Your privacy matters to us. Vindofit is a health and fitness application, which means some of the information we handle is sensitive. This policy explains, in plain language, what we collect, why, and the control you have over it. It is designed to comply with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
Items shown like [ … ] must be completed with your final legal entity details and reviewed by qualified legal counsel for your operating jurisdictions before going live. This document is a thorough starting point, not a substitute for legal advice.
1. Who we are
The controller responsible for processing your personal data under the GDPR is:
2. Scope of this policy
This policy applies to the Vindofit mobile applications (iOS and Android), our websites at vindofit.com, and our backend services (the "Services"). It does not apply to third-party products, platforms, or websites that we link to or integrate with, which are governed by their own privacy policies.
3. Data we collect
| Category | Examples |
|---|---|
| Account & identity | Name, email address, password (stored only as a salted hash), profile photo, city, date of birth or age range, sex/gender if provided. |
| Health & fitness | Workouts, exercises, sets/reps/weights, running and activity data, steps, heart rate, sleep, energy/calories, body metrics, recovery and streak data. See section 4. |
| Social | Groups, friends, leagues, messages with coaches, shared workout templates, comments and reactions you choose to post. |
| Device & technical | Device model, operating system, app version, language, time zone, IP address, crash logs, and diagnostic identifiers. |
| Usage | Features used, screens viewed, in-app events, and aggregate interaction metrics. |
| Support | Correspondence you send us and the contents of support requests. |
| Billing | Subscription status and transaction identifiers. Payments are processed by Apple App Store or Google Play; we do not receive or store your full card details. |
4. Health & fitness data — special category
Health and fitness data is treated as a special category of personal data under Article 9 GDPR and is given heightened protection. We process it only on the basis of your explicit consent, which you give when you connect a health source or enable a feature, and which you can withdraw at any time.
Where you grant permission, Vindofit reads data from Apple Health and Google Health Connect strictly to power the features you use (for example, displaying your activity, calculating recovery, or syncing workouts). We request the narrowest set of data types necessary.
Health and fitness data obtained from Apple Health or Google Health Connect is used only to provide app functionality to you. It is not used for advertising, not sold, and not shared with data brokers, consistent with Apple and Google platform requirements.
5. How we obtain your data
- Directly from you — when you create an account, log workouts, message a coach, or contact support.
- Automatically — through your use of the app, including device and usage data.
- From platform health stores — Apple Health and Google Health Connect, only with your explicit permission.
- From app stores — subscription and purchase status from Apple and Google.
6. Why we use your data
- To provide, operate, and personalise the Services and your training experience.
- To sync, store, and display your workouts, health metrics, and progress.
- To enable social features you opt into (groups, leagues, coaching).
- To maintain security, prevent fraud and abuse, and debug issues.
- To communicate with you about service updates and support.
- To comply with legal obligations and enforce our terms.
- To analyse, in aggregated or pseudonymised form, how the app is used so we can improve it.
7. Legal bases for processing
| Processing | Legal basis (GDPR) |
|---|---|
| Providing the core app and account | Performance of a contract — Art. 6(1)(b) |
| Health & fitness data | Explicit consent — Art. 9(2)(a) & Art. 6(1)(a) |
| Security, fraud prevention, product improvement | Legitimate interests — Art. 6(1)(f) |
| Service emails & legal compliance | Legal obligation / legitimate interest — Art. 6(1)(c)/(f) |
| Optional analytics & marketing | Consent — Art. 6(1)(a) |
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
8. Sharing & recipients
We share personal data only as described here:
- Other users — content you choose to make visible (profile, group activity, messages to coaches).
- Service providers — processors acting on our instructions (section 9).
- App stores & payment platforms — Apple and Google, for distribution and billing.
- Legal & safety — authorities or third parties where required by law, to enforce our terms, or to protect rights and safety.
- Business transfers — in connection with a merger, acquisition, or asset sale, subject to this policy.
We do not sell your personal data.
9. Service providers (processors)
We use carefully selected providers under data processing agreements that meet Article 28 GDPR. These may include cloud hosting and database providers, crash reporting and analytics, authentication and push-notification infrastructure (e.g. Google Firebase), and customer support tools. A current list is available on request at [privacy contact email].
10. International data transfers
Where data is transferred outside the European Economic Area, we rely on appropriate safeguards under Chapter V GDPR — typically the European Commission's Standard Contractual Clauses and, where applicable, adequacy decisions. You may request a copy of the relevant safeguards.
11. How long we keep data
We keep personal data only as long as necessary for the purposes set out above. Account and health data are retained while your account is active and deleted (or anonymised) within a reasonable period after account closure, unless a longer period is required to comply with legal obligations, resolve disputes, or enforce agreements. You can delete your account at any time from within the app or by contacting us.
12. Security
We apply appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), passwords stored only as salted hashes, access controls, and least-privilege practices. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work continuously to protect your information and will notify you and the competent supervisory authority of a personal data breach where legally required.
13. Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict or object to certain processing;
- Data portability — receive your data in a structured, machine-readable format;
- Withdraw consent at any time where processing is based on consent;
- Lodge a complaint with a supervisory authority.
To exercise any right, email [privacy contact email]. We respond within the statutory time limit (generally one month). You also have the right to complain to the Austrian Data Protection Authority (Österreichische Datenschutzbehörde, dsb.gv.at) or your local authority.
14. Children
Vindofit is not directed to children under 16. We do not knowingly collect personal data from anyone under 16 (or the higher minimum age set by your country). If you believe a child has provided us data, contact us and we will delete it.
15. Cookies & our website
Our marketing and legal web pages may use strictly necessary cookies and, with your consent, analytics cookies. The mobile app does not use advertising cookies. Where consent is required, we ask for it via a cookie banner and honour your choices.
16. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you based solely on automated processing. Personalised training insights are suggestions only and do not constitute such decisions.
17. Changes to this policy
We may update this policy to reflect changes in our practices or the law. We will post the updated version here with a new effective date and, for material changes, provide notice in the app. Continued use after an update constitutes acceptance of the revised policy.