Privacy Policy

Last updated: April 22, 2026

1. Who we are

FitFast is a mobile fitness coaching product operated from Cairo, Egypt. In this policy, 'we', 'us', and 'FitFast' refer to the FitFast team. 'You' refers to the person using the app.

For any privacy question, email privacy@fitfast.app. For complaints, you can also contact Egypt's Personal Data Protection Centre under Law 151/2020.

2. What data we collect

Account data — name, email, phone, preferred language, password hash (we never see your plain password). Provided by you at signup.

Health and body data — age, sex, height, weight, target weight, activity level, dietary pattern, allergies, medical conditions, training experience, InBody scans, progress photos, weekly check-in weight and adherence scores. This is 'sensitive personal data' under Egyptian PDPL Article 12 and we process it only with your explicit consent (captured at onboarding).

Billing data — name, email, phone, the payment method you choose, the last 4 digits of your card, and a token issued by Fawaterak. We never store your full card number; that stays with Fawaterak.

App usage data — pages you visit, features you use, errors your device encounters, push token (if you opt into notifications), rough location from your IP address (country and city), device type and browser version.

AI-generated data — the meal plans, workout plans, and coaching insights we produce for you. This is derived from the data above and stored on your account.

3. Why we process it

Contract performance — to deliver the service you paid for (generate plans, track check-ins, process payments, send notifications you opted into).

Explicit consent — for health and body data (Egyptian PDPL Article 12), for push notifications, and for optional analytics. You can withdraw consent at any time from Settings.

Legitimate interest — for fraud prevention, security, and anonymous aggregated analytics that help us improve the product without identifying individual users.

Legal obligation — to keep financial records for 5 years (Egyptian Tax Law 91/2005 and VAT Law 67/2016) and to respond to lawful requests from Egyptian authorities.

4. Who we share data with

We share data only with the sub-processors we need to run the product. Each one is bound by a contract requiring equivalent protection:

Supabase (US region) — hosts our database, authentication, and file storage (progress photos, InBody scans). Encrypted at rest and in transit.

Fawaterak (Egypt) — processes all payments. They see your name, email, phone, and card details; we see only the last 4 digits and a token.

OneSignal (US) — delivers push notifications if you opt in. They receive your push token and notification content (never your email, health data, or payment info).

OpenRouter (US) — routes meal-plan and workout-plan prompts to the AI models we use. They receive the generation inputs (your goal, current weight, dietary pattern, allergies, activity level) anonymised with a client ID — they never receive your name, email, or contact info.

Google Cloud Vision (US) — reads your InBody scan images into structured numbers. Images sent for OCR are not retained by Google beyond the scanning request.

Railway (US) — hosts our backend API (compute only, no primary storage).

Vercel (US) — hosts the web apps (marketing site + client app + admin app).

We do NOT sell your data. We do NOT share it with advertisers or data brokers.

5. International data transfers

Several of our sub-processors are based outside Egypt (Supabase, OneSignal, OpenRouter, Google Cloud Vision, Railway, Vercel — all US-based). Per Egyptian PDPL Article 14, we rely on standard contractual clauses that impose equivalent protection on the recipient.

6. How long we keep data

Account data — while your account is active, plus 30 days after deletion request (to allow recovery).

Health and body data — same as account data.

Progress photos and InBody scans — same as account data.

Billing records — 5 years from the transaction date, as required by Egyptian Tax Law 91/2005 and VAT Law 67/2016. Retained even if you delete your account.

Audit logs of your data-rights requests — 2 years, for compliance accountability under PDPL Article 7.

Anonymised aggregated analytics — retained indefinitely (cannot identify you).

7. Your rights

Under Egyptian PDPL Law 151/2020 (Articles 2, 16–22) and GDPR Articles 15–22, you have the right to: access the data we hold about you, correct inaccuracies, delete your account, download a copy of your data (data portability), object to certain processing, and withdraw consent for optional processing.

All of these are self-serve: Settings → Privacy. If you can't reach these settings (e.g., can't log in), email privacy@fitfast.app and we'll respond within 30 days, as required by PDPL.

8. Age limit

FitFast is for adults 18 years old and over. We don't knowingly collect data from anyone under 18. If you believe a minor has registered, email privacy@fitfast.app and we'll delete the account.

9. Changes to this policy

We update this policy when our practices change. For material changes (new categories of data, new sub-processors, new purposes) we'll notify you by email and in-app at least 14 days before the change takes effect. Minor updates (clearer wording, typos) take effect when posted; the 'Last updated' date at the top tracks this.

10. Contact

Questions: privacy@fitfast.app. Complaints to the regulator: Egypt's Personal Data Protection Centre (established under Law 151/2020, Ministry of Communications and Information Technology).

This document may be updated. The version in effect is the one shown on this page.