FitRoutine
Privacy Policy
Last updated
This Privacy Policy explains how Zawilab, operated by Zawaar Abbas from Barcelona, Spain, collects, uses, and protects your personal data when you use FitRoutine. We are the data controller for the personal data described below, and we process it in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Spanish Organic Law on Personal Data Protection (LOPDGDD).
1. Information We Collect
We collect only the information needed to operate FitRoutine and to support you. Categories include:
Account data
- email address, display name, and a securely hashed password (when you create an account);
- authentication identifiers issued by third-party sign-in providers (e.g. Sign in with Apple, Google) if you choose to use them;
- account preferences (units, locale, theme).
Workout data
- routines, exercises, sets, reps, weights, RIR, rest timers, personal records, and notes you log;
- optional body metrics (weight, measurements) and progress photos you choose to attach;
- workout templates and saved splits you create.
Device and technical data
- device model, operating system version, app version, language and region settings;
- anonymised installation identifiers used for crash reporting;
- approximate, coarse-level region inferred from device locale (we do not collect precise location).
Usage data
If you opt in to anonymised analytics, we collect aggregated event data about which screens are used and which features are most common. This data does not identify you personally.
Support correspondence
If you contact us, we receive your email address and the content of your message so we can reply.
2. How We Use Your Information
We process your personal data on the following lawful bases under GDPR Article 6:
Performance of a contract (Art. 6(1)(b))
Operating account features, syncing your workout data across your devices, providing the workout-tracking and progress features you signed up for.
Legitimate interests (Art. 6(1)(f))
Diagnosing and fixing bugs, securing the App against fraud and abuse, and conducting limited internal research to improve features. We balance these interests against your rights and freedoms; you can object at any time (see "Your Rights" below).
Consent (Art. 6(1)(a))
Optional analytics and any future marketing emails. Consent is requested via clear in-app prompts and can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
Legal obligation (Art. 6(1)(c))
Retaining records to comply with tax, accounting, or other legal obligations, and responding to lawful requests from public authorities.
3. Data Storage and Security
Account credentials and synced workout data are stored using Google Firebase (Cloud Firestore for data, Firebase Authentication for credentials, and Firebase Crashlytics for crash diagnostics). Firebase is operated for European users by Google Ireland Limited; data centres serving European users are located inside the European Economic Area.
Security measures include:
- encryption in transit using TLS 1.2 or higher;
- encryption at rest on Firebase storage;
- least-privilege access controls; only Zawaar Abbas has production-level access, behind multi-factor authentication;
- periodic credential rotation and access auditing;
- automated daily backups, retained for 30 days.
No system is perfectly secure. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the Spanish supervisory authority (AEPD) within 72 hours and notify affected users without undue delay, as required by GDPR Articles 33 and 34.
4. Third-Party Services
We rely on a small number of carefully selected sub-processors, each acting under a Data Processing Agreement (DPA) consistent with GDPR Article 28:
Google Firebase
Provider: Google Ireland Limited. Purposes: authentication, cloud database, crash reporting, optional analytics. Data processed: account credentials, workout data, anonymised device identifiers. Privacy information: firebase.google.com/support/privacy.
App distribution platforms
Apple App Store (Apple Distribution International Ltd.) and Google Play (Google Ireland Limited) handle download, payment, and subscription management. Their privacy practices apply to data they collect directly through their stores, and we receive only aggregated, non-identifying purchase reports from them.
What we do not do
We do not sell, rent, or trade your personal data. We do not share your data with advertising networks or data brokers. We do not use your workout data to train machine-learning models.
5. Your Rights Under GDPR
As a data subject, you have the rights set out in Articles 15–22 of the GDPR:
- Right of access (Art. 15): request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): ask us to correct inaccurate or incomplete data.
- Right to erasure / "to be forgotten" (Art. 17): ask us to delete your data, subject to legal retention exceptions.
- Right to restriction (Art. 18): ask us to limit processing in certain cases (e.g. while accuracy is being verified).
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format (we provide JSON export) and transmit it to another controller.
- Right to object (Art. 21): object to processing based on legitimate interests. We will stop unless we can show compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3)): withdraw previously given consent at any time. This does not affect the lawfulness of processing before the withdrawal.
- Right not to be subject to automated decision-making (Art. 22): we do not make decisions about you that produce legal effects using solely automated means.
- Right to lodge a complaint with a supervisory authority. In Spain, this is the Agencia Española de Protección de Datos at www.aepd.es. You may also complain to the authority of your usual residence or place of work.
To exercise any of these rights, email zawilabcontact@gmail.com with the subject "GDPR request". We will respond within one month of receipt, as required by Article 12(3); for complex requests, we may extend this by a further two months and will inform you of the extension.
6. Data Retention
We keep personal data only as long as necessary for the purposes for which it was collected, or to meet legal obligations.
- Account & workout data: Until you delete your account. Permanent removal happens within 30 days of the deletion request.
- Backups: Up to 60 days after deletion, after which automated backups expire.
- Support correspondence: Up to 24 months from the last reply, unless a longer period is required by law.
- Crash and diagnostic logs: 90 days, then automatically deleted.
- Tax / accounting records related to purchases: Up to 6 years, where required under Spanish tax law (Ley General Tributaria).
You can request earlier deletion at any time by emailing zawilabcontact@gmail.com.
7. Children's Privacy
FitRoutine is not directed at children under 13 years old, and we do not knowingly collect personal data from anyone under that age.
In some EU member states, the digital age of consent under GDPR Article 8 is higher (up to 16). In Spain, the digital age of consent is 14. Where the user is under the applicable age, the parent or legal guardian must give or authorise consent on the user's behalf.
If you believe a child has provided us with personal data without the necessary consent, please contact zawilabcontact@gmail.com and we will delete the data without undue delay.
9. Changes to This Policy
We may update this Policy as the App evolves or as the law changes. When we do:
- we will update the "Last updated" date at the top of this page;
- for material changes that affect how we process your personal data, we will provide an in-app notice and, where the change relies on consent, ask you to re-consent;
- previous versions are available on request from zawilabcontact@gmail.com.
10. Contact Information and Data Controller
The data controller responsible for your personal data under the GDPR is:
- Controller: Zawilab, Zawaar Abbas
- Address: Barcelona, Spain
- Email: zawilabcontact@gmail.com
We have not appointed a Data Protection Officer because the scale and nature of our processing does not require one under GDPR Article 37(1). All data-protection enquiries are handled personally by Zawaar Abbas; please use the subject line "GDPR request" so we can prioritise your message.
For questions about the Terms of Service, see our Terms of Service.