Back
Legal · GDPR / RGPD

Privacy Policy

Last updated: 21 June 2026

1. Introduction and Data Controllers

This Privacy Policy explains how MyFitnessClient — a platform operated by Vasco José Cardoso Correia, sole trader, with tax identification number (NIF) 262045630 and address at Rua de Campezinhos, 27, Lomba, 4600-663 Amarante, Portugal ("MyFitnessClient", "we") — collects, uses, shares and protects personal data, in accordance with the General Data Protection Regulation (GDPR). For any privacy enquiry, you can contact us at [email protected]. It applies to the myfitnessclient.com website, the web application (including the installable/PWA version) and all associated services.

MyFitnessClient acts in two distinct roles: (i) as the data controller for account, billing, security and website data; and (ii) as a data processor for the data each professional manages about their clients — including health data — in which case the professional is the data controller and we process the data under their instructions. Clients may exercise their rights over that data with their professional and/or directly with us.

2. Data We Collect

We collect the data you provide to us, the data recorded by your professional in the course of coaching, and technical data generated by your use of the platform:

2.1 Account Information

  • Full name
  • Email and password (stored with secure hashing — never in readable form)
  • Phone number, profile photo, date of birth and gender (optional)
  • Language, timezone, currency and app preferences
  • When you sign in with Google: the identifier and email of your Google account (the name used is the one you provide when creating your account)

2.2 Professional Data

  • Bio, specialties, certifications, years of experience and gallery
  • Public profile/microsite content, when enabled (services, indicative pricing, testimonials, FAQ, social links, public contact)
  • Subscription and billing data: plan, status, invoice history, and the type and last 4 digits of the payment method (full card details stay with Stripe only)
  • Fiscal data for invoicing, when provided (fiscal name, tax number, address)
  • Supporter badge (founder/beta), when assigned

2.3 Client Data (including health data)

  • Body measurements and body composition (weight, height, girths, skinfolds, body-fat percentage, among others)
  • Physical test and assessment results
  • Progress and assessment photos
  • Health questionnaires/anamnesis, which may include medical history, injuries and limitations
  • Workout, nutrition and habit logs
  • Goals and coaching notes
  • Responses to forms created by the professional (including forms shared via public link)

2.4 Communications

  • Chat messages, including files, audio messages, reactions and GIFs
  • Video/audio call metadata (participants, start time and duration) — call content is not recorded
  • Support requests and messages sent through contact forms
  • Notification preferences

2.5 Professional-Client Payment Records

  • Amounts, dates, statuses, method and notes of payments recorded by the professional
  • Payment confirmations submitted by the client
  • These records are informational only — we do not process those payments (see the Terms of Service)

2.6 Technical Data

  • IP address, browser and device type, operating system
  • Login history (including failed attempts) and session tokens
  • Push notification subscriptions
  • Automatic error reports, with technical context of the action
  • Audit logs of sensitive actions
  • Data stored locally on your device (app preferences and usage state)

3. Purposes and Legal Bases

We process your data for the following purposes, under the corresponding GDPR legal bases:

  • Providing the Service (performance of contract): account creation and management, platform features, the professional-client relationship, integrations you enable, and support.
  • Billing and legal compliance (legal obligation): subscription processing, invoicing (including certified invoicing in Portugal) and compliance with tax and accounting obligations.
  • Security and fraud prevention (legitimate interest): authentication, access and audit logs, abuse detection and blocking, technical limits and bot protection.
  • Service communications (performance of contract and legitimate interest): transactional emails, account notices, reminders and notifications — configurable in settings.
  • Service improvement (legitimate interest): aggregated website usage statistics and error diagnosis and fixing.
  • Client health data (explicit consent): processed on behalf of the responsible professional, who must ensure the client's explicit consent (Article 9 GDPR) — see section 4.

4. Health Data

Client health data (measurements, assessments, anamnesis, progress photos and logs) is processed exclusively in the context of the coaching provided by the professional and under their instructions. We never use it for advertising and we never sell it.

The professional, as data controller, must obtain their clients' explicit consent before collecting this data. Clients may withdraw consent at any time and exercise their rights with the professional and/or by contacting us directly (section 9).

We do not use users' personal data or clients' health data to train, fine-tune or develop artificial intelligence or machine learning models, nor do we make it available to third parties for that purpose. Should we introduce any artificial intelligence feature, it will be disclosed and, where required, subject to its own consent.

5. Who We Share Your Data With

We never sell your personal data. We share data only in the following situations:

  • Between professional and client: the professional — and the team members they grant permissions to — accesses their clients' data in the context of coaching; the client accesses the content assigned to them.
  • Public profiles (optional): if the professional enables the marketplace/microsite, their profile information becomes public and indexable by search engines; the supporters wall publicly shows name, photo and badge.
  • Hosting and infrastructure: cloud infrastructure providers that host the application and database (servers located in the European Union) and provide transactional email delivery, content delivery (CDN), website protection (including DDoS and bot protection) and file storage.
  • Payment processor: Stripe processes subscription payments in compliance with PCI-DSS; we do not store full card details — only the type and last 4 digits.
  • Certified invoicing: Moloni (Portugal) issues subscription invoices and receives, when provided, the fiscal name, tax number and address.
  • Google: Google sign-in (if you use it) and Google Calendar sync — only if you voluntarily connect your Google account; in that case we send the events to be synced. You can disconnect the integration at any time.
  • On-demand services: food search (Open Food Facts — search terms and barcodes), GIF search (Klipy — search terms) and location search (OpenStreetMap/Nominatim — the text you type).
  • Embedded videos: when you play YouTube or Vimeo videos embedded in the platform, those services receive your IP address and browser data.
  • Push notifications: if you enable them, they are delivered through your browser's or device's push service (Google, Mozilla or Apple).
  • Website usage analytics: Google Analytics 4 (Google LLC), on the public website only — see section 10.
  • Authorities: only when required by an applicable legal obligation or to exercise and defend legal claims.
  • Corporate transactions: in the event of a merger, acquisition or asset sale, data may be transferred with safeguards equivalent to this policy, and users will be informed.

5.1 List of Sub-processors

We rely on the following categories of sub-processors, which process data on our behalf under contracts that impose the GDPR safeguards. A detailed, up-to-date list of the specific sub-processors is available to the professionals acting as data controllers on request:

  • Cloud infrastructure provider — application and database hosting and transactional email delivery — European Union
  • CDN and web-security provider — content delivery, website protection (DDoS and bot protection) and file storage — global network, under Standard Contractual Clauses
  • Stripe — processing of subscription payments — USA, under the EU-U.S. Data Privacy Framework and Standard Contractual Clauses
  • Moloni — issuance of subscription invoices — Portugal
  • Google — sign-in and Google Calendar sync (only if enabled by you) — USA, under the EU-U.S. Data Privacy Framework and Standard Contractual Clauses
  • On-demand services consulted (Open Food Facts, Klipy, OpenStreetMap/Nominatim) and embedded videos (YouTube, Vimeo) — global networks
  • Public STUN servers — technical establishment of video/audio calls (WebRTC); receive the participants' IP addresses

5.2 Google Calendar Integration (Google API Services)

If you voluntarily connect your Google account, we access only the Google Calendar data necessary to create, update and remove, in your calendar, the events corresponding to your sessions and appointments on the platform (events, dates, titles, descriptions and technical identifiers). Synchronisation is one-way only — from the platform to Google Calendar; we do not read or import events from your Google Calendar.

Use of data obtained through the Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Google Calendar data is not used for advertising, is not sold or transferred to third parties, and is not used to train artificial intelligence or machine learning models.

You may disconnect the integration at any time, either on the platform itself or in your Google account's permission settings; from that moment on we stop accessing the Google Calendar data.

6. International Transfers

Our core servers (application and database) are hosted in the European Union. Some of the providers identified in section 5 (such as the CDN and web-security provider, and services like Stripe, Google, Apple, Mozilla and Klipy) operate global networks and may process data outside the European Economic Area. In those cases, we ensure appropriate safeguards under Chapter V of the GDPR — European Commission adequacy decisions (including the EU-U.S. Data Privacy Framework, where applicable) and/or Standard Contractual Clauses.

7. Security

We apply appropriate technical and organisational measures, in line with Article 32 GDPR, including:

  • Encryption in transit (HTTPS/TLS) for all communications
  • Passwords protected with secure hashing; sensitive secrets (2FA, OAuth connections) encrypted at rest
  • Two-factor authentication (2FA) via email or authenticator app, with backup codes
  • Per-account, permission-based access controls following the least-privilege principle
  • Rate limiting, bot protection and access monitoring
  • Audit logs of sensitive actions
  • Regular backups with limited retention
  • Periodic security reviews

In the event of a personal data breach likely to result in a risk to data subjects, we will notify the supervisory authority and, where required, the affected users, in accordance with Articles 33 and 34 GDPR.

8. Data Retention and Deletion

We retain your data for as long as your account exists. You may request account deletion by contacting support: the account is deactivated and personal data is deleted or irreversibly anonymised within a maximum of 30 days, except where the law requires retention (for example, invoicing documents, kept for up to 10 years under tax law). Deleted data may persist in backups for up to an additional 30 days, until those expire.

Specific periods: hosted files (photos, videos, documents) are permanently deleted 90 days after a paid subscription ends, with prior email warnings; expired session tokens are removed after 7 days; error reports are kept for at most 90 days (30 days after resolution); team activity logs for 90 days; processed reminders for 30 days. Login history and audit logs are kept only for as long as necessary for security and legal-compliance purposes.

Inactive accounts: after 12 months without any activity, we send email warnings; without a response, the account is deactivated and, after a 30-day recovery window, personal data is permanently anonymised. Accounts with an active subscription and professionals with active clients are excluded from this process.

8.1 Retention Periods (summary)

  • Account and profile — for as long as the account exists; deleted or anonymised within 30 days of a deletion request
  • Invoicing documents — 10 years (tax obligation)
  • Hosted files (photos, videos, documents) — 90 days after the end of a paid subscription
  • Expired session tokens — 7 days
  • Error reports — up to 90 days (30 days after resolution)
  • Team activity logs — 90 days
  • Backups — up to 30 additional days
  • Inactive accounts — permanent anonymisation after 12 months without activity and a 30-day recovery window

9. Your Rights (GDPR)

As a data subject, you have the following rights:

  • Access: obtain confirmation and a copy of your personal data
  • Rectification: correct inaccurate or incomplete data
  • Erasure: request the deletion of your data ("right to be forgotten")
  • Portability: receive your data in a structured, commonly used format
  • Objection: object to processing based on legitimate interest and, in any case, to direct marketing
  • Restriction: restrict the processing of your data in certain circumstances
  • Withdraw consent: at any time, without affecting the lawfulness of processing already carried out

To exercise any of these rights, contact us at [email protected].

We respond within one month at most. Where your data is managed by a professional acting as data controller, you may also exercise your rights directly with them. You also have the right to lodge a complaint with a supervisory authority — in Portugal, the CNPD (Comissão Nacional de Proteção de Dados, cnpd.pt).

10. Cookies and Local Storage

We use cookies that are strictly necessary for authentication and platform operation. Session and authentication cookies are HttpOnly (inaccessible to scripts). Some strictly necessary or preference cookies are readable by scripts only where those processes require it. We do not use advertising cookies and we do not share data with advertising networks. The app also stores some information in the device's local storage (preferences and usage state), which you can clear by logging out or via your browser settings.

The public website uses Google Analytics 4 (Google LLC) for aggregated visit statistics; this measurement is not used in the authenticated areas of the application (the professional dashboard and the client app). You may opt out by blocking third-party cookies in your browser or by using the Google Analytics opt-out add-on.

11. Notifications and Communications

We send transactional and service communications: account verification, security, subscription and billing notices, invitations, reminders and activity notifications. You can manage push and email notifications, per category, in settings; push notifications require your browser permission and can be disabled at any time. We do not send newsletters or marketing communications without your consent.

12. Video and Audio Calls

Calls between professional and client are established directly between participants (WebRTC, peer-to-peer) whenever technically possible. Public STUN servers are used to establish the connection and process the participants' IP addresses. We do not record or store call content — only metadata (participants, start time and duration) associated with the conversation.

13. Changes to This Policy

This policy may be updated periodically. Whenever there are relevant changes, you will be notified by email or through the platform before they take effect. The date of the last update is shown at the top of this page.

14. Contact

For questions about privacy or how your data is processed:

  • Email: [email protected]
  • Address: Rua de Campezinhos, 27, Lomba, 4600-663 Amarante, Portugal