
Privacy Policy

Version 1.0 — Effective 1 April 2025 — Controller: JustFit.cc (Netherlands)

This Privacy Policy explains what personal data JustFit.cc collects, why, how long it is retained, and what rights you have. JustFit is built privacy-first: we collect only what is strictly necessary to provide the service.

1. Data Controller

The data controller is JustFit.cc, operated from the Netherlands. You can reach us at support@justfit.cc for any privacy-related matter.

If you require formal legal entity or registered-office details for a contractual, regulatory, or legal request, contact us at support@justfit.cc.

As a Dutch company, JustFit falls under the GDPR as implemented by the Dutch Autoriteit Persoonsgegevens (AP).

2. Data We Collect

Account data

Email address (required to create an account), password hash (salted SHA-256; your plaintext password is never stored), and the timestamp of your last login.

Profile and fitness data

Data you voluntarily provide to personalise your workout plan: display name, biological sex, weight, height, training goal, experience level, available equipment, sport preferences, injury areas, and cycle tracking preferences (optional).

Daily check-in data

When you complete a check-in: mood, energy, sleep hours, stress level, pain signals, and any free-text motivation notes. Check-ins are optional — you can skip them and still get a plan.

Workout history

Completed sessions, duration, perceived exertion, and per-exercise detail (reps, rest taken, adjustments, substitutions).

Passkey credentials

If you register a passkey (Face ID / Touch ID), we store the public key, credential ID, and sign counter. The biometric data never leaves your device.

What we do NOT collect

For security and abuse prevention (for example, authentication rate limiting), our systems may process network/request metadata such as IP-derived request information. This is used only for security operations, never for advertising or behavioral profiling.

3. Legal Basis for Processing

Contract (Art. 6(1)(b) GDPR) — Account data and workout history are processed to provide the service you signed up for.

Legitimate interest (Art. 6(1)(f) GDPR) — Aggregate error logs (server-side only, no PII) used to diagnose technical issues.

Consent (Art. 6(1)(a) / Art. 9(2)(a) GDPR) — Health-related data (cycle, pregnancy, injury) is processed only because you explicitly provide it within the app. You can remove it at any time via Settings → Profile or by deleting your account.

4. Data Retention

Your data is retained for as long as your account is active. When you delete your account (Settings → Account → Delete account), all your personal data is permanently erased from our database within 24 hours. Backup snapshots are purged within 30 days.

We currently retain inactive accounts until you request deletion. If we introduce automated inactivity deletion in the future, we will announce it in advance and update this policy before it takes effect.

5. Third-Party Processors

We share data with as few third parties as possible:

Cloudflare, Inc. — Infrastructure provider (CDN, Pages hosting, D1 database). Data is processed on European edge nodes. Cloudflare DPA: cloudflare.com/privacypolicy

Resend, Inc. — Transactional email (account confirmation, magic links, password reset). Only your email address and the content of the specific email are transmitted. Resend DPA: resend.com/legal/privacy-policy

We do not sell, rent, or share your data with any other third party for marketing, advertising, or analytics purposes.

6. Security

All data is transmitted over HTTPS. Passwords are hashed with a random salt and SHA-256. Passkey authentication uses WebAuthn with ECDSA P-256 — biometric data never leaves your device. JWTs are short-lived (7 days) and signed with a secret key stored in Cloudflare's encrypted environment variables. Auth attempts are rate-limited per IP and per email to prevent brute-force attacks.

Identity data (email) is stored separately from health and fitness data at the database level.

7. Cookies and Tracking

JustFit does not use cookies for tracking, advertising, or analytics. The only browser storage we use:

There are no third-party analytics scripts, no Google Tag Manager, no Meta Pixel, and no tracking pixels of any kind. If this changes, this policy will be updated before any tracking is enabled.

8. Your Rights (GDPR)

Under the GDPR you have the following rights with respect to your personal data:

Access: Request a copy of all data we hold about you.
Rectification: Correct inaccurate data directly in Settings, or request correction by email.
Erasure: Delete your account and all associated data instantly via Settings → Account → Delete account.
Export / Portability: Download a machine-readable JSON export of your profile, workout history, and progression data directly from Settings — no request needed. You may also contact us for broader GDPR portability rights.
Restriction: Ask us to stop processing your data while a dispute is resolved.
Object: Object to processing based on legitimate interest.

To exercise any right, email support@justfit.cc from the address linked to your account. We will respond within 30 days (or 3 months for complex requests, with notice).

Lodge a complaint

If you believe your rights have not been respected, you have the right to lodge a complaint with the Dutch supervisory authority:

Autoriteit Persoonsgegevens (AP)
autoriteitpersoonsgegevens.nl — +31 70 888 8500

9. Minimum Age

JustFit is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has created an account, contact us at support@justfit.cc and we will delete the data promptly.

10. Changes to This Policy

If we make material changes to this policy, we will update the version number and effective date at the top of this page and provide notice in-app and/or by email where appropriate. For major legal updates, you may be asked to review and accept updated terms/privacy in-app before continuing.

All previous versions of this policy are available on request.

11. Contact

For any privacy-related question, data subject request, or concern:
support@justfit.cc
