Privacy Policy

Last updated: 2 May 2026

1. Who We Are

FastFitPro is operated by GeniuzLab Ltd, a company registered in England and Wales (Company No. 16220840). Our registered address is available on request.

We are the data controller for personal data processed through FastFitPro. If you have any questions about how we handle your data, contact us at nuwan@geniuzlab.info.

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, hashed password.
  • Fitness profile data: age, gender, height, weight, fitness goals, fitness level, injuries, dietary preferences, and workout schedule. This is provided voluntarily during onboarding and is used to generate your personalised programme.
  • Health data: blood test results (uploaded as PDFs or images), fitness assessment scores, posture images. This is special category data under UK GDPR. We process it only with your explicit consent.
  • Activity data: workout logs, check-in data (weight, energy level, sleep), GeniuzScore history.
  • Payment data: Stripe customer ID and subscription status. We do not store card numbers — these are held securely by Stripe.
  • Communications data: messages sent to our AI trainer (Alex), and any direct communications with support.
  • Technical data: IP address (for rate limiting and security), browser type, and session tokens.

3. How We Use Your Data

We use your data for the following purposes:

  • Providing and personalising your fitness programme and nutrition plan.
  • Processing AI analysis of health data (blood reports, posture) via AWS Bedrock.
  • Calculating and tracking your GeniuzScore over time.
  • Managing your subscription and processing payments via Stripe.
  • Sending transactional emails (welcome, plan generated, subscription updates).
  • Sending marketing emails — only if you have not opted out. You may opt out at any time.
  • Fraud prevention and security (rate limiting, suspicious activity detection).
  • Improving our service using aggregated, anonymised analytics.

Legal basis: We process your data under Article 6(1)(b) (contract performance), Article 6(1)(f) (legitimate interests — security and fraud prevention), and Article 9(2)(a) (explicit consent for health data).

4. Third-Party Processors

We share data with the following third parties, all subject to appropriate data processing agreements:

  • Stripe, Inc. — Payment processing. Stripe is PCI-DSS compliant. Data may be transferred to the USA under Standard Contractual Clauses.
  • Amazon Web Services (AWS) — AI processing via AWS Bedrock (Claude models) and email delivery via AWS SES. AWS is ISO 27001 certified. Data is processed in eu-west-1 (Ireland) and us-east-1 (Virginia).
  • Supabase Inc. — PostgreSQL database hosting. Data is stored in AWS eu-west-1 (Ireland).

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

5. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory reasons (e.g., financial records for 6 years under UK tax law).

AI conversation logs (Alex chat history) are retained for 12 months to allow conversation continuity. You can delete them at any time from your dashboard.

6. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Access: Request a copy of the data we hold about you.
  • Correction: Request correction of inaccurate data.
  • Deletion: Request deletion of your account and associated data.
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Restriction: Request restriction of processing in certain circumstances.
  • Withdraw consent: Where processing is based on consent (e.g., health data), you may withdraw at any time.

To exercise any of these rights, email nuwan@geniuzlab.info. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies

We use only essential cookies necessary for authentication (session tokens via NextAuth.js). We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

8. Security

We implement appropriate technical and organisational measures to protect your data, including HTTPS encryption, hashed passwords (bcrypt), role-based access controls, and rate limiting on all sensitive endpoints. No system is completely secure, and we cannot guarantee absolute security.

9. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email. Continued use of FastFitPro after changes constitutes acceptance of the updated policy.

10. Governing Law

This policy is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

GeniuzLab Ltd · Company No. 16220840 · England & Wales

Contact: nuwan@geniuzlab.info