
Privacy Policy

Last updated: 14 March 2026

This Privacy Policy explains how Fitley Ltd (“Fitley”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal data when you use our platform at www.getfitley.com (the “Services”). We are committed to processing your personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are

The data controller for your personal data is:

Fitley Ltd

Registered in England and Wales

Registered address: Kingweston Road, Charlton Mackrell, Somerton, Somerset TA11 6AH

Email: fin@getfitley.com

Fitley Ltd is registered with the Information Commissioner’s Office (“ICO”) as a data controller. You can verify our registration on the ICO Data Protection Register.

2. What personal data we collect

We collect the following categories of personal data:

Account data

  • Name
  • Email address
  • Date of birth
  • Profile photo
  • Username

Fitness and workout data (special category health data)

Exercise logs, sets, reps, weight, RPE (rate of perceived exertion), workout history, and derived metrics such as estimated one-rep max and training volume trends. This data is classified as special category health data under Article 9 UK GDPR. Full details are set out in our Health Data Policy.

Payment data

Payment processing is handled by Stripe. We do not receive or store your card number or bank details. We store transaction records, including payment amounts, dates, subscription references, and payout records to creators, for accounting and legal compliance purposes.

Messages

The content of paid messages exchanged between subscribers and creators through the platform.

Device and usage data

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Referral URL

Cookies

Essential and analytics cookies. See Section 9 for full details.

3. How we use your data

We only process your personal data where we have a lawful basis to do so under Article 6 (and, where applicable, Article 9) of the UK GDPR. The table below sets out each purpose and its corresponding lawful basis.

  • Providing our Services (account management, subscriptions, content delivery): Performance of contract — Art 6(1)(b)
  • Processing fitness and health data: Explicit consent — Art 9(2)(a), supplemented by contractual necessity — Art 6(1)(b)
  • Processing payments via Stripe: Performance of contract — Art 6(1)(b)
  • Sending service communications (receipts, subscription confirmations, billing updates): Performance of contract — Art 6(1)(b)
  • Platform security and fraud prevention: Legitimate interest — Art 6(1)(f)
  • Compliance with legal obligations (tax records, responses to law enforcement requests): Legal obligation — Art 6(1)(c)
  • Analytics and service improvement: Legitimate interest — Art 6(1)(f)

Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests are not overridden by your rights and freedoms. You can request a copy of our legitimate interests assessment by contacting us at fin@getfitley.com.

4. Controller and processor roles

Fitley Ltd as data controller: Fitley Ltd is the data controller for all personal data processed through the platform. We determine the purposes and means of processing and are responsible for ensuring that processing complies with UK GDPR.

Creators as independent data controllers: Creators who access subscriber data through the platform — including subscriber usernames and workout completion counts — are independent data controllers for that data. Full details of creator data obligations are set out in our Terms of Service, Section 25.9. See also Section 11 of this policy.

Our data processors: We engage a number of third-party service providers who act as data processors on our behalf. These processors act only on our documented instructions and are subject to binding data processing agreements. See Section 5 for details.

5. Sub-processors

We use the following sub-processors to operate the Services. We maintain Data Processing Agreements (DPAs) with each of them. Where data is transferred outside the UK, we rely on the transfer safeguards indicated below.

  • Supabase Inc: database hosting, storage, authentication. Location: US (AWS regions). Transfer safeguard: UK IDTA / Standard Contractual Clauses.
  • Vercel Inc: application hosting, edge functions, CDN. Location: US and global edge. Transfer safeguard: UK IDTA / Standard Contractual Clauses.
  • Stripe Payments UK Ltd: payment processing, creator payouts. Location: UK and US. Transfer safeguard: UK adequacy (UK entity) + SCCs for US processing.
  • Upstash Inc: rate limiting, caching. Location: US/EU regions. Transfer safeguard: UK IDTA / Standard Contractual Clauses.

6. International transfers and safeguards

Some of our sub-processors are located in the United States and other countries outside the UK. When we transfer your personal data to these countries, we ensure appropriate safeguards are in place to protect your data to a standard equivalent to that required under UK GDPR.

The safeguards we rely on include:

  • UK International Data Transfer Agreements (IDTAs): The ICO-approved mechanism for transferring personal data from the UK to third countries.
  • Standard Contractual Clauses (SCCs): Contractual protections approved by the European Commission which, when used with the ICO-approved UK Addendum, bind the recipient to appropriate data protection standards for transfers from the UK.
  • Adequacy decisions: Where the UK Secretary of State has determined that a country provides an adequate level of data protection.

We assess the adequacy of protection in each destination country before making a transfer. Copies of our IDTAs and SCCs are available on request — contact us at fin@getfitley.com.

7. Data retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, or to resolve disputes and enforce our agreements. The table below sets out our retention periods by data category.

  • Account data: duration of account + 30 days after deletion
  • Fitness and workout data: duration of account, or until consent withdrawal + 30 days
  • Payment and transaction records: 6 years from transaction date (HMRC requirements)
  • Messages (paid messages): duration of both accounts + 30 days after the last account is deleted
  • Consent records: 6 years from the date of last consent change (Limitation Act 1980)
  • Device and usage data: 26 months from collection
  • Support correspondence: 3 years from resolution

After the relevant retention period, data is securely deleted or anonymised. In some circumstances we may retain data for longer if required by law, for example in connection with legal proceedings.

8. Your rights under UK GDPR

You have the following rights in relation to your personal data. To exercise any of these rights, contact us at fin@getfitley.com. We may ask you to verify your identity before processing your request.

  • Right of access (Subject Access Request): You have the right to obtain a copy of the personal data we hold about you and information about how we use it. We will respond within one calendar month of receiving your request. We may extend this period by a further two months where the request is complex or we have received multiple requests, in which case we will notify you of the extension within the first month.
  • Right to rectification: You have the right to request that we correct inaccurate or incomplete personal data we hold about you.
  • Right to erasure (“right to be forgotten”): You have the right to request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other lawful basis for processing.
  • Right to restrict processing: You have the right to request that we restrict processing of your personal data in certain circumstances, for example while a dispute about accuracy is resolved.
  • Right to data portability: Where we process your data by automated means on the basis of your consent or to perform a contract, you have the right to receive a copy of your data in a structured, commonly used, machine-readable format (JSON or CSV). You may also request that we transmit this data directly to another controller where technically feasible.
  • Right to object: You have the right to object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
  • Right to withdraw consent: Where we process your data on the basis of consent (in particular, your fitness and health data), you have the right to withdraw that consent at any time. Full details are in our Health Data Policy. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
  • Right to complain to the ICO: If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office. See Section 15 for contact details. We would, however, appreciate the opportunity to address your concerns first.

We will respond to all rights requests within one calendar month. We do not charge a fee for exercising your rights, except in the case of requests that are manifestly unfounded or excessive.

9. Cookies and analytics

We use cookies and similar technologies to operate the platform and understand how it is used.

Essential cookies

These cookies are strictly necessary for the platform to function. They include:

  • Session management and authentication (keeping you signed in)
  • CSRF protection (preventing cross-site request forgery attacks)
  • Load balancing and security

Essential cookies are set on the basis of our legitimate interests in operating a secure and functional platform. You cannot opt out of essential cookies without preventing the platform from working.

Analytics

We may use privacy-respecting analytics tools to understand how users interact with the platform. Where analytics cookies are set, we will ask for your consent. We do not use advertising cookies, retargeting cookies, or sell data to third parties for advertising purposes.

Managing cookies

You can manage or delete cookies through your browser settings. Note that disabling certain cookies may affect the functionality of the platform. For more information about cookies generally, see ICO guidance on cookies.

10. Children

Fitley is intended for users who are 18 years of age or over. We do not knowingly collect or process personal data from anyone under the age of 18.

We verify age by reference to the date of birth provided at registration. Providing a false date of birth is a breach of our Terms of Service.

If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will delete that data promptly without further notice. If you believe we may have collected data from a minor, please contact us at fin@getfitley.com.

11. Creator data obligations

Creators on the Fitley platform may access limited subscriber data through the platform, including subscriber usernames and aggregate workout completion counts. For this data, creators act as independent data controllers under UK GDPR.

Creators must comply with their own data protection obligations, including processing subscriber data only for the purpose of delivering and improving their content on the platform, and not sharing or exporting subscriber personal data to third parties. Full details are set out in our Terms of Service, Section 25.9.

If you have a data protection concern relating to a creator’s handling of your data, please contact us at fin@getfitley.com and we will assist you in understanding who to contact.

12. Security measures

We take the security of your personal data seriously. The technical and organisational measures we have in place include:

  • Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
  • Encryption at rest: Data stored in our database (Supabase) and on our hosting infrastructure (Vercel) is encrypted at rest.
  • Row-Level Security: We use Supabase’s Row-Level Security (RLS) so that database queries made on behalf of a user can only read or modify the rows that user is entitled to: their own data, plus the limited subscriber data that creators are permitted to see under Section 11. Access policies are enforced in the database itself, not only in application code.
  • EXIF metadata stripping: We automatically remove EXIF metadata (which can include location data) from photos and images uploaded to the platform.
  • Rate limiting: We use Upstash to rate-limit API requests, helping to prevent abuse and brute-force attacks.
  • Access controls: We apply the principle of least privilege — staff and systems access only the data necessary to perform their function.
  • Regular security review: We regularly review our security practices and update them as the platform evolves.
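The following is an added illustration of the Row-Level Security measure listed above; it is not Fitley’s own schema or code. It shows, for Postgres as hosted by Supabase, what “each user can only access their own data” looks like when enforced in the database: RLS is switched on for the table and one policy per command restricts rows to the calling user. The table name workout_logs, its columns and the policy names are assumptions made for the example; auth.uid() is Supabase’s helper that returns the id of the authenticated user making the request.

```sql
-- Added example (not Fitley's schema): per-user isolation of a workout log
-- table with Postgres Row-Level Security on Supabase.
-- Assumed names: table workout_logs, owner column user_id, policy names below.

create table if not exists workout_logs (
  id          bigint generated always as identity primary key,
  user_id     uuid not null default auth.uid(),   -- auth.uid(): Supabase helper
  exercise    text not null,
  reps        integer not null check (reps > 0),
  weight_kg   numeric(6,2),
  rpe         numeric(3,1) check (rpe between 1 and 10),
  logged_at   timestamptz not null default now()
);

-- Without ENABLE, any policies below are ignored and every authenticated
-- user can read every row. FORCE applies the policies to the table owner too.
-- Note: Supabase's service_role key bypasses RLS entirely, so it must only be
-- used server-side and never shipped to the browser.
alter table workout_logs enable row level security;
alter table workout_logs force row level security;

-- One policy per command. USING filters the rows a user may see or touch;
-- WITH CHECK rejects inserted/updated rows that would belong to someone else.
-- An INSERT policy without WITH CHECK would let a user write rows under
-- another user's id.
create policy "workout_logs_select_own" on workout_logs
  for select to authenticated
  using (user_id = auth.uid());

create policy "workout_logs_insert_own" on workout_logs
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "workout_logs_update_own" on workout_logs
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "workout_logs_delete_own" on workout_logs
  for delete to authenticated
  using (user_id = auth.uid());

-- Checks before shipping: RLS must be enabled and forced (both columns true),
-- and a policy must exist for each of SELECT, INSERT, UPDATE and DELETE.
select relname, relrowsecurity, relforcerowsecurity
  from pg_class
 where relname = 'workout_logs';

select policyname, cmd, qual, with_check
  from pg_policies
 where tablename = 'workout_logs';
```

The two SELECT statements at the end are the practical check: a table with policies defined but relrowsecurity = false is wide open, and a table with only a SELECT policy still allows nothing to be written, which is usually noticed, whereas a missing WITH CHECK on the INSERT or UPDATE policy is the failure that goes unnoticed because the application keeps working.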

We will notify the ICO within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to your rights and freedoms, in accordance with Article 33 UK GDPR. We will notify affected individuals without undue delay where the breach is likely to result in a high risk, in accordance with Article 34 UK GDPR.

13. Data Protection Officer

We have assessed our obligations under Article 37 of the UK GDPR regarding the appointment of a Data Protection Officer (DPO). Given the current scale of our operations, we have determined that we are not required to appoint a DPO at this time. This assessment will be reviewed as our business grows and as the nature of our data processing activities changes.

All data protection queries can be directed to our data protection contact at fin@getfitley.com.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. The “Last updated” date at the top of this page will always reflect the most recent revision.

For material changes — for example, changes that significantly affect how we use your personal data or your rights — we will notify you by email and/or via an in-platform notification at least 14 days before the changes take effect. Continued use of the platform after that date constitutes acceptance of the updated policy. If you do not agree to the changes, you may delete your account before they take effect.

15. Contact and complaints

If you have any questions about this Privacy Policy or how we handle your personal data, or if you wish to exercise any of your rights, please contact us:

Fitley Ltd

Email: fin@getfitley.com

Post: Kingweston Road, Charlton Mackrell, Somerton, Somerset TA11 6AH

We will respond to your request within one calendar month. Where the request is complex, we may extend this period by a further two months and will inform you of the extension within the first month.

If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:

Information Commissioner’s Office (ICO)

Website: ico.org.uk/make-a-complaint

Telephone: 0303 123 1113