This Privacy Policy explains how we process your personal data when you use the FitnessLi mobile app and the website fitnessli.com. We take the protection of your data seriously, only collect what we need to run the service, and never sell your data.
Short version: Your account, training, and nutrition data live on our own servers in Germany (EU). Health data (steps, weight, body metrics) is only read with your explicit consent. Photos you take for AI food analysis stay on your device and are sent for processing only at the moment of analysis — we do not store them. You can delete your account and all associated data at any time from inside the app.
1. Who is responsible (Controller)
Zum Isetal 1
38518 Gifhorn
Germany
Managing Director: Shajan Gambari
Email: info@mindroshan.com
Mindroshan UG (haftungsbeschränkt) is the controller responsible for the processing of your personal data within the meaning of the General Data Protection Regulation (GDPR / DSGVO).
2. The data we process, why, and on what legal basis
2.1 Account & authentication
To create and secure your account we process your email address, a display name, and your chosen sign-in method. You can register with email and a one-time code (OTP) sent by email, or use Sign in with Apple or Sign in with Google. If you use Apple’s “Hide My Email”, we only receive a relay address. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interest in account security (Art. 6(1)(f) GDPR).
2.2 Profile & goals
To personalise calorie and training targets we process the profile details you provide: optionally your biological sex (male/female only, for metabolic calculations), age, height, weight, activity level, and your fitness goals. Body and weight information is health-related data. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and, for health-related fields, your explicit consent (Art. 9(2)(a) GDPR).
2.3 Training & nutrition logs
We store the data you log so the app can show your history and progress: workouts and sets, food and meal entries, body weight entries, step counts, and streaks. Legal basis: performance of a contract (Art. 6(1)(b) GDPR); for health-related entries, your explicit consent (Art. 9(2)(a) GDPR).
2.4 Apple Health & Android Health Connect
With your separate, explicit permission, FitnessLi can read fitness and health data from Apple Health (HealthKit) on iOS or Health Connect on Android — for example steps, body weight, and basic body metrics — to calculate streaks and show your activity. This data is read on your device and stored in your account only to provide these features. We never use Health data for advertising or marketing, and we never share it with third parties for their own purposes. You can revoke this access at any time in your device’s Health settings. Legal basis: your explicit consent (Art. 9(2)(a) GDPR), which you can withdraw at any time with future effect.
2.5 AI food photo analysis (Premium)
If you use the AI food-scan feature, the photo you take is sent — together with an optional text note — to our analysis function and on to an external AI service provider (located in the USA) purely to estimate the foods and their nutrition. The image is processed transiently for that single request: we do not store your photos on our servers, and the photo itself remains saved only locally on your device. We enforce Zero Data Retention (ZDR) for every analysis request, which means the AI service provider and its underlying model providers do not store your photos or analysis results after processing, and your data is not used for model training. We keep a per-day counter of how many analyses you ran (to enforce fair-use limits), but not the images. Legal basis: performance of a contract (Art. 6(1)(b) GDPR); to the extent a photo reveals health-related information, your explicit consent given by choosing to use the feature (Art. 9(2)(a) GDPR).
2.6 Subscriptions & purchases
Premium subscriptions are sold through the Apple App Store and Google Play and managed with RevenueCat. To unlock and validate your subscription we process your purchase and entitlement status and a pseudonymous app user id. Payment itself is handled by Apple or Google — we never receive your full card or payment details. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2.7 Food database (self-hosted)
Product and nutrition data is hosted on our own servers in Germany. When you search for a food or scan a barcode, the search and barcode lookup run against our own database — your query is not sent to any third party. Only when a scanned product is not yet in our database does our server retrieve that single product’s public record from Open Food Facts to add it to the catalogue; that lookup contains only the product barcode and no personal data about you. Our catalogue builds on the openly licensed Open Food Facts database and a bundled USDA nutrient reference (used entirely on-device, with no network call). Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
2.8 Reminders & notifications
Any nutrition or training reminders you enable are scheduled and delivered locally on your device. We do not need to process your data on our servers to send them. Legal basis: your consent via the system notification permission (Art. 6(1)(a) GDPR).
2.9 Hosting & server logs
Our backend is self-hosted by us in Germany. When the app or website communicates with our servers, the hosting infrastructure processes technically necessary access data (such as IP address, date and time, requested resource, and status code) to deliver the service and ensure its stability and security. These logs are kept only as long as needed for security and abuse prevention and are then deleted or anonymised. Legal basis: our legitimate interest in a secure, reliable service (Art. 6(1)(f) GDPR).
3. No advertising or tracking
FitnessLi does not use advertising networks, cross-app tracking, or third-party product-analytics services, and does not build advertising profiles about you. The only third parties that receive data are the service providers listed below, each strictly to perform a function you requested.
4. Recipients & processors
We share data only with the following service providers, acting on our behalf or as required to provide the service:
| Recipient | Purpose | Location |
|---|---|---|
| Our hosting provider (data processor under Art. 28 GDPR) | App backend, accounts, and the data you log | Germany (EU) |
| RevenueCat, Inc. | Subscription management and validation | USA |
| External AI service provider | AI analysis of the food photos you submit | USA |
| Apple Inc. | App distribution, Sign in with Apple, in-app purchases, push delivery | USA / EU |
| Google LLC | Sign in with Google, Google Play billing, Health Connect (Android) | USA / EU |
5. International transfers
Some providers (RevenueCat, our AI provider, and parts of Apple’s and Google’s infrastructure) may process data in the United States. Where this happens, transfers are safeguarded by the European Commission’s Standard Contractual Clauses and/or the provider’s certification under the EU–U.S. Data Privacy Framework. You can request a copy of the relevant safeguards from us.
6. How long we keep your data
We keep your account and the data you log for as long as your account exists. When you delete your account, your profile, training, and nutrition data are permanently deleted from our systems (cascading deletion). Server logs are kept only short-term for security. Where the law requires longer retention (e.g. tax records relating to purchases), we keep only the data strictly necessary for that purpose.
7. Deleting your account
You can delete your account and all associated data at any time, directly in the app under Profile → Account → Delete account. This permanently removes your data from our servers. Subscriptions purchased through Apple or Google must be cancelled separately in your App Store or Google Play account.
8. Your rights
Under the GDPR you have the right to:
- Access your personal data (Art. 15 GDPR)
- Rectify inaccurate data (Art. 16 GDPR)
- Erase your data (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Request data portability (Art. 20 GDPR)
- Object to processing based on legitimate interests (Art. 21 GDPR)
- Withdraw any consent at any time, with effect for the future (Art. 7(3) GDPR)
To exercise any of these rights, contact us at info@mindroshan.com.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority. The authority competent for us is:
Prinzenstraße 5
30159 Hannover, Germany
10. Children
FitnessLi is not directed at children. You must be at least 16 years old to use the app and to consent to the processing described here. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Security
Connections between the app and our servers are encrypted in transit (TLS). Access to our backend is restricted and protected. While no online service can be guaranteed perfectly secure, we apply appropriate technical and organisational measures to protect your data.
12. Changes to this policy
We may update this Privacy Policy when our service or the law changes. The current version is always available here, with the date of the last update shown at the top.
13. Contact
Questions about your privacy? Email us at info@mindroshan.com. See also our Imprint.