Privacy Policy
How FitCONNECT protects your personal data
FitCONNECT places the highest importance on protecting the personal data of its Users. This Privacy Policy describes, in a transparent manner, what data we collect, why we collect it, who can access it, how long we retain it, and what rights you have. It applies to any use of the FitCONNECT Platform and complements the Terms and Conditions of Use.
1. Our commitment
FitCONNECT undertakes to process your personal data fairly, transparently, and securely, in strict compliance with Tunisian law and, where applicable, with the General Data Protection Regulation (GDPR) of the European Union.
2. Data controller
The controller of your personal data within the meaning of Law 2004-63 and the GDPR is FitCONNECT, headquartered in Tunisia.
- Name: FitCONNECT
- Country of establishment: Tunisia
- General email: info@fitconnect-tn.com
- Email dedicated to data protection: legal@fitconnect-tn.com
3. Legal framework
The processing operations described in this Policy are governed by:
- Tunisian Law No. 2004-63 of 27 July 2004 on the protection of personal data and its implementing texts;
- Law No. 2017-7 of 25 January 2017 on cybersecurity;
- Regulation (EU) 2016/679 (GDPR) when the User resides in the European Union;
- any other mandatory provision applicable to data protection.
4. Categories of data collected
4.1 Data provided directly by the User
- Identity: first name, last name, username, email address, password (stored only in hashed form), phone number (optional).
- Civil status: date of birth (used to verify legal age), gender.
- Location: city and country of residence as declared.
- Sports profile: height, weight, favorite sports, declared goals.
- Profile picture and any photo or video published voluntarily (stories, posts).
4.2 Data generated by use of the Service
- Connection data: IP address, device type, device identifier, operating system, device language, date and time of connection.
- Usage data: pages viewed, features used, application events, push notification tokens (Firebase).
- Activity data: bookings, participations, messages exchanged with other Users and with Partners. Messages are stored in clear text on our servers and are not end-to-end encrypted; they are therefore readable by authorized FitCONNECT staff, subject to the access controls described in Section 11, and may be produced to a competent authority where the law requires it.
- Payment data: amounts, currency, payment-provider transaction identifier, status, date. No bank-card data (full number, CVV, expiration date) is stored by FitCONNECT — this data remains with the payment provider.
4.3 Inferred data
- Subscription tier (Free, Silver, Gold), subscription history.
- Sports preferences inferred from your activity on the Platform.
- Aggregated and anonymized statistics on Platform usage.
5. Purposes and legal bases
In accordance with Article 6 of the GDPR and Tunisian law, each processing operation is based on a specific legal basis:
Performance of the contract
- Creation and management of the User account.
- Connection with Partners, management of bookings and messages.
- Processing of payments and issuance of receipts.
- Provision of subscribed features (Silver, Gold).
Legitimate interest
- Platform security, prevention of fraud and abuse.
- Improvement and optimization of the Service (anonymized usage statistics).
- Response to support requests.
- Defense of FitCONNECT's rights in case of dispute.
Consent
- Sending of promotional or editorial push notifications.
- Marketing communications by email.
- Use of features based on artificial intelligence (generation of personalized plans).
Legal obligation
- Retention of invoices and proofs of payment (10 years, Tunisian Commercial Code).
- Response to requests from competent Tunisian authorities.
- Data-breach notification obligations.
6. Recipients and processors
Your data is processed by authorized FitCONNECT staff and, to the extent strictly necessary to provide the Service, by the following technical processors. All our processors are contractually bound to respect the confidentiality and security of your data.
List of processors and recipients
- PayPal (Luxembourg / international) — processing of card and PayPal-account payments. Data shared: internal identifier, amount, currency, billing email. No bank-card data passes through our servers.
- Hostinger (Lithuania / European Union) — provision of SMTP servers used to send transactional emails (account verification, password reset, booking notifications, invoices).
- Google LLC (United States), via Firebase Cloud Messaging — delivery of push notifications to your device. Data shared: device token, content of the notification.
- Google LLC (United States), via Google Cloud Storage — secure hosting of images, videos, and files published (notably stories). Files are stored in a bucket dedicated to FitCONNECT.
- Google reCAPTCHA (United States) — protection against bots and automated attacks during sensitive actions (sign-up, login).
- OpenAI (United States) — only when you use the AI Coach or the personalized-plan generator. Data sent: sports goals, level, training history, and preferences provided by you, without direct identifiers (email, name). Data is transmitted to generate a response and is not used by OpenAI to train its models in the context of our integration.
- Third-party authentication providers (Google, Apple, Facebook) — only when you choose to sign up or log in via one of these providers. Data received depending on the scope you authorize (typically: name, email, unique provider identifier).
7. International transfers
Some of our processors (notably Google and OpenAI) are established in the United States. Data transfers to these countries are carried out under appropriate safeguards within the meaning of the GDPR, in particular Standard Contractual Clauses adopted by the European Commission, or equivalent mechanisms (for example, the Data Privacy Framework where the processor is certified).
You may obtain a copy of the applicable safeguards by sending your request to legal@fitconnect-tn.com.
8. Our internal security commitment
We do not sell, rent, or transmit your data to third parties for commercial or advertising purposes. Transmission to a third party may only occur in the following cases:
- when it is necessary for the performance of the contract (for example, transmission of a booking to a Partner);
- when it is required by law or by a competent authority;
- with your explicit and prior consent.
9. Retention periods
Your data is retained for the duration necessary to fulfill the purposes described above:
- Active-account data: as long as your account is open.
- Grace period after deletion request: 30 days, during which you may cancel the deletion by logging back in.
- After final deletion: your personal identifiers (name, email, phone) are erased or anonymized.
- Accounting data and invoices: 10 years from the end of the relevant fiscal year, in application of the Tunisian Commercial Code.
- Logs of acceptance of legal terms (legal_acceptances): retained in pseudonymized form as proof of acceptance, for the applicable limitation period.
- Security logs and administrative-audit logs: 12 months as a general rule, up to 10 years in case of an ongoing dispute, investigation, or proceeding.
- Accounts inactive for more than 24 months: may be deleted or anonymized after prior notification to your email address.
10. Minors
The Platform is strictly reserved for persons of legal age (≥ 18 years). We do not knowingly collect minors' data. If we discover that an account has been created by a minor, we block it immediately and delete the associated data as soon as possible.
11. Security
FitCONNECT implements reasonable technical and organizational measures to protect your data against destruction, loss, alteration, disclosure, or unauthorized access. These measures notably include:
- encryption of communications via TLS (HTTPS);
- storage of passwords in hashed form (bcrypt);
- authentication using secure tokens (Laravel Sanctum);
- rate-limiting of login attempts (anti-brute-force);
- logging of IP addresses and sensitive actions;
- regular database backups;
- strict access controls for team members handling data.
In the event of a data breach likely to result in a risk to the rights and freedoms of the persons concerned, FitCONNECT undertakes to notify the competent authority (INPDP in Tunisia, and where applicable the competent European supervisory authority) within 72 hours of becoming aware of the breach, and to inform the Users concerned without undue delay, in accordance with Articles 33 and 34 of the GDPR.
12. Your rights
In accordance with Law 2004-63 and, where applicable, with Articles 15 to 22 of the GDPR, you have the following rights over your personal data:
- Right of access: obtain a copy of the data concerning you.
- Right of rectification: correct any inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): see Article 13 of the Terms and the "Delete my account" function in the application.
- Right to restriction of processing.
- Right to object to a processing operation based on legitimate interest.
- Right to data portability: upon request sent to legal@fitconnect-tn.com, we will transmit a copy of your data in a structured, commonly used, machine-readable format. This portability is currently performed upon email request and is not, to date, available as a self-service option in the application.
- Right to withdraw your consent at any time (without retroactive effect).
- Right to lodge a complaint with the National Authority for the Protection of Personal Data (INPDP, Tunisia) or, if you reside in the European Union, with the competent supervisory authority of your country of residence.
To exercise any of these rights, contact us at legal@fitconnect-tn.com. We may ask you for proof of identity in order to avoid any disclosure of your data to an unauthorized third party. We endeavor to respond within one month of receiving the request, extendable by two months in case of particular complexity.
13. Cookies and similar technologies
The FitCONNECT mobile application does not use cookies in the classical sense. However, it uses local storage spaces (SharedPreferences, cache) in order to:
- preserve your session and your authentication token;
- remember your preferences (language, theme);
- temporarily store viewed content in order to reduce data consumption and improve performance.
The associated website, when consulted, only uses technical cookies strictly necessary for the session, set with the Secure and HttpOnly attributes.
14. Modifications to this Policy
This Privacy Policy may be updated to reflect changes in the Service, in legislation, or in our practices. Any substantial modification triggers a re-acceptance mechanism: you will be invited to take note of and expressly accept the new Policy at your next login. The version in force is always accessible from the application.
15. Contact
For any question relating to this Privacy Policy or to the exercise of your rights:
- Email dedicated to data protection: legal@fitconnect-tn.com
- General email: info@fitconnect-tn.com