Privacy Policy of FlixFit® AG

Last updated: 18 April 2026

1. Controller

FlixFit® AG Mosacher 25 8126 Zumikon Switzerland E-mail: support@flixfit.me

2. EU Representative pursuant to Art. 27 GDPR

Our representative in the European Union pursuant to Art. 27 GDPR is: [Name, address, contact to be inserted]

3. Scope

This privacy policy applies to the FlixFit app (iOS/Android) and the website flixfit.me. For users in Switzerland, the revised Swiss Federal Act on Data Protection (revFADP) applies. For users in the European Economic Area, the General Data Protection Regulation (GDPR) additionally applies.

Part A: FlixFit App

4. Account and Account Management

Service provider: Supabase (server location: Zurich, Switzerland)

Data processed:

• Name, e-mail address
• Year and month of birth
• Fitness level and information on injuries
• Authentication data
• Usage and progress data related to training
• Metadata relating to account management

Purpose: Provision and management of the user account, personalisation of training content, storage of training progress.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract); for information on injuries and fitness level additionally Art. 9(2)(a) GDPR (explicit consent to the processing of health data); Art. 31 revFADP.

Storage period: Until the account is deleted by the user. Deletion can be carried out directly within the app.

5. Smart Notifications

Service provider: Expo (server location: USA, Microsoft Azure)

Data processed:

• Push token and device information
• Language, time zone and reminder time settings
• Metadata regarding the dispatch of notifications

Expo forwards notifications to Apple APNs or Google FCM.

Purpose: Delivery of personalised push notifications.

Legal basis: Consent (Art. 6(1)(a) GDPR, Art. 31(1) revFADP), granted by activating smart notifications. Consent can be withdrawn at any time by deactivating smart notifications in the app settings.

Third-country transfer USA: Transfer is carried out on the basis of the EU-US Data Privacy Framework or EU Standard Contractual Clauses.

6. Product Analytics (PostHog)

Service provider: PostHog (server location: Frankfurt, Germany)

Data processed: Operating system, app version, language, time zone, technical user ID (only for users with an account). No collection of name, e-mail address or IP address.

Purpose: Analysis of app usage to improve the product.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR, Art. 31(2)(d) revFADP).

7. Error Reporting (Sentry)

Service provider: Sentry (server location: Frankfurt, Germany)

Data processed: Technical error messages, login status, technical user ID (only for users with an account). No collection of name or e-mail address.

Purpose: Detection and resolution of technical errors.

Legal basis: Legitimate interest in the stability and security of the app (Art. 6(1)(f) GDPR, Art. 31(2)(d) revFADP).

8. Support Communication

If you contact us by e-mail, we process your e-mail address and the content of your message in order to handle your enquiry.

Legal basis: Legitimate interest in handling the enquiry (Art. 6(1)(f) GDPR); where the enquiry relates to a contract, Art. 6(1)(b) GDPR.

Storage period: Until the enquiry has been fully handled, at the latest until the expiry of statutory retention periods.

Part B: Website flixfit.me

9. Website Hosting (Webflow)

Service provider: Webflow, Inc. (server location: USA)

Data processed: IP address, browser type, operating system, timestamp, URL accessed.

Purpose: Provision of the website, IT security.

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR, Art. 31(2)(d) revFADP).

Third-country transfer USA: Transfer is carried out on the basis of the EU-US Data Privacy Framework or EU Standard Contractual Clauses.

10. Cookies

The website uses only technically necessary cookies. No analytics, tracking or marketing cookies are set.

Legal basis: Section 25(2)(2) TTDSG; Art. 6(1)(f) GDPR.

11. Launch Newsletter (MailerLite)

Service provider: MailerLite (server location: EU)

Data processed: E-mail address, time of registration.

Purpose: Notification about the launch of the FlixFit app.

Legal basis: Consent (Art. 6(1)(a) GDPR, Art. 31(1) revFADP), obtained via a double opt-in procedure. Consent can be withdrawn at any time via the unsubscribe link in any e-mail or by sending an e-mail to support@flixfit.me.

Storage period: Until consent is withdrawn.

Part C: General Provisions

12. Recipients of the Data

Your data is only shared with the processors listed in this policy. Beyond this, data will only be disclosed where required by law or with your consent. Data will not be disclosed to third parties for marketing purposes.

13. Third-Country Transfers

Transfers of personal data to the USA (Expo, Webflow) are carried out on the basis of the EU-US Data Privacy Framework or EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). For Switzerland, there is an adequacy decision by the EU Commission.

14. Your Rights

You have the following rights:

• Right of access (Art. 15 GDPR, Art. 25 revFADP)
• Right to rectification (Art. 16 GDPR, Art. 32(1) revFADP)
• Right to erasure (Art. 17 GDPR, Art. 32(2)(c) revFADP)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR, Art. 28 revFADP)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR, Art. 30(2)(b) revFADP)
• Right to lodge a complaint with a supervisory authority (Art. 77 GDPR); in Switzerland, the competent authority is the Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch.

To exercise your rights, an informal message to support@flixfit.me is sufficient.

15. Data Security

We implement appropriate technical and organisational measures to protect your data. Data is transmitted using TLS encryption.

16. Changes

The current version of this privacy policy is available within the app and at flixfit.me.

17. Contact

FlixFit® AG, Mosacher 25, 8126 Zumikon, Switzerland E-mail: support@flixfit.me

‍