This Privacy Policy explains how Fitness Challenges ("we," "us," or "our") collects, uses, stores, and shares information when you use the Fitness Challenges mobile application for iOS and Android (the "App") and the related backend services available at https://fitchallenges.app (collectively, the "Service").
By creating an account or using the Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please do not use the Service.
When you sign up, we ask for:
With your explicit, per-platform permission, the App reads the following data from Apple HealthKit (iOS), Google Health Connect (Android), and/or Samsung Health (Samsung devices):
On Android, the App requests the ACTIVITY_RECOGNITION permission required by Health Connect, and may request READ_PLANNED_EXERCISE and READ_ACTIVE_CALORIES_BURNED for workout enrichment.

When you log a workout into a challenge, the App sends the workout summary and the associated heart-rate samples to our backend servers, where they are stored on your account so that activity scores, leaderboards, and heart-rate zones can be calculated. Heart-rate samples are stored as numeric data points only (timestamp + BPM); we do not derive medical or diagnostic conclusions from them.
During an optional live workout session, your current heart rate is sampled approximately every five seconds and broadcast in real time to other contestants in the same challenge. Samples are sent over a secure WebSocket and fanned out via a transient managed Redis pub/sub channel (see Section 5.2). Live samples are not retained as a permanent history; only the live-session record (start time, end time, status) is kept.
The App requests read-only access to your health data. We do not write data back to Apple Health, Health Connect, or Samsung Health.
If you create a challenge, we store the challenge name, description, start and end dates, scoring rules, optional join password, and the invite code. You are identified as the creator.
To deliver push notifications (e.g., when a friend reacts to your workout), the App registers with Apple Push Notification service and Firebase Cloud Messaging and sends the resulting Firebase token to our servers. The token is a per-installation pseudonymous identifier — it is not your name, email, or device serial number — and is rotated by the operating system or Firebase from time to time; we replace the stored value when the App reports a new token.
We use the information described above to:
We do not use your information for behavioural advertising or sale to data brokers. The Service applies automated rules to detect rule violations (such as “strikes” or disqualification from a challenge); these decisions can be reviewed by a human on request, as described in Section 8.2.
Health and fitness data is sensitive. We apply the following principles to it:
These commitments are made to satisfy the requirements of the Apple HealthKit framework and the Google Health Connect data-handling policies in addition to applicable law.
If you are in the European Economic Area or the United Kingdom, our legal bases under the GDPR / UK GDPR are:
We share information only as described below.
Your first name, last name, avatar, workout activities (type, duration, average heart rate, energy, score), reactions, comments, chat messages, and — during live sessions — your real-time heart rate are visible to the other contestants enrolled in the same challenge. They are not publicly indexed on the open internet.
We use a small number of trusted third-party providers (sub-processors). Each is bound by contractual confidentiality and data-protection terms and may only process your information on our instructions for the purpose listed.
| Provider | Purpose | Data involved | Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Application hosting and database storage | All account, challenge, activity, and health-data records | United States (us-east-2) |
| Google Cloud Storage | Storage of profile-photo objects (under profiles/{userId}/avatar/{uuid}) | Avatar image bytes only | United States |
| Google Firebase Cloud Messaging | Push-notification delivery | FCM token, notification payload, IP, Firebase installation ID | United States |
| Firebase Remote Config | Server-side feature flags / API base URL | Firebase installation ID, IP | United States |
| Apple Push Notification service | Delivery of push notifications on iOS | APNs device token | Operated by Apple Inc. |
| Email delivery provider (SMTP) | Sending password-reset codes and account-security emails | Recipient email address, message contents | United States |
| Redis (managed cache) | Transient pub/sub fan-out for live-workout heart-rate streams | Heart-rate sample, user ID, challenge ID (in-memory only) | United States |
We may disclose information if we believe in good faith that disclosure is necessary to (a) comply with a law, regulation, subpoena, court order, or other legal process; (b) protect the rights, property, or safety of Fitness Challenges, our users, or the public; or (c) detect, prevent, or otherwise address fraud, security, or technical issues.
If Fitness Challenges is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (for example, by email and/or a prominent notice in the App) of any such change in ownership or control of your personal information, and you will have the opportunity to delete your account before the transfer takes effect.
We do not sell, rent, or trade your personal information, and we do not "share" it for cross-context behavioural advertising as those terms are defined under the California Consumer Privacy Act / CPRA.
| Category | Retention |
|---|---|
| Account record (name, email, DOB, password hash, role, resting heart rate, total challenge score, strike count, disqualification flag, current-challenge reference, avatar object key, created/updated timestamps) | Until you delete your account. |
| Activities, workout summaries, heart-rate data points | For the lifetime of your account; deleted when your account is deleted. |
| Profile photo (Google Cloud Storage object) | Until replaced or until your account is deleted. |
| Reactions, cheers, comments, chat messages | Retained as part of the challenge record. Deleted when your account is deleted (you may also delete individual messages where the App provides that option). |
| Live-workout session records | Session metadata (start, end, status) retained with the challenge; transient in-flight heart-rate samples are not persisted. |
| Push-notification (FCM) tokens | Replaced on each token refresh; removed when you sign out, uninstall, or delete the account. |
| Password-reset codes | Valid for 24 hours; invalidated on use. |
| Server access & application logs | Retained for a limited operational period for security, debugging, and abuse investigation, then deleted or rotated. We are working toward a documented retention schedule of no more than 90 days. |
| Backups | Encrypted database backups are taken on a routine schedule; deleted records may persist in those backups until they are overwritten in the normal backup-rotation cycle, which we currently target at 30 days. |
When you delete your account from Profile → Delete Account, the App calls our delete endpoint and we remove your account record, your activities, your workout summaries, your stored heart-rate data points, and your registered push-notification tokens from active systems, and we delete your profile-photo object from Google Cloud Storage. Content you authored inside a shared challenge (reactions, cheers, comments, chat messages, and live-session records) is removed or anonymised on a best-effort basis as part of this process; if you believe any such content remains after deletion, please email adham.developer.mohamed@gmail.com and we will remove it. Residual copies in encrypted backups are overwritten in the normal backup-rotation cycle described above.
EncryptedSharedPreferences on Android). Today these tokens do not have a server-side expiry; signing out removes the token from your device, and you can request server-side invalidation of all sessions by contacting adham.developer.mohamed@gmail.com. We are tracking token rotation as a security improvement.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.
Depending on where you live, you may have the right to:
To exercise any of these rights, email us at adham.developer.mohamed@gmail.com. We will verify the request comes from you — either through a signed-in action in the App or by sending a confirmation link to the email registered on the account — and respond within the time limits required by applicable law (generally within 30 days under the GDPR; 45 days under the CCPA).
The Service is not directed to children under 13 (or under the higher age, up to 16, that applies under local law in some jurisdictions, including several European Economic Area member states). We do not target the Service to children, and we do not knowingly create accounts for children below those ages.
We collect a date of birth at signup so that we can compute age-based heart-rate zones. We are in the process of adding a date-of-birth-based age gate that will block account creation for users below the applicable minimum age. Until that gate is live, if we become aware that an account belongs to a child below the applicable age, or if a parent or guardian notifies us at adham.developer.mohamed@gmail.com, we will close the account and delete the associated personal information promptly.
Fitness Challenges is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States and any other country in which our sub-processors maintain facilities. The data-protection laws of those countries may differ from those of your country.
For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs) where required, including those incorporated into the data-processing agreements of our sub-processors (Google, AWS, etc.). You may request a copy of the relevant safeguards by emailing adham.developer.mohamed@gmail.com.
If you are a California resident, the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA) gives you the rights described in Section 8.2, plus the right not to receive discriminatory treatment for exercising those rights, and the right to limit our use of your Sensitive Personal Information.
Categories of personal information collected in the last 12 months:
We do not collect: precise geolocation, sensory (audio / video) data, biometric identifiers, commercial purchase history, or government IDs.
Categories of sources: directly from you; from your device's operating system; from your health platform (with your permission).
Categories of third parties to whom information is disclosed for business purposes: hosting and database (AWS), object storage (Google Cloud), push-notification providers (Apple, Google), transactional email provider, managed cache (Redis). See Section 5.2 for details.
Use of Sensitive Personal Information. We use SPI only for the purposes described in Section 2 — running the challenges, scoring, computing heart-rate zones, and operating live workouts. We do not use or disclose SPI for purposes other than those permitted under CPRA §1798.121(a). You may submit a Right-to-Limit request to adham.developer.mohamed@gmail.com.
Sale or sharing: We do not sell or share personal information for cross-context behavioural advertising.
To exercise CCPA / CPRA rights, contact adham.developer.mohamed@gmail.com. You may also designate an authorised agent in writing to act on your behalf; we will verify the request by sending a confirmation to the email registered on the account.
The mobile App itself does not use cookies. The Firebase SDK that powers push notifications and Remote Config uses a Firebase installation ID for those features to function; this is not used for advertising. Our public marketing website, if any, may use functional cookies; that is described separately at the website itself.
We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by email before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the changes.
If you have questions about this Privacy Policy or our handling of your information, contact us:
The data controller responsible for your personal information is [LEGAL ENTITY NAME], of [REGISTERED ADDRESS]. For data-protection questions, contact adham.developer.mohamed@gmail.com. We have not appointed a Data Protection Officer because we are not required to under GDPR Article 37; the privacy mailbox above is the primary contact for all data-protection matters.
For users in the European Economic Area, our Article 27 representative is [EU REPRESENTATIVE NAME, ADDRESS, EMAIL]. For users in the United Kingdom, our UK GDPR representative is [UK REPRESENTATIVE NAME, ADDRESS, EMAIL]. (If you do not yet have appointed representatives, this section should be removed or completed before publication in those regions.)
© 2026 Fitness Challenges. All rights reserved.