.developer.mohamed@gmail.com.

Sale or sharing: We do not sell or share personal information for cross-context behavioural advertising.

To exercise CCPA / CPRA rights, contact adham.developer.mohamed@gmail.com. You may also designate an authorised agent in writing to act on your behalf; we will verify the request by sending a confirmation to the email registered on the account.

12. Cookies and Similar Technologies

The mobile App itself does not use cookies. The Firebase SDK that powers push notifications and Remote Config uses a Firebase installation ID for those features to function; this is not used for advertising. Our public marketing website, if any, may use functional cookies; that is described separately at the website itself.

13. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes.

14. How to Contact Us

If you have questions about this Privacy Policy or our handling of your information, contact us:

14.1 Data Controller

The data controller responsible for your personal information is [LEGAL ENTITY NAME], of [REGISTERED ADDRESS]. For data-protection questions, contact adham.developer.mohamed@gmail.com. We have not appointed a Data Protection Officer because we are not required to under GDPR Article 37; the privacy mailbox above is the primary contact for all data-protection matters.

14.2 EU / UK Representative

For users in the European Economic Area, our Article 27 representative is [EU REPRESENTATIVE NAME, ADDRESS, EMAIL]. For users in the United Kingdom, our UK GDPR representative is [UK REPRESENTATIVE NAME, ADDRESS, EMAIL]. (If you do not yet have appointed representatives, this section should be removed or completed before publication in those regions.)

© 2026 Fitness Challenges. All rights reserved.