This policy (hereinafter, the “Policy”) is issued in compliance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) and of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (“LOPDGDD”).
1. Identification of the Data Controller
- Controller: FITIZENS, S.L.
- Tax ID (CIF): B‑09627944
- Address: Avenida de Francia 17, Esc. Izq., 8º A, 28916 Leganés (Madrid, Spain).
- General contact: info@fitizens.io.
- Data Protection Officer (DPO) contact: rgpd@fitizens.io.
2. Objective and subjective scope
- This Policy applies to:
  a) The website accessible at https://fitizens.io and its subdomains (hereinafter, the “Website”).
  b) The mobile applications FITIZENS Mobile (Android/iOS) and the desktop application FITIZENS Desktop (hereinafter, jointly, the “Apps”).
- For the purposes of this Policy, “Data Subject” means any natural person who uses the Website or the Apps (hereinafter, the “Services”).
3. Legal basis, purposes, and retention periods
| No. | Purpose of processing | Categories of data | Legal basis (art. 6 and 9 GDPR) | Retention period¹ |
|---|---|---|---|---|
| 3.1 | Account creation and management | Identifiers, credentials | Performance of a contract (art. 6.1 b) | Duration of the relationship plus 5 years |
| 3.2 | Profiling and analysis of performance metrics | Health and performance data: biometric and activity parameters captured by integrated physical sensors (e.g., accelerometers, heart-rate monitors, cameras) | Explicit consent (art. 9.2 a) | Until withdrawal or while the account remains active |
| 3.3 | Billing and accounting-tax obligations | Identifiers, transactions | Legal obligation (art. 6.1 c) | 6 years (art. 30 Commercial Code) |
| 3.4 | Commercial electronic communications | Email, preferences | Consent (art. 6.1 a) | Until withdrawal or 24 months of inactivity |
| 3.5 | Web and App analytics | Abbreviated IP, navigation events, pseudonymized Device-ID | Consent (art. 6.1 a) | 24 months |
| 3.6 | Fraud prevention and security to protect the integrity of the Services and user data | Access records, logs | Balanced legitimate interest (art. 6.1 f) | 12 months |
| 3.7 | Management and sharing of user-generated audiovisual content | Images and videos provided by the user, associated metadata | Performance of a contract (art. 6.1 b) | Until the user deletes the content or requests its removal |
| 3.8 | Service evaluation and improvement (anonymized data) | Anonymized or aggregated data | Not applicable (non-personal data) | Indefinite |
| 3.9 | Management of inquiries and requests for information (Contact form) | Identifiers (name, email), content of the inquiry | Consent of the data subject (art. 6.1 a) | Until resolution of the inquiry or 12 months |
| 3.10 | Processing of videos in which third parties appear (coaches) | Images and videos of third parties provided by the user, associated metadata | Performance of a contract (art. 6.1 b) | Until the user deletes the content or requests its removal |
¹ Once the indicated periods have elapsed, the data will be blocked and retained solely for the handling of legal liabilities, after which they will be deleted or irreversibly anonymized. Data that has been anonymized or aggregated will fall outside the scope of the GDPR and may be retained indefinitely for statistical, research, or service improvement purposes.
Note: when a user (for example, a coach) uploads videos in which third parties appear, the user uploading the video declares that they have an appropriate legal basis and, where applicable, the necessary consent. Any person who considers that their image or data has been processed improperly may exercise their rights by writing to rgpd@fitizens.io.
4. Consent regarding health data, performance metrics, and other data captured by sensors
Certain functionalities of the Service (for example, technique analysis through video and the generation of metrics) require the processing of data belonging to special categories (art. 9 GDPR), including biometric and activity parameters captured by means of integrated physical sensors (for example, accelerometers, heart-rate monitors, optical sensors, cameras, or other equivalent devices).
For this reason, during the first opening of the App (or during the sign-up process), the Data Subject is asked for their explicit consent by means of a checkbox or equivalent mechanism. If the Data Subject does not grant such consent, it will not be possible to use the functionalities of the Service that require such processing (which may prevent use of the App).
The withdrawal of consent does not affect the lawfulness of prior processing and may be carried out at any time from the profile within the App or by communication to the DPO; however, withdrawal may imply the impossibility of continuing to provide the Service.
4 bis. Anonymized data and use for improvement and research purposes
FITIZENS applies anonymization and aggregation techniques in accordance with industry best practices and the guidelines of the AEPD and the EDPB, ensuring that the resulting information does not allow for the direct or indirect identification of users.
Anonymized or aggregated data may be used for statistical, research, and development purposes, and for the improvement and optimization of the functionalities and technologies of our Services.
5. Recipients and data processors
- FITIZENS will not transfer data to third parties except where legally required or with the prior consent of the Data Subject.
- Providers in the categories listed in the table below access the data as data processors (art. 28 GDPR).
- The Controller has formalized (or will formalize before any processing) the corresponding processor agreements (art. 28 GDPR) and has carried out (or will carry out) Transfer Impact Assessments (TIA) where appropriate, in accordance with EDPB Guidelines 05/2021.
| Provider Category | Main Service | Processing location | Transfer guarantee |
|---|---|---|---|
| Cloud Infrastructure and Database Providers | Hosting of Services, Database | Primarily EEA¹ | Standard Contractual Clauses (SCC) or other appropriate safeguards (art. 46 GDPR)¹ |
| Web Analytics Providers | Measurement of web usage | EEA and/or third countries¹ | SCC or other appropriate safeguards + Consent¹ |
| Mobile Application Analytics Providers | Measurement of App usage | EEA and/or third countries¹ | SCC or other appropriate safeguards + Consent¹ |
| Email marketing service providers | Sending of emails | EEA and/or third countries¹ | SCC or other appropriate safeguards¹ |
¹ The specific processing location and the guarantees applicable to international transfers will depend on the specific provider selected within each category. FITIZENS ensures that all providers comply with the requirements of the GDPR, including the application of appropriate safeguards for international transfers (Chapter V GDPR) where necessary.
6. Rights of Data Subjects
The Data Subject may exercise before FITIZENS the rights of access, rectification, erasure, restriction, portability, objection, and the right not to be subject to automated decisions, by:
- Email to rgpd@fitizens.io, or
- Written communication to the address indicated in section 1.
The request will be handled within a maximum period of one month, extendable by two additional months in complex cases, in accordance with art. 12 GDPR. The Data Subject may also file a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.
7. Cookies and similar technologies
The Website and the Apps use cookies and SDKs only after obtaining granular consent in accordance with the AEPD Cookie Guide (2024). Detailed information can be consulted in the Cookie Policy.
8. Processing of minors’ data
The Services are addressed exclusively to persons over eighteen (18) years of age. Registration or use of the Services by minors is not permitted.
9. Security measures (art. 32 GDPR)
FITIZENS applies appropriate technical and organizational measures, including:
- Encryption in transit: TLS 1.2+ / TLS 1.3.
- Encryption at rest: AES‑256 managed by the cloud provider.
- Role-based access control (RBAC) through Firestore Rules and Google Cloud IAM.
- Multi-factor authentication, optional for users and mandatory for employees.
- Audit logs retained for ≥ 12 months.
- Incident response plan that provides for notification to the AEPD within 72 hours.
10. Record of Processing Activities
The Controller keeps an up-to-date Record of Processing Activities as provided for in art. 30 GDPR, available to the AEPD.
11. Validity and modifications
This Policy will remain in force until it is replaced by a new version duly published. FITIZENS will notify the Data Subject, 30 days in advance, of any modification that materially affects their rights or interests.
FITIZENS, S.L.
In case of any discrepancy between this English translation and the Spanish version, the Spanish version shall prevail.