365 FIT BODY

Privacy policy

Last updated: 10 May 2026

01 Overview

This privacy policy explains what personal data we process when you use 365 FIT BODY ("the App"), for which purposes, on what legal basis, and which rights you have under the General Data Protection Regulation (GDPR). We process as little data as possible. We do not sell or rent your data.

02 Controller

Controller in the sense of Art. 4 No. 7 GDPR:
[MISSING — Name / Company]
[MISSING — Address]
Email: [MISSING — contact email]

We have not appointed a data protection officer because the legal requirements are not met.

03 What data we process

When you register and use the App, we store:
• Email address, name (for sign-in and personalisation)
• Encrypted password (bcrypt hash; we never see your plain-text password)
• Optional: body weight, height, language preference (for training features and localisation)
• Training data: your custom exercises, training plans, completed sets (reps, weight), cardio entries
• Journal entries: daily water intake
• Subscription status (plan, status, period end; see Payment section)

Legal basis: Art. 6 (1)(b) GDPR (contract performance). To the extent that you enter health data such as body weight, processing is based on your explicit consent under Art. 9 (2)(a) GDPR; you can revoke this at any time by deleting the entries or closing your account.

04 Server logs, cookies & authentication

When you use the App, your browser transmits technically necessary data to our server (IP address, date/time, requested URL, user agent). These logs are used solely for security and stability and are deleted after a maximum of 14 days. Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in stable, secure operation).

For sign-in we use a technically necessary refresh-token cookie (HttpOnly, Secure, SameSite=Lax). This cookie is required to keep you signed in. It is not used for advertising or tracking. The App does not use any third-party analytics tools (no Google Analytics, no Facebook Pixel, no TikTok Pixel).

05 Payment processing (Stripe)

For subscriptions, we use Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. When you subscribe, payment data is processed directly by Stripe. We do not store your card or bank details. From Stripe we receive only the information required to fulfil our contract: Stripe customer ID, Stripe subscription ID, plan, status, period end. Legal basis: Art. 6 (1)(b) GDPR (contract performance). Stripe acts as our processor under Art. 28 GDPR. More info: https://stripe.com/privacy

06 PWA, local storage & service worker

365 FIT BODY is a Progressive Web App. When you save it to your home screen and use it, application files are stored locally in your browser (service worker, IndexedDB, localStorage) so the App loads quickly and partially works offline. This includes: your auth token (for automatic sign-in) and cached exercise/training data for offline display. This data stays on your device. You can clear it at any time via your browser settings or by signing out from the App.

07 Your rights

Under the GDPR you have the following rights in particular:
• Access to data we store about you (Art. 15)
• Rectification of inaccurate data (Art. 16)
• Erasure of your data (Art. 17)
• Restriction of processing (Art. 18)
• Data portability (Art. 20)
• Objection to processing (Art. 21)
• Withdrawal of given consent with effect for the future (Art. 7 (3))

Many of these rights can be exercised directly in the App: change profile data in Settings, delete training and journal entries, close your account via Settings. You also have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR), typically at your place of residence.

08 Retention

We store your data only as long as your account is active or a statutory retention obligation applies (e.g. commercial or tax law). After you close your account, training and journal data is deleted within 30 days. Billing-related data (invoices, Stripe transactions) is retained for up to 10 years where legally required.

09 Security

All transmission is encrypted via HTTPS (TLS). Passwords are stored only as a bcrypt hash. The server is operated in Germany (Hetzner Online GmbH, Nuremberg).

10 Changes to this policy

We update this policy when features or legal requirements change. The current version is always available on this page.