Health Data & Fitness Information

Last updated: 14 March 2026

This section supplements our Privacy Policy and explains how Fitley collects, uses, and protects your fitness and workout data. Because this data can reveal information about your physical health, it is classified as special category data under Article 9 of the UK General Data Protection Regulation (UK GDPR). We apply additional safeguards to this data as described below.

1. What fitness data we collect

When you use Fitley to track workouts and follow creator programmes, we collect:

  • Workout session data — exercises performed, sets, repetitions, weight lifted, training volume, and Rate of Perceived Exertion (RPE)
  • Derived metrics — estimated one-rep max (e1RM) and training volume trends. Derived metrics are calculations generated solely from your logged workout data. We will notify you and, where required, seek fresh consent before introducing materially new categories of derived data.
  • Workout history — a longitudinal record of your sessions over time, including dates, frequency, and progression
  • Media content — photos and videos posted by creators as part of workout programmes

Photos you send via paid messages are processed under our general Privacy Policy. If a photo reveals health information (e.g., progress photos), it will be treated as health data subject to your existing consent.

2. Why this data is treated as health data

Under Article 4(15) UK GDPR, health data means personal data related to the physical health of a person which reveals information about their health status. Your workout data — particularly when tracked over time and combined across exercises, weight, and exertion — can reveal information about your physical fitness, capacity, and health. We therefore treat all fitness data listed above as special category health data and apply the protections required by Article 9 UK GDPR.

3. Our lawful basis for processing your fitness data

We rely on the following legal bases to process your fitness data:

  • For general processing (Article 6(1)): Contractual necessity under Article 6(1)(b). Processing your workout data is necessary to provide Fitley’s core service, including delivering workout programmes, tracking your progress, and enabling interaction with creators.
  • For special category health data (Article 9(2)): Your explicit consent under Article 9(2)(a). Because your fitness data reveals information about your physical health and is therefore special category data, we also require your separate, explicit consent before processing it. This consent is collected during account registration via a dedicated consent step that is separate from your acceptance of our general Terms of Service.

Both conditions must be met for us to lawfully process your fitness data.

4. How we collect your consent

During account registration, we present a dedicated health data consent step that is separate from your acceptance of our general Terms of Service. This consent:

  • Explains what fitness data we collect and why it qualifies as health data
  • Describes how the data will be used, stored, and who it may be shared with
  • Requires a clear affirmative action — ticking a dedicated checkbox — before your account can be created
  • Is not pre-ticked, bundled with other consents, or presented as a condition hidden within other terms

You cannot create a Fitley account or use any workout tracking, programme following, or exercise logging features without providing this consent. This is because the processing of your fitness data is both:

  • Necessary to perform our contract with you — we cannot deliver a workout tracking service without processing workout data; and
  • Subject to your explicit consent, because the data is special category health data under UK GDPR, for which contractual necessity alone is not a sufficient legal basis.

We keep a timestamped record of when your consent was given, and a full history of any subsequent changes.

5. Withdrawing your consent

You have the right to withdraw your consent to the processing of your fitness data at any time. You can do this by:

  • Visiting Account Settings > Privacy > Health Data Consent and selecting “Withdraw consent”
  • Contacting us at fin@getfitley.com

If you withdraw consent:

  • We will delete your fitness and workout data within 30 days.
  • Any active creator subscriptions will be cancelled at the end of the current billing period — you will not be charged for subsequent periods.
  • You will no longer be able to access workout programmes, log exercises, or use other fitness features.
  • Your account and non-fitness data (such as your profile and payment history) will be retained unless you separately request account deletion.
  • You may re-consent at any time through Account Settings > Privacy, but previously deleted fitness data cannot be restored.

Withdrawing consent does not affect the lawfulness of any processing carried out before withdrawal.

6. How we protect your fitness data

We apply the following safeguards to your fitness and workout data:

  • Encryption: All fitness data is encrypted in transit via TLS and at rest through our hosting providers (Vercel and Supabase).
  • Access controls: Row-Level Security policies ensure that only you can access your individual workout performance data (sets, repetitions, weight, and RPE). Creators you subscribe to can see that you are subscribed and how many workouts you have completed, but cannot access your individual exercise performance data.
  • Image protection: EXIF metadata (including GPS location data) is automatically stripped from all uploaded images before storage.
  • Data minimisation: We only collect fitness data that is necessary to deliver the workout tracking and programme features you use.
  • Staff access: Access to fitness data by Fitley staff is limited to what is strictly necessary for providing support and maintaining the service.
  • Breach notification: We will notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to your rights and freedoms, in accordance with Article 33 UK GDPR. We will notify affected individuals without undue delay where the breach is likely to result in a high risk, in accordance with Article 34 UK GDPR.

7. Who has access to your fitness data

Your fitness data may be accessed by:

  • You — via your workout log and progress tracking features
  • Creators you subscribe to — creators can see that you are subscribed to their programme and the number of workouts you have completed. This is subscriber-specific engagement information. Creators cannot access your individual workout performance data (specific exercises, sets, repetitions, weight lifted, or RPE values). All performance metrics remain private to you.
  • Our data processors — specifically Supabase (database hosting and storage), which stores your fitness data on our behalf, and Vercel (application hosting), which processes requests containing fitness data in transit. Both processors act only on our instructions and under the terms of our Data Processing Agreements.

International transfers: Your fitness data may be transferred to and processed in countries outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) approved by the ICO, and we assess the adequacy of protection in the destination country. See our main Privacy Policy for full details of all processors, hosting locations, and international transfer safeguards.

We do not sell your fitness data. We do not share it with advertisers. We do not use it to build profiles for marketing purposes.

We share your workout completion count with your subscribed creator to support programme engagement. This is aggregate count data only and does not include details of exercises, weight, or exertion. We do not consider this count alone to constitute health data, but we apply the same access controls and security measures to it.

8. Data retention schedule

We retain different categories of fitness data for the following periods:

| Data category | Retention period | Basis |
|---|---|---|
| Workout session data | Duration of active account + 30 days after deletion/consent withdrawal | Contractual necessity and explicit consent |
| Derived metrics | Same as workout session data | Calculated from session data |
| Workout history | Duration of active account + 30 days after deletion/consent withdrawal | Contractual necessity and explicit consent |
| Consent records | 6 years from date of last consent change | Legal obligation (Limitation Act 1980) |
| DPIA records | Retained for as long as processing continues + 3 years | Regulatory best practice |

After the applicable retention period expires, data is permanently and irreversibly deleted from our systems, including backups, within 30 days.

9. Retention and deletion

We retain your fitness data for as long as your account is active and you maintain your consent. If you delete your account, all associated fitness data is permanently deleted through our account deletion process. If you withdraw consent without deleting your account, fitness data is deleted within 30 days.

We do not retain your fitness data beyond the periods described above. When your account is deleted or your consent is withdrawn, your workout data is permanently deleted and is not retained in any form.

10. Your rights regarding your fitness data

In addition to your general data protection rights set out in our main Privacy Policy, you have the following rights specifically in relation to your fitness data:

  • Right of access: Request a copy of all fitness data we hold about you
  • Right to rectification: Correct any inaccurate workout data
  • Right to erasure: Request deletion of your fitness data
  • Right to data portability: Receive your fitness data in a structured, commonly used, machine-readable format (typically JSON or CSV)
  • Right to restrict processing: Request that we limit how we use your fitness data while a concern is resolved
  • Right to withdraw consent: Withdraw your consent at any time as described in Section 5 above

To exercise any of these rights, contact us at fin@getfitley.com. We will respond within one month. We may ask you to verify your identity before processing your request. If your request is complex or we receive a large number of requests, we may extend the response period by up to two further months, in which case we will inform you of the extension and the reasons for it within one month of receiving your request.

11. Data Protection Impact Assessment

Because Fitley processes special category health data at scale, we have conducted a Data Protection Impact Assessment (DPIA) in accordance with Article 35 UK GDPR. This assessment evaluates the necessity and proportionality of our fitness data processing, identifies risks to your rights and freedoms, and documents the measures we take to mitigate those risks. A summary of this assessment is available on request.

12. Contact and complaints

If you have questions or concerns about how we handle your fitness data, please contact us at fin@getfitley.com.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

© 2026 Fitley. This document was last updated on 14 March 2026.