Privacy Policy
Last updated: 18.11.2025 ยท Version: 2.0
General
This Privacy Policy ("Policy") describes how we collect and use your personal data in connection with ROXFIT website, application and services. The terms "ROXFIT", "we", "us", or "our" refer to ROXFIT LIMITED, registered under the laws of the United Kingdom.
Scope
This Policy applies to the ROXFIT website (https://www.roxfit.app/ - the "Website"); mobile application (the "App"); the service offerings available via the Website and App (collectively - the "Services"). The Services, together with our App and Website, are referred to as the "Platform".
This Privacy Policy does not constitute, create, or form part of any contract or warranty between you and ROXFIT. This Policy is provided for informational purposes under the applicable privacy laws and regulations.
Who is responsible for your data
For the purposes of applicable data protection laws (in particular, the General Data Protection Regulation (EU) 2016/679 ("GDPR")), your data will be controlled by ROXFIT, which provides the Platform to you as a Controller of your personal data.
Controller details
Registered name: ROXFIT LIMITED.
Registered address: 128 City Road, London, United Kingdom, EC1V 2NX
General contact: hello@roxfit.app
Privacy support: hello@roxfit.app
Failure to provide personal data
Please read this Privacy Policy and our Terms of Use carefully before using the Services. If you do not agree with the Terms of Use, you should not use the Services. If we are required by law to collect personal data, or if it is necessary to process your requests or fulfill a contract with you, and you do not provide the requested data, we may be unable to carry out your instructions or meet our contractual obligations. In such cases, we may need to terminate our engagement or the contract, but we will inform you of this decision at that time.
Key terms and definitions
Personal data: any information relating to an identified or identifiable natural person ("Data subject"). For the purposes of GDPR, personal data means any information relating to you such as a name, surname, gender, age, health information, preferences etc.
Processing: any operation performed on personal data, whether or not by automated means (e.g., collection, storage, use, disclosure, erasure).
Data controller: the entity that determines the purposes and means of processing personal data.
You: any individual accessing the Platform ("Visitor") or obtaining the Services ("User"), or otherwise interacting with us directly or indirectly, including as a prospective user ("Prospective user"), current or former User, or suggested athlete ("Athlete").
Services: features, tools, content, and functionalities provided through the Platform (e.g., create/store/share/review workouts; access aggregated race results).
Website: the ROXFIT website at https://www.roxfit.app/.
Website visitor: a person who visits ROXFIT's website.
Cookies: small text files stored on your device by our website's server.
Table of contents
- Sources of personal data
- Why we process your data
- Types of personal data & legal basis for processing
- The use of Cookies & other tracking technologies
- Automated decisions
- How and when we share your information
- International data transfers
- Data retention practices
- Information security
- Updating personal data
- Children's Privacy
- Your Rights and Choices
- Updates to this Privacy Policy
- Contact information
Sources of personal data
Directly from you: when you register, create a profile, interact with the AI assistant, record race results, log workouts, or exercise your privacy rights.
Automatically through your use of our services: we log usage events and feature interactions, record crash reports, store preferences, workout data, cached content, and register push tokens when enabled; optional analytics can be disabled at any time.
We also collect data from device/platform providers (e.g., authentication status, device information, system settings) and inferred sources (performance trends and percentiles) to support functionality and personalization.
Third-party and partner sources: with your consent, we receive health/fitness metrics from Apple Health and Google Fit, workout data from Strava and Garmin, and profile information from Google Sign-In and Apple Sign-In.
Why we process your data
- Account management & authentication
- Service delivery (workouts, race results, training plans, social features)
- Platform analytics and improvement (opt-out available)
- Platform maintenance & performance (bug/crash reporting)
- Communication with Users (push, transactional email, in-app messages)
- User support (GDPR rights handling)
- Billing and payment processing
- Security and fraud prevention
- Compliance with legal and regulatory requirements
- Defending or resolving legal claims
- Social and community features
- Cookies & other tracking technologies implementation
- Data anonymization for analytics and ML training
No sale of personal data
We do not sell personal data under any circumstances. Any sharing occurs only where necessary to provide our services, comply with legal obligations, or with your explicit consent.
Types of personal data & legal basis for processing
| Type of personal data processed | Data subjects | Purpose | Legal basis |
|---|---|---|---|
| Identity data: first/last name, email, username, birthday, gender, profile photo | Users, Athletes | Account mgmt & authentication; communications; support; compliance; legal claims; social/community | Art. 6(1)(b), 6(1)(c), 6(1)(f) GDPR |
| Authentication data: Firebase UID, OAuth tokens (Google, Apple, Strava, Garmin) | Users | Account mgmt & authentication; security & fraud prevention | Art. 6(1)(b), 6(1)(f) GDPR |
| Communications data: emails, in-app chat messages, support tickets, feedback, attachments | Users, Athletes | User support; compliance; legal claims | Art. 6(1)(b), 6(1)(c), 6(1)(f) GDPR |
| Payment data: name, payment history, subscription details, billing address (if applicable), limited metadata | Users | Billing & payment; compliance; legal claims | Art. 6(1)(b), 6(1)(c), 6(1)(f) GDPR |
| Profile data: height, weight, bio, country, city, Instagram handle, profile image | Users | Account mgmt & authentication | Art. 6(1)(b) GDPR |
| Location data: timezone, offset (no precise GPS) | Users | Account mgmt; service delivery | Art. 6(1)(b) GDPR |
| Device data: platform, brand, OS version, model, app version, build | Users, Platform visitors | Account mgmt; service delivery | Art. 6(1)(b) GDPR |
| Workout data: completed workouts, duration, calories, exercise types | Users | Service delivery | Art. 6(1)(b) GDPR |
| Health metrics: weight, height, steps, workout energy burned (Apple Health/Google Fit - READ_WRITE) | Users | Service delivery | Art. 6(1)(b) GDPR |
| Performance data: race results, personal bests, workout history, streaks | Users | Service delivery; anonymization for analytics & ML | Art. 6(1)(b), 6(1)(f) GDPR |
| Biometric data: motion data, activity recognition (via health integrations) | Users | Service delivery | Art. 6(1)(a) GDPR (consent); Art. 9(2)(a) GDPR (explicit consent) |
| Social & community interaction data: visibility, connections, feed, posts, comments, interactions, photos | Users, Athletes | Social/community features | Art. 6(1)(f) GDPR; Art. 6(1)(a) GDPR (consent) |
| Core identifiers & device info (cookies/tracking): user ID, session state, device type, OS version, notification permissions | Users, Platform visitors | Cookies & tracking; service delivery | Art. 6(1)(b), 6(1)(f) GDPR |
| AI & chat communications data: AI coach messages/responses/summaries; workout generation preferences/requests; behavioral usage patterns | Users, Platform visitors | Platform analytics & improvement; anonymization for analytics & ML | Art. 6(1)(f) GDPR |
| User settings & preferences: units, notifications, workout settings, profile visibility; notification tokens; analytics opt-out | Users | Account mgmt; service delivery; communications; analytics preferences | Art. 6(1)(b), 6(1)(f) GDPR |
| Third-party integrations (Strava, Garmin, Apple Health/Google Fit) | Users | Service delivery | Art. 6(1)(a) GDPR (consent); Art. 9(2)(a) GDPR (explicit consent); Art. 6(1)(b) GDPR |
| Analytics & technical data: feature usage, screen views; crash reports/error logs; performance metrics/percentiles | Users, Platform visitors | Platform analytics & improvement; maintenance & performance | Art. 6(1)(f) GDPR |
The use of Cookies & other tracking technologies
ROXFIT uses cookies and limited tracking technologies to ensure platform functionality and enhance your experience. Certain cookies are essential (Art. 6(1)(b) GDPR). Others are used under legitimate interests (Art. 6(1)(f) GDPR). In-app analytics (Mixpanel, Firebase) can be disabled under Settings โ Privacy & Data โ "Help Improve ROXFIT". Crash reporting (Sentry) is used solely to detect and fix issues; PII is removed. ROXFIT does not use advertising identifiers (IDFA/AAID). See our Cookie Policy for details.
Automated decisions
We do not make decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects (GDPR Art. 22).
How and when we share your information
Corporate transaction: we may transfer data where necessary for mergers, acquisitions, reorganizations, or insolvency, with safeguards (Art. 6(1)(f) GDPR or other lawful bases).
Compliance with the laws: we may disclose data to comply with legal obligations (Art. 6(1)(c) GDPR).
Protection and safety: we may disclose data to protect vital interests (Art. 6(1)(d) GDPR).
Service providers and professional advisors
- Authentication & Infrastructure: Firebase (Google), MongoDB Atlas, AWS S3
- Analytics & Monitoring: Mixpanel, Sentry
- Communications: Pushwoosh, Crisp Chat
- Payments: RevenueCat, Apple App Store, Google Play Store
- AI Services: Google Gemini, OpenAI (Fallback), ROXFIT AI API (Primary)
- Third-Party Integrations (User-Initiated): Strava, Garmin Connect, Apple Health, Google Fit
- Search & Social: Typesense, GetStream
- Development & Operations: Cloudflare Workers, Slack
We do not sell user data. All providers operate under DPAs per Art. 28 GDPR; we share only what's necessary. Third-party integrations are user-controlled and require explicit consent.
With your consent: where you explicitly consent (Art. 6(1)(a) GDPR), we may share your data with third parties or entities of your choosing.
International data transfers
We use providers in the EU, UK and USA. Personal information may be transferred outside your jurisdiction where laws may be less protective.
Primary data processing locations in the EU and UK
- MongoDB Atlas (EU regions)
- GetStream (EU regions)
- Crisp Chat (France, EU)
- Typesense (configurable location)
Primary data processing locations in the USA
- Firebase/Google Cloud; AWS S3 (configurable); Mixpanel; Sentry; Pushwoosh; RevenueCat; Google Gemini; OpenAI; ROXFIT AI API; Strava; Garmin; Google Fit; Cloudflare (global network)
Legal mechanism for international transfers
Where data is transferred outside the EEA, we implement appropriate safeguards (Standard Contractual Clauses). United States-based providers utilize EU-approved SCCs (e.g., Google DPTs, AWS DPA). Transfers to countries with adequacy decisions (e.g., UK, Switzerland) are permitted accordingly.
Data retention practices
We support user-requested deletion and automatic retention/deletion. Users may delete their accounts at any time ("Delete Account" is permanent). When confirmed, we delete user-related data and clean up external services.
External service cleanup (examples)
- Firebase authentication: user account deleted
- AWS S3: profile images deleted
- Pushwoosh: user unregistered
- Typesense: removed from search
- GetStream: feed deleted
- Analytics: future tracking stopped
Anonymization: certain information (e.g., race results, chat messages, deep links) may be anonymized to preserve data integrity.
Deletion executes within ~1 minute. Data is removed from primary systems; backups are securely overwritten within 30 days.
Inactive users
- Accounts inactive for 4 years are marked for deletion; users are notified and given a 30-day grace period to reactivate.
- If not reactivated, accounts are permanently deleted (primary systems immediately; backups within 30 days).
General data retention practices
| Purpose | Retention period |
|---|---|
| Account management & authentication | For the life of your account; deleted within 30 days of account closure |
| Service delivery | For the life of your account |
| Platform analytics and improvement | Up to 26 months, then aggregated or anonymised |
| Platform maintenance & performance | Up to 90 days (crash and error logs) |
| Communication with Users | For the life of your account |
| User support | Up to 3 years after your last interaction with us |
| Billing and payment processing | 7 years (to meet UK tax and accounting obligations) |
| Security and fraud prevention | Up to 12 months |
| Compliance with legal and regulatory requirements | As required by applicable law |
| Defending or resolving legal claims | Up to 6 years (UK limitation period) |
| Social and community features | For the life of your account |
| Cookies & tracking technologies | Session to 24 months (see our Cookie Policy) |
| Data anonymization for analytics and ML training | Indefinitely once anonymised (no longer personal data) |
Information security
We implement technical and organizational measures to protect personal data, including encryption in transit and at rest, access controls, secure authentication, protected databases/storage, monitoring and incident detection, vendor DPAs and audits. While we take reasonable steps to protect your data, no system can be completely secure; please keep credentials confidential. We may suspend use of Services without notice during a suspected security breach.
Updating personal data
If your personal data changes or is inaccurate, contact us at hello@roxfit.app. We are not responsible for losses arising from inaccurate or incomplete data you provide.
Children's Privacy
ROXFIT does not knowingly collect Personal Data from children under the age of 13. If you believe your child has provided such information, contact us and we will promptly remove it. If you are under the age of majority in your jurisdiction, you may use the Services only with parental/guardian consent. If we learn we have data from a child under 13 without verified consent, we will use it only to respond and then delete it.
Your Rights and Choices
Under the GDPR, you may request that we: opt-out you from direct marketing; provide access to your data and processing details; correct inaccuracies; delete your data (subject to exceptions); transfer your data; restrict processing; or object to processing based on legitimate interests.
In-app visibility and controls
- View: profile, workout history/performance, race results, training plans/schedules
- Export: complete JSON export via support request
- Edit: profile (name, email, birthday, gender, height, weight), bio, social profile, privacy settings, notifications, unit preferences
- Delete Account: permanently removes workouts, races, tokens/connections, search presence, feed, subscriptions; unregisters push; finishes in < 1 minute; covers 20+ systems
- Transfer: machine-readable export (JSON) via support request
- Restrict/Object: analytics opt-out; manage push; manage social features; manage integrations
To exercise rights, contact hello@roxfit.app. We may verify identity and, where laws require or allow, decline certain requests (with explanation, subject to legal restrictions). You may also contact your local data protection authority.
Updates to this Privacy Policy
We may update this Policy to reflect changes in processing or legal requirements. We'll notify you by posting the new Policy here and updating the "Last updated" date; we may notify you before changes take effect. Please review periodically.
Contact information
We welcome your questions at hello@roxfit.app.
