Privacy Policy

For Trainers, Clients & Visitors · Version 1.0

Effective Date: March 2025

1. Introduction & Who We Are

Welcome to FitCard. This Privacy Policy explains how FitCard ("Get Your Business Booming LLC", "FitCard", "we", "us", or "our") collects, uses, discloses, and safeguards your personal data when you use our platform at fitcard.co and any associated subdomains (collectively, the "Platform").

FitCard is the data controller for personal data collected directly from trainers and visitors to our Platform. Where FitCard processes personal data on behalf of a Trainer (such as their clients' booking and progress data), FitCard acts as a data processor and the Trainer is the data controller.

Data Protection contact: privacy@fitcard.co

2. Definitions

Trainer: A professional personal trainer who has registered for and uses the FitCard Platform.

Client: An individual who books, pays for, or receives personal training services from a Trainer through the Platform.

Visitor: Any person who visits a Trainer's FitCard profile or the FitCard website without logging in.

Health-Adjacent Data: Fitness, biometric, body composition, and progress data that may qualify as health data under Article 9 GDPR.

3. Personal Data We Collect

From Trainers: Identity data (name, photo, qualifications, bio), contact data (email, phone, social links), account data, financial data via Stripe Connect, business data (session types, pricing, availability), and usage analytics.

From Clients: Name, email, booking data, payment references, communication preferences, and device data for push notifications.

Health-Adjacent Data: Body metrics, progress photos, and training notes are only processed with the Client's explicit, separate consent. Trainers must not record health-adjacent data until the Client has completed the FitCard consent flow.

Automatically: IP address, browser type, device identifiers, pages visited, and cookie data.

4. How We Use Your Data

We use your data to: provide and operate the Platform; process bookings and payments; deliver session reminders via our four-channel notification cascade; host Trainer profile cards; generate QR codes and shareable links; monitor security and fraud; send transactional and service communications; and improve the Platform via anonymised analytics.

We do not sell your personal data.

5. Data Sharing

We share data only with trusted sub-processors (Supabase, Vercel, Stripe, Resend, Twilio, OneSignal, Google FCM, Sentry) under data processing agreements. We may disclose data when required by law, with professional advisers under confidentiality, or with your express consent.

6. International Transfers

Some sub-processors are outside the UK and EEA. We ensure appropriate safeguards including Standard Contractual Clauses (SCCs) and the UK International Data Transfer Agreement (IDTA).

7. Data Retention

Trainer account data: duration of subscription + 2 years. Client booking & payment data: 6 years. Health-adjacent data: until consent withdrawn or account deletion. Notification logs: 12 months. Deleted account data: 30-day recovery window before hard deletion.

8. Your Data Subject Rights (GDPR)

You have the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object, and the right to withdraw consent. You may request a data export (CSV or JSON) or erasure via your dashboard or by contacting privacy@fitcard.co. We respond within 30 days (extendable to 60 days for complex requests). Erasure requests are processed within 72 hours; where the request covers a whole account, the deleted account data then passes through the 30-day recovery window described in Section 7 before it is hard-deleted.

You may lodge a complaint with your local supervisory authority (e.g. ICO in the UK).

9. FitCard as Data Processor

When Trainers use FitCard to manage Client data, the Trainer is the data controller and FitCard is the processor. Our Data Processing Agreement (DPA) forms Schedule A to our Terms of Service. Trainers must obtain valid consent from Clients and provide appropriate privacy notices.

10. Security

We implement Row-Level Security on our database, encryption in transit (TLS 1.2 or higher) and at rest (AES-256), magic-link authentication, least-privilege access, error and exception monitoring via Sentry, and documented breach notification procedures (reporting to the relevant supervisory authorities within 72 hours of becoming aware of a breach).

11. Cookies

We use strictly necessary cookies (session, CSRF), analytics cookies (with consent), and preference cookies. You may withdraw cookie consent at any time via the cookie settings in the footer.

12. Children's Privacy

The Platform is not directed at children under 16 (or 18 where applicable). We do not knowingly collect data from children. If you believe we have, contact privacy@fitcard.co and we will delete it.

13. Changes

We may update this Policy. Material changes will be notified to Trainers by email at least 14 days before taking effect. Continued use constitutes acceptance.

14. Contact

For privacy requests or questions: privacy@fitcard.co

Get Your Business Booming LLC · We aim to respond within 5 business days.