FitClash ('we', 'our', 'us') is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we collect from users of the FitClash mobile application ('the App'), why we collect it, how we use it, and your rights under UK data protection law — including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By creating an account and using the App, you agree to the collection and use of information as described in this policy.
1. WHO WE ARE
FitClash is an independent mobile application. For the purposes of UK GDPR, we are the data controller responsible for your personal data.
Contact: fitclashapp@gmail.com
2. WHAT DATA WE COLLECT
2.1 Account data
When you register you provide:
- Email address — used for account creation and login via Supabase Auth
- Arena name (display name) — shown to other users within the App
- Avatar (emoji or photo) — shown alongside your name in clashes and the social feed
2.2 Health and fitness data (Apple HealthKit)
With your explicit consent, the App reads the following data from Apple HealthKit on iOS:
- Step count (HKQuantityTypeIdentifierStepCount)
- Active energy burned / calories (HKQuantityTypeIdentifierActiveEnergyBurned)
- Walking and running distance (HKQuantityTypeIdentifierDistanceWalkingRunning)
- Exercise / distance (HKQuantityTypeIdentifierAppleExerciseTime)
Important details about how this data is handled:
- We do not read any other HealthKit data types — no heart rate, sleep, weight, blood glucose, or clinical records
- Raw HealthKit samples never leave your device. Only the computed total (e.g. 7,340 steps as a single integer) is sent to our servers to update your clash score
- Health data is used solely to calculate and display your scores in clashes. It is never used for advertising, profiling, or shared with third parties
- We do not write any data back to Apple HealthKit — access is strictly read-only
- You can revoke HealthKit access at any time: Settings → Privacy & Security → Health → FitClash
2.3 Push notification token
If you grant permission for push notifications, we store a push token (a device identifier generated by Apple's notification service via Expo) in your profile record in our database. This token is used only to deliver clash-related notifications such as invites, acceptances, and results. We do not use it for marketing without your separate consent.
2.4 Profile photo (optional)
You may optionally upload a profile photo using your device's photo library (via expo-image-picker). If uploaded, your photo is stored securely in our database and shown to users you are clashing with or friends with. You can remove your photo at any time from your profile settings.
2.5 Contacts (future feature)
A future version of the App may request access to your device contacts to help you find friends already using FitClash. If and when this feature is introduced:
- Contact access will require your explicit permission at the point of use
- Contact data will not be stored on our servers
- Contacts will not be used for marketing or shared with any third party
- You can revoke contact access at any time in your device Settings
2.6 Usage and activity data
In the normal course of using the App, the following data is created and stored in our database:
- Clash records — clash names, types, durations, participant scores, and outcomes
- Friendship records — which users you are friends with or have sent/received friend requests from
- Activity feed entries — goal completions and clash results visible to your friends
- Daily activity totals — your aggregated step, calorie, and distance totals per day (derived from HealthKit reads, stored as integers)
- Goal settings — your chosen daily targets for steps, calories, and distance
- Streak count, wins, and losses — kept on your profile record
2.7 Session data
Your Supabase Auth session token is stored securely on your device using iOS Keychain (via expo-secure-store). This is used to keep you logged in between app sessions. It is not shared with any third party.
3. HOW WE USE YOUR DATA
- To create and manage your account
- To enable clash creation, participation, and live score tracking
- To display your arena name, avatar, and clash stats to users you are competing with or friends with
- To calculate your daily goal progress using health data read from your device
- To send you push notifications about clash activity (invites, acceptances, results) when you have opted in
- To maintain your clash history, win/loss record, and streak
- To display your activity in your friends' social feeds when you hit goals or finish clashes
- To respond to support requests
- To comply with our legal obligations
4. LEGAL BASIS FOR PROCESSING (UK GDPR)
- Contract — processing necessary to provide the clash and social features you have signed up for
- Consent — for Apple HealthKit data access, push notifications, and profile photos
- Legitimate interests — for maintaining clash integrity, security, and fraud prevention, where these do not override your rights
- Legal obligation — where required by applicable law
5. APPLE HEALTHKIT — SPECIAL RULES
Apple HealthKit data is treated with the highest level of care. In addition to the points in section 2.2, we confirm the following:
- HealthKit data is not used to advertise or market to you
- HealthKit data is not disclosed to third parties except as strictly necessary to provide clash scoring (the computed totals only, never raw samples)
- We comply with Apple's HealthKit privacy requirements as set out in the App Store Review Guidelines
6. THIRD-PARTY SERVICES
Supabase Inc.
Provides our backend database, authentication, real-time data sync, and file storage. Receives: account data, computed clash scores, friendship records, push tokens, activity feed entries, and goal settings. Supabase processes data on our behalf as a data processor under a Data Processing Agreement. Supabase infrastructure is hosted in the EU/US.
Privacy policy: supabase.com/privacy
Expo / Expo Push Service
Used to deliver push notifications to your device. When you enable notifications, your device push token is sent to Expo's notification infrastructure, which forwards the notification to Apple's Push Notification service (APNs). Expo does not receive the content of your personal data beyond what is necessary to route the notification.
Privacy policy: expo.dev/privacy
Apple Inc. (HealthKit and APNs)
Apple HealthKit is used to read your health and fitness data on your device. Apple's Push Notification service (APNs) is used to deliver push notifications. These are governed by Apple's Privacy Policy: apple.com/legal/privacy
7. DATA WE DO NOT COLLECT
To be explicit about what we do not collect:
- No analytics or usage tracking SDK is installed — we do not use Google Analytics, Mixpanel, Firebase Analytics, or any equivalent tool
- No crash reporting SDK is installed — we do not use Sentry, Crashlytics, or Bugsnag
- No payment data — FitClash is currently free. We do not collect, store, or process any payment card information
- No location data
- No camera data (the image picker accesses your photo library only, not the camera directly)
- No microphone data
- No raw HealthKit samples — only computed integer totals
8. DATA SHARING
We do not sell your personal data. We share data only in the following circumstances:
- With other FitClash users — your arena name, avatar, and clash scores are visible to users you are actively competing with or are friends with
- With Supabase Inc. — as our data processor for database and auth services (see section 6)
- With Expo — for push notification delivery (token only)
- With Apple — for HealthKit reads and APNs delivery
- With legal authorities — if required to comply with a legal obligation, court order, or to protect the safety of users
- In a business transfer — if FitClash is acquired or merged, we will notify you before your data is transferred and becomes subject to a different privacy policy
9. DATA RETENTION
- Account and profile data is retained for as long as your account is active
- Clash records, activity data, and goal settings are retained while your account exists
- If you delete your account, your personal data will be deleted from our systems within 30 days
- Your session token on your device is cleared when you log out
- Backup copies of data may persist for up to 90 days after deletion
10. INTERNATIONAL DATA TRANSFERS
Supabase infrastructure may involve data being processed in the United States or other countries outside the UK. Supabase operates under Standard Contractual Clauses and other adequacy mechanisms as required by UK GDPR. We ensure appropriate safeguards are in place for any international transfers.
11. YOUR RIGHTS UNDER UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data
- Right to restriction — request that we limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent at any time for health data, notifications, and profile photos, without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at: fitclashapp@gmail.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
12. CHILDREN'S PRIVACY
FitClash is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. Users aged 13–17 should have parental or guardian consent before using the App. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
13. SECURITY
We implement appropriate technical and organisational measures to protect your personal data. These include:
- Encrypted data transmission (HTTPS/TLS) between the App and our servers
- Session tokens stored in iOS Keychain (encrypted, hardware-backed storage)
- Supabase Row Level Security (RLS) on all database tables, ensuring users can only access their own data
- Access controls limiting who within our team can access production data
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but will notify you of any breach that affects your personal data as required by law.
14. CHANGES TO THIS POLICY
We may update this Privacy Policy from time to time. We will notify you of material changes through the App or by email. The effective date at the top of this document indicates when it was last updated. Continued use of the App after changes take effect constitutes acceptance of the updated policy.
15. GOVERNING LAW
This Privacy Policy is governed by and construed in accordance with the laws of England and Wales. Any disputes relating to this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.