1. Introduction
SERRATUS FIT SRL ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the SERRATUS FIT mobile application ("App") and website at serratusfit.com ("Website"), collectively referred to as the "Services."
By using the Services, you acknowledge that we process information as described in this Privacy Policy. Some processing is necessary to provide the Services, some is required for security or legal compliance, and some optional processing depends on your choices and permissions.
2. Our Privacy Commitment
Our Core Privacy Principles
- We minimize personal information where possible
- We do not sell your personal data to third parties
- We do not use HealthKit data, workout data, or fitness profile data for advertising purposes
- We only share data with essential service providers as described in this policy
- We configure analytics to minimize personal data collection
3. Information We Collect
3.1 Information from Authentication Providers
When you sign in to the App using Apple Sign-In or Google Sign-In, we receive certain information from these services:
Apple Sign-In
When you use Sign in with Apple, we may receive:
- Your name (which you can edit before sharing)
- Your email address (you may choose to hide your email and use Apple's private email relay service)
- A unique user identifier
Google Sign-In
When you use Google Sign-In, we may receive:
- Your name
- Your email address
- Your profile picture (if available)
- A unique user identifier
We comply with Google's API Services User Data Policy. We do not transfer, sell, or use your Google user data for serving advertisements or for any purposes other than providing and improving our App.
3.2 Workout, Fitness, and Onboarding Data
When you use the App, you may choose to input and store:
- Workout logs (exercises, sets, reps, weights)
- Workout schedules and plans
- Fitness preferences, goals, experience level, and training profile selections
- Progress tracking data
- Workout completion metrics such as duration, sets, reps, volume, and perceived exertion
3.3 Apple HealthKit Data (iOS)
If you choose to grant access, we may read the following data from the iOS Health app via Apple HealthKit:
- Weight
- Height
- Step count
We may also write weight and height data from the App to Apple HealthKit, allowing you to keep your health data in sync across apps.
In the current App version, HealthKit values are used to display in-app health widgets and metrics and are cached locally on your device. We do not send HealthKit weight, height, or step-count values to Convex, Clerk, RevenueCat, PostHog, or other third-party analytics providers.
HealthKit Data Protection
- HealthKit data is never used for marketing or advertising purposes
- HealthKit data is never sold to or shared with third parties
- HealthKit data is not used for data mining or use-based purposes beyond providing core App functionality
- You are not required to share HealthKit data — the App functions without it
- All HealthKit data is maintained in accordance with Apple's development guidelines
3.4 Security and Authentication Data
To protect our Services and users, we collect certain technical information during authentication. Our authentication provider, Clerk, automatically collects:
Data Collected for Security
- IP Address: Used for rate limiting authentication requests and detecting suspicious activity
- User Agent / Device Info: Used to identify the device and browser making authentication requests
- Approximate Location: Derived from IP address for fraud detection and security purposes
This data is processed by Clerk on our behalf and used solely for security purposes, including preventing abuse, rate limiting, and detecting fraudulent authentication attempts.
3.5 Automatically Collected Information
We and our third-party service providers automatically collect certain information when you use the Services:
- Device type and operating system version
- App version (for App usage)
- Browser type and version (for Website usage)
- Session information (duration, screens/pages viewed)
- Product interaction events such as onboarding progress, paywall views, purchases, restores, and sharing
- General usage patterns and technical metadata, de-identified or aggregated where possible
3.6 Cookies and Tracking Technologies
Our Website does not use cookies. Our Website analytics tool (Umami) is privacy-focused, operates without cookies, and does not track users across websites. The App uses cookies solely for authentication purposes — no cookies are used for advertising or cross-site tracking. Our App analytics tool (PostHog) is configured with autocapture disabled and collects only the product usage events that we explicitly send from the App.
We do not use pixel tags, web beacons, or similar tracking technologies. We do not engage in interest-based or personalized advertising.
4. Legal Bases for Processing
If privacy laws such as the General Data Protection Regulation (GDPR) apply to you, we rely on the following legal bases for processing personal data:
- Contract necessity: to create and manage your account, provide App features, store and sync workout data, manage subscriptions, and provide support.
- Consent: for optional HealthKit access and any other optional permissions you choose to grant. You can withdraw HealthKit permission in iOS settings.
- Legitimate interests: to protect the Services, prevent fraud and abuse, troubleshoot issues, understand product usage, and improve the App and Website in ways that do not override your privacy rights.
- Legal obligations: to comply with accounting, tax, consumer protection, platform, and other legal requirements that apply to us.
5. Third-Party Service Providers
We work with the following third-party service providers to operate and improve the App. We share data with these providers only as necessary for them to provide their services:
Convex (Backend Infrastructure)
We use Convex as our backend database and server infrastructure. Convex stores your workout data, exercise logs, fitness preferences, and application settings.
- Our current Convex deployment stores data in the United States (AWS us-east-1)
- Data is encrypted in transit and at rest
- Database state is replicated across multiple availability zones
- Convex publishes security and data protection documentation, including GDPR-related terms
Clerk (Authentication)
We use Clerk to provide secure authentication services. When you sign in with Apple or Google, Clerk processes the authentication flow and manages your account session.
- Clerk processes: email address, name, profile image (from your social sign-in provider), and a unique user identifier
- Clerk automatically collects: IP address, device and browser information, and approximate location (derived from IP address) for security and fraud prevention
- Clerk stores authentication tokens and session data
- Clerk may process data in the United States and other locations described in its security, privacy, and sub-processor documentation
- Clerk uses sub-processors for functions such as verification emails, infrastructure, security, and webhook delivery
For more information, see Clerk's Privacy Policy and Data Processing Addendum.
RevenueCat (Subscription Management)
We use RevenueCat to manage in-app subscriptions and purchases. RevenueCat acts as a data processor on our behalf.
- We send RevenueCat the data required for subscription and entitlement management
- RevenueCat processes purchase history and subscription status to operate billing features
- RevenueCat may process identifiers, transaction metadata, and technical data needed to operate and secure its service
- We currently enable RevenueCat's Apple Ads attribution token collection so RevenueCat can help us understand whether an install was attributed to Apple Search Ads. This is used for campaign measurement and subscription analytics, not for personalized advertising.
- RevenueCat publishes privacy, GDPR/CCPA, data residency, and contractual transfer safeguard information
For more information, see RevenueCat's Privacy Policy at revenuecat.com/privacy and Data Processing Addendum at revenuecat.com/dpa.
PostHog (Mobile App Analytics)
We use PostHog in our mobile App to understand how users interact with the App and to improve the user experience. PostHog is used for product analytics in the mobile application, not for Website analytics.
- We send custom events such as onboarding progress, sign-in method, paywall views, purchase and restore outcomes, workout completion summaries, and sharing actions
- Some event properties may include fitness-related selections or workout summary metrics, such as fitness goal, experience level, gender selection, workout duration, total sets, total reps, total volume, and perceived exertion
- PostHog may process identifiers and technical metadata needed to associate events with an account and operate analytics reliably
- Our current App configuration uses PostHog's EU ingestion endpoint
- Autocapture, surveys, remote configuration, and feature-flag preloading are disabled in the App
- Events are cached locally when offline and synced when connection is restored
- We do not use PostHog for advertising or cross-app tracking
For more information, see PostHog's Privacy Policy at posthog.com/privacy.
Umami (Website Analytics)
We use Umami to understand how visitors interact with our Website (serratusfit.com) and to improve the user experience. Umami is a privacy-focused analytics tool used exclusively for our Website, not for the mobile App.
- Umami does not use cookies or track users across websites
- Data collected includes: page views, referrer sources, browser type, operating system, device type, and country or region derived from IP-based processing
- Umami publishes information about its hosting, privacy, and international transfer practices
- Umami publishes GDPR, CCPA, and PECR-related privacy documentation
For more information, see Umami's Privacy Policy at umami.is/privacy.
Data Storage Locations
Because our Services are available internationally, we disclose where our providers store or process your information:
- Convex: Workout data and application settings are stored in the United States (AWS us-east-1) for our current deployment.
- Clerk: Authentication and account data may be processed in the United States and other regions described in Clerk's current legal and security documentation.
- RevenueCat: Subscription, purchase, entitlement, and Apple Ads attribution data may be processed in regions described in RevenueCat's current legal and data residency documentation.
- PostHog: Mobile analytics data is currently sent to PostHog's EU ingestion endpoint; PostHog and its sub-processors may process data in other regions where necessary to operate and support the service.
- Umami Cloud: Website analytics data is processed according to Umami's current hosting, privacy, and transfer practices.
If we change provider regions, we will update this policy's "Last updated" date.
6. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Services and their features
- Create and manage your account
- Process and manage your subscriptions
- Store and sync your workout data across devices
- Use HealthKit data (if you grant access) to display your health metrics within the App — this data is never used for marketing or shared with third-party analytics providers
- Analyze usage patterns to improve user experience
- Measure Apple Search Ads campaign performance through RevenueCat attribution data
- Protect the security of our Services through rate limiting and fraud prevention
- Detect, prevent, and address technical issues
- Respond to your requests and communications
- Comply with legal obligations
7. Data Sharing and Disclosure
We Do NOT:
- Sell your personal data to third parties
- Use HealthKit data, workout data, or fitness profile data for advertising or marketing purposes
- Share your data with data brokers or information resellers
- Transfer your data for credit-worthiness or lending purposes
We may share your information only in the following circumstances:
- Service Providers: With the third-party service providers described above (Convex, Clerk, RevenueCat, PostHog for the App, Umami for the Website) who need access to perform services on our behalf
- Platform Providers (Apple and Google): With Apple and Google for authentication, app-store billing where available, subscription lifecycle events, and related account operations
- Apple Ads Attribution: If Apple Search Ads attribution is enabled, RevenueCat may send an Apple Ads attribution token to Apple and receive attribution information for campaign measurement
- Apple App Store Refund Handling: We may share usage and entitlement data with Apple when necessary to review or resolve App Store refund requests
- Legal Requirements: When required by law, court order, or governmental regulation
- Protection of Rights: To protect our rights, privacy, safety, or property, and/or that of our users or others
- Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case you will be notified of any change in ownership or uses of your information
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption of data in transit using TLS/SSL
- Encryption of data at rest using AES-256
- Secure authentication managed by Clerk (SOC 2 Type 2 compliant), supporting Apple and Google sign-in
- Regular security assessments
However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.
9. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with our Services. We use the following retention criteria:
- Account, authentication, subscription, and workout data is retained while your account is active.
- HealthKit values used by the current App version are cached locally on your device and are removed when you clear the App, delete local App data, or remove the App, subject to your device settings.
- Security logs, authentication metadata, analytics events, and support records are retained only for as long as needed for security, troubleshooting, service operation, legal compliance, or dispute handling.
- Transaction and accounting records may be retained for the periods required by tax, accounting, consumer protection, and platform rules.
- Backups and system logs are deleted or overwritten on a rolling basis according to provider retention schedules.
If you request deletion of your account, we delete personal information from active systems promptly, except where retention is required or permitted for legal, security, fraud prevention, dispute resolution, or backup purposes.
10. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: Request access to your personal information
- Correction: Request correction of inaccurate personal information
- Deletion: Request deletion of your personal information
- Portability: Request a copy of your data in a portable format
- Objection: Object to certain processing of your personal information
- Withdraw Consent: Withdraw consent where processing is based on consent, such as optional HealthKit permission
- Complaint: Lodge a complaint with your local data protection authority. If you are in Romania, you may contact the National Supervisory Authority for Personal Data Processing (ANSPDCP).
To exercise any of these rights, please contact us at privacy@serratusfit.com. You can also delete your account directly within the App. Account deletion removes personal information from active systems promptly, with any limited residual retention handled as described in Section 9 (Data Retention).
11. Children's Privacy
The Services are not intended for use by children under the age of 13, or a higher minimum age if required by local law. In the European Economic Area, where consent is the legal basis for processing in relation to information society services offered directly to a child, the relevant minimum age may be 16 unless local law provides a lower age. We do not knowingly collect personal information from children below the applicable minimum age. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us so that we can take necessary action.
12. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. For our current services, this includes:
- United States: Convex (current deployment), Clerk (authentication), RevenueCat (default data residency)
- European Union: PostHog mobile analytics through the current EU ingestion endpoint and Umami Cloud for Website analytics, subject to each provider's current processing and support practices
Where cross-border transfers occur, we rely on appropriate safeguards under applicable law, including standard contractual clauses (SCCs), data processing agreements, adequacy decisions, and other transfer mechanisms provided by our processors where applicable. We periodically review provider documentation and contractual terms for these safeguards.
13. App Store Privacy Disclosures
In accordance with Apple App Store requirements and, where the App is available on Google Play, Google Play Data safety requirements, we disclose the following:
Data Collected
- Contact Info: Name and email address from authentication providers and support requests
- Identifiers: User ID and device or installation identifiers used for account, subscription, analytics, and security features
- Purchase History: In-app purchases and subscriptions
- Fitness: Workout logs, plans, goals, onboarding fitness selections, workout summaries, and progress metrics
- User Content: Feedback or support messages you submit to us
- Usage Data: Product interactions and analytics events
- Advertising Data: Apple Ads attribution information used to measure Apple Search Ads campaign performance when attribution is enabled
- Location: Coarse Location (approximate location derived from IP address by Clerk, used for security/fraud prevention)
- Diagnostics: Technical metadata or error information when needed for security, reliability, and service operation
HealthKit Data Used On Device
If you grant HealthKit access, the current App version reads weight, height, and step count from Apple HealthKit and may write weight and height to HealthKit. These HealthKit values are used on device for in-app widgets and metrics and are not transmitted to our backend, analytics, subscription, or authentication providers.
Data Usage
- App Functionality: To provide core features
- Analytics: To understand app usage and improve experience
- Product Personalization: To recommend workouts and tailor the in-app experience
- Security: To protect against fraud and abuse through rate limiting and authentication security (processed by Clerk)
- No Tracking: We do not use collected data to track you across apps or websites owned by other companies for advertising or data-broker purposes
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page. Third-party provider terms and infrastructure can change over time, and we periodically review this policy to keep disclosures accurate.
15. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
SERRATUS FIT SRL
Controller: SERRATUS FIT SRL
Email: privacy@serratusfit.com
Legal inquiries: legal@serratusfit.com