This policy applies to the MitFit.app service, including the web app and any installable version. The service is operated by Chawla Technology Ltd, a company registered in England and Wales.
MitFit.app is operated by Chawla Technology Ltd, company number to follow once registration is complete. We are the data controller for your personal data.
Our data protection contact can be reached at the email address above.
This policy explains what personal information MitFit.app collects, why we collect it, how we use it, and your rights in relation to it. It covers all versions of the service, including the website at mitfit.app, the web app, and the installable version. References to the service cover all of these.
When you create an account and use the service, we collect your email address at registration and your password, which is stored encrypted. We never store it in plain text.
When you use the fitness tracking features, you may provide: your sex, age, height, and current weight; your goal weight and goal type (lose, gain, maintain, or recomposition); your activity level and number of workouts per week; your daily step target; food and drink consumed, logged by text, voice, photo, or barcode scan; your water intake; weight entries over time; and exercise sessions and activity notes.
Health data, including weight, food intake, and exercise, is classified as special category personal data under UK GDPR, Article 9. We apply a higher level of protection to this data and only process it with your explicit consent.
When you use the service, we may automatically collect your IP address, device type and operating system, browser type and version, app usage data showing which features you use and when, and error and diagnostic data.
If you use the photo food logging feature, you choose to take or upload a photograph of your food. That image is sent to Google Gemini, our AI provider, for calorie and macro estimation. We do not store the photograph on our servers after the AI has processed it and returned an estimate.
Under UK GDPR we must have a lawful basis for processing your personal data.
We process your account data and profile data to create your account and calculate personalised calorie and macro targets. Without this we cannot provide the core service. Lawful basis: performance of a contract, Article 6(1)(b) UK GDPR.
Your food logs, weight entries, exercise data, and step counts are health related data. We process this data only with your explicit consent, given when you tick the consent checkbox at registration. Lawful basis: explicit consent, Article 9(2)(a) UK GDPR. You can withdraw your consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing before withdrawal.
We use error logs and usage data to identify bugs, improve performance, and develop new features. We only use aggregated or anonymised data for this purpose where possible. Lawful basis: legitimate interests, Article 6(1)(f) UK GDPR.
We may process data where required to comply with UK law or respond to lawful requests from authorities. Lawful basis: legal obligation, Article 6(1)(c) UK GDPR.
If you join MitFit.app during the private beta, your data is collected, used, and protected in exactly the same way as described throughout this policy. Beta participation does not change your rights or our obligations in any way. Feedback you give us during the beta, such as bug reports or feature suggestions, may be stored and used to improve the service, and will not be shared publicly in a way that identifies you without your separate consent.
MitFit.app uses artificial intelligence to provide core functionality. This includes: Google Gemini, for interpreting natural language food logs, photo food estimation, and powering the AI coach chat; Open Food Facts, an open source crowd sourced food database used when you scan a product barcode, where only the barcode number is sent to look up nutritional information and no personal data is transmitted; and the Web Speech API for voice input, which is processed entirely on your device. We do not receive the audio.
When you log food by text, voice, or photo, your input is sent to Google Gemini via Google's API. Google processes this data as a data processor acting on our instructions, under a data processing agreement. Google's use of your data is governed by their API terms of service and does not include use of your data to train their models without your consent.
AI estimates are approximations. We apply a buffer to food logging estimates to account for this uncertainty. The service is not a medical or dietary advice service. See section 11.
We do not sell your personal data. We share it only as necessary to provide the service, with: Supabase Inc, for our database and authentication, with data stored on servers in the EU and US, governed by Standard Contractual Clauses; Google LLC, for AI processing via the Gemini API, with a data processing agreement in place; Stripe Inc, for payment processing when you subscribe, where we receive only subscription status and not your card details; Vercel Inc, for web hosting and serverless functions; Resend Inc, for transactional email such as account verification and password reset; and Cloudflare Inc, for website and app traffic analytics, with no cookies set and no personal data collected.
All third party processors are bound by data processing agreements and may only use your data for the purposes we specify. We may disclose your data if required by law or to protect the safety of users or others.
Authentication tokens, stored in browser local storage, are required for you to stay logged in. These are not traditional cookies but serve the same purpose. No consent is required for these.
We use Cloudflare Web Analytics to measure website and app traffic. It does not use cookies and does not collect any personally identifiable information, so no cookie consent banner is required. Traffic data is processed by Cloudflare Inc under their privacy policy.
We do not currently use advertising cookies, tracking pixels, or third party marketing cookies. If we add these in future, this policy will be updated and we will obtain your consent where required.
Account and profile data, and food, water, step, exercise, and weight logs, are kept for as long as your account is active. AI chat history is retained for as long as your account is active to provide context to the coach. Payment records are kept for 7 years, as required by UK financial regulations. Error and diagnostic logs are kept for up to 90 days.
When you delete your account, we will delete all your personal data from our active systems within 30 days, except where retention is required by law, such as payment records.
Some of our service providers are based outside the UK, including in the United States. Where we transfer your data outside the UK, we ensure appropriate safeguards are in place, including UK International Data Transfer Agreements or EU Standard Contractual Clauses recognised under UK law. Our primary providers, Supabase, Google, Stripe, Vercel, Resend, and Cloudflare, all operate under appropriate transfer mechanisms. Details are available on request.
You have: the right to access a copy of the data we hold about you; the right to rectification, to correct inaccurate data directly in the app or by contacting us; the right to erasure, to delete your account in the app settings, which removes all your data from our active systems; the right to restrict processing in certain circumstances; the right to data portability, to request your data in a structured, machine readable format; the right to object to processing based on legitimate interests; and the right to withdraw consent to health data processing by deleting your account.
To exercise any of these rights, other than account deletion which is in the app, please contact us at privacy@mitfit.app. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk, or by calling 0303 123 1113.
MitFit.app is a fitness tracking tool, not a medical device or medical service. Calorie estimates, macro targets, and AI coach responses are approximations intended to support general wellness habits. They are not medical advice, clinical nutrition advice, or a substitute for professional dietary guidance. Always consult a qualified healthcare professional before making significant changes to your diet or exercise.
The service is not suitable for children under 18, pregnant women without medical supervision, or individuals with eating disorders except under guidance from their medical team.
We take the security of your data seriously. All data in transit is encrypted using HTTPS and TLS. Passwords are hashed and salted, and we never store plain text passwords. Database access is protected by row level security policies. Authentication is managed with email verification.
No system is completely secure. If you become aware of a security issue, please contact us at privacy@mitfit.app immediately.
MitFit.app is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe we hold data from a child under 18, please contact us at privacy@mitfit.app and we will delete it promptly.
We may update this privacy policy from time to time. Where changes are material, we will notify you by email or by a prominent notice in the app before the change takes effect. The updated policy will always show the last updated date at the top.
If you have any questions about this privacy policy, please contact us at privacy@mitfit.app, Chawla Technology Ltd, registered address to be confirmed once registration is complete.
Company number and registered address will be added here once Companies House registration is complete.
This draft must be reviewed by a qualified UK solicitor familiar with UK GDPR and health data processing before publishing. Do not treat this page as final or legally binding until that review is complete.