Privacy Policy
Last updated: 2026-04-11
This Privacy Policy describes how TheFitnessDB ("we," "us," "our") collects, uses, and protects your personal data when you use our website, API, and related services. We are committed to GDPR compliance and data minimization.
1. Data Controller
The data controller for personal data processed through the Services is TheFitnessDB. For contact details, see our Impressum page or contact us at [email protected].
2. Data We Collect
We collect the minimum data necessary to operate the Services: account information (email address, name) when you register; billing information processed by Stripe (we do not store full card numbers); API usage logs (request counts, endpoints called, timestamps) for rate limiting and analytics; and anonymized, aggregate website analytics via Plausible (no cookies, no personal data).
3. How We Use Your Data
We use your data to provide and maintain the Services, process payments and manage subscriptions, enforce rate limits and prevent abuse, send transactional emails (account confirmation, billing receipts, password resets), and improve the Services based on aggregate usage patterns. We do not sell your personal data, use it for advertising, or share it with third parties beyond our sub-processors.
4. Legal Basis for Processing (GDPR)
We process your data under the following legal bases: contract performance (Article 6(1)(b)) for account management and service delivery; legitimate interest (Article 6(1)(f)) for security, fraud prevention, and service improvement; and consent (Article 6(1)(a)) where explicitly obtained, such as for marketing communications (opt-in only).
5. Sub-Processors
We use the following sub-processors to deliver the Services: Supabase (database hosting and authentication, EU region), Cloudflare (CDN, DNS, Pages hosting, DDoS protection), Stripe (payment processing, Merchant of Record), Resend (transactional email delivery), Plausible (cookieless web analytics, EU-hosted), and Sentry (error tracking, frontend only). All sub-processors maintain appropriate data processing agreements and security certifications.
6. Data Retention
Account data is retained for the duration of your account. API usage logs are retained for 90 days. Billing records are retained as required by applicable tax legislation (typically 7–10 years). You may request deletion of your account and associated personal data at any time.
7. Your Rights (GDPR)
Under GDPR, you have the right to: access your personal data (Article 15), rectify inaccurate data (Article 16), erase your data ("right to be forgotten," Article 17), restrict processing (Article 18), data portability (Article 20), and object to processing (Article 21). To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. International Data Transfers
We prioritize EU-based sub-processors. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or the processor's adherence to an adequacy decision.
9. Security
We implement industry-standard security measures including encryption at rest and in transit (TLS 1.2+), Row Level Security on database records, hashed API key storage, and regular security reviews. Despite these measures, no method of electronic transmission or storage is 100% secure.
10. Children's Privacy
The Services are not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For questions or data subject requests, contact us at [email protected].