Privacy Policy

How Fiz collects, uses, and protects the data you trust us with – written in plain English for athletes, not lawyers.

Last updated · 13 June 2026

01/ Introduction

Fiz Global Ltd ("Fiz", "we", "us", or "our"), a company registered in England and Wales under company number 17237174, with registered office at 66 Paul Street, London EC2A 4NA, United Kingdom, operates the Fiz mobile application and website at joinfiz.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. By using Fiz, you consent to the practices described in this policy. If you do not agree, please discontinue use of the app.


02/ Information We Collect

We collect the following categories of information:

Account Information

Email address, password (hashed), first and last name, username, and profile picture.

Date of Birth (Age Verification)

We collect your date of birth at sign-up to verify that you meet the minimum age requirement (18 years old). Your date of birth is stored in a separate, isolated table with strict access controls — only you can read it. It is never displayed publicly, never returned in profile fetches by other users, and never used for advertising or marketing.

You may optionally provide your body weight. We use it solely to estimate the calories burned in your workouts when no device-measured health data is attached. Your body weight itself is stored in the same isolated, owner-only table as your date of birth — never shown publicly, never returned in profile fetches by other users, and never used for advertising or marketing. The calorie estimates we derive from it are clearly labelled as estimates and count toward your personal stats and challenges. They are only ever shown to you — on your own activities — and are never displayed to other users. You can edit or remove your weight at any time.

Profile Information

Bio, location, unit preferences (metric/imperial), timezone, profile links, and affiliate codes.

Health & Fitness Data

When you connect Apple HealthKit or Google Health Connect, we may read:

  • Heart rate (average and maximum during workouts)
  • Active calories burned
  • Steps taken
  • Distance covered
  • Body weight and height
  • Blood pressure readings
  • Workout duration

Fitness Activity Data

Workout scores, training metrics, personal records, activity images, optional video links you choose to attach to an activity (for example a YouTube, Vimeo, or Instagram URL — we store the link only and do not host or re-upload the video itself), comments on activities, strain and load calculations, muscle group breakdowns, and achievement badges.

Location Data

If you provide a location on your profile, we use Google Geocoding API to convert it to coordinates for features such as timezone detection. We do not continuously track your location.

Device Information

Device push notification tokens for delivering notifications. We do not collect device identifiers for advertising purposes.

Usage & Analytics Data

Timestamps of when you accepted our Terms of Service and Privacy Policy, marketing consent preferences, and product-analytics events — such as screens viewed and key actions (for example, logging an activity or viewing the subscription paywall) — collected via PostHog to understand how Fiz is used and to improve it. These events are linked to your account by your Fiz user ID and subscription tier. We do not capture the contents of what you type, and we never send health data to analytics. Analytics is hosted in the European Union, with cross-app tracking and session recording disabled.


03/ How We Collect Information

  • Directly from you: When you create an account, fill in your profile, log workouts, post activities, or communicate with us.
  • Automatically: Timezone detection based on your device, push notification tokens when you enable notifications, and product-analytics events (screens viewed, key in-app actions) via PostHog.
  • From third-party services: Health data from Apple HealthKit or Google Health Connect (only with your explicit permission), subscription status from RevenueCat.

04/ Legal Basis for Processing

We process your personal data on the following legal bases:

  • Explicit consent (Article 9(2)(a)): Health and fitness data (heart rate, calories, workout metrics) imported from Apple HealthKit or Google Health Connect.
  • Consent (Article 6(1)(a)): Marketing communications and optional profile information.
  • Contract (Article 6(1)(b)): Processing necessary to provide you with the Fiz service, including account management, workout tracking, and social features.
  • Legal obligation (Article 6(1)(c)): Age verification (date of birth) to ensure we do not knowingly create accounts for users below the minimum age.
  • Legitimate interest (Article 6(1)(f)): Service improvement, product analytics (privacy-respecting, non-advertising), security, and fraud prevention.

05/ How We Use Your Information

We use the information we collect to:

  • Provide and maintain the Fiz platform, including workout creation, score logging, activity tracking, and social features.
  • Personalise your experience, such as displaying workouts in your preferred units and timezone.
  • Power AI-generated workouts and programmes using Google Gemini (see Section 7).
  • Display leaderboards, challenges, and achievement badges.
  • Send push notifications about social interactions, challenges, and updates.
  • Send transactional service emails — a welcome message when you first sign in, and confirmation when you delete your account. You can also opt in to engagement emails (e.g. community invites) or product news via Settings → Notifications. Account and security emails are sent regardless of these preferences.
  • Process subscription payments and manage entitlements.
  • Ensure safety and enforce our terms of service, including content moderation.
  • Respond to support requests via support@joinfiz.com.

06/ Health Data

Health and fitness data (including heart rate, calories burned, workout duration, body weight, and other metrics imported from Apple HealthKit or Google Health Connect) is classified as special category personal data under Article 9 of the UK GDPR and EU GDPR. We process this data only on the basis of your explicit consent (Article 9(2)(a)), provided via the HealthKit / Health Connect permission prompt and via in-app activity-level sharing toggles. You can withdraw this consent at any time:

  • We only access health data with your explicit opt-in consent via Apple HealthKit or Google Health Connect.
  • Health data is read-only – we never write to your health platforms.
  • You control whether health data from individual activities is shared publicly via the "Share Health Data" toggle on each activity. When the toggle is off, health metrics are visible only to you.
  • Health data is never sold to third parties, used for advertising, or shared with insurers, employers, or any other entity outside the service providers listed in Section 10.
  • You can disconnect health integrations at any time through the app settings; existing data you have already imported will remain until you delete individual activities or your account.
  • When you delete your account, all associated health data is permanently deleted from our systems within 30 days, including from backups.

07/ AI-Generated Content

Fiz uses Google Gemini API to generate workouts and programmes based on your text prompts. When you use the AI workout creator:

  • Your text prompt is sent to Google Gemini for processing.
  • We do not include personally identifiable information (name, email, health data) in prompts sent to Google Gemini.
  • Generated workout content is stored in your Fiz account.
  • AI usage is subject to quotas based on your subscription tier (Free, Pro, or Partner).
  • Google Gemini's own privacy policy governs how Google processes these requests.

08/ Location Data

When you add a location to your profile, we use Google Geocoding API to convert the place name to geographic coordinates. This is used for timezone detection and displaying your location on your profile. We do not track your real-time GPS location or create movement profiles.


09/ Information Sharing with Other Users

Depending on your privacy settings:

  • Public accounts: Your profile, workouts, activities, and collections are visible to all Fiz users.
  • Private accounts: Your content is only visible to approved followers.
  • You can control whether you appear in search results and on leaderboards via privacy settings.
  • Comments, likes, and follows are visible to the relevant users.
  • You can block users to prevent them from viewing your content or interacting with you.

10/ Third-Party Service Providers

We use the following third-party services to operate Fiz:

  • Supabase: Authentication, database hosting, file storage, and edge functions. Data is stored on Supabase's infrastructure with row-level security.
  • Resend: Transactional and engagement email delivery. Resend processes your email address, first name (when known), and the message content on our behalf in order to deliver Fiz emails. We do not share health data, fitness data, or payment data with Resend. Resend acts as a data processor under a signed Data Processing Agreement.
  • RevenueCat: Subscription management and in-app purchase processing. Payment is taken and processed by the Apple App Store or Google Play; we never receive or store your payment card details.
  • Cloudflare: Hosting and delivery of our website and images (including the cdn.joinfiz.com content delivery network), and bot-protection on our sign-up and waitlist forms via Cloudflare Turnstile. In providing these services Cloudflare processes technical data such as your IP address. We do not send health, fitness, or payment data to Cloudflare.
  • Google Firebase Cloud Messaging: Delivery of push notifications. Firebase processes your device push-notification token in order to route notifications to your device. We do not send health or payment data through Firebase.
  • Google Gemini API: AI workout and programme generation.
  • Google Geocoding API: Location-to-coordinates conversion.
  • Apple HealthKit: Reading health and fitness data on iOS devices.
  • Google Health Connect: Reading health and fitness data on Android devices.
  • PostHog: First-party product analytics — screens viewed and key in-app actions — hosted in the European Union. Configured without advertising, without cross-app tracking, and with session recording disabled. We do not send health or payment data to PostHog. PostHog acts as a data processor under a signed Data Processing Agreement.

11/ Data Storage & Security

We implement appropriate technical and organisational measures to protect your data:

  • All data is transmitted over HTTPS/TLS encryption.
  • Database access is protected by row-level security (RLS) policies ensuring users can only access their own data.
  • Passwords are hashed and never stored in plain text.
  • File storage uses signed URLs with expiration for secure access.
  • We regularly review and update our security practices.

12/ Data Retention

We retain your personal data for as long as your account is active or as needed to provide you with our services. When you delete your account, we permanently delete your personal data, including activities, workouts, scores, comments, likes, saves, follows, and health data. Some anonymised, aggregated data may be retained for analytics purposes. We may retain certain data as required by law or for legitimate business purposes such as resolving disputes.


13/ Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data via your profile settings.
  • Deletion: Request deletion of your account and all associated data.
  • Portability: Request your data in a machine-readable format.
  • Restrict processing: Request that we limit how we use your data.
  • Withdraw consent: Withdraw consent for health data access, marketing, or other optional processing at any time.
  • Object: Object to processing based on legitimate interest.

14/ Data Export

You can request a full export of your personal data at any time. Fiz provides a GDPR-compliant data export feature that compiles your profile information, workouts, activities, scores, social data, and health data into a downloadable format. To request an export, contact us at hello@joinfiz.com.


15/ Account Deletion

You can delete your account at any time. Deletion is permanent and cascading – it removes your profile, all workouts you created, activities, scores, comments, likes, saves, follows, blocked users, collections, challenge participations, notification tokens, and any associated health data. This action cannot be undone.


16/ Children's Privacy

Fiz is not intended for users under the age of 18. We require all users to confirm their date of birth at sign-up and we do not knowingly create accounts for anyone under 18. If we become aware that a person under 18 has provided us with personal information, we will take steps to delete the account and associated data promptly. If you are a parent or guardian and believe your child has created an account on Fiz, please contact us at hello@joinfiz.com.


17/ International Data Transfers

Your data may be transferred to and processed in countries other than your own. Our service providers, including Supabase, Google, Cloudflare, and RevenueCat, may process data in various jurisdictions. Where data is transferred outside the United Kingdom or the European Economic Area (EEA), we ensure appropriate safeguards are in place — such as an adequacy decision, the EU Standard Contractual Clauses, or the UK International Data Transfer Agreement (IDTA) / UK Addendum to the SCCs.


18/ Cookies & Tracking

The Fiz mobile app does not use cookies. Our website (joinfiz.com) may use essential cookies for basic functionality. We use PostHog for privacy-respecting, first-party product analytics (see Section 10) to understand how Fiz is used and improve it. We do not use advertising cookies, tracking pixels, or ad-targeting trackers, and we do not sell your data to advertisers or data brokers.


19/ Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy within the app and updating the "Last updated" date. Your continued use of Fiz after changes are posted constitutes acceptance of the updated policy.


20/ DMCA & Copyright

If you believe your copyrighted work has been infringed on Fiz, please refer to Section 23 of our Terms of Service for our full DMCA compliance policy, including how to submit a notice or counter-notice. You may contact our designated DMCA agent at dmca@joinfiz.com.


21/ Data Processing Agreements

As required by GDPR Article 28, Fiz Global Ltd maintains Data Processing Agreements with all third-party data processors listed in Section 10. These agreements ensure that your data is processed only as instructed, with appropriate security measures, and that your data subject rights are preserved. A copy of our standard DPA is available upon request at hello@joinfiz.com.


22/ California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), gives you additional rights regarding your personal information. This section describes those rights and how to exercise them.

Categories of personal information we collect

In the last 12 months, we have collected the categories of personal information listed in Section 2 (Information We Collect), specifically: identifiers (email, user ID), customer records (name, username), commercial information (subscription status), internet/network activity (in-app usage), geolocation data (location you add to your profile, coarse only), sensory information (profile/activity photos you upload), health and fitness information (where you opt-in via HealthKit), and inferences drawn from training data (strain, load, achievements).

No sale, no share for cross-context behavioural advertising

Fiz does not sell your personal information. We do not share your personal information with third parties for cross-context behavioural advertising. We use PostHog for first-party product analytics only (see Section 10); we do not use advertising cookies, tracking pixels, or ad-targeting trackers. We have not sold or shared personal information for advertising in the preceding 12 months and we have no plans to do so.

Your CCPA rights

  • Right to know — request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose, and the categories of third parties with whom we have shared it.
  • Right to delete — request that we delete personal information we have collected from you (with limited statutory exceptions).
  • Right to correct — request that we correct inaccurate personal information.
  • Right to opt-out of the sale or sharing of personal information (we do not sell or share, so this right is preserved by design).
  • Right to limit use of sensitive personal information — to the use necessary to provide the Service (we do not use sensitive personal information beyond providing the Service).
  • Right to non-discrimination — we will not deny services, charge different prices, or provide a different level of service because you exercised any of these rights.

How to exercise your rights

You can exercise your rights of access, deletion, and correction directly in the app: Settings → Download My Data (right to know / portability) and Settings → Delete Account (right to delete). For all other CCPA requests, including authorised-agent requests, email hello@joinfiz.com with subject "CCPA request". We will verify your identity by reference to your registered account email and respond within 45 days (extendable to 90 days where reasonably necessary, with notice).

Minors

Fiz is for adults only (18+) and is not directed to minors; we do not knowingly sell or share personal information of consumers under 18. See Section 16 (Children's Privacy) for our minimum-age policy.

Shine the Light

California Civil Code §1798.83 (the "Shine the Light" law) permits California residents to request information about disclosures of personal information to third parties for direct-marketing purposes. We do not share personal information with third parties for their direct marketing.


23/ Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data practices, please contact us:

Fiz Global Ltd
66 Paul Street
London EC2A 4NA
United Kingdom
Registered in England & Wales · Company No. 17237174

Email: hello@joinfiz.com
Website: joinfiz.com