Privacy Policy

Last updated: March 2026

1. Data Controller

The controller responsible for data processing through this website and the AlpaFit mobile application is:

Ugur Kaya
Erich-Ollenhauer-Straße 120
59192 Bergkamen, Germany
Email: [email protected]

2. Scope

This Privacy Policy applies to the AlpaFit website (alpa.fit) and the AlpaFit mobile application for iOS and Android. It explains what personal data we collect, how we use it, who we share it with, and what rights you have regarding your data.

3. Legal Bases for Processing

We process your personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the AlpaFit service, including workout tracking, cloud sync for signed-in users, and managing your subscription.
  • Consent (Art. 6(1)(a) GDPR): Website analytics (Cloudflare Web Analytics) and displaying personalized advertisements via Google AdMob in the free tier. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legitimate interest (Art. 6(1)(f) GDPR): Cloud data sync for signed-in users. When you create an account via Apple or Google sign-in, cloud sync is enabled by default to ensure your workout data is backed up and accessible across devices. You can disable cloud sync at any time in the app settings. Our legitimate interest is providing a seamless, reliable cloud backup experience that users reasonably expect when creating an account.
  • Legitimate interest (Art. 6(1)(f) GDPR): Crash reporting via Firebase Crashlytics to maintain service stability and fix bugs. Our legitimate interest is ensuring a reliable, functional app experience.

4. Information We Collect — Website

When you visit our website (alpa.fit), we collect minimal data:

  • Cookie Preferences: We store your cookie consent choice locally in your browser (localStorage). This data never leaves your device.
  • Analytics (with consent only): If you accept analytics, we use Cloudflare Web Analytics to collect anonymized, aggregated data about website usage. This service does not track individual users, does not use cookies for analytics, and does not fingerprint visitors.

Our website uses self-hosted fonts and does not make requests to external font services, ensuring your IP address is not shared with third parties when loading fonts.

5. Information We Collect — Mobile App

5.1 Profile Data (voluntarily provided)

If you choose to create an account via Google or Apple sign-in, we receive:

  • Name and email address (from your Google or Apple account)

You may also optionally provide the following in your user profile:

  • Height, weight, birthdate, and gender

5.2 Workout and Fitness Data (voluntarily provided)

The core purpose of AlpaFit is fitness tracking. We store the following data that you enter:

  • Workout history: type, date, duration, intensity level, notes, distance (for running/cardio), treadmill incline
  • Exercise tracking: exercises performed, sets, repetitions, weight lifted, RPE (Rate of Perceived Exertion), warm-up flags
  • Body weight entries (weight tracking over time)
  • Scheduled workouts (weekly planner)
  • Achievements and streak progress
  • Injury or illness flags on workouts

5.3 Technical and Diagnostic Data (collected automatically)

  • Crash reports: Via Firebase Crashlytics — crash logs, error stack traces, device type, operating system version, and app version. This data is anonymized and not linked to your identity.
  • Advertising identifiers: Your device's advertising ID (IDFA on iOS, GAID on Android) is collected by Google AdMob for the purpose of displaying advertisements. This applies only to free-tier users; advertising identifiers are not collected for AlpaFit Max subscribers.
  • Ad interaction data: Ad impressions and clicks, collected by Google AdMob (free tier only).

5.4 Purchase Data

If you subscribe to AlpaFit Max, we use RevenueCat to manage your subscription. RevenueCat receives:

  • Your Firebase user ID (to link your subscription to your account)
  • Subscription status and entitlements (active plan, expiration date)

We do not collect or store your payment card details. All payment processing is handled entirely by Apple (App Store) or Google (Play Store).

5.5 Authentication Data

  • Firebase user ID (unique account identifier)
  • Authentication tokens (stored securely on your device)

6. Data We Do NOT Collect

AlpaFit does not access or collect: location data, contacts, photos or media, camera or microphone input, calendar data, clipboard contents, keyboard input, or browsing history.

7. How We Use Your Data

We use your data for the following purposes:

  • Providing the fitness tracking service: recording workouts, displaying statistics, tracking progress, and managing achievements
  • Syncing your data across devices when you are signed in (cloud sync is enabled by default for signed-in users and can be disabled in settings)
  • Processing and managing your AlpaFit Max subscription and entitlements
  • Displaying advertisements in the free tier via Google AdMob
  • Diagnosing app crashes and improving stability via Firebase Crashlytics

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

8. How We Store Your Data

8.1 Local Storage (on your device)

  • SQLite database: Workouts, weight entries, profile data, exercises, exercise sets, scheduled workouts, and achievements.
  • Encrypted storage (Hive with AES-256): Data sync queue, encrypted at rest to protect your data even if your device is compromised.
  • Secure storage: Encryption keys stored in platform-secure storage (iOS Keychain / Android Keystore via FlutterSecureStorage).
  • Preferences: App settings such as language, theme, and cloud sync preference.

8.2 Cloud Storage (requires account)

When you create an account and sign in, cloud sync is enabled by default to back up your workout data. You can disable cloud sync at any time in the app settings. Your data syncs to our backend servers:

  • Backend hosted API with PostgreSQL database
  • All data transmitted via HTTPS/TLS encryption
  • Synced data includes: workouts, weight entries, scheduled workouts, exercises, exercise sets, and achievements

8.3 Guest Mode

AlpaFit is fully functional without creating an account. In guest mode, all data is stored locally on your device only. No data is transmitted to our servers or any third party (except crash reports via Crashlytics and ads via AdMob in the free tier).

9. Third-Party Services

We use the following third-party services. Each processes data as described below and is subject to its own privacy policy:

9.1 Firebase Authentication (Google LLC)

9.2 Firebase Crashlytics (Google LLC)

  • Purpose: Crash reporting and app stability monitoring
  • Data shared: Crash logs, error stack traces, device type, OS version, app version
  • Note: No personally identifiable information is included. Crash reporting is disabled in development/debug mode.
  • Privacy policy: firebase.google.com/support/privacy

9.3 Google AdMob (Google LLC)

  • Purpose: Displaying advertisements in the free tier of AlpaFit
  • Data shared: Advertising identifier (IDFA/GAID), ad interaction data (impressions, clicks), device information
  • Note: Advertising is not active for AlpaFit Max subscribers — ads are completely disabled when you subscribe. You can limit ad tracking through your device settings (iOS: Settings > Privacy > Tracking; Android: Settings > Google > Ads).
  • Privacy policy: policies.google.com/privacy

9.4 RevenueCat (RevenueCat, Inc.)

  • Purpose: Subscription and in-app purchase management
  • Data shared: Firebase user ID, subscription status, entitlement data
  • Note: RevenueCat does not receive your payment card details. All payments are processed by Apple or Google.
  • Privacy policy: revenuecat.com/privacy

10. International Data Transfers

Some of our third-party service providers are based in the United States. When your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Google LLC (Firebase, AdMob): Certified under the EU-US Data Privacy Framework, providing an adequate level of data protection as recognized by the European Commission.
  • RevenueCat, Inc.: Data transfers are governed by EU Standard Contractual Clauses (SCCs) as approved by the European Commission.

11. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • All data in transit is encrypted via HTTPS/TLS
  • Local sync queue is encrypted with AES-256 (Hive encrypted storage)
  • Encryption keys are stored in platform-secure storage (iOS Keychain / Android Keystore)
  • API access is authenticated via Firebase ID tokens
  • Cloud sync is enabled by default for signed-in users and can be disabled at any time in app settings

While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

12. Your Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right of access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17): Request deletion of your data. You can delete your account via app settings or our account deletion page.
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data.
  • Right to data portability (Art. 20): Receive your data in a structured, commonly used format.
  • Right to object (Art. 21): Object to processing based on legitimate interest, including advertising-related processing.
  • Right to withdraw consent (Art. 7(3)): Withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at [email protected].

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. The competent authority for our location is:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestraße 2–4
40213 Düsseldorf, Germany
Website: www.ldi.nrw.de

13. Data Retention

  • Local data: Stored on your device for as long as the app is installed. Uninstalling the app removes all local data.
  • Cloud data: Retained for as long as your account is active. Upon account deletion, all cloud-synced data is permanently deleted from our servers within 30 days.
  • Crashlytics data: Retained for 90 days per Google's standard retention policy.
  • AdMob data: Retained per Google's data retention policies.
  • Server backups: Backups that may contain your data are purged within 30 days of account deletion.

14. Children's Privacy

AlpaFit is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected], and we will promptly delete the data.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the updated policy in the app and updating the "Last updated" date above. We encourage you to review this policy periodically.

16. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Ugur Kaya
Erich-Ollenhauer-Straße 120
59192 Bergkamen, Germany
Email: [email protected]