Legal

Fitzenia Privacy Policy

Effective date: May 5, 2026

Last updated: May 5, 2026

Controller: Javier Mejia, sole proprietor (Einzelunternehmen) trading as Zenthek, Berlin, Germany

Contact: support@fitzenia.com

1. At-a-Glance Summary

This summary highlights the most important points. It is informational only and does not replace the full Policy below.

What we collect: account and profile data, your nutrition and fitness logs, weight, body-composition entries, food and progress photos you choose to upload, AI prompts and outputs you generate, billing status from your app store, diagnostics, analytics, and (once enabled) advertising identifiers.
Why: to operate the app, keep your data in sync across your devices, deliver AI-assisted features, prevent abuse, comply with the law, and (in the future) show you advertising.
Where it lives: primarily on your device and on Supabase infrastructure hosted in the European Union. Some sub-processors operate from the United States under appropriate transfer safeguards.
Who we share it with: the sub-processors listed in Section 13. We do not sell or share your data for monetary consideration today; once Google AdMob personalized advertising is enabled, that activity will trigger "sale" and "share" disclosures under U.S. state laws and you will be able to opt out.
How long: we keep your account data while your account exists and delete it immediately when you ask us to via Settings → Delete Account. See Section 20.
Your rights: access, correction, deletion, portability, objection, opt-out of targeted ads, and the right to lodge a complaint. See Section 29.
Contact: support@fitzenia.com.

2. About This Privacy Policy

This Privacy Policy ("Policy") explains how we collect, use, share, store, and protect personal data when you use the Fitzenia mobile applications, the Fitzenia websites at fitzenia.com, our customer support channels, and any connected services we provide (together, the "Service").

This Policy applies in addition to the in-app permission prompts and consent banners you see when you first use a feature (for example, camera access, photo-library access, Health Connect or HealthKit authorization, or the consent banner shown to users in the European Economic Area, the United Kingdom, and Switzerland for advertising). Where those prompts conflict with this Policy on a specific point, the prompt and the choice you make there control for that feature.

This Policy also applies in addition to the Fitzenia Terms and Conditions. Capitalized terms not defined here have the meaning given in the Terms.

Throughout this Policy we distinguish between processing that is currently active and processing that is planned and only used if and when enabled. Sections that describe planned processing are marked accordingly.

3. Who Controls Your Data (Controller Identity)

The data controller for the Service is:

Name: Javier Mejia, sole proprietor (Einzelunternehmen) operating under the trade name "Zenthek".
Postal address: Badstr. 35, Berlin, Deutschland 13357, Germany.
Country of establishment: Germany (European Union).
Email: support@fitzenia.com.

Because the controller is established in the European Union, the controller is not required to designate an Article 27 representative for the EU/EEA. We do not currently process the personal data of UK residents at a scale that requires a UK Article 27 representative; if that changes, we will appoint one and update this Policy.

We have not designated a Data Protection Officer because our processing does not meet the thresholds in GDPR Art. 37(1). You may direct any data-protection question to the email address above.

4. Who This Service Is For

Fitzenia is intended for users aged 16 and older. The Service is not directed to children under 13, and we do not knowingly collect personal data from children under 13.

If we become aware that we have collected personal data from a child under 13 without legally sufficient parental consent, we will take reasonable steps to delete it. Parents and guardians who believe their child has provided personal data to us may contact support@fitzenia.com.

Where applicable U.S. state law requires opt-in consent before "selling" or "sharing" the personal data of users between 13 and 16 (for example, the California Consumer Privacy Act), we will not enable that processing for those users without their opt-in consent or, where required, the consent of a parent or guardian. See Section 28 for details.

5. Categories of Personal Data We Process

Depending on how you use the Service, we may process the following categories of personal data:

Account and authentication data: email address, login credentials (hashed at the auth provider), authentication tokens, account IDs, sign-in metadata for email and password sign-in, Google Sign-In, and Sign in with Apple.
Profile and onboarding data: display name, email, date of birth, sex, height, weight, fitness goal, pace preference, body-fat estimate, activity level, exercise frequency, lifting experience, protein preference, and calorie targets.
Nutrition and fitness log data: diary entries (food and meal logs), custom foods, custom meals, recent searches, barcode lookups, ingredient breakdowns, notes you provide, and weight history.
Health-platform data: steps, calories burned, exercise records, weight, and body-composition data we read or write through Apple Health / HealthKit or Android Health Connect when you authorize the connection.
Photos and media: food photos you capture or upload for AI-assisted analysis; progress photos you choose to save; metadata such as image dimensions and a pose label you select.
AI prompts, inputs, and outputs: the text or image you submit to an AI feature, the contextual data we attach (for example, your meal title or current macro context), and the AI-generated response we return for your review.
Billing and subscription metadata: RevenueCat customer ID, app-store transaction identifiers, subscription status, entitlement state, plan, renewal/expiration timestamps, and country of purchase. We do not receive or store payment card numbers, bank details, or other payment instrument data — those are handled exclusively by Apple and Google.
Device, network, and diagnostics data: device model, operating system version, app version, crash reports, technical diagnostics, language and locale, network type, time-zone offset, IP address (truncated where possible), and unique device or installation identifiers.
Analytics and usage data: events such as screen views, feature interactions, retention cohorts, and aggregated usage metrics produced by Firebase Analytics on both Android and iOS once enabled (see Section 16).
Advertising identifiers and ad-event data: the Google Advertising ID (Android), the Identifier for Advertisers (iOS, when not reset to zero), ad impressions, clicks, and limited contextual signals collected by the Google Mobile Ads SDK / AdMob when this functionality is enabled in a future release. See Section 15.
Inferences and segment data: derived signals such as the body-composition estimates we calculate from your inputs, AI insight summaries, and (once advertising is live) interest segments inferred by Google's advertising systems.
Support and communications: the messages you send to us, attachments, and the related correspondence record.

Some of the data above — in particular health, nutrition, body-composition, weight, and image data — may be treated as sensitive, special-category, or consumer health data under applicable law. See Section 7 and Section 27.

6. Sources of Personal Data

We collect personal data from the following sources:

Directly from you when you create an account, complete onboarding, log a meal or weight entry, send us a message, or upload a photo.
Automatically from your device when you use the app — for example, crash logs, technical diagnostics, anonymized usage events, and app-store subscription state.
From identity providers when you sign in with Google or Apple — we receive a unique account identifier, your email, and the basic profile fields those providers expose.
From health platforms — if you authorize the integration, we read selected nutrition, exercise, weight, and body-composition records from Apple Health / HealthKit or Android Health Connect, and we write back the records you ask us to.
From the app stores — Apple App Store and Google Play, via RevenueCat, deliver receipts, subscription state, and the country code of the purchase.
From advertising and analytics SDKs — once Firebase Analytics and Google AdMob are enabled, those SDKs generate diagnostic and ad-related signals that we receive in dashboards.
From third-party food data sources (USDA FoodData Central, Open Food Facts) — this is product information about foods, not personal data about you, but our queries to those sources may include limited request metadata.

7. Sensitive and Special-Category Data

Fitzenia processes information that relates to your health, wellness, nutrition, body composition, exercise habits, and physical progress. This includes body-fat estimates, calorie targets, food logs, weight history, health-platform records, and photos tied to those features.

We treat this information as special-category data under Article 9 GDPR / UK GDPR and as sensitive personal information under U.S. state laws such as the CCPA/CPRA. We process it on the basis of your explicit consent, given by your decision to use the relevant feature, enable the relevant integration, or upload the relevant content. You can withdraw that consent at any time by disabling the feature, revoking the platform permission, or deleting your data via in-app controls or by contacting us.

We process this data only for the Service's core fitness, tracking, personalization, sync, safety, and support purposes described in this Policy. We do not use special-category data for advertising. We do not use progress-photo or body-fat simulation data as biometric identifiers, and we do not perform biometric identification on it.

8. Legal Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on the following legal bases:

Performance of a contract (Art. 6(1)(b)) — to provide the account, sync, and core tracking features you request.
Consent (Art. 6(1)(a) and Art. 9(2)(a)) — for health-platform connections, AI features, progress photos, push notifications where required, advertising identifiers in the EEA/UK, and other permission-gated processing.
Legitimate interests (Art. 6(1)(f)) — for security, abuse prevention, debugging, diagnostics, internal analytics that do not rely on advertising identifiers, fraud prevention, and improving the Service. Where we rely on legitimate interests, we have balanced our interests against your rights and you may object at any time.
Compliance with a legal obligation (Art. 6(1)(c)) — for retention of billing records under tax law, responding to lawful requests, and complying with consumer-protection law.
Vital interests (Art. 6(1)(d)) — in narrow situations where processing is necessary to protect a person's life or physical integrity.

Where consent is the legal basis, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.

9. How We Use Your Data (Processing Purposes)

We use personal data for the following purposes:

Account creation and management — to register your account, authenticate you across devices, and manage subscription entitlements. Legal basis: contract.
Nutrition and fitness tracking — to provide diary logging, food search, barcode scanning, custom meals, weight tracking, and adaptive TDEE calculation. Legal basis: contract.
Cross-device synchronization — to keep your data consistent across the devices you sign in on, via Supabase Postgrest and Realtime channels. Legal basis: contract.
Health-platform integration — to read and write nutrition, exercise, weight, and body-composition records when you authorize Apple Health / HealthKit or Android Health Connect. Legal basis: consent.
AI-assisted features — to analyze food photos, generate insight summaries, and (in the future) provide an AI nutrition coach. Legal basis: consent. See Section 10.
Personalization — to compute body-composition estimates, calorie targets, macro splits, and progress narratives. Legal basis: contract and, for some elements, consent.
Service security and abuse prevention — to detect and block fraud, abuse, scraping, account takeover, and policy violations. Legal basis: legitimate interests.
Diagnostics, debugging, and stability — to receive crash reports and technical diagnostics through Firebase Crashlytics. Legal basis: legitimate interests.
Product analytics — to understand which features are used and where users encounter friction, via Firebase Analytics on Android and iOS once enabled. Legal basis: consent in the EEA/UK; legitimate interests in jurisdictions where consent is not required for first-party analytics.
Advertising (planned) — to display ads through Google AdMob in a future release of the app. Legal basis: consent in the EEA/UK; consent or opt-out (depending on the state) in the United States. See Section 15.
Customer support — to respond to your messages and resolve issues. Legal basis: contract and legitimate interests.
Legal and regulatory compliance — to comply with tax, consumer-protection, and law-enforcement obligations and to enforce our Terms. Legal basis: legal obligation and legitimate interests.

10. AI Features and Automated Processing

Some features of the Service rely on artificial intelligence. We separate these features by where the processing happens:

On-device AI (data does not leave your device). The food gatekeeper and person gatekeeper, our depth estimator, and our local insight generator run entirely on your device. On Android they use Google ML Kit and the Gemini Nano runtime exposed by Google AICore. On iOS 26 and later, they use Apple Vision and the Apple Foundation Models framework. The text and images these models see do not leave your device for these on-device steps and we do not receive a copy.
Server-side AI (data is sent to a sub-processor for processing). When you use AI-assisted food-photo analysis or, in the future, the AI nutrition coach, the relevant image and the contextual data you provide are sent to our backend ("Fitzenia-api") and from there to a model provider. Today we use OpenAI and Google Gemini as model providers, depending on the feature. We will update Section 13 if we add or replace a model provider. Inputs and outputs are processed for the purpose of fulfilling your request and are not used to train the providers' general-purpose models, subject to each provider's contract terms.

No solely automated decisions with legal or similarly significant effects. Fitzenia does not use AI or any other automated process to make decisions about you that produce legal effects or similarly significant effects within the meaning of GDPR Art. 22. AI outputs are suggestions for your review and are intended to support, not replace, your judgment. If we ever introduce an automated decision that would fall within Art. 22, we will provide the disclosures and human-review rights that article requires.

Sanitization of AI inputs. User-provided text that we route to a model is escaped to remove control characters, role tags, and triple-quoted blocks before it is added to the prompt. AI outputs are filtered for medical claims, gram prescriptions, URLs, and unsafe imperatives before display. These mitigations are described in our AiPromptInputEscaper and AiInsightResponseSanitizer components.

Local insight cache. AI insights generated on your device are stored on your device only, in a local cache keyed to your account, and are deleted when you sign out.

11. Apple Health, HealthKit, and Android Health Connect

If you authorize the integration, the Service can read and, where supported and authorized by you, write nutrition, exercise, weight, calorie, and body-composition records to and from Apple Health / HealthKit (iOS) or Android Health Connect (Android).

These permissions are entirely optional. If you do not grant them, the related sync features will not be available, but you can still use the rest of the Service.

Data we access from HealthKit or Health Connect is used solely for the integration features described in this Policy. We do not use HealthKit or Health Connect data to advertise to you, and we do not share that data with our advertising or analytics partners. This commitment is required by Apple's HealthKit policy and by Health Connect's developer policy and we honor it on both platforms.

12. Photos and Image Processing

When you choose to use a feature that processes images, the following pipeline applies:

Capture and consent — you trigger the camera or photo picker. iOS shows the system camera and photo-library prompts. Android uses the photo picker and runtime camera permission.
On-device gatekeeping — for AI food scans, our food gatekeeper runs locally and may reject images that do not look like food. For progress photos, our person gatekeeper runs locally and may surface a warning if the image does not appear to contain a person; it never blocks the upload.
Compression — images are compressed on your device to a maximum dimension of 1024 pixels at JPEG quality 75 before any upload, to reduce the data we transmit and store.
Server-side AI analysis (food scans only) — the compressed image and the contextual data you provide are transmitted over TLS to Fitzenia-api and on to the model provider described in Section 10. The result is returned to you for review.
Storage (progress photos and saved AI scans only) — images you choose to save are uploaded to private Supabase Storage buckets named progress-photos and ai-scan-photos. These buckets are private; access is governed by Postgres row-level security so that only your authenticated account can read or write objects under your user prefix.
Local copies — the app keeps a best-effort local cache of images on your device for offline display.
Deletion — deleting a photo from within the app removes the row from our database, the corresponding object from Supabase Storage, and the local copy from your device, in that order, in a single synchronous operation.

We do not use images you upload for advertising and we do not use them to train AI models.

13. Sub-Processors and Third-Party Service Providers

The following providers process personal data on our behalf or in connection with the Service. We update this section when providers change. Transfers outside the EEA/UK are protected by the safeguards described in Section 19.

Provider	Purpose	Categories of data	Country / region	Transfer safeguard
Supabase, Inc.	Authentication, Postgres database, Storage, Realtime sync	Account, profile, nutrition logs, weight, photos, billing metadata	European Union (Frankfurt region) for the Fitzenia project	Intra-EU; Standard Contractual Clauses for any onward US support access
Apple, Inc. — Sign in with Apple	Identity provider for sign-in	Apple account identifier, email (optionally relayed)	United States / global	Apple Data Privacy Framework certification; SCCs
Google LLC — Google Sign-In	Identity provider for sign-in	Google account identifier, email, basic profile	United States / global	EU-US Data Privacy Framework; SCCs
Google LLC — Firebase Crashlytics	Crash reporting and stability diagnostics	Crash stack traces, device model, OS version, app version, anonymized installation ID	United States	EU-US Data Privacy Framework; SCCs
Google LLC — Firebase Analytics (Android and iOS)	Product analytics	Event names, screen views, app/device metadata, anonymized installation ID, app instance ID	United States	EU-US Data Privacy Framework; SCCs; consent in the EEA/UK
Google LLC — Google Mobile Ads SDK / AdMob (planned)	Advertising delivery and measurement	Advertising identifier (AAID/IDFA), ad-event data, IP address, coarse location, contextual app data	United States / global	EU-US Data Privacy Framework; SCCs; CMP-managed consent in the EEA/UK
Google LLC — Gemini API	Server-side AI image analysis and language generation	Images you submit to AI features; prompt text and limited context	United States; EU regions where available	EU-US Data Privacy Framework; SCCs; data-processing terms
OpenAI, L.L.C. (OpenAI)	Server-side AI image analysis and language generation	Images you submit to AI features; prompt text and limited context	United States	SCCs; OpenAI Data Processing Addendum; "no training on API data" terms
RevenueCat, Inc.	Subscription management, entitlement evaluation, billing analytics	RevenueCat customer ID, store transaction identifiers, subscription state, country	United States	EU-US Data Privacy Framework; SCCs
Apple, Inc. — App Store	Payment processing for iOS subscriptions	Transaction identifiers, receipts, country (Apple holds the payment instrument data)	United States / global	Apple's own privacy framework; SCCs where applicable
Google LLC — Google Play Billing	Payment processing for Android subscriptions	Transaction identifiers, receipts, country (Google holds the payment instrument data)	United States / global	EU-US Data Privacy Framework; SCCs
Fitzenia-api (operated by us)	Backend orchestration for food search, barcode lookup, AI image analysis, account operations	Authenticated request data; transit envelope for AI sub-processor calls	European Union	Same controller/processor as the rest of the Service
USDA FoodData Central	Public food-composition data source	No personal data; product/nutrient queries only	United States (public domain)	n/a (public-domain dataset)
Open Food Facts	Open food-composition and barcode data source	No personal data; product/barcode queries only	European Union / global open data	n/a (open data, ODbL-licensed)
AdMob, UMP	Consent capture and signaling for advertising in the EEA, UK, and Switzerland; IAB TCF v2.2 string generation	Consent flags, vendor list version, consent timestamp, app instance ID	SCCs and Data Privacy Framework where applicable

Where a sub-processor is marked "planned", the corresponding processing is not active in the production app today. We will update this Policy and, where required, request renewed consent before activating it.

We do not use Sentry, Mixpanel, Amplitude, PostHog, FatSecret, or Edamam at this time.

14. Food Databases, Attribution, and Source Handling

The Service uses third-party food databases and APIs to support food lookup, nutrition information, and barcode features. The current sources are:

USDA FoodData Central — a public-domain food-composition dataset operated by the U.S. Department of Agriculture.
Open Food Facts — a collaborative open-data food product database. Content is licensed under the Open Database License and remains subject to the attribution and licensing obligations of that license.

If we add commercial food data providers in the future, we intend to access them by API rather than by importing their content into a permanent shared redistributable database, and any per-user caching will be limited to functional caching needed to operate the Service.

We do not claim ownership of third-party food-database content.

15. Advertising and Targeted Advertising (Google AdMob — Planned)

The Service does not display advertising at the time this Policy is published. We are preparing to introduce Google AdMob with personalized advertising in a future release of the app. This section describes how that will work and how to opt out. We will update the effective date of this Policy when AdMob goes live.

What AdMob will receive

When personalized advertising is active and you have granted any required consent or opt-in, the Google Mobile Ads SDK / AdMob may collect or receive:

your Google Advertising ID (Android) or Identifier for Advertisers (iOS, only if you have not enabled "Limit Ad Tracking" or denied App Tracking Transparency);
IP address, coarse location derived from IP, device model, OS version, language, and app version;
ad impressions, clicks, view durations, and limited contextual signals from the ad placement;
interest segments and frequency-capping signals derived by Google's advertising systems.

AdMob does not receive your nutrition logs, weight history, body-composition data, AI prompts, photos, health-platform data, or other Service content.

Consent in the EEA, the United Kingdom, and Switzerland

Before any personalized-advertising signals are collected from users in the EEA, the UK, or Switzerland, the app will display a Consent Management Platform (CMP) banner that complies with the IAB Transparency & Consent Framework (TCF) v2.2 and Google's "EU user consent policy". You will be able to accept, reject, or customize. Rejecting personalized advertising will result in either non-personalized ads or no ads at all, depending on the placement.

App Tracking Transparency on iOS

On iOS, the app will request your permission via Apple's App Tracking Transparency framework before allowing AdMob to use the IDFA for cross-app tracking. If you decline, advertising will be served on a non-tracked, contextual basis only.

"Sale" and "share" disclosure for U.S. state laws

Once personalized AdMob advertising is enabled, our use of advertising identifiers and ad-event data with Google constitutes a "sale" and a "share" for the purposes of the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, and similar U.S. state laws. We do not receive monetary payment from Google for individual identifiers; the legal definition still treats the exchange as a "sale" or "share" because we receive advertising services in return.

You can opt out of this activity at any time. See Section 26 and Section 29 for the methods, including a global opt-out via the Global Privacy Control where required.

What we will never do with advertising identifiers

We will not combine advertising identifiers with health-platform data, AI prompts or outputs, food images, progress photos, weight history, body-composition estimates, or other special-category content for advertising purposes. We will not enable personalized advertising for users we know or believe to be under 16 without their opt-in (or, where required, their parent's consent). We will not share advertising data with data brokers.

16. Analytics, Diagnostics, and Crash Reporting

We use the following first-party analytics and diagnostics tools:

Firebase Crashlytics on Android and iOS — collects crash stack traces, device model, OS version, app version, and an anonymized installation ID. We use this strictly to diagnose and fix bugs.
Firebase Analytics on Android and iOS, once enabled — collects events such as screen views, feature interactions, and aggregated usage metrics. In the EEA/UK we will request consent through the same CMP described in Section 15; outside those regions we rely on legitimate interests where local law permits and on consent or opt-out where it does not.

You can disable analytics at any time from in-app settings. Disabling analytics does not affect crash reporting, which is essential for service stability.

Firebase Analytics' default retention for user-level data is 14 months. We have not changed that default; we may shorten it if your jurisdiction requires.

17. Cookies, SDKs, and Similar Technologies

The Fitzenia mobile apps do not use browser cookies. They do, however, rely on software development kits (SDKs) that create persistent identifiers on your device:

The Firebase SDK creates an anonymous installation ID and an app-instance ID, used for crash and analytics correlation.
The RevenueCat SDK creates a customer ID linked to your Fitzenia account.
The Google Mobile Ads SDK (when active) uses the Google Advertising ID on Android and the IDFA on iOS, subject to your platform settings.

You can reset your Google Advertising ID under Settings → Google → Ads on Android. You can disable IDFA cross-app tracking under Settings → Privacy & Security → Tracking on iOS or by declining the App Tracking Transparency prompt.

The fitzenia.com website uses only essential cookies for navigation and security; it does not use advertising cookies. If we add advertising or analytics cookies to the website in the future, we will update this section and present an appropriate cookie banner.

19. International Data Transfers

The Service is operated from the European Union and our primary data store (Supabase) is hosted in the EU (Frankfurt region) for the Fitzenia project. Some of our sub-processors are established in the United States or other third countries, and your personal data may be transferred to or accessed from those countries.

Where a transfer outside the EEA, the UK, or Switzerland takes place, we rely on one or more of the following safeguards:

Adequacy decisions issued by the European Commission, the UK, or Switzerland for the destination country, where available.
EU-US Data Privacy Framework, UK Extension, and Swiss-US Data Privacy Framework certifications held by Google, Apple, and other certified U.S. providers.
Standard Contractual Clauses (EU SCCs and the UK International Data Transfer Addendum) executed with the relevant provider.
Supplementary measures such as encryption in transit and at rest, pseudonymization where feasible, and contractual restrictions on government-access requests.

You may request a copy of the safeguards we rely on for a specific transfer by emailing support@fitzenia.com.

20. How Long We Keep Your Personal Data

We keep personal data only for as long as necessary for the purposes set out in this Policy and to comply with our legal obligations. Where you ask us to delete your data via Settings → Delete Account, our system performs an immediate cascade deletion across your local device, the Postgres database, the Storage buckets, and our backend caches; no soft-delete grace period is applied.

Data	Retention
Account, authentication, and profile data	Lifetime of the account; deleted immediately on a verified deletion request.
Onboarding, goal, and calorie-target data	Lifetime of the account; deleted immediately on a verified deletion request.
Diary entries, weight logs, custom foods, custom meals, recent searches	Lifetime of the account; deleted immediately on a verified deletion request.
Progress photos and saved AI-scan photos	Lifetime of the account; deleted from Storage and the database immediately on the in-app delete action.
Local AI insight cache	Stored on your device only; cleared automatically on sign-out.
Crash reports (Firebase Crashlytics)	Up to 90 days at the provider's default; aggregated diagnostics may be retained longer.
Analytics events (Firebase Analytics)	Up to 14 months at the provider's default for user-level data.
Billing and subscription records (RevenueCat, Apple, Google)	Retained for the period required by tax and accounting law (in Germany, generally up to 10 years).
Support correspondence	For as long as needed to resolve your request and a reasonable period thereafter for audit and legal purposes.
Operational backups	Rolling 30-day backups; deleted records are tombstoned and purged from backups when the backup expires.

Where law requires us to keep specific categories of data longer (for example, tax law for billing records), we will keep them for the legally required period and then delete them.

21. Security Measures

We use administrative, organizational, and technical measures designed to protect personal data, including:

encryption in transit (TLS) for all network connections;
encryption at rest at our infrastructure providers;
private Supabase Storage buckets and Postgres row-level security so that authenticated users can access only data tied to their own account;
per-user content scoping in our APIs and database;
secret-management practices that keep API keys for AI providers and other services on the server side, never on the client;
regular updates to dependencies and review of security advisories.

No method of transmission, storage, or security control is guaranteed to be completely secure. We cannot guarantee absolute security, but we work in good faith to maintain reasonable, defensible safeguards proportional to the risks of the Service.

22. Your Privacy Rights — Global Baseline

Subject to applicable law and to verification of your identity, you generally have the right to:

Access a copy of the personal data we hold about you.
Correct personal data that is inaccurate or incomplete.
Delete personal data ("right to erasure"), including via the in-app Delete Account feature.
Restrict or object to certain processing.
Port your data in a structured, commonly used, machine-readable format.
Withdraw consent where consent is the legal basis.
Opt out of targeted advertising and the activity that constitutes a "sale" or "share" under U.S. state laws.
Lodge a complaint with a competent supervisory authority.

See Section 29 for how to exercise these rights.

23. Your Privacy Rights — EEA, UK, and Switzerland (GDPR)

Under the GDPR, the UK GDPR, and the Swiss FADP, you have the rights described in Articles 12 to 22 GDPR, including the rights to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), objection (Art. 21), and not to be subject to a solely automated decision with legal or similarly significant effects (Art. 22).

We will respond to a verified request within one month, extendable by up to two further months for complex or numerous requests, with notice. There is no fee unless your request is manifestly unfounded or excessive.

If you believe our processing infringes the GDPR, you may lodge a complaint with the supervisory authority of your habitual residence, your place of work, or where the alleged infringement occurred. The competent authority for our establishment in Berlin is:

Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
Friedrichstr. 219, 10969 Berlin, Germany
www.datenschutz-berlin.de

UK residents may complain to the Information Commissioner's Office (ICO) at ico.org.uk.

24. Your Privacy Rights — United States

If you are a resident of a U.S. state with a comprehensive consumer-privacy law, you have the rights granted by your state's law. The rights vary in detail; the table below summarizes how the most common rights apply to the Service.

State / Law	Right to know / access	Right to delete	Right to correct	Right to portability	Right to opt out of targeted ads / sale / share	Right to appeal
California (CCPA/CPRA)	Yes	Yes	Yes	Yes	Yes — "Do Not Sell or Share" + sensitive PI limit	n/a (regulatory complaint)
Virginia (VCDPA)	Yes	Yes	Yes	Yes	Yes — targeted ads, sale, profiling	Yes
Colorado (CPA)	Yes	Yes	Yes	Yes	Yes — targeted ads, sale, profiling; Universal Opt-Out Mechanism honored	Yes
Connecticut (CTDPA)	Yes	Yes	Yes	Yes	Yes — including via UOOM (e.g. Global Privacy Control)	Yes
Utah (UCPA)	Yes	Yes	No	Yes	Yes — targeted ads, sale	n/a
Texas (TDPSA)	Yes	Yes	Yes	Yes	Yes — targeted ads, sale, profiling	Yes
Oregon (OCPA)	Yes	Yes	Yes	Yes	Yes	Yes
Montana (MTCDPA)	Yes	Yes	Yes	Yes	Yes	Yes
Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island	Yes	Yes	Where granted by law	Yes	Yes — targeted ads, sale (where applicable)	Where granted by law

We will not discriminate against you for exercising any of these rights. We will not deny you the Service, charge you a different price, or provide a different level of quality solely because you exercised a privacy right, except to the extent a difference is permitted by law and reasonably related to the value of the data.

If we deny your request, you may appeal by replying to our response email within a reasonable time. We will provide a written response to your appeal within the timeframe required by your state's law and, if we deny the appeal, identify the appropriate regulator you may contact.

25. California-Specific Disclosures (CCPA / CPRA)

This section provides the disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA").

Categories of personal information we collect

In the past 12 months, we have collected the following CCPA categories:

Identifiers — name, email, account ID, device IDs, IP address, advertising identifiers (when AdMob is active).
Customer-records information — account, profile, and billing-status fields.
Commercial information — subscription state, plan, transaction identifiers (no payment instrument data).
Internet/network activity information — app interactions, screen views, diagnostic events.
Geolocation information — coarse location derived from IP address (no precise location).
Audio, visual, and similar information — food and progress photos you upload.
Inferences — body-composition estimates, AI insight summaries, and (when AdMob is active) advertising interest segments produced by Google.
Sensitive personal information — health, nutrition, weight, and body-composition data; account credentials. We use sensitive personal information only for the purposes permitted under CCPA §7027(m), which include providing the Service you requested, ensuring security and integrity, and short-term, transient use. We do not use sensitive personal information to infer characteristics about you for profiling purposes.

Categories sold or shared

We do not sell or share personal information today. Once Google AdMob personalized advertising is enabled, the categories we will share for cross-context behavioral advertising are: Identifiers (advertising IDs and IP), Internet/network activity information, Geolocation information (coarse), and Inferences (interest segments produced by Google). You may opt out at any time via the methods in Section 26.

Categories disclosed for a business purpose

We disclose the categories above to the sub-processors listed in Section 13 for the business purposes described next to each provider.

Sources, purposes, and retention

See Section 6 (sources), Section 9 (purposes), and Section 20 (retention).

Financial incentives and "Shine the Light"

We do not offer financial incentives or programs that involve the sale of personal information. California's "Shine the Light" law (Civil Code §1798.83) permits California residents to request information about disclosures to third parties for direct-marketing purposes; we do not make such disclosures.

27. Consumer Health Data (Washington MHMDA, Nevada SB 370, Connecticut)

Some of the data we process may qualify as consumer health data under Washington's My Health My Data Act (MHMDA), Nevada's SB 370, and the consumer-health-data provisions of the Connecticut Data Privacy Act. This includes data that identifies your past, present, or future physical or mental health status, including nutrition habits, body composition, weight, exercise activity, and health inferences.

We collect and use that information solely to provide and improve the Service, support authorized health-platform synchronization, personalize features you have enabled, prevent abuse, and (with your separate explicit consent) provide AI-assisted analysis as described in Section 10.

Consent. By using a feature that processes consumer health data (for example, logging weight, syncing with HealthKit/Health Connect, or running an AI food scan), you provide the explicit consent required by MHMDA and similar laws. You may withdraw that consent by disabling the feature, revoking the platform permission, or deleting the data via in-app controls or by contacting us.

No sale of consumer health data. We do not sell consumer health data.

Geofencing. We do not implement geofences around facilities providing health-care services for the purpose of identifying, tracking, or sending notifications to consumers regarding their consumer health data.

HIPAA. Fitzenia is not a HIPAA "covered entity" or "business associate". We do not promise HIPAA-regulated treatment of your data.

Breach notification. If a security incident triggers notice obligations under applicable law (including consumer-health-data breach notification rules), we will notify affected users and authorities as required.

28. Children's Privacy (COPPA + CCPA Under-16)

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13 within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA). If we learn that we have collected personal information from a child under 13 without legally sufficient parental consent, we will take reasonable steps to delete that information.

For users between 13 and 16 (or, where local law sets a higher age, up to that age), we do not "sell" or "share" personal information for cross-context behavioral advertising without affirmative opt-in consent from the user (or, where required, the user's parent or guardian). Once Google AdMob personalized advertising is enabled, our systems will gate that processing accordingly.

Parents and guardians who believe their child has provided personal data to us in violation of applicable law may contact support@fitzenia.com and we will review and act on the request.

29. How to Exercise Your Privacy Rights

You can exercise the rights described in this Policy in any of the following ways:

Email us at support@fitzenia.com with the subject line Privacy Request. Tell us which right you want to exercise and the email address associated with your account.
Delete your account in-app via Settings → Delete Account. This triggers an immediate cascade across your local device, the Postgres database, the Storage buckets, and our backend caches.
Send a Universal Opt-Out signal (e.g. GPC) where supported, to opt out of targeted advertising and "sale/share" for the relevant browser or app instance.
Use platform-level controls to manage advertising identifiers (App Tracking Transparency on iOS, Ads settings on Android).

Authorized agents. If you are in California or another state that recognizes authorized agents, you may have an authorized agent submit a request on your behalf. We may require written authorization and will verify the request.

Verification. Before fulfilling a request, we will take reasonable steps to verify your identity, typically by requiring you to act from the email address associated with your account or to confirm details about your account. We will never charge a fee for a baseline request unless it is manifestly unfounded or excessive.

Response times. We respond to GDPR/UK GDPR requests within one month, extendable as permitted by law. We respond to CCPA/CPRA and similar U.S. state requests within 45 days, extendable by 45 more days with notice.

30. Changes to This Policy, Right to Complain, and Contact

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we update it, we will revise the effective date at the top and, for material changes, provide additional notice in the app, on the website, or by email where appropriate. Changes that require new consent (for example, activating AdMob personalized advertising) will not take effect for you until you have provided that consent.

You can lodge a complaint with the data protection authority of your country or state. EU users may complain to the BlnBDI in Berlin (see Section 23). UK users may complain to the ICO. California users may complain to the California Privacy Protection Agency or the California Attorney General. Other state regulators are listed on each state's official privacy-rights page.

Contact:

Email: support@fitzenia.com
Postal address: Badstr. 35, Berlin, Deutschland 13357, Germany
Controller: Javier Mejia, sole proprietor (Einzelunternehmen) trading as Zenthek