
Health Data & Fitness Information

Last updated: 8 April 2026

This section supplements our Privacy Policy and explains how Fitley collects, uses, and protects your fitness, workout, and nutrition data. Because this data can reveal information about your physical health, it is classified as special category data under Article 9 of the UK General Data Protection Regulation (UK GDPR). We apply additional safeguards to this data as described below.

1. What fitness and nutrition data we collect

When you use Fitley to track workouts, log nutrition, and follow creator programmes, we collect:

  • Workout session data — exercises performed, sets, repetitions, weight lifted, training volume, and Rate of Perceived Exertion (RPE)
  • Derived metrics — estimated one-rep max (e1RM) and training volume trends. Derived metrics means calculations generated solely from your logged workout data. We will notify you and, where required, seek fresh consent before introducing materially new categories of derived data.
  • Workout history — a longitudinal record of your sessions over time, including dates, frequency, and progression
  • Nutrition data — food logs, calorie intake, macronutrient breakdowns (protein, carbohydrates, fat), and dietary preferences or goals
  • Media content — photos and videos posted by creators as part of workout programmes

Photos you send via paid messages are processed under our general Privacy Policy. If a photo reveals health information (e.g., progress photos), it will be treated as health data subject to your existing consent.

2. Why this data is treated as health data

Under Article 4(15) UK GDPR, health data means personal data related to the physical health of a person which reveals information about their health status. Your workout data — particularly when tracked over time and combined across exercises, weight, and exertion — can reveal information about your physical fitness, capacity, and health. Your nutrition data can similarly reveal information about your health, including dietary requirements, allergies, and physical condition. We therefore treat all fitness and nutrition data listed above as special category health data and apply the protections required by Article 9 UK GDPR.

3. Our lawful basis for processing your fitness data

We rely on the following legal bases to process your fitness data:

  • For general processing (Article 6(1)): Contractual necessity under Article 6(1)(b). Processing your workout data is necessary to provide Fitley’s core service, including delivering workout programmes, tracking your progress, and enabling interaction with creators.
  • For special category health data (Article 9(2)): Your explicit consent under Article 9(2)(a). Because your fitness data reveals information about your physical health and is therefore special category data, we also require your separate, explicit consent before processing it. This consent is collected during account registration via a dedicated consent step that is separate from your acceptance of our general Terms of Service.

Both conditions must be met for us to lawfully process your fitness data.

4. How we collect your consent

During account registration, we present a dedicated health data consent step that is separate from your acceptance of our general Terms of Service. This consent:

  • Explains what fitness data we collect and why it qualifies as health data
  • Describes how the data will be used, stored, and who it may be shared with
  • Requires a clear affirmative action — ticking a dedicated checkbox — before your account can be created
  • Is not pre-ticked, bundled with other consents, or presented as a condition hidden within other terms

You cannot create a Fitley account or use any workout tracking, nutrition logging, programme following, or exercise logging features without providing this consent. This is because the processing of your fitness and nutrition data is both:

  • Necessary to perform our contract with you — we cannot deliver a workout tracking and nutrition logging service without processing workout and nutrition data; and
  • Required to have your explicit consent because the data is special category health data under UK GDPR, for which contractual necessity alone is not a sufficient legal basis.

We keep a timestamped record of when your consent was given, and a full history of any subsequent changes.

5. Withdrawing your consent

You have the right to withdraw your consent to the processing of your fitness data at any time. You can do this by:

  • Visiting Account Settings > Privacy > Health Data Consent and selecting “Withdraw consent”
  • Contacting us at fin@getfitley.com

If you withdraw consent:

  (a) we will delete your fitness, workout, and nutrition data within 30 days;
  (b) any active creator subscriptions will be cancelled at the end of the current billing period — you will not be charged for subsequent periods;
  (c) you will no longer be able to access workout programmes, log exercises, track nutrition, or use other fitness features;
  (d) your account and non-fitness data (such as your profile and payment history) will be retained unless you separately request account deletion;
  (e) you may re-consent at any time through Account Settings > Privacy, but previously deleted fitness and nutrition data cannot be restored.

Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

6. How we protect your fitness data

We apply the following safeguards to your fitness, workout, and nutrition data:

  • Encryption: All fitness and nutrition data is encrypted in transit via TLS and at rest through our hosting providers (Vercel and Supabase).
  • Access controls: Row-Level Security policies ensure that only you can access your individual workout performance data (sets, repetitions, weight, and RPE) and nutrition data. Creators you subscribe to can see that you are subscribed and how many workouts you have completed, but cannot access your individual exercise performance data or nutrition logs.
  • Image protection: EXIF metadata (including GPS location data) is automatically stripped from all uploaded images before storage.
  • Data minimisation: We only collect fitness and nutrition data that is necessary to deliver the workout tracking, nutrition logging, and programme features you use.
  • Staff access: Access to fitness and nutrition data by Fitley staff is limited to what is strictly necessary for providing support and maintaining the service.
  • Breach notification: We will notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to your rights and freedoms, in accordance with Article 33 UK GDPR. We will notify affected individuals without undue delay where the breach is likely to result in a high risk, in accordance with Article 34 UK GDPR.

7. Who has access to your fitness data

Your fitness and nutrition data may be accessed by:

  • You — via your workout log, nutrition log, and progress tracking features
  • Creators you subscribe to — creators can see that you are subscribed to their programme and the number of workouts you have completed. This is subscriber-specific engagement information. Creators cannot access your individual workout performance data (specific exercises, sets, repetitions, weight lifted, or RPE values). All performance metrics remain private to you.
  • Our data processors — specifically Supabase (database hosting and storage) which stores your fitness data on our behalf, and Vercel (application hosting) which processes requests containing fitness data in transit. Both processors act only on our instructions and under the terms of our Data Processing Agreements. International transfers: Your fitness data may be transferred to and processed in countries outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the ICO, and we assess the adequacy of protection in the destination country. See our main Privacy Policy for full details of all processors, hosting locations, and international transfer safeguards.

We do not sell your fitness or nutrition data. We do not share it with advertisers. We do not use it to build profiles for marketing purposes.

We share your workout completion count with your subscribed creator to support programme engagement. This is aggregate count data only and does not include details of exercises, weight, or exertion. We do not consider this count alone to constitute health data, but we apply the same access controls and security measures to it.

8. Data retention schedule

We retain different categories of fitness and nutrition data for the following periods:

Data category | Retention period | Basis
Workout session data | Duration of active account + 30 days after deletion/consent withdrawal | Contractual necessity and explicit consent
Derived metrics | Same as workout session data | Calculated from session data
Workout history | Duration of active account + 30 days after deletion/consent withdrawal | Contractual necessity and explicit consent
Nutrition data | Duration of active account + 30 days after deletion/consent withdrawal | Contractual necessity and explicit consent
Consent records | 6 years from date of last consent change | Legal obligation (Limitation Act 1980)
DPIA records | Retained for as long as processing continues + 3 years | Regulatory best practice

After the applicable retention period expires, data is permanently and irreversibly deleted from our systems, including backups, within 30 days.

9. Retention and deletion

We retain your fitness and nutrition data for as long as your account is active and you maintain your consent. If you delete your account, all associated fitness and nutrition data is permanently deleted through our account deletion process. If you withdraw consent without deleting your account, fitness and nutrition data is deleted within 30 days.

We do not retain your fitness or nutrition data beyond the periods described above. When your account is deleted or your consent is withdrawn, your workout and nutrition data is permanently deleted and is not retained in any form.

10. Your rights regarding your fitness and nutrition data

In addition to your general data protection rights set out in our main Privacy Policy, you have the following rights specifically in relation to your fitness and nutrition data:

  • Right of access: Request a copy of all fitness and nutrition data we hold about you
  • Right to rectification: Correct any inaccurate workout or nutrition data
  • Right to erasure: Request deletion of your fitness and nutrition data
  • Right to data portability: Receive your fitness and nutrition data in a structured, commonly used, machine-readable format (typically JSON or CSV)
  • Right to restrict processing: Request that we limit how we use your fitness and nutrition data while a concern is resolved
  • Right to withdraw consent: Withdraw your consent at any time as described in Section 5 above

To exercise any of these rights, contact us at fin@getfitley.com. We will respond within one month. We may ask you to verify your identity before processing your request. If your request is complex or we receive a large number of requests, we may extend the response period by up to two further months, in which case we will inform you of the extension and the reasons for it within one month of receiving your request.

11. Data Protection Impact Assessment

Because Fitley processes special category health data at scale, we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 UK GDPR. This assessment evaluates the necessity and proportionality of our fitness and nutrition data processing, identifies risks to your rights and freedoms, and documents the measures we take to mitigate those risks. A summary of this assessment is available on request.

12. Contact and complaints

If you have questions or concerns about how we handle your fitness and nutrition data, please contact us at fin@getfitley.com.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.
