Privacy Policy
Last updated: February 2026
1. Controller Information
The controller responsible for data processing through the Fimobo application and the fimobo.com website within the meaning of the General Data Protection Regulation (GDPR) is:
tupevo S.àr.l.-S
12, Rue du Château d'Eau
L-3364 Leudelange, Luxembourg
Email: [email protected]
2. Overview
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Fimobo mobile applications (iOS, Android, watchOS, Wear OS), the fimobo.com website, and related services (collectively, the "Services"). We are committed to protecting your privacy and processing your data in accordance with the GDPR and the laws of the Grand Duchy of Luxembourg.
You must be at least 16 years of age to use our Services.
3. Data We Process
a) Account Data
When you create a Fimobo account, we collect your email address, display name, and profile information. This data is necessary to provide you with a personalized experience and to sync your data across devices.
b) Workout Data
We process the workout data you enter, including exercises, sets, repetitions, weight lifted, workout duration, and related training metrics. This data is stored on our servers to enable cloud sync and AI coaching features.
c) Nutrition Data
We process the nutrition data you log, including meals, calories, macronutrients, water intake, and supplement reminders. When you use the barcode scanning feature, queries are made to the OpenFoodFacts open-source nutrition database. No personal data is transmitted to OpenFoodFacts -- only product barcodes are sent to retrieve nutritional information.
d) Health Data (On-Device Only)
If you grant permission, Fimobo reads health data from Apple HealthKit (iOS/watchOS) or Google Health Connect (Android/Wear OS), including heart rate, heart rate variability (HRV), resting heart rate, sleep data, and step counts. This health data stays on your device. We do not transmit health data to our servers. Recovery scores, readiness calculations, and heart rate zone computations are performed locally on your device.
e) AI Coaching Data
When you use our AI coaching features (workout suggestions, nutrition chat, meal planning), your queries and relevant context (such as recent workout history and nutrition goals) are processed by our AI service to generate personalized recommendations. Conversation histories are maintained for the duration of your session to provide contextual responses. AI coaching data is processed on our servers within the European Union.
f) Subscription and Payment Data
Subscription payments are processed entirely by Apple (App Store) or Google (Google Play). We do not receive, store, or process your payment card details, bank account information, or billing address. We receive only a confirmation of your subscription status (active, expired, or cancelled) and the subscription tier (Free, Premium, or Pro).
g) App Analytics
We use PostHog for in-app usage analytics. PostHog collects anonymized usage events such as feature interactions and screen views. Analytics data is aggregated and does not identify individual users. PostHog is configured to respect user privacy preferences and does not use third-party advertising trackers.
h) Website Analytics
On the fimobo.com website, we use Umami, a privacy-friendly, cookieless analytics tool. Umami collects anonymized, aggregated page view statistics and events. It does not use cookies, does not collect personal data, and does not track individual visitors across sessions. Our Umami instance is self-hosted, meaning no analytics data is shared with third parties.
i) Server Log Data
When you visit our website or connect to our API, our hosting provider automatically collects and stores information in server log files that your browser or device transmits. This includes your IP address, browser type and version, operating system, referring URL, pages or endpoints accessed, and the date and time of your request. This data is collected by the hosting provider for the purpose of ensuring the security and stability of the service and is retained according to the hosting provider's own policies.
j) Voluntary Contact
If you contact us by email at [email protected], we process the personal data you provide (such as your name and email address) solely to respond to your inquiry.
4. Legal Basis for Processing
We process personal data on the following legal bases under the GDPR:
- Article 6(1)(b) -- Performance of a contract: Processing of account data, workout data, nutrition data, AI coaching data, subscription status, and cloud sync is necessary for the performance of the contract between you and us (the Terms of Service) and to provide the Services you have requested.
- Article 6(1)(f) -- Legitimate interests: Server log data is processed to ensure the secure and stable operation of our website and API. App analytics (PostHog) and website analytics (Umami) are processed to understand how our Services are used and to improve them. Since both tools collect only anonymized or aggregated data, the impact on your privacy is minimal.
- Article 6(1)(a) -- Consent: Health data from HealthKit or Health Connect is accessed only after you grant explicit permission through your device's operating system. You may revoke this permission at any time in your device settings.
5. Cloud Sync
If you create a Fimobo account, your workout data, nutrition logs, recipes, pill reminders, and app preferences are synchronized across your devices through our cloud sync service. Synced data is stored on encrypted servers within the European Union. Data transmitted between your device and our servers is encrypted using TLS. Cloud sync data is encrypted at rest.
6. Data Recipients and Transfers
Your data may be processed by the following categories of recipients:
- Hosting provider: Our servers and website are hosted within the European Union. The hosting provider processes server log data and stores synced user data on our behalf.
- App analytics (PostHog): Anonymized, aggregated in-app usage analytics.
- Website analytics (Umami): Self-hosted. No analytics data is shared with any third party.
- OpenFoodFacts: Product barcode queries for nutritional information. No personal data is transmitted.
- Apple / Google: Subscription management and payment processing are handled entirely by Apple (App Store) and Google (Google Play) under their respective privacy policies.
We do not sell, trade, or otherwise transfer your personal data to third parties for marketing or advertising purposes. We do not transfer personal data outside the European Economic Area (EEA).
7. Data Retention
- Account and app data: We retain your account data, workout data, nutrition data, and preferences for as long as your account is active.
- Account deletion: Upon account deletion, all your personal data is permanently removed from our servers within 30 days.
- AI coaching conversations: Session-based conversation histories are retained only for the duration of your active session and are not stored long-term.
- Server logs: Retained by the hosting provider in accordance with their data retention policies.
- Analytics data: Umami and PostHog data is aggregated and anonymized. It does not constitute personal data and may be retained indefinitely.
- Email correspondence: Retained for as long as necessary to address your inquiry and for any follow-up communication, or as required by law.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS), encryption at rest for stored data, access controls, and regular security reviews.
9. Your Rights Under the GDPR
Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Article 15) -- You have the right to obtain information about the personal data we process about you.
- Right to rectification (Article 16) -- You may request the correction of inaccurate personal data.
- Right to erasure (Article 17) -- You may request the deletion of your personal data, subject to legal retention obligations.
- Right to restriction of processing (Article 18) -- You may request that we restrict the processing of your data under certain conditions.
- Right to data portability (Article 20) -- You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) -- You may object to the processing of your personal data based on legitimate interests at any time.
To exercise any of these rights, please contact us at [email protected].
10. Right to Lodge a Complaint
If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent supervisory authority for Luxembourg is:
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz
L-4370 Belvaux, Luxembourg
Website: https://cnpd.public.lu
11. Cookies and Local Storage
For detailed information about the cookies and local storage technologies used on the fimobo.com website, please see our Cookies & Local Storage page.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable legal requirements. The updated version will be indicated by the "Last updated" date at the top of this page. For significant changes, we will notify you via the app or email. We encourage you to review this page periodically.
13. Contact
For any privacy-related inquiries or to exercise your data protection rights, please contact us at:
tupevo S.àr.l.-S
12, Rue du Château d'Eau
L-3364 Leudelange, Luxembourg
Email: [email protected]