Privacy Policy

Last updated: April 2026

This Privacy Policy explains how KEJ SASU ("we", "us", "KEJ") collects, uses, and protects your personal data when you use the Fitntial mobile application and the website fitntial.tech (together, the "Service").

We comply with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act ("Loi Informatique et Libertés").

1. Data controller

The data controller is:

• KEJ SASU
• Registered office: 229 rue Solférino, 59000 Lille, France
• RCS Lille Métropole 935 394 866
• Represented by Pierre-Emmanuel Digbo, President
• Contact: support@fitntial.com

2. Data we collect

2.1 Account data

When you create an account, we collect:

• Email address, first name, user-chosen display name
• Unique user identifier (UID) generated by Firebase Authentication
• If you sign in with Google: the name, email and profile picture associated with your Google account
• Encrypted password (if you register with email/password — handled by Firebase Authentication)

2.2 Profile & fitness data

To provide you with a personalized experience, you may enter:

• Age, gender, height, weight, body mass index (BMI)
• Fitness goals, experience level, training preferences
• Dietary preferences (vegetarian, vegan, omnivore, allergies)
• Weight history and BMI entries over time

2.3 Activity data

• Completed workouts, exercises performed, sets, weights lifted, durations
• Meals logged, food and calorie intake, custom recipes
• Points earned, badges, challenges completed
• AI-generated programs and nutrition plans (computed locally by our application logic)

2.4 Profile picture

If you upload a profile picture, it is stored in Firebase Storage and associated with your account. You can replace or delete it at any time from the app.

2.5 Health Connect & Samsung Health data (optional)

Fitntial can integrate with Health Connect (Android) and the Samsung Health SDK, but only if you explicitly grant permission in the app. When you do:

• We import data such as step count, active calories, and related activity metrics
• Data is used solely to display it to you, calculate points, and improve personalization within Fitntial
• You can revoke this access at any time from your device settings or from the Fitntial app

2.6 Community & social data

If you use the community features, we process friends lists, friend requests, challenge invitations, and any comments or messages you post. Some of this data is visible to other Fitntial users (see section 2.8).

2.7 Technical data

• Device model, OS version, language, country, time zone
• App version, screen sizes, crash reports (via Firebase Crashlytics)
• Usage events and interactions (via Firebase Analytics), pseudonymised with a Firebase Instance ID
• IP address (short-term, for security and abuse prevention)

2.8 Information visible to other users

Certain features are social by design. The following may be visible to other Fitntial users:

• Your display name and profile picture
• Your points, badges, and position on the leaderboard
• Comments and entries you post on shared challenges

Sensitive data (weight, BMI, meals, exact workouts) is not visible to other users by default.

2.9 Billing data

Subscription payments are processed by Google Play Billing. We do not collect or store your payment card details. We receive from Google Play: your order ID, subscription status (active, cancelled, grace period), and the associated Google account email for invoicing and support.

3. Purposes & legal bases

Under GDPR Article 6, we process your personal data based on the following legal grounds:

Purpose	Data used	Legal basis
Create and manage your account; authenticate you	Email, UID, password, Google Sign-In data	Performance of a contract (Art. 6(1)(b))
Deliver the core Service: workouts, nutrition tracking, AI plans	Profile, fitness, activity, preferences data	Performance of a contract (Art. 6(1)(b))
Community & leaderboards	Display name, profile picture, points, public comments	Performance of a contract (Art. 6(1)(b))
Import Health Connect / Samsung Health data	Steps, calories, health metrics	Explicit consent (Art. 6(1)(a) & 9(2)(a) for health data)
Process subscription payments	Google Play order ID, subscription status	Performance of a contract (Art. 6(1)(b))
Maintain invoices and accounting records	Subscription and payment records	Legal obligation (Art. 6(1)(c) — French Code de commerce L.123-22)
Analytics, service improvement, bug fixing	Crash reports, pseudonymised usage events, technical data	Legitimate interest (Art. 6(1)(f)) — improving reliability and UX
Prevent fraud, abuse, security incidents	IP address, device info, abnormal activity logs	Legitimate interest (Art. 6(1)(f))
Respond to your requests (support, rights)	Contact details, message content	Legitimate interest & legal obligation

Health data (from Health Connect or Samsung Health) is considered a special category under GDPR Article 9. We process it exclusively based on your explicit consent, which you can withdraw at any time without affecting the lawfulness of prior processing.

4. Third-party services

To operate Fitntial, we rely on carefully selected providers. Each acts as a processor or sub-processor bound by a data processing agreement (DPA).

Provider	Role	Location
Google Ireland Ltd. (Firebase)	Authentication, Realtime Database, Firestore, Storage, Cloud Functions, Crashlytics, Analytics	EU; some sub-processors in the US (under EU-US Data Privacy Framework)
Google LLC (Google Sign-In)	Third-party authentication	US (under EU-US Data Privacy Framework)
Google LLC (Google Play Billing)	Subscription payments	US (under EU-US Data Privacy Framework)
Samsung Electronics Co., Ltd.	Samsung Health SDK integration (if you enable it)	South Korea — data stays on your device; only aggregated metrics are imported into Fitntial if you grant permission
OVH SAS	Website hosting (fitntial.tech)	France (EU)

We do not sell your data, and we do not share it with advertising networks or data brokers.

5. International data transfers

Firebase services are primarily hosted in the European Union. However, some Google sub-processors may be located in the United States. Such transfers are covered by:

• The EU-US Data Privacy Framework, to which Google LLC adheres, and/or
• The European Commission's Standard Contractual Clauses (SCCs).

You can request a copy of the safeguards in place by contacting support@fitntial.com.

6. Data retention

We retain your personal data only for as long as necessary for the purposes described above:

Data category	Retention period
Account and profile data	Until you delete your account
Fitness, nutrition, and activity data	Until you delete your account
Profile picture	Until you delete it or your account
Health Connect / Samsung Health data	Until you revoke the permission or delete your account
Crashlytics reports	90 days (Google default)
Firebase Analytics events	Up to 14 months (pseudonymised)
Support correspondence	3 years after last contact
Invoices and accounting records	10 years (French Code de commerce L.123-22)
Encrypted backups after deletion	Up to 7 days (Firestore point-in-time recovery)

For more details on account deletion, see our account deletion page.

7. Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (HTTPS / TLS) for all communications
• Encryption at rest for Firebase Storage, Realtime Database and Firestore
• Firebase Authentication with salted and hashed passwords (scrypt)
• Granular access controls via Firebase Security Rules
• Regular software updates and monitoring of security advisories
• Secure credentials management (API keys stored outside source control)

No system is 100% secure. In case of a personal data breach likely to create a risk to your rights and freedoms, we will notify the CNIL within 72 hours and, where required, inform you directly without undue delay (GDPR Art. 33–34).

8. Your GDPR rights

Under the GDPR, you have the right to:

• Access — obtain a copy of the personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure ("right to be forgotten") — delete your data
• Restriction — limit how we use your data
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interest
• Withdraw consent — at any time, for processing based on consent (e.g. Health Connect)
• Define post-mortem directives — decide what happens to your data after death (French Law)

You can exercise most of these rights directly from the app (edit profile, delete account) or by contacting support@fitntial.com. We will respond within one month (extendable by two months for complex requests).

We may ask you to verify your identity (e.g. confirm from the email address associated with your account) to protect your data from unauthorized access.

9. Children

Fitntial is not intended for children under 16 years old. We do not knowingly collect personal data from minors under that age. If you believe a child under 16 has provided us with personal data, please contact support@fitntial.com and we will promptly delete the information.

10. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. The "Last updated" date at the top of this page indicates the latest revision.

For material changes (new processing, new sub-processor, new purpose), we will notify you through the app or by email at least 30 days before they take effect. Continued use of the Service after that date constitutes acceptance of the revised Policy.

11. Contact & complaints

For any question or request regarding your personal data, please contact:

KEJ SASU
229 rue Solférino, 59000 Lille, France
Email: support@fitntial.com

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In France, this is the:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 place de Fontenoy — TSA 80715
75334 Paris Cedex 07, France
www.cnil.fr